diff --git a/.github/workflows/package.yaml b/.github/workflows/package.yaml
new file mode 100644
index 000000000..8544523ea
--- /dev/null
+++ b/.github/workflows/package.yaml
@@ -0,0 +1,51 @@
+name: Build package
+
+on:
+ push:
+
+jobs:
+ build-package:
+ permissions:
+ contents: read
+ packages: write
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Setup Timoni
+ uses: stefanprodan/timoni/actions/setup@main
+ - name: Setup Flux
+ uses: fluxcd/flux2/action@main
+
+ - name: Preapre tag
+ run: |
+ tag=$(echo ${{ github.ref_name}} | tr '/' '-')
+ echo "tag=${tag}" >> "${GITHUB_ENV}"
+
+ - name: Build bundle
+ env:
+ BUNDLE_PATH: k8s/timoni/
+ run: |
+ mkdir ${{ runner.temp }}/timoni
+ timoni bundle build \
+ -f ${BUNDLE_PATH}bundle.cue \
+ -f ${BUNDLE_PATH}runners.cue \
+ -f ${BUNDLE_PATH}values.cue > ${{ runner.temp }}/timoni/build.yaml
+
+ - name: Diff artifacts
+ run: |
+ set +e
+ flux diff artifact \
+ --creds ${{ github.actor }}:${{ secrets.GITHUB_TOKEN }} \
+ oci://ghcr.io/${{ github.repository }}-manifests:${tag} \
+ --path ${{ runner.temp }}/timoni
+ echo "diff=$?" >> "${GITHUB_ENV}"
+
+ - name: Push artifact
+ if: ${{ env.diff != '0' }}
+ run: |
+ flux push artifact \
+ --creds ${{ github.actor }}:${{ secrets.GITHUB_TOKEN }} \
+ -f ${{ runner.temp }}/timoni \
+ --source ${{ github.repositoryUrl }} \
+ --revision ${{ inputs.tag }}@sha1:${{ github.sha }} \
+ oci://ghcr.io/${{ github.repository }}-manifests:${tag}
diff --git a/k8s/flux.cue b/k8s/flux.cue
new file mode 100644
index 000000000..4594ff1d8
--- /dev/null
+++ b/k8s/flux.cue
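Review bot: In .github/workflows/package.yaml, the `Preapre tag` step expands `${{ github.ref_name}}` straight into the shell script, so a branch name carrying shell metacharacters is evaluated by the shell in a job that holds `packages: write`; hand it over through the environment instead, `env: REF_NAME: ${{ github.ref_name }}` on the step and `tag=$(printf '%s' "${REF_NAME}" | tr '/' '-')` in the script. The two setup actions are referenced at `@main`, a mutable ref, in that same job, so pinning each `uses:` to a full commit SHA keeps an upstream change from running with the token. In `Push artifact`, `${{ inputs.tag }}` has no definition in a workflow triggered only by `push`, so `--revision` presumably renders as `@sha1:<sha>`; `${tag}` looks like what was meant. The `--creds ${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}` arguments in both flux steps would also be better supplied from a step-level `env:` entry, so the token is not part of the rendered script text.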
@@ -0,0 +1,44 @@
+bundle: {
+ apiVersion: "v1alpha1"
+ name: "codebattle"
+ instances: {
+ "gateway": {
+ module: url: "oci://ghcr.io/stefanprodan/modules/flux-helm-release"
+ namespace: "flux-system"
+ values: {
+ repository: url: "oci://registry-1.docker.io/envoyproxy"
+ chart: {
+ name: "gateway-helm"
+ version: "v1.3.0"
+ }
+ sync: targetNamespace: "codebattle"
+ }
+ }
+ "codebattle": {
+ module: url: "file://timoni/kustomize-oci"
+ namespace: "flux-system"
+ values: {
+ artifact: {
+ url: "oci://ghcr.io/hexlet-codebattle/codebattle-manifests"
+ tag: "master" @timoni(runtime:string:CODEBATTLE_PKG_TAG)
+ }
+ auth: credentials: {
+ username: string @timoni(runtime:string:GITHUB_USERNAME)
+ password: string @timoni(runtime:string:GITHUB_TOKEN)
+ }
+ patches: [{
+ apiVersion: "gateway.networking.k8s.io/v1"
+ kind: "HTTPRoute"
+ metadata: {
+ name: "codebattle"
+ namespace: "codebattle"
+ }
+ spec: {
+ _hostname: string @timoni(runtime:string:CODEBATTLE_HOSTNAME)
+ hostnames: [_hostname]
+ }
+ }]
+ }
+ }
+ }
+}
diff --git a/k8s/timoni/bundle.cue b/k8s/timoni/bundle.cue
new file mode 100644
index 000000000..0c9ba1e6c
--- /dev/null
+++ b/k8s/timoni/bundle.cue
@@ -0,0 +1,39 @@
+#RunnerConfig: {
+ image: string
+ version: string
+ lang: string
+ replicas: uint
+}
+
+runners: [string]: #RunnerConfig
+codebattleValues: {}
+
+bundle: {
+ apiVersion: "v1alpha1"
+ name: "codebattle"
+ instances: {
+ codebattle: {
+ module: url: "file://codebattle"
+ namespace: "codebattle"
+ values: codebattleValues
+ }
+ for runner in runners {
+ "runner-\(runner.lang)": {
+ module: url: "file://runner"
+ namespace: "codebattle"
+ values: {
+ registry: "docker.io"
+ image: {
+ repository: "\(registry)/\(runner.image)"
+ tag: runner.version
+ }
+ replicas: runner.replicas
+ }
+ }
+ }
+ gateway: {
+ module: url: "file://gateway"
+ namespace: "codebattle"
+ }
+ }
+}
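Review bot: In k8s/flux.cue, the `gateway` instance pulls `oci://ghcr.io/stefanprodan/modules/flux-helm-release` with no `version` or `digest`, so whatever the registry currently serves as the latest module is what gets applied into `flux-system`; add `module: version: "<MODULE_VERSION>"` and preferably `module: digest: "sha256:<MODULE_DIGEST>"` next to the url (placeholders, to be filled with the reviewed release). The chart itself is already pinned to `v1.3.0`, so pinning the module makes the two consistent. The `GITHUB_TOKEN` runtime value becomes the registry credential used in the cluster, so a comment on `auth: credentials` such as `// token needs read access to packages only` would tell whoever applies the bundle not to reuse a broader token.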
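Review bot: In k8s/timoni/bundle.cue, `lang: string` in `#RunnerConfig` is unconstrained although it is interpolated into the instance name `"runner-\(runner.lang)"`, so a value with uppercase letters or punctuation presumably only fails at apply time, and two runners sharing a `lang` land on the same instance key; constrain it in the schema, e.g. `lang: string & =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$"`. Runner images are selected by `tag: runner.version` alone; if the runner module (not visible in this hunk) accepts a digest, an optional `digest?: string` in `#RunnerConfig` would allow the images to be pinned immutably. `#RunnerConfig` also carries no field comments; one line per field, such as `// version is the tag of the runner image`, would make clear what `image` and `version` are expected to hold.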
diff --git a/k8s/timoni/codebattle/cue.mod/gen/gateway.networking.k8s.io/gateway/v1/types_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/gateway.networking.k8s.io/gateway/v1/types_gen.cue new file mode 100644 index 000000000..a77d14d64 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/gateway.networking.k8s.io/gateway/v1/types_gen.cue 
@@ -0,0 +1,677 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/standard-install.yaml + +package v1 + +import ( + "strings" + "list" + "struct" +) + +// Gateway represents an instance of a service-traffic handling +// infrastructure +// by binding Listeners to a set of IP addresses. +#Gateway: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "gateway.networking.k8s.io/v1" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "Gateway" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Spec defines the desired state of Gateway. + spec!: #GatewaySpec +} + +// Spec defines the desired state of Gateway. +#GatewaySpec: { + // Addresses requested for this Gateway. This is optional and + // behavior can + // depend on the implementation. If a value is set in the spec and + // the + // requested address is invalid or unavailable, the implementation + // MUST + // indicate this in the associated entry in + // GatewayStatus.Addresses. + // + // The Addresses field represents a request for the address(es) on + // the + // "outside of the Gateway", that traffic bound for this Gateway + // will use. 
+ // This could be the IP address or hostname of an external load + // balancer or + // other networking infrastructure, or some other address that + // traffic will + // be sent to. + // + // If no Addresses are specified, the implementation MAY schedule + // the + // Gateway in an implementation-specific manner, assigning an + // appropriate + // set of Addresses. + // + // The implementation MUST bind all Listeners to every + // GatewayAddress that + // it assigns to the Gateway and add a corresponding entry in + // GatewayStatus.Addresses. + // + // Support: Extended + addresses?: list.MaxItems(16) & [...matchN(1, [{ + type?: "IPAddress" + value?: matchN(>=1, [_, _]) + }, { + type?: matchN(0, ["IPAddress"]) + }]) & { + // Type of the address. + type?: strings.MaxRunes(253) & strings.MinRunes(1) & =~"^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\\/[A-Za-z0-9\\/\\-._~%!$&'()*+,;=:]+$" | *"IPAddress" + + // Value of the address. The validity of the values will depend + // on the type and support by the controller. + // + // Examples: `1.2.3.4`, `128::1`, `my-ip-address`. + value!: strings.MaxRunes(253) & strings.MinRunes(1) + }] + + // GatewayClassName used for this Gateway. This is the name of a + // GatewayClass resource. + gatewayClassName!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Infrastructure defines infrastructure level attributes about + // this Gateway instance. + // + // Support: Extended + infrastructure?: { + // Annotations that SHOULD be applied to any resources created in + // response to this Gateway. + // + // For implementations creating other Kubernetes objects, this + // should be the `metadata.annotations` field on resources. + // For other implementations, this refers to any relevant + // (implementation specific) "annotations" concepts. + // + // An implementation may chose to add additional + // implementation-specific annotations as they see fit. 
+ // + // Support: Extended + annotations?: close({ + [string]: strings.MaxRunes(4096) & strings.MinRunes(0) + }) & struct.MaxFields(8) + + // Labels that SHOULD be applied to any resources created in + // response to this Gateway. + // + // For implementations creating other Kubernetes objects, this + // should be the `metadata.labels` field on resources. + // For other implementations, this refers to any relevant + // (implementation specific) "labels" concepts. + // + // An implementation may chose to add additional + // implementation-specific labels as they see fit. + // + // If an implementation maps these labels to Pods, or any other + // resource that would need to be recreated when labels + // change, it SHOULD clearly warn about this behavior in + // documentation. + // + // Support: Extended + labels?: close({ + [string]: strings.MaxRunes(63) & strings.MinRunes(0) & =~"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + }) & struct.MaxFields(8) + + // ParametersRef is a reference to a resource that contains the + // configuration + // parameters corresponding to the Gateway. This is optional if + // the + // controller does not require any additional configuration. + // + // This follows the same semantics as GatewayClass's + // `parametersRef`, but on a per-Gateway basis + // + // The Gateway's GatewayClass may provide its own `parametersRef`. + // When both are specified, + // the merging behavior is implementation specific. + // It is generally recommended that GatewayClass provides defaults + // that can be overridden by a Gateway. + // + // Support: Implementation-specific + parametersRef?: { + // Group is the group of the referent. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the referent. + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the referent. 
+ name!: strings.MaxRunes(253) & strings.MinRunes(1) + } + } + + // Listeners associated with this Gateway. Listeners define + // logical endpoints that are bound on this Gateway's addresses. + // At least one Listener MUST be specified. + // + // Each Listener in a set of Listeners (for example, in a single + // Gateway) + // MUST be _distinct_, in that a traffic flow MUST be able to be + // assigned to + // exactly one listener. (This section uses "set of Listeners" + // rather than + // "Listeners in a single Gateway" because implementations MAY + // merge configuration + // from multiple Gateways onto a single data plane, and these + // rules _also_ + // apply in that case). + // + // Practically, this means that each listener in a set MUST have a + // unique + // combination of Port, Protocol, and, if supported by the + // protocol, Hostname. + // + // Some combinations of port, protocol, and TLS settings are + // considered + // Core support and MUST be supported by implementations based on + // their + // targeted conformance profile: + // + // HTTP Profile + // + // 1. HTTPRoute, Port: 80, Protocol: HTTP + // 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, + // TLS keypair provided + // + // TLS Profile + // + // 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough + // + // "Distinct" Listeners have the following property: + // + // The implementation can match inbound requests to a single + // distinct + // Listener. When multiple Listeners share values for fields (for + // example, two Listeners with the same Port value), the + // implementation + // can match requests to only one of the Listeners using other + // Listener fields. + // + // For example, the following Listener scenarios are distinct: + // + // 1. Multiple Listeners with the same Port that all use the + // "HTTP" + // Protocol that all have unique Hostname values. + // 2. 
Multiple Listeners with the same Port that use either the + // "HTTPS" or + // "TLS" Protocol that all have unique Hostname values. + // 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no + // Listener + // with the same Protocol has the same Port value. + // + // Some fields in the Listener struct have possible values that + // affect + // whether the Listener is distinct. Hostname is particularly + // relevant + // for HTTP or HTTPS protocols. + // + // When using the Hostname value to select between same-Port, + // same-Protocol + // Listeners, the Hostname value must be different on each + // Listener for the + // Listener to be distinct. + // + // When the Listeners are distinct based on Hostname, inbound + // request + // hostnames MUST match from the most specific to least specific + // Hostname + // values to choose the correct Listener and its associated set of + // Routes. + // + // Exact matches must be processed before wildcard matches, and + // wildcard + // matches must be processed before fallback (empty Hostname + // value) + // matches. For example, `"foo.example.com"` takes precedence over + // `"*.example.com"`, and `"*.example.com"` takes precedence over + // `""`. + // + // Additionally, if there are multiple wildcard entries, more + // specific + // wildcard entries must be processed before less specific + // wildcard entries. + // For example, `"*.foo.example.com"` takes precedence over + // `"*.example.com"`. + // The precise definition here is that the higher the number of + // dots in the + // hostname to the right of the wildcard character, the higher the + // precedence. + // + // The wildcard character will match any number of characters _and + // dots_ to + // the left, however, so `"*.example.com"` will match both + // `"foo.bar.example.com"` _and_ `"bar.example.com"`. 
+ // + // If a set of Listeners contains Listeners that are not distinct, + // then those + // Listeners are Conflicted, and the implementation MUST set the + // "Conflicted" + // condition in the Listener Status to "True". + // + // Implementations MAY choose to accept a Gateway with some + // Conflicted + // Listeners only if they only accept the partial Listener set + // that contains + // no Conflicted Listeners. To put this another way, + // implementations may + // accept a partial Listener set only if they throw out *all* the + // conflicting + // Listeners. No picking one of the conflicting listeners as the + // winner. + // This also means that the Gateway must have at least one + // non-conflicting + // Listener in this case, otherwise it violates the requirement + // that at + // least one Listener must be present. + // + // The implementation MUST set a "ListenersNotValid" condition on + // the + // Gateway Status when the Gateway contains Conflicted Listeners + // whether or + // not they accept the Gateway. That Condition SHOULD clearly + // indicate in the Message which Listeners are conflicted, and + // which are + // Accepted. Additionally, the Listener status for those listeners + // SHOULD + // indicate which Listeners are conflicted and not Accepted. + // + // A Gateway's Listeners are considered "compatible" if: + // + // 1. They are distinct. + // 2. The implementation can serve them in compliance with the + // Addresses + // requirement that all Listeners are available on all assigned + // addresses. + // + // Compatible combinations in Extended support are expected to + // vary across + // implementations. A combination that is compatible for one + // implementation + // may not be compatible for another. 
+ // + // For example, an implementation that cannot serve both TCP and + // UDP listeners + // on the same address, or cannot mix HTTPS and generic TLS + // listens on the same port + // would not consider those cases compatible, even though they are + // distinct. + // + // Note that requests SHOULD match at most one Listener. For + // example, if + // Listeners are defined for "foo.example.com" and + // "*.example.com", a + // request to "foo.example.com" SHOULD only be routed using routes + // attached + // to the "foo.example.com" Listener (and not the "*.example.com" + // Listener). + // This concept is known as "Listener Isolation". Implementations + // that do + // not support Listener Isolation MUST clearly document this. + // + // Implementations MAY merge separate Gateways onto a single set + // of + // Addresses if all Listeners across all Gateways are compatible. + // + // Support: Core + listeners!: list.MaxItems(64) & [...{ + // AllowedRoutes defines the types of routes that MAY be attached + // to a + // Listener and the trusted namespaces where those Route resources + // MAY be + // present. + // + // Although a client request may match multiple route rules, only + // one rule + // may ultimately receive the request. Matching precedence MUST be + // determined in order of the following criteria: + // + // * The most specific match as defined by the Route type. + // * The oldest Route based on creation timestamp. For example, a + // Route with + // a creation timestamp of "2020-09-08 01:02:03" is given + // precedence over + // a Route with a creation timestamp of "2020-09-08 01:02:04". + // * If everything else is equivalent, the Route appearing first + // in + // alphabetical order (namespace/name) should be given precedence. + // For + // example, foo/bar is given precedence over foo/baz. + // + // All valid rules within a Route attached to this Listener should + // be + // implemented. 
Invalid Route rules can be ignored (sometimes that + // will mean + // the full Route). If a Route rule transitions from valid to + // invalid, + // support for that Route rule should be dropped to ensure + // consistency. For + // example, even if a filter specified by a Route rule is invalid, + // the rest + // of the rules within that Route should still be supported. + // + // Support: Core + allowedRoutes?: { + // Kinds specifies the groups and kinds of Routes that are allowed + // to bind + // to this Gateway Listener. When unspecified or empty, the kinds + // of Routes + // selected are determined using the Listener protocol. + // + // A RouteGroupKind MUST correspond to kinds of Routes that are + // compatible + // with the application protocol specified in the Listener's + // Protocol field. + // If an implementation does not support or recognize this + // resource type, it + // MUST set the "ResolvedRefs" condition to False for this + // Listener with the + // "InvalidRouteKinds" reason. + // + // Support: Core + kinds?: list.MaxItems(8) & [...{ + // Group is the group of the Route. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"gateway.networking.k8s.io" + + // Kind is the kind of the Route. + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + }] + + // Namespaces indicates namespaces from which Routes may be + // attached to this + // Listener. This is restricted to the namespace of this Gateway + // by default. + // + // Support: Core + namespaces?: { + // From indicates where Routes will be selected for this Gateway. + // Possible + // values are: + // + // * All: Routes in all namespaces may be used by this Gateway. + // * Selector: Routes in namespaces selected by the selector may + // be used by + // this Gateway. + // * Same: Only Routes in the same namespace may be used by this + // Gateway. 
+ // + // Support: Core + from?: "All" | "Selector" | "Same" | *"Same" + + // Selector must be specified when From is set to "Selector". In + // that case, + // only Routes in Namespaces matching this Selector will be + // selected by this + // Gateway. This field is ignored for other values of "From". + // + // Support: Core + selector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + } | *{ + from: "Same" + } + } | *{ + namespaces: { + from: "Same" + } + } + + // Hostname specifies the virtual hostname to match for protocol + // types that + // define this concept. When unspecified, all hostnames are + // matched. This + // field is ignored for protocols that don't require hostname + // based + // matching. + // + // Implementations MUST apply Hostname matching appropriately for + // each of + // the following protocols: + // + // * TLS: The Listener Hostname MUST match the SNI. + // * HTTP: The Listener Hostname MUST match the Host header of the + // request. 
+ // * HTTPS: The Listener Hostname SHOULD match at both the TLS and + // HTTP + // protocol layers as described above. If an implementation does + // not + // ensure that both the SNI and Host header match the Listener + // hostname, + // it MUST clearly document that. + // + // For HTTPRoute and TLSRoute resources, there is an interaction + // with the + // `spec.hostnames` array. When both listener and route specify + // hostnames, + // there MUST be an intersection between the values for a Route to + // be + // accepted. For more information, refer to the Route specific + // Hostnames + // documentation. + // + // Hostnames that are prefixed with a wildcard label (`*.`) are + // interpreted + // as a suffix match. That means that a match for `*.example.com` + // would match + // both `test.example.com`, and `foo.test.example.com`, but not + // `example.com`. + // + // Support: Core + hostname?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^(\\*\\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Name is the name of the Listener. This name MUST be unique + // within a + // Gateway. + // + // Support: Core + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Port is the network port. Multiple listeners may use the + // same port, subject to the Listener compatibility rules. + // + // Support: Core + port!: uint16 & >=1 + + // Protocol specifies the network protocol this listener expects + // to receive. + // + // Support: Core + protocol!: strings.MaxRunes(255) & strings.MinRunes(1) & { + =~"^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\\/[A-Za-z0-9]+$" + } + + // TLS is the TLS configuration for the Listener. This field is + // required if + // the Protocol field is "HTTPS" or "TLS". It is invalid to set + // this field + // if the Protocol field is "HTTP", "TCP", or "UDP". 
+ // + // The association of SNIs to Certificate defined in + // GatewayTLSConfig is + // defined based on the Hostname field for this listener. + // + // The GatewayClass MUST use the longest matching SNI out of all + // available certificates for any TLS handshake. + // + // Support: Core + tls?: { + // CertificateRefs contains a series of references to Kubernetes + // objects that + // contains TLS certificates and private keys. These certificates + // are used to + // establish a TLS handshake for requests that match the hostname + // of the + // associated listener. + // + // A single CertificateRef to a Kubernetes Secret has "Core" + // support. + // Implementations MAY choose to support attaching multiple + // certificates to + // a Listener, but this behavior is implementation-specific. + // + // References to a resource in different namespace are invalid + // UNLESS there + // is a ReferenceGrant in the target namespace that allows the + // certificate + // to be attached. If a ReferenceGrant does not allow this + // reference, the + // "ResolvedRefs" condition MUST be set to False for this listener + // with the + // "RefNotPermitted" reason. + // + // This field is required to have at least one element when the + // mode is set + // to "Terminate" (default) and is optional otherwise. + // + // CertificateRefs can reference to standard Kubernetes resources, + // i.e. + // Secret, or implementation-specific custom resources. + // + // Support: Core - A single reference to a Kubernetes Secret of + // type kubernetes.io/tls + // + // Support: Implementation-specific (More than one reference or + // other resource types) + certificateRefs?: list.MaxItems(64) & [...{ + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. 
+ group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is kind of the referent. For example "Secret". + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Secret" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the referenced object. When + // unspecified, the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + }] + + // Mode defines the TLS behavior for the TLS session initiated by + // the client. + // There are two possible modes: + // + // - Terminate: The TLS session between the downstream client and + // the + // Gateway is terminated at the Gateway. This mode requires + // certificates + // to be specified in some way, such as populating the + // certificateRefs + // field. + // - Passthrough: The TLS session is NOT terminated by the + // Gateway. This + // implies that the Gateway can't decipher the TLS stream except + // for + // the ClientHello message of the TLS protocol. The + // certificateRefs field + // is ignored in this mode. + // + // Support: Core + mode?: "Terminate" | "Passthrough" | *"Terminate" + + // Options are a list of key/value pairs to enable extended TLS + // configuration for each implementation. For example, configuring + // the + // minimum TLS version or supported cipher suites. + // + // A set of common keys MAY be defined by the API in the future. 
+ // To avoid + // any ambiguity, implementation-specific definitions MUST use + // domain-prefixed names, such as `example.com/my-custom-option`. + // Un-prefixed names are reserved for key names defined by Gateway + // API. + // + // Support: Implementation-specific + options?: close({ + [string]: strings.MaxRunes(4096) & strings.MinRunes(0) + }) & struct.MaxFields(16) + } + }] & [_, ...] +} diff --git a/k8s/timoni/codebattle/cue.mod/gen/gateway.networking.k8s.io/gateway/v1beta1/types_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/gateway.networking.k8s.io/gateway/v1beta1/types_gen.cue new file mode 100644 index 000000000..936fceaab --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/gateway.networking.k8s.io/gateway/v1beta1/types_gen.cue 
@@ -0,0 +1,677 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/standard-install.yaml + +package v1beta1 + +import ( + "strings" + "list" + "struct" +) + +// Gateway represents an instance of a service-traffic handling +// infrastructure +// by binding Listeners to a set of IP addresses. +#Gateway: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "gateway.networking.k8s.io/v1beta1" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "Gateway" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Spec defines the desired state of Gateway. + spec!: #GatewaySpec +} + +// Spec defines the desired state of Gateway. +#GatewaySpec: { + // Addresses requested for this Gateway. This is optional and + // behavior can + // depend on the implementation. If a value is set in the spec and + // the + // requested address is invalid or unavailable, the implementation + // MUST + // indicate this in the associated entry in + // GatewayStatus.Addresses. + // + // The Addresses field represents a request for the address(es) on + // the + // "outside of the Gateway", that traffic bound for this Gateway + // will use. 
+ // This could be the IP address or hostname of an external load + // balancer or + // other networking infrastructure, or some other address that + // traffic will + // be sent to. + // + // If no Addresses are specified, the implementation MAY schedule + // the + // Gateway in an implementation-specific manner, assigning an + // appropriate + // set of Addresses. + // + // The implementation MUST bind all Listeners to every + // GatewayAddress that + // it assigns to the Gateway and add a corresponding entry in + // GatewayStatus.Addresses. + // + // Support: Extended + addresses?: list.MaxItems(16) & [...matchN(1, [{ + type?: "IPAddress" + value?: matchN(>=1, [_, _]) + }, { + type?: matchN(0, ["IPAddress"]) + }]) & { + // Type of the address. + type?: strings.MaxRunes(253) & strings.MinRunes(1) & =~"^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\\/[A-Za-z0-9\\/\\-._~%!$&'()*+,;=:]+$" | *"IPAddress" + + // Value of the address. The validity of the values will depend + // on the type and support by the controller. + // + // Examples: `1.2.3.4`, `128::1`, `my-ip-address`. + value!: strings.MaxRunes(253) & strings.MinRunes(1) + }] + + // GatewayClassName used for this Gateway. This is the name of a + // GatewayClass resource. + gatewayClassName!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Infrastructure defines infrastructure level attributes about + // this Gateway instance. + // + // Support: Extended + infrastructure?: { + // Annotations that SHOULD be applied to any resources created in + // response to this Gateway. + // + // For implementations creating other Kubernetes objects, this + // should be the `metadata.annotations` field on resources. + // For other implementations, this refers to any relevant + // (implementation specific) "annotations" concepts. + // + // An implementation may chose to add additional + // implementation-specific annotations as they see fit. 
+ // + // Support: Extended + annotations?: close({ + [string]: strings.MaxRunes(4096) & strings.MinRunes(0) + }) & struct.MaxFields(8) + + // Labels that SHOULD be applied to any resources created in + // response to this Gateway. + // + // For implementations creating other Kubernetes objects, this + // should be the `metadata.labels` field on resources. + // For other implementations, this refers to any relevant + // (implementation specific) "labels" concepts. + // + // An implementation may chose to add additional + // implementation-specific labels as they see fit. + // + // If an implementation maps these labels to Pods, or any other + // resource that would need to be recreated when labels + // change, it SHOULD clearly warn about this behavior in + // documentation. + // + // Support: Extended + labels?: close({ + [string]: strings.MaxRunes(63) & strings.MinRunes(0) & =~"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + }) & struct.MaxFields(8) + + // ParametersRef is a reference to a resource that contains the + // configuration + // parameters corresponding to the Gateway. This is optional if + // the + // controller does not require any additional configuration. + // + // This follows the same semantics as GatewayClass's + // `parametersRef`, but on a per-Gateway basis + // + // The Gateway's GatewayClass may provide its own `parametersRef`. + // When both are specified, + // the merging behavior is implementation specific. + // It is generally recommended that GatewayClass provides defaults + // that can be overridden by a Gateway. + // + // Support: Implementation-specific + parametersRef?: { + // Group is the group of the referent. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the referent. + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the referent. 
+ name!: strings.MaxRunes(253) & strings.MinRunes(1) + } + } + + // Listeners associated with this Gateway. Listeners define + // logical endpoints that are bound on this Gateway's addresses. + // At least one Listener MUST be specified. + // + // Each Listener in a set of Listeners (for example, in a single + // Gateway) + // MUST be _distinct_, in that a traffic flow MUST be able to be + // assigned to + // exactly one listener. (This section uses "set of Listeners" + // rather than + // "Listeners in a single Gateway" because implementations MAY + // merge configuration + // from multiple Gateways onto a single data plane, and these + // rules _also_ + // apply in that case). + // + // Practically, this means that each listener in a set MUST have a + // unique + // combination of Port, Protocol, and, if supported by the + // protocol, Hostname. + // + // Some combinations of port, protocol, and TLS settings are + // considered + // Core support and MUST be supported by implementations based on + // their + // targeted conformance profile: + // + // HTTP Profile + // + // 1. HTTPRoute, Port: 80, Protocol: HTTP + // 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, + // TLS keypair provided + // + // TLS Profile + // + // 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough + // + // "Distinct" Listeners have the following property: + // + // The implementation can match inbound requests to a single + // distinct + // Listener. When multiple Listeners share values for fields (for + // example, two Listeners with the same Port value), the + // implementation + // can match requests to only one of the Listeners using other + // Listener fields. + // + // For example, the following Listener scenarios are distinct: + // + // 1. Multiple Listeners with the same Port that all use the + // "HTTP" + // Protocol that all have unique Hostname values. + // 2. 
Multiple Listeners with the same Port that use either the + // "HTTPS" or + // "TLS" Protocol that all have unique Hostname values. + // 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no + // Listener + // with the same Protocol has the same Port value. + // + // Some fields in the Listener struct have possible values that + // affect + // whether the Listener is distinct. Hostname is particularly + // relevant + // for HTTP or HTTPS protocols. + // + // When using the Hostname value to select between same-Port, + // same-Protocol + // Listeners, the Hostname value must be different on each + // Listener for the + // Listener to be distinct. + // + // When the Listeners are distinct based on Hostname, inbound + // request + // hostnames MUST match from the most specific to least specific + // Hostname + // values to choose the correct Listener and its associated set of + // Routes. + // + // Exact matches must be processed before wildcard matches, and + // wildcard + // matches must be processed before fallback (empty Hostname + // value) + // matches. For example, `"foo.example.com"` takes precedence over + // `"*.example.com"`, and `"*.example.com"` takes precedence over + // `""`. + // + // Additionally, if there are multiple wildcard entries, more + // specific + // wildcard entries must be processed before less specific + // wildcard entries. + // For example, `"*.foo.example.com"` takes precedence over + // `"*.example.com"`. + // The precise definition here is that the higher the number of + // dots in the + // hostname to the right of the wildcard character, the higher the + // precedence. + // + // The wildcard character will match any number of characters _and + // dots_ to + // the left, however, so `"*.example.com"` will match both + // `"foo.bar.example.com"` _and_ `"bar.example.com"`. 
+ // + // If a set of Listeners contains Listeners that are not distinct, + // then those + // Listeners are Conflicted, and the implementation MUST set the + // "Conflicted" + // condition in the Listener Status to "True". + // + // Implementations MAY choose to accept a Gateway with some + // Conflicted + // Listeners only if they only accept the partial Listener set + // that contains + // no Conflicted Listeners. To put this another way, + // implementations may + // accept a partial Listener set only if they throw out *all* the + // conflicting + // Listeners. No picking one of the conflicting listeners as the + // winner. + // This also means that the Gateway must have at least one + // non-conflicting + // Listener in this case, otherwise it violates the requirement + // that at + // least one Listener must be present. + // + // The implementation MUST set a "ListenersNotValid" condition on + // the + // Gateway Status when the Gateway contains Conflicted Listeners + // whether or + // not they accept the Gateway. That Condition SHOULD clearly + // indicate in the Message which Listeners are conflicted, and + // which are + // Accepted. Additionally, the Listener status for those listeners + // SHOULD + // indicate which Listeners are conflicted and not Accepted. + // + // A Gateway's Listeners are considered "compatible" if: + // + // 1. They are distinct. + // 2. The implementation can serve them in compliance with the + // Addresses + // requirement that all Listeners are available on all assigned + // addresses. + // + // Compatible combinations in Extended support are expected to + // vary across + // implementations. A combination that is compatible for one + // implementation + // may not be compatible for another. 
+ // + // For example, an implementation that cannot serve both TCP and + // UDP listeners + // on the same address, or cannot mix HTTPS and generic TLS + // listens on the same port + // would not consider those cases compatible, even though they are + // distinct. + // + // Note that requests SHOULD match at most one Listener. For + // example, if + // Listeners are defined for "foo.example.com" and + // "*.example.com", a + // request to "foo.example.com" SHOULD only be routed using routes + // attached + // to the "foo.example.com" Listener (and not the "*.example.com" + // Listener). + // This concept is known as "Listener Isolation". Implementations + // that do + // not support Listener Isolation MUST clearly document this. + // + // Implementations MAY merge separate Gateways onto a single set + // of + // Addresses if all Listeners across all Gateways are compatible. + // + // Support: Core + listeners!: list.MaxItems(64) & [...{ + // AllowedRoutes defines the types of routes that MAY be attached + // to a + // Listener and the trusted namespaces where those Route resources + // MAY be + // present. + // + // Although a client request may match multiple route rules, only + // one rule + // may ultimately receive the request. Matching precedence MUST be + // determined in order of the following criteria: + // + // * The most specific match as defined by the Route type. + // * The oldest Route based on creation timestamp. For example, a + // Route with + // a creation timestamp of "2020-09-08 01:02:03" is given + // precedence over + // a Route with a creation timestamp of "2020-09-08 01:02:04". + // * If everything else is equivalent, the Route appearing first + // in + // alphabetical order (namespace/name) should be given precedence. + // For + // example, foo/bar is given precedence over foo/baz. + // + // All valid rules within a Route attached to this Listener should + // be + // implemented. 
Invalid Route rules can be ignored (sometimes that + // will mean + // the full Route). If a Route rule transitions from valid to + // invalid, + // support for that Route rule should be dropped to ensure + // consistency. For + // example, even if a filter specified by a Route rule is invalid, + // the rest + // of the rules within that Route should still be supported. + // + // Support: Core + allowedRoutes?: { + // Kinds specifies the groups and kinds of Routes that are allowed + // to bind + // to this Gateway Listener. When unspecified or empty, the kinds + // of Routes + // selected are determined using the Listener protocol. + // + // A RouteGroupKind MUST correspond to kinds of Routes that are + // compatible + // with the application protocol specified in the Listener's + // Protocol field. + // If an implementation does not support or recognize this + // resource type, it + // MUST set the "ResolvedRefs" condition to False for this + // Listener with the + // "InvalidRouteKinds" reason. + // + // Support: Core + kinds?: list.MaxItems(8) & [...{ + // Group is the group of the Route. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"gateway.networking.k8s.io" + + // Kind is the kind of the Route. + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + }] + + // Namespaces indicates namespaces from which Routes may be + // attached to this + // Listener. This is restricted to the namespace of this Gateway + // by default. + // + // Support: Core + namespaces?: { + // From indicates where Routes will be selected for this Gateway. + // Possible + // values are: + // + // * All: Routes in all namespaces may be used by this Gateway. + // * Selector: Routes in namespaces selected by the selector may + // be used by + // this Gateway. + // * Same: Only Routes in the same namespace may be used by this + // Gateway. 
+ // + // Support: Core + from?: "All" | "Selector" | "Same" | *"Same" + + // Selector must be specified when From is set to "Selector". In + // that case, + // only Routes in Namespaces matching this Selector will be + // selected by this + // Gateway. This field is ignored for other values of "From". + // + // Support: Core + selector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + } | *{ + from: "Same" + } + } | *{ + namespaces: { + from: "Same" + } + } + + // Hostname specifies the virtual hostname to match for protocol + // types that + // define this concept. When unspecified, all hostnames are + // matched. This + // field is ignored for protocols that don't require hostname + // based + // matching. + // + // Implementations MUST apply Hostname matching appropriately for + // each of + // the following protocols: + // + // * TLS: The Listener Hostname MUST match the SNI. + // * HTTP: The Listener Hostname MUST match the Host header of the + // request. 
+ // * HTTPS: The Listener Hostname SHOULD match at both the TLS and + // HTTP + // protocol layers as described above. If an implementation does + // not + // ensure that both the SNI and Host header match the Listener + // hostname, + // it MUST clearly document that. + // + // For HTTPRoute and TLSRoute resources, there is an interaction + // with the + // `spec.hostnames` array. When both listener and route specify + // hostnames, + // there MUST be an intersection between the values for a Route to + // be + // accepted. For more information, refer to the Route specific + // Hostnames + // documentation. + // + // Hostnames that are prefixed with a wildcard label (`*.`) are + // interpreted + // as a suffix match. That means that a match for `*.example.com` + // would match + // both `test.example.com`, and `foo.test.example.com`, but not + // `example.com`. + // + // Support: Core + hostname?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^(\\*\\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Name is the name of the Listener. This name MUST be unique + // within a + // Gateway. + // + // Support: Core + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Port is the network port. Multiple listeners may use the + // same port, subject to the Listener compatibility rules. + // + // Support: Core + port!: uint16 & >=1 + + // Protocol specifies the network protocol this listener expects + // to receive. + // + // Support: Core + protocol!: strings.MaxRunes(255) & strings.MinRunes(1) & { + =~"^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\\/[A-Za-z0-9]+$" + } + + // TLS is the TLS configuration for the Listener. This field is + // required if + // the Protocol field is "HTTPS" or "TLS". It is invalid to set + // this field + // if the Protocol field is "HTTP", "TCP", or "UDP". 
+ // + // The association of SNIs to Certificate defined in + // GatewayTLSConfig is + // defined based on the Hostname field for this listener. + // + // The GatewayClass MUST use the longest matching SNI out of all + // available certificates for any TLS handshake. + // + // Support: Core + tls?: { + // CertificateRefs contains a series of references to Kubernetes + // objects that + // contains TLS certificates and private keys. These certificates + // are used to + // establish a TLS handshake for requests that match the hostname + // of the + // associated listener. + // + // A single CertificateRef to a Kubernetes Secret has "Core" + // support. + // Implementations MAY choose to support attaching multiple + // certificates to + // a Listener, but this behavior is implementation-specific. + // + // References to a resource in different namespace are invalid + // UNLESS there + // is a ReferenceGrant in the target namespace that allows the + // certificate + // to be attached. If a ReferenceGrant does not allow this + // reference, the + // "ResolvedRefs" condition MUST be set to False for this listener + // with the + // "RefNotPermitted" reason. + // + // This field is required to have at least one element when the + // mode is set + // to "Terminate" (default) and is optional otherwise. + // + // CertificateRefs can reference to standard Kubernetes resources, + // i.e. + // Secret, or implementation-specific custom resources. + // + // Support: Core - A single reference to a Kubernetes Secret of + // type kubernetes.io/tls + // + // Support: Implementation-specific (More than one reference or + // other resource types) + certificateRefs?: list.MaxItems(64) & [...{ + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. 
+ group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is kind of the referent. For example "Secret". + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Secret" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the referenced object. When + // unspecified, the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + }] + + // Mode defines the TLS behavior for the TLS session initiated by + // the client. + // There are two possible modes: + // + // - Terminate: The TLS session between the downstream client and + // the + // Gateway is terminated at the Gateway. This mode requires + // certificates + // to be specified in some way, such as populating the + // certificateRefs + // field. + // - Passthrough: The TLS session is NOT terminated by the + // Gateway. This + // implies that the Gateway can't decipher the TLS stream except + // for + // the ClientHello message of the TLS protocol. The + // certificateRefs field + // is ignored in this mode. + // + // Support: Core + mode?: "Terminate" | "Passthrough" | *"Terminate" + + // Options are a list of key/value pairs to enable extended TLS + // configuration for each implementation. For example, configuring + // the + // minimum TLS version or supported cipher suites. + // + // A set of common keys MAY be defined by the API in the future. 
+ // To avoid + // any ambiguity, implementation-specific definitions MUST use + // domain-prefixed names, such as `example.com/my-custom-option`. + // Un-prefixed names are reserved for key names defined by Gateway + // API. + // + // Support: Implementation-specific + options?: close({ + [string]: strings.MaxRunes(4096) & strings.MinRunes(0) + }) & struct.MaxFields(16) + } + }] & [_, ...] +} diff --git a/k8s/timoni/codebattle/cue.mod/gen/gateway.networking.k8s.io/gatewayclass/v1/types_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/gateway.networking.k8s.io/gatewayclass/v1/types_gen.cue new file mode 100644 index 000000000..8cca81b79 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/gateway.networking.k8s.io/gatewayclass/v1/types_gen.cue 
@@ -0,0 +1,143 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/standard-install.yaml + +package v1 + +import "strings" + +// GatewayClass describes a class of Gateways available to the +// user for creating +// Gateway resources. +// +// It is recommended that this resource be used as a template for +// Gateways. This +// means that a Gateway is based on the state of the GatewayClass +// at the time it +// was created and changes to the GatewayClass or associated +// parameters are not +// propagated down to existing Gateways. This recommendation is +// intended to +// limit the blast radius of changes to GatewayClass or associated +// parameters. +// If implementations choose to propagate GatewayClass changes to +// existing +// Gateways, that MUST be clearly documented by the +// implementation. +// +// Whenever one or more Gateways are using a GatewayClass, +// implementations SHOULD +// add the `gateway-exists-finalizer.gateway.networking.k8s.io` +// finalizer on the +// associated GatewayClass. This ensures that a GatewayClass +// associated with a +// Gateway is not deleted while in use. +// +// GatewayClass is a Cluster level resource. +#GatewayClass: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "gateway.networking.k8s.io/v1" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. 
+ // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "GatewayClass" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Spec defines the desired state of GatewayClass. + spec!: #GatewayClassSpec +} + +// Spec defines the desired state of GatewayClass. +#GatewayClassSpec: { + // ControllerName is the name of the controller that is managing + // Gateways of + // this class. The value of this field MUST be a domain prefixed + // path. + // + // Example: "example.net/gateway-controller". + // + // This field is not mutable and cannot be empty. + // + // Support: Core + controllerName!: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\\/[A-Za-z0-9\\/\\-._~%!$&'()*+,;=:]+$" + } + + // Description helps describe a GatewayClass with more details. + description?: strings.MaxRunes(64) + + // ParametersRef is a reference to a resource that contains the + // configuration + // parameters corresponding to the GatewayClass. This is optional + // if the + // controller does not require any additional configuration. + // + // ParametersRef can reference a standard Kubernetes resource, + // i.e. ConfigMap, + // or an implementation-specific custom resource. The resource can + // be + // cluster-scoped or namespace-scoped. + // + // If the referent cannot be found, refers to an unsupported kind, + // or when + // the data within that resource is malformed, the GatewayClass + // SHOULD be + // rejected with the "Accepted" status condition set to "False" + // and an + // "InvalidParameters" reason. + // + // A Gateway for this GatewayClass may provide its own + // `parametersRef`. 
When both are specified, + // the merging behavior is implementation specific. + // It is generally recommended that GatewayClass provides defaults + // that can be overridden by a Gateway. + // + // Support: Implementation-specific + parametersRef?: { + // Group is the group of the referent. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the referent. + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the referent. + // This field is required when referring to a Namespace-scoped + // resource and + // MUST be unset when referring to a Cluster-scoped resource. + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + } +} diff --git a/k8s/timoni/codebattle/cue.mod/gen/gateway.networking.k8s.io/gatewayclass/v1beta1/types_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/gateway.networking.k8s.io/gatewayclass/v1beta1/types_gen.cue new file mode 100644 index 000000000..0a23b5dc6 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/gateway.networking.k8s.io/gatewayclass/v1beta1/types_gen.cue 
@@ -0,0 +1,143 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/standard-install.yaml + +package v1beta1 + +import "strings" + +// GatewayClass describes a class of Gateways available to the +// user for creating +// Gateway resources. +// +// It is recommended that this resource be used as a template for +// Gateways. This +// means that a Gateway is based on the state of the GatewayClass +// at the time it +// was created and changes to the GatewayClass or associated +// parameters are not +// propagated down to existing Gateways. This recommendation is +// intended to +// limit the blast radius of changes to GatewayClass or associated +// parameters. +// If implementations choose to propagate GatewayClass changes to +// existing +// Gateways, that MUST be clearly documented by the +// implementation. +// +// Whenever one or more Gateways are using a GatewayClass, +// implementations SHOULD +// add the `gateway-exists-finalizer.gateway.networking.k8s.io` +// finalizer on the +// associated GatewayClass. This ensures that a GatewayClass +// associated with a +// Gateway is not deleted while in use. +// +// GatewayClass is a Cluster level resource. +#GatewayClass: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "gateway.networking.k8s.io/v1beta1" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. 
+ // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "GatewayClass" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Spec defines the desired state of GatewayClass. + spec!: #GatewayClassSpec +} + +// Spec defines the desired state of GatewayClass. +#GatewayClassSpec: { + // ControllerName is the name of the controller that is managing + // Gateways of + // this class. The value of this field MUST be a domain prefixed + // path. + // + // Example: "example.net/gateway-controller". + // + // This field is not mutable and cannot be empty. + // + // Support: Core + controllerName!: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\\/[A-Za-z0-9\\/\\-._~%!$&'()*+,;=:]+$" + } + + // Description helps describe a GatewayClass with more details. + description?: strings.MaxRunes(64) + + // ParametersRef is a reference to a resource that contains the + // configuration + // parameters corresponding to the GatewayClass. This is optional + // if the + // controller does not require any additional configuration. + // + // ParametersRef can reference a standard Kubernetes resource, + // i.e. ConfigMap, + // or an implementation-specific custom resource. The resource can + // be + // cluster-scoped or namespace-scoped. + // + // If the referent cannot be found, refers to an unsupported kind, + // or when + // the data within that resource is malformed, the GatewayClass + // SHOULD be + // rejected with the "Accepted" status condition set to "False" + // and an + // "InvalidParameters" reason. + // + // A Gateway for this GatewayClass may provide its own + // `parametersRef`. 
When both are specified, + // the merging behavior is implementation specific. + // It is generally recommended that GatewayClass provides defaults + // that can be overridden by a Gateway. + // + // Support: Implementation-specific + parametersRef?: { + // Group is the group of the referent. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the referent. + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the referent. + // This field is required when referring to a Namespace-scoped + // resource and + // MUST be unset when referring to a Cluster-scoped resource. + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + } +} diff --git a/k8s/timoni/codebattle/cue.mod/gen/gateway.networking.k8s.io/grpcroute/v1/types_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/gateway.networking.k8s.io/grpcroute/v1/types_gen.cue new file mode 100644 index 000000000..41b24be98 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/gateway.networking.k8s.io/grpcroute/v1/types_gen.cue 
@@ -0,0 +1,1406 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/standard-install.yaml + +package v1 + +import ( + "strings" + "list" +) + +// GRPCRoute provides a way to route gRPC requests. This includes +// the capability +// to match requests by hostname, gRPC service, gRPC method, or +// HTTP/2 header. +// Filters can be used to specify additional processing steps. +// Backends specify +// where matching requests will be routed. +// +// GRPCRoute falls under extended support within the Gateway API. +// Within the +// following specification, the word "MUST" indicates that an +// implementation +// supporting GRPCRoute must conform to the indicated requirement, +// but an +// implementation not supporting this route type need not follow +// the requirement +// unless explicitly indicated. +// +// Implementations supporting `GRPCRoute` with the `HTTPS` +// `ProtocolType` MUST +// accept HTTP/2 connections without an initial upgrade from +// HTTP/1.1, i.e. via +// ALPN. If the implementation does not support this, then it MUST +// set the +// "Accepted" condition to "False" for the affected listener with +// a reason of +// "UnsupportedProtocol". Implementations MAY also accept HTTP/2 +// connections +// with an upgrade from HTTP/1. +// +// Implementations supporting `GRPCRoute` with the `HTTP` +// `ProtocolType` MUST +// support HTTP/2 over cleartext TCP (h2c, +// https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an +// initial +// upgrade from HTTP/1.1, i.e. with prior knowledge +// (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the +// implementation +// does not support this, then it MUST set the "Accepted" +// condition to "False" +// for the affected listener with a reason of +// "UnsupportedProtocol". +// Implementations MAY also accept HTTP/2 connections with an +// upgrade from +// HTTP/1, i.e. without prior knowledge. 
+#GRPCRoute: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "gateway.networking.k8s.io/v1" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "GRPCRoute" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Spec defines the desired state of GRPCRoute. + spec!: #GRPCRouteSpec +} + +// Spec defines the desired state of GRPCRoute. +#GRPCRouteSpec: { + // Hostnames defines a set of hostnames to match against the GRPC + // Host header to select a GRPCRoute to process the request. This + // matches + // the RFC 1123 definition of a hostname with 2 notable + // exceptions: + // + // 1. IPs are not allowed. + // 2. A hostname may be prefixed with a wildcard label (`*.`). The + // wildcard + // label MUST appear by itself as the first label. + // + // If a hostname is specified by both the Listener and GRPCRoute, + // there + // MUST be at least one intersecting hostname for the GRPCRoute to + // be + // attached to the Listener. For example: + // + // * A Listener with `test.example.com` as the hostname matches + // GRPCRoutes + // that have either not specified any hostnames, or have specified + // at + // least one of `test.example.com` or `*.example.com`. 
+ // * A Listener with `*.example.com` as the hostname matches + // GRPCRoutes + // that have either not specified any hostnames or have specified + // at least + // one hostname that matches the Listener hostname. For example, + // `test.example.com` and `*.example.com` would both match. On the + // other + // hand, `example.com` and `test.example.net` would not match. + // + // Hostnames that are prefixed with a wildcard label (`*.`) are + // interpreted + // as a suffix match. That means that a match for `*.example.com` + // would match + // both `test.example.com`, and `foo.test.example.com`, but not + // `example.com`. + // + // If both the Listener and GRPCRoute have specified hostnames, + // any + // GRPCRoute hostnames that do not match the Listener hostname + // MUST be + // ignored. For example, if a Listener specified `*.example.com`, + // and the + // GRPCRoute specified `test.example.com` and `test.example.net`, + // `test.example.net` MUST NOT be considered for a match. + // + // If both the Listener and GRPCRoute have specified hostnames, + // and none + // match with the criteria above, then the GRPCRoute MUST NOT be + // accepted by + // the implementation. The implementation MUST raise an 'Accepted' + // Condition + // with a status of `False` in the corresponding + // RouteParentStatus. + // + // If a Route (A) of type HTTPRoute or GRPCRoute is attached to a + // Listener and that listener already has another Route (B) of the + // other + // type attached and the intersection of the hostnames of A and B + // is + // non-empty, then the implementation MUST accept exactly one of + // these two + // routes, determined by the following criteria, in order: + // + // * The oldest Route based on creation timestamp. + // * The Route appearing first in alphabetical order by + // "{namespace}/{name}". + // + // The rejected Route MUST raise an 'Accepted' condition with a + // status of + // 'False' in the corresponding RouteParentStatus. 
+ // + // Support: Core + hostnames?: list.MaxItems(16) & [...strings.MaxRunes(253) & strings.MinRunes(1) & =~"^(\\*\\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"] + + // ParentRefs references the resources (usually Gateways) that a + // Route wants + // to be attached to. Note that the referenced parent resource + // needs to + // allow this for the attachment to be complete. For Gateways, + // that means + // the Gateway needs to allow attachment from Routes of this kind + // and + // namespace. For Services, that means the Service must either be + // in the same + // namespace for a "producer" route, or the mesh implementation + // must support + // and allow "consumer" routes for the referenced Service. + // ReferenceGrant is + // not applicable for governing ParentRefs to Services - it is not + // possible to + // create a "producer" route for a Service in a different + // namespace from the + // Route. + // + // There are two kinds of parent resources with "Core" support: + // + // * Gateway (Gateway conformance profile) + // * Service (Mesh conformance profile, ClusterIP Services only) + // + // This API may be extended in the future to support additional + // kinds of parent + // resources. + // + // ParentRefs must be _distinct_. This means either that: + // + // * They select different objects. If this is the case, then + // parentRef + // entries are distinct. In terms of fields, this means that the + // multi-part key defined by `group`, `kind`, `namespace`, and + // `name` must + // be unique across all parentRef entries in the Route. + // * They do not select different objects, but for each optional + // field used, + // each ParentRef that selects the same object must set the same + // set of + // optional fields to different values. If one ParentRef sets a + // combination of optional fields, all must set the same + // combination. 
+ // + // Some examples: + // + // * If one ParentRef sets `sectionName`, all ParentRefs + // referencing the + // same object must also set `sectionName`. + // * If one ParentRef sets `port`, all ParentRefs referencing the + // same + // object must also set `port`. + // * If one ParentRef sets `sectionName` and `port`, all + // ParentRefs + // referencing the same object must also set `sectionName` and + // `port`. + // + // It is possible to separately reference multiple distinct + // objects that may + // be collapsed by an implementation. For example, some + // implementations may + // choose to merge compatible Gateway Listeners together. If that + // is the + // case, the list of routes attached to those resources should + // also be + // merged. + // + // Note that for ParentRefs that cross namespace boundaries, there + // are specific + // rules. Cross-namespace references are only valid if they are + // explicitly + // allowed by something in the namespace they are referring to. + // For example, + // Gateway has the AllowedRoutes field, and ReferenceGrant + // provides a + // generic way to enable other kinds of cross-namespace reference. + parentRefs?: list.MaxItems(32) & [...{ + // Group is the group of the referent. + // When unspecified, "gateway.networking.k8s.io" is inferred. + // To set the core API group (such as for a "Service" kind + // referent), + // Group must be explicitly set to "" (empty string). + // + // Support: Core + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"gateway.networking.k8s.io" + + // Kind is kind of the referent. + // + // There are two kinds of parent resources with "Core" support: + // + // * Gateway (Gateway conformance profile) + // * Service (Mesh conformance profile, ClusterIP Services only) + // + // Support for other resources is Implementation-Specific. 
+ kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Gateway" + + // Name is the name of the referent. + // + // Support: Core + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the referent. When unspecified, + // this refers + // to the local namespace of the Route. + // + // Note that there are specific rules for ParentRefs which cross + // namespace + // boundaries. Cross-namespace references are only valid if they + // are explicitly + // allowed by something in the namespace they are referring to. + // For example: + // Gateway has the AllowedRoutes field, and ReferenceGrant + // provides a + // generic way to enable any other kind of cross-namespace + // reference. + // + // + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port is the network port this Route targets. It can be + // interpreted + // differently based on the type of parent resource. + // + // When the parent resource is a Gateway, this targets all + // listeners + // listening on the specified port that also support this kind of + // Route(and + // select this Route). It's not recommended to set `Port` unless + // the + // networking behaviors specified in a Route must apply to a + // specific port + // as opposed to a listener(s) whose port(s) may be changed. When + // both Port + // and SectionName are specified, the name and port of the + // selected listener + // must match both specified values. + // + // + // + // Implementations MAY choose to support other parent resources. + // Implementations supporting other types of parent resources MUST + // clearly + // document how/if Port is interpreted. + // + // For the purpose of status, an attachment is considered + // successful as + // long as the parent resource accepts it partially. 
For example, + // Gateway + // listeners can restrict which Routes can attach to them by Route + // kind, + // namespace, or hostname. If 1 of 2 Gateway listeners accept + // attachment + // from the referencing Route, the Route MUST be considered + // successfully + // attached. If no Gateway listeners accept attachment from this + // Route, + // the Route MUST be considered detached from the Gateway. + // + // Support: Extended + port?: uint16 & >=1 + + // SectionName is the name of a section within the target + // resource. In the + // following resources, SectionName is interpreted as the + // following: + // + // * Gateway: Listener name. When both Port (experimental) and + // SectionName + // are specified, the name and port of the selected listener must + // match + // both specified values. + // * Service: Port name. When both Port (experimental) and + // SectionName + // are specified, the name and port of the selected listener must + // match + // both specified values. + // + // Implementations MAY choose to support attaching Routes to other + // resources. + // If that is the case, they MUST clearly document how SectionName + // is + // interpreted. + // + // When unspecified (empty string), this will reference the entire + // resource. + // For the purpose of status, an attachment is considered + // successful if at + // least one section in the parent resource accepts it. For + // example, Gateway + // listeners can restrict which Routes can attach to them by Route + // kind, + // namespace, or hostname. If 1 of 2 Gateway listeners accept + // attachment from + // the referencing Route, the Route MUST be considered + // successfully + // attached. If no Gateway listeners accept attachment from this + // Route, the + // Route MUST be considered detached from the Gateway. 
+ // + // Support: Core + sectionName?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + }] + + // Rules are a list of GRPC matchers, filters and actions. + rules?: list.MaxItems(16) & [...{ + // BackendRefs defines the backend(s) where matching requests + // should be + // sent. + // + // Failure behavior here depends on how many BackendRefs are + // specified and + // how many are invalid. + // + // If *all* entries in BackendRefs are invalid, and there are also + // no filters + // specified in this route rule, *all* traffic which matches this + // rule MUST + // receive an `UNAVAILABLE` status. + // + // See the GRPCBackendRef definition for the rules about what + // makes a single + // GRPCBackendRef invalid. + // + // When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST + // be returned for + // requests that would have otherwise been routed to an invalid + // backend. If + // multiple backends are specified, and some are invalid, the + // proportion of + // requests that would otherwise have been routed to an invalid + // backend + // MUST receive an `UNAVAILABLE` status. + // + // For example, if two backends are specified with equal weights, + // and one is + // invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` + // status. + // Implementations may choose how that 50 percent is determined. + // + // Support: Core for Kubernetes Service + // + // Support: Implementation-specific for any other resource + // + // Support for weight: Core + backendRefs?: list.MaxItems(16) & [...{ + // Filters defined at this level MUST be executed if and only if + // the + // request is being forwarded to the backend defined here. + // + // Support: Implementation-specific (For broader support of + // filters, use the + // Filters field in GRPCRouteRule.) 
+ filters?: list.MaxItems(16) & [...{ + // ExtensionRef is an optional, implementation-specific extension + // to the + // "filter" behavior. For example, resource "myroutefilter" in + // group + // "networking.example.net"). ExtensionRef MUST NOT be used for + // core and + // extended filters. + // + // Support: Implementation-specific + // + // This filter can be used multiple times within the same rule. + extensionRef?: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the referent. For example "HTTPRoute" or + // "Service". + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + } + + // RequestHeaderModifier defines a schema for a filter that + // modifies request + // headers. + // + // Support: Core + requestHeaderModifier?: { + // Add adds the given header(s) (name, value) to the request + // before the action. It appends to any existing values associated + // with the header name. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // add: + // - name: "my-header" + // value: "bar,baz" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: foo,bar,baz + add?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. 
Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + + // Remove the given header(s) from the HTTP request before the + // action. The + // value of Remove is a list of HTTP header names. Note that the + // header + // names are case-insensitive (see + // https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + // + // Input: + // GET /foo HTTP/1.1 + // my-header1: foo + // my-header2: bar + // my-header3: baz + // + // Config: + // remove: ["my-header1", "my-header3"] + // + // Output: + // GET /foo HTTP/1.1 + // my-header2: bar + remove?: list.MaxItems(16) & [...string] + + // Set overwrites the request with the given header (name, value) + // before the action. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // set: + // - name: "my-header" + // value: "bar" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: bar + set?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + } + requestMirror?: { + // BackendRef references a resource where mirrored requests are + // sent. 
+ // + // Mirrored requests must be sent only to a single destination + // endpoint + // within this BackendRef, irrespective of how many endpoints are + // present + // within this BackendRef. + // + // If the referent cannot be found, this BackendRef is invalid and + // must be + // dropped from the Gateway. The controller must ensure the + // "ResolvedRefs" + // condition on the Route status is set to `status: False` and not + // configure + // this backend in the underlying implementation. + // + // If there is a cross-namespace reference to an *existing* object + // that is not allowed by a ReferenceGrant, the controller must + // ensure the + // "ResolvedRefs" condition on the Route is set to `status: + // False`, + // with the "RefNotPermitted" reason and not configure this + // backend in the + // underlying implementation. + // + // In either error case, the Message of the `ResolvedRefs` + // Condition + // should be used to provide more detail about the problem. + // + // Support: Extended for Kubernetes Service + // + // Support: Implementation-specific for any other resource + backendRef!: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. 
+ // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. + // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. + port?: uint16 & >=1 + } + } + + // ResponseHeaderModifier defines a schema for a filter that + // modifies response + // headers. + // + // Support: Extended + responseHeaderModifier?: { + // Add adds the given header(s) (name, value) to the request + // before the action. It appends to any existing values associated + // with the header name. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // add: + // - name: "my-header" + // value: "bar,baz" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: foo,bar,baz + add?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). 
+ // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + + // Remove the given header(s) from the HTTP request before the + // action. The + // value of Remove is a list of HTTP header names. Note that the + // header + // names are case-insensitive (see + // https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + // + // Input: + // GET /foo HTTP/1.1 + // my-header1: foo + // my-header2: bar + // my-header3: baz + // + // Config: + // remove: ["my-header1", "my-header3"] + // + // Output: + // GET /foo HTTP/1.1 + // my-header2: bar + remove?: list.MaxItems(16) & [...string] + + // Set overwrites the request with the given header (name, value) + // before the action. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // set: + // - name: "my-header" + // value: "bar" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: bar + set?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. 
+ name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + } + + // Type identifies the type of filter to apply. As with other API + // fields, + // types are classified into three conformance levels: + // + // - Core: Filter types and their corresponding configuration + // defined by + // "Support: Core" in this package, e.g. "RequestHeaderModifier". + // All + // implementations supporting GRPCRoute MUST support core filters. + // + // - Extended: Filter types and their corresponding configuration + // defined by + // "Support: Extended" in this package, e.g. "RequestMirror". + // Implementers + // are encouraged to support extended filters. + // + // - Implementation-specific: Filters that are defined and + // supported by specific vendors. + // In the future, filters showing convergence in behavior across + // multiple + // implementations will be considered for inclusion in extended or + // core + // conformance levels. Filter-specific configuration for such + // filters + // is specified using the ExtensionRef field. `Type` MUST be set + // to + // "ExtensionRef" for custom filters. + // + // Implementers are encouraged to define custom implementation + // types to + // extend the core API with implementation-specific behavior. + // + // If a reference to a custom filter type cannot be resolved, the + // filter + // MUST NOT be skipped. Instead, requests that would have been + // processed by + // that filter MUST receive a HTTP error response. + type!: "ResponseHeaderModifier" | "RequestHeaderModifier" | "RequestMirror" | "ExtensionRef" + }] + + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. 
+ group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. + // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. + // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. + port?: uint16 & >=1 + + // Weight specifies the proportion of requests forwarded to the + // referenced + // backend. 
This is computed as weight/(sum of all weights in this + // BackendRefs list). For non-zero values, there may be some + // epsilon from + // the exact proportion defined here depending on the precision an + // implementation supports. Weight is not a percentage and the sum + // of + // weights does not need to equal 100. + // + // If only one backend is specified and it has a weight greater + // than 0, 100% + // of the traffic is forwarded to that backend. If weight is set + // to 0, no + // traffic should be forwarded for this entry. If unspecified, + // weight + // defaults to 1. + // + // Support for this field varies based on the context where used. + weight?: int32 & int & <=1000000 & >=0 | *1 + }] + + // Filters define the filters that are applied to requests that + // match + // this rule. + // + // The effects of ordering of multiple behaviors are currently + // unspecified. + // This can change in the future based on feedback during the + // alpha stage. + // + // Conformance-levels at this level are defined based on the type + // of filter: + // + // - ALL core filters MUST be supported by all implementations + // that support + // GRPCRoute. + // - Implementers are encouraged to support extended filters. + // - Implementation-specific custom filters have no API guarantees + // across + // implementations. + // + // Specifying the same filter multiple times is not supported + // unless explicitly + // indicated in the filter. + // + // If an implementation can not support a combination of filters, + // it must clearly + // document that limitation. In cases where incompatible or + // unsupported + // filters are specified and cause the `Accepted` condition to be + // set to status + // `False`, implementations may use the `IncompatibleFilters` + // reason to specify + // this configuration error. 
+ // + // Support: Core + filters?: list.MaxItems(16) & [...{ + // ExtensionRef is an optional, implementation-specific extension + // to the + // "filter" behavior. For example, resource "myroutefilter" in + // group + // "networking.example.net"). ExtensionRef MUST NOT be used for + // core and + // extended filters. + // + // Support: Implementation-specific + // + // This filter can be used multiple times within the same rule. + extensionRef?: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the referent. For example "HTTPRoute" or + // "Service". + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + } + + // RequestHeaderModifier defines a schema for a filter that + // modifies request + // headers. + // + // Support: Core + requestHeaderModifier?: { + // Add adds the given header(s) (name, value) to the request + // before the action. It appends to any existing values associated + // with the header name. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // add: + // - name: "my-header" + // value: "bar,baz" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: foo,bar,baz + add?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. 
Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + + // Remove the given header(s) from the HTTP request before the + // action. The + // value of Remove is a list of HTTP header names. Note that the + // header + // names are case-insensitive (see + // https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + // + // Input: + // GET /foo HTTP/1.1 + // my-header1: foo + // my-header2: bar + // my-header3: baz + // + // Config: + // remove: ["my-header1", "my-header3"] + // + // Output: + // GET /foo HTTP/1.1 + // my-header2: bar + remove?: list.MaxItems(16) & [...string] + + // Set overwrites the request with the given header (name, value) + // before the action. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // set: + // - name: "my-header" + // value: "bar" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: bar + set?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + } + requestMirror?: { + // BackendRef references a resource where mirrored requests are + // sent. 
+ // + // Mirrored requests must be sent only to a single destination + // endpoint + // within this BackendRef, irrespective of how many endpoints are + // present + // within this BackendRef. + // + // If the referent cannot be found, this BackendRef is invalid and + // must be + // dropped from the Gateway. The controller must ensure the + // "ResolvedRefs" + // condition on the Route status is set to `status: False` and not + // configure + // this backend in the underlying implementation. + // + // If there is a cross-namespace reference to an *existing* object + // that is not allowed by a ReferenceGrant, the controller must + // ensure the + // "ResolvedRefs" condition on the Route is set to `status: + // False`, + // with the "RefNotPermitted" reason and not configure this + // backend in the + // underlying implementation. + // + // In either error case, the Message of the `ResolvedRefs` + // Condition + // should be used to provide more detail about the problem. + // + // Support: Extended for Kubernetes Service + // + // Support: Implementation-specific for any other resource + backendRef!: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. 
+ // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. + // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. + port?: uint16 & >=1 + } + } + + // ResponseHeaderModifier defines a schema for a filter that + // modifies response + // headers. + // + // Support: Extended + responseHeaderModifier?: { + // Add adds the given header(s) (name, value) to the request + // before the action. It appends to any existing values associated + // with the header name. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // add: + // - name: "my-header" + // value: "bar,baz" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: foo,bar,baz + add?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). 
+ // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + + // Remove the given header(s) from the HTTP request before the + // action. The + // value of Remove is a list of HTTP header names. Note that the + // header + // names are case-insensitive (see + // https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + // + // Input: + // GET /foo HTTP/1.1 + // my-header1: foo + // my-header2: bar + // my-header3: baz + // + // Config: + // remove: ["my-header1", "my-header3"] + // + // Output: + // GET /foo HTTP/1.1 + // my-header2: bar + remove?: list.MaxItems(16) & [...string] + + // Set overwrites the request with the given header (name, value) + // before the action. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // set: + // - name: "my-header" + // value: "bar" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: bar + set?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. 
+ name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + } + + // Type identifies the type of filter to apply. As with other API + // fields, + // types are classified into three conformance levels: + // + // - Core: Filter types and their corresponding configuration + // defined by + // "Support: Core" in this package, e.g. "RequestHeaderModifier". + // All + // implementations supporting GRPCRoute MUST support core filters. + // + // - Extended: Filter types and their corresponding configuration + // defined by + // "Support: Extended" in this package, e.g. "RequestMirror". + // Implementers + // are encouraged to support extended filters. + // + // - Implementation-specific: Filters that are defined and + // supported by specific vendors. + // In the future, filters showing convergence in behavior across + // multiple + // implementations will be considered for inclusion in extended or + // core + // conformance levels. Filter-specific configuration for such + // filters + // is specified using the ExtensionRef field. `Type` MUST be set + // to + // "ExtensionRef" for custom filters. + // + // Implementers are encouraged to define custom implementation + // types to + // extend the core API with implementation-specific behavior. + // + // If a reference to a custom filter type cannot be resolved, the + // filter + // MUST NOT be skipped. Instead, requests that would have been + // processed by + // that filter MUST receive a HTTP error response. + type!: "ResponseHeaderModifier" | "RequestHeaderModifier" | "RequestMirror" | "ExtensionRef" + }] + + // Matches define conditions used for matching the rule against + // incoming + // gRPC requests. Each match is independent, i.e. this rule will + // be matched + // if **any** one of the matches is satisfied. 
+ // + // For example, take the following matches configuration: + // + // ``` + // matches: + // - method: + // service: foo.bar + // headers: + // values: + // version: 2 + // - method: + // service: foo.bar.v2 + // ``` + // + // For a request to match against this rule, it MUST satisfy + // EITHER of the two conditions: + // + // - service of foo.bar AND contains the header `version: 2` + // - service of foo.bar.v2 + // + // See the documentation for GRPCRouteMatch on how to specify + // multiple + // match conditions to be ANDed together. + // + // If no matches are specified, the implementation MUST match + // every gRPC request. + // + // Proxy or Load Balancer routing configuration generated from + // GRPCRoutes + // MUST prioritize rules based on the following criteria, + // continuing on + // ties. Merging MUST not be done between GRPCRoutes and + // HTTPRoutes. + // Precedence MUST be given to the rule with the largest number + // of: + // + // * Characters in a matching non-wildcard hostname. + // * Characters in a matching hostname. + // * Characters in a matching service. + // * Characters in a matching method. + // * Header matches. + // + // If ties still exist across multiple Routes, matching precedence + // MUST be + // determined in order of the following criteria, continuing on + // ties: + // + // * The oldest Route based on creation timestamp. + // * The Route appearing first in alphabetical order by + // "{namespace}/{name}". + // + // If ties still exist within the Route that has been given + // precedence, + // matching precedence MUST be granted to the first matching rule + // meeting + // the above criteria. + matches?: list.MaxItems(8) & [...{ + // Headers specifies gRPC request header matchers. Multiple match + // values are + // ANDed together, meaning, a request MUST match all the specified + // headers + // to select the route. + headers?: list.MaxItems(16) & [...{ + // Name is the name of the gRPC Header to be matched. 
+ // + // If multiple entries specify equivalent header names, only the + // first + // entry with an equivalent name MUST be considered for a match. + // Subsequent + // entries with an equivalent header name MUST be ignored. Due to + // the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Type specifies how to match against the value of the header. + type?: "Exact" | "RegularExpression" | *"Exact" + + // Value is the value of the gRPC Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + + // Method specifies a gRPC request service/method matcher. If this + // field is + // not specified, all services and methods will match. + method?: { + // Value of the method to match against. If left empty or omitted, + // will + // match all services. + // + // At least one of Service and Method MUST be a non-empty string. + method?: strings.MaxRunes(1024) + + // Value of the service to match against. If left empty or + // omitted, will + // match any service. + // + // At least one of Service and Method MUST be a non-empty string. + service?: strings.MaxRunes(1024) + + // Type specifies how to match against the service and/or method. + // Support: Core (Exact with service and method specified) + // + // Support: Implementation-specific (Exact with method specified + // but no service specified) + // + // Support: Implementation-specific (RegularExpression) + type?: "Exact" | "RegularExpression" | *"Exact" + } + }] + }] +} diff --git a/k8s/timoni/codebattle/cue.mod/gen/gateway.networking.k8s.io/httproute/v1/types_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/gateway.networking.k8s.io/httproute/v1/types_gen.cue new file mode 100644 index 000000000..65f7bfbd6 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/gateway.networking.k8s.io/httproute/v1/types_gen.cue 
@@ -0,0 +1,2001 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/standard-install.yaml + +package v1 + +import ( + "strings" + "list" +) + +// HTTPRoute provides a way to route HTTP requests. This includes +// the capability +// to match requests by hostname, path, header, or query param. +// Filters can be +// used to specify additional processing steps. Backends specify +// where matching +// requests should be routed. +#HTTPRoute: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "gateway.networking.k8s.io/v1" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "HTTPRoute" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Spec defines the desired state of HTTPRoute. + spec!: #HTTPRouteSpec +} + +// Spec defines the desired state of HTTPRoute. +#HTTPRouteSpec: { + // Hostnames defines a set of hostnames that should match against + // the HTTP Host + // header to select a HTTPRoute used to process the request. 
+ // Implementations + // MUST ignore any port value specified in the HTTP Host header + // while + // performing a match and (absent of any applicable header + // modification + // configuration) MUST forward this header unmodified to the + // backend. + // + // Valid values for Hostnames are determined by RFC 1123 + // definition of a + // hostname with 2 notable exceptions: + // + // 1. IPs are not allowed. + // 2. A hostname may be prefixed with a wildcard label (`*.`). The + // wildcard + // label must appear by itself as the first label. + // + // If a hostname is specified by both the Listener and HTTPRoute, + // there + // must be at least one intersecting hostname for the HTTPRoute to + // be + // attached to the Listener. For example: + // + // * A Listener with `test.example.com` as the hostname matches + // HTTPRoutes + // that have either not specified any hostnames, or have specified + // at + // least one of `test.example.com` or `*.example.com`. + // * A Listener with `*.example.com` as the hostname matches + // HTTPRoutes + // that have either not specified any hostnames or have specified + // at least + // one hostname that matches the Listener hostname. For example, + // `*.example.com`, `test.example.com`, and `foo.test.example.com` + // would + // all match. On the other hand, `example.com` and + // `test.example.net` would + // not match. + // + // Hostnames that are prefixed with a wildcard label (`*.`) are + // interpreted + // as a suffix match. That means that a match for `*.example.com` + // would match + // both `test.example.com`, and `foo.test.example.com`, but not + // `example.com`. + // + // If both the Listener and HTTPRoute have specified hostnames, + // any + // HTTPRoute hostnames that do not match the Listener hostname + // MUST be + // ignored. 
For example, if a Listener specified `*.example.com`, + // and the + // HTTPRoute specified `test.example.com` and `test.example.net`, + // `test.example.net` must not be considered for a match. + // + // If both the Listener and HTTPRoute have specified hostnames, + // and none + // match with the criteria above, then the HTTPRoute is not + // accepted. The + // implementation must raise an 'Accepted' Condition with a status + // of + // `False` in the corresponding RouteParentStatus. + // + // In the event that multiple HTTPRoutes specify intersecting + // hostnames (e.g. + // overlapping wildcard matching and exact matching hostnames), + // precedence must + // be given to rules from the HTTPRoute with the largest number + // of: + // + // * Characters in a matching non-wildcard hostname. + // * Characters in a matching hostname. + // + // If ties exist across multiple Routes, the matching precedence + // rules for + // HTTPRouteMatches takes over. + // + // Support: Core + hostnames?: list.MaxItems(16) & [...strings.MaxRunes(253) & strings.MinRunes(1) & =~"^(\\*\\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"] + + // ParentRefs references the resources (usually Gateways) that a + // Route wants + // to be attached to. Note that the referenced parent resource + // needs to + // allow this for the attachment to be complete. For Gateways, + // that means + // the Gateway needs to allow attachment from Routes of this kind + // and + // namespace. For Services, that means the Service must either be + // in the same + // namespace for a "producer" route, or the mesh implementation + // must support + // and allow "consumer" routes for the referenced Service. + // ReferenceGrant is + // not applicable for governing ParentRefs to Services - it is not + // possible to + // create a "producer" route for a Service in a different + // namespace from the + // Route. 
+ // + // There are two kinds of parent resources with "Core" support: + // + // * Gateway (Gateway conformance profile) + // * Service (Mesh conformance profile, ClusterIP Services only) + // + // This API may be extended in the future to support additional + // kinds of parent + // resources. + // + // ParentRefs must be _distinct_. This means either that: + // + // * They select different objects. If this is the case, then + // parentRef + // entries are distinct. In terms of fields, this means that the + // multi-part key defined by `group`, `kind`, `namespace`, and + // `name` must + // be unique across all parentRef entries in the Route. + // * They do not select different objects, but for each optional + // field used, + // each ParentRef that selects the same object must set the same + // set of + // optional fields to different values. If one ParentRef sets a + // combination of optional fields, all must set the same + // combination. + // + // Some examples: + // + // * If one ParentRef sets `sectionName`, all ParentRefs + // referencing the + // same object must also set `sectionName`. + // * If one ParentRef sets `port`, all ParentRefs referencing the + // same + // object must also set `port`. + // * If one ParentRef sets `sectionName` and `port`, all + // ParentRefs + // referencing the same object must also set `sectionName` and + // `port`. + // + // It is possible to separately reference multiple distinct + // objects that may + // be collapsed by an implementation. For example, some + // implementations may + // choose to merge compatible Gateway Listeners together. If that + // is the + // case, the list of routes attached to those resources should + // also be + // merged. + // + // Note that for ParentRefs that cross namespace boundaries, there + // are specific + // rules. Cross-namespace references are only valid if they are + // explicitly + // allowed by something in the namespace they are referring to. 
+ // For example, + // Gateway has the AllowedRoutes field, and ReferenceGrant + // provides a + // generic way to enable other kinds of cross-namespace reference. + parentRefs?: list.MaxItems(32) & [...{ + // Group is the group of the referent. + // When unspecified, "gateway.networking.k8s.io" is inferred. + // To set the core API group (such as for a "Service" kind + // referent), + // Group must be explicitly set to "" (empty string). + // + // Support: Core + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"gateway.networking.k8s.io" + + // Kind is kind of the referent. + // + // There are two kinds of parent resources with "Core" support: + // + // * Gateway (Gateway conformance profile) + // * Service (Mesh conformance profile, ClusterIP Services only) + // + // Support for other resources is Implementation-Specific. + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Gateway" + + // Name is the name of the referent. + // + // Support: Core + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the referent. When unspecified, + // this refers + // to the local namespace of the Route. + // + // Note that there are specific rules for ParentRefs which cross + // namespace + // boundaries. Cross-namespace references are only valid if they + // are explicitly + // allowed by something in the namespace they are referring to. + // For example: + // Gateway has the AllowedRoutes field, and ReferenceGrant + // provides a + // generic way to enable any other kind of cross-namespace + // reference. + // + // + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port is the network port this Route targets. It can be + // interpreted + // differently based on the type of parent resource. 
+ // + // When the parent resource is a Gateway, this targets all + // listeners + // listening on the specified port that also support this kind of + // Route(and + // select this Route). It's not recommended to set `Port` unless + // the + // networking behaviors specified in a Route must apply to a + // specific port + // as opposed to a listener(s) whose port(s) may be changed. When + // both Port + // and SectionName are specified, the name and port of the + // selected listener + // must match both specified values. + // + // + // + // Implementations MAY choose to support other parent resources. + // Implementations supporting other types of parent resources MUST + // clearly + // document how/if Port is interpreted. + // + // For the purpose of status, an attachment is considered + // successful as + // long as the parent resource accepts it partially. For example, + // Gateway + // listeners can restrict which Routes can attach to them by Route + // kind, + // namespace, or hostname. If 1 of 2 Gateway listeners accept + // attachment + // from the referencing Route, the Route MUST be considered + // successfully + // attached. If no Gateway listeners accept attachment from this + // Route, + // the Route MUST be considered detached from the Gateway. + // + // Support: Extended + port?: uint16 & >=1 + + // SectionName is the name of a section within the target + // resource. In the + // following resources, SectionName is interpreted as the + // following: + // + // * Gateway: Listener name. When both Port (experimental) and + // SectionName + // are specified, the name and port of the selected listener must + // match + // both specified values. + // * Service: Port name. When both Port (experimental) and + // SectionName + // are specified, the name and port of the selected listener must + // match + // both specified values. + // + // Implementations MAY choose to support attaching Routes to other + // resources. 
+ // If that is the case, they MUST clearly document how SectionName + // is + // interpreted. + // + // When unspecified (empty string), this will reference the entire + // resource. + // For the purpose of status, an attachment is considered + // successful if at + // least one section in the parent resource accepts it. For + // example, Gateway + // listeners can restrict which Routes can attach to them by Route + // kind, + // namespace, or hostname. If 1 of 2 Gateway listeners accept + // attachment from + // the referencing Route, the Route MUST be considered + // successfully + // attached. If no Gateway listeners accept attachment from this + // Route, the + // Route MUST be considered detached from the Gateway. + // + // Support: Core + sectionName?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + }] + + // Rules are a list of HTTP matchers, filters and actions. + rules?: list.MaxItems(16) & [...{ + // BackendRefs defines the backend(s) where matching requests + // should be + // sent. + // + // Failure behavior here depends on how many BackendRefs are + // specified and + // how many are invalid. + // + // If *all* entries in BackendRefs are invalid, and there are also + // no filters + // specified in this route rule, *all* traffic which matches this + // rule MUST + // receive a 500 status code. + // + // See the HTTPBackendRef definition for the rules about what + // makes a single + // HTTPBackendRef invalid. + // + // When a HTTPBackendRef is invalid, 500 status codes MUST be + // returned for + // requests that would have otherwise been routed to an invalid + // backend. If + // multiple backends are specified, and some are invalid, the + // proportion of + // requests that would otherwise have been routed to an invalid + // backend + // MUST receive a 500 status code. 
+ // + // For example, if two backends are specified with equal weights, + // and one is + // invalid, 50 percent of traffic must receive a 500. + // Implementations may + // choose how that 50 percent is determined. + // + // When a HTTPBackendRef refers to a Service that has no ready + // endpoints, + // implementations SHOULD return a 503 for requests to that + // backend instead. + // If an implementation chooses to do this, all of the above rules + // for 500 responses + // MUST also apply for responses that return a 503. + // + // Support: Core for Kubernetes Service + // + // Support: Extended for Kubernetes ServiceImport + // + // Support: Implementation-specific for any other resource + // + // Support for weight: Core + backendRefs?: list.MaxItems(16) & [...{ + // Filters defined at this level should be executed if and only if + // the + // request is being forwarded to the backend defined here. + // + // Support: Implementation-specific (For broader support of + // filters, use the + // Filters field in HTTPRouteRule.) + filters?: list.MaxItems(16) & [...{ + // ExtensionRef is an optional, implementation-specific extension + // to the + // "filter" behavior. For example, resource "myroutefilter" in + // group + // "networking.example.net"). ExtensionRef MUST NOT be used for + // core and + // extended filters. + // + // This filter can be used multiple times within the same rule. + // + // Support: Implementation-specific + extensionRef?: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the referent. For example "HTTPRoute" or + // "Service". + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the referent. 
+ name!: strings.MaxRunes(253) & strings.MinRunes(1) + } + + // RequestHeaderModifier defines a schema for a filter that + // modifies request + // headers. + // + // Support: Core + requestHeaderModifier?: { + // Add adds the given header(s) (name, value) to the request + // before the action. It appends to any existing values associated + // with the header name. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // add: + // - name: "my-header" + // value: "bar,baz" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: foo,bar,baz + add?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + + // Remove the given header(s) from the HTTP request before the + // action. The + // value of Remove is a list of HTTP header names. Note that the + // header + // names are case-insensitive (see + // https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + // + // Input: + // GET /foo HTTP/1.1 + // my-header1: foo + // my-header2: bar + // my-header3: baz + // + // Config: + // remove: ["my-header1", "my-header3"] + // + // Output: + // GET /foo HTTP/1.1 + // my-header2: bar + remove?: list.MaxItems(16) & [...string] + + // Set overwrites the request with the given header (name, value) + // before the action. 
+ // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // set: + // - name: "my-header" + // value: "bar" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: bar + set?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + } + requestMirror?: { + // BackendRef references a resource where mirrored requests are + // sent. + // + // Mirrored requests must be sent only to a single destination + // endpoint + // within this BackendRef, irrespective of how many endpoints are + // present + // within this BackendRef. + // + // If the referent cannot be found, this BackendRef is invalid and + // must be + // dropped from the Gateway. The controller must ensure the + // "ResolvedRefs" + // condition on the Route status is set to `status: False` and not + // configure + // this backend in the underlying implementation. + // + // If there is a cross-namespace reference to an *existing* object + // that is not allowed by a ReferenceGrant, the controller must + // ensure the + // "ResolvedRefs" condition on the Route is set to `status: + // False`, + // with the "RefNotPermitted" reason and not configure this + // backend in the + // underlying implementation. 
+ // + // In either error case, the Message of the `ResolvedRefs` + // Condition + // should be used to provide more detail about the problem. + // + // Support: Extended for Kubernetes Service + // + // Support: Implementation-specific for any other resource + backendRef!: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. + // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. 
+ // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. + port?: uint16 & >=1 + } + } + + // RequestRedirect defines a schema for a filter that responds to + // the + // request with an HTTP redirection. + // + // Support: Core + requestRedirect?: { + // Hostname is the hostname to be used in the value of the + // `Location` + // header in the response. + // When empty, the hostname in the `Host` header of the request is + // used. + // + // Support: Core + hostname?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Path defines parameters used to modify the path of the incoming + // request. + // The modified path is then used to construct the `Location` + // header. When + // empty, the request path is used as-is. + // + // Support: Extended + path?: { + // ReplaceFullPath specifies the value with which to replace the + // full path + // of a request during a rewrite or redirect. + replaceFullPath?: strings.MaxRunes(1024) + + // ReplacePrefixMatch specifies the value with which to replace + // the prefix + // match of a request during a rewrite or redirect. For example, a + // request + // to "/foo/bar" with a prefix match of "/foo" and a + // ReplacePrefixMatch + // of "/xyz" would be modified to "/xyz/bar". + // + // Note that this matches the behavior of the PathPrefix match + // type. This + // matches full path elements. A path element refers to the list + // of labels + // in the path split by the `/` separator. When specified, a + // trailing `/` is + // ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` + // would all + // match the prefix `/abc`, but the path `/abcd` would not. 
+ // + // ReplacePrefixMatch is only compatible with a `PathPrefix` + // HTTPRouteMatch. + // Using any other HTTPRouteMatch type on the same HTTPRouteRule + // will result in + // the implementation setting the Accepted Condition for the Route + // to `status: False`. + // + // Request Path | Prefix Match | Replace Prefix | Modified Path + replacePrefixMatch?: strings.MaxRunes(1024) + + // Type defines the type of path modifier. Additional types may be + // added in a future release of the API. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + type!: "ReplaceFullPath" | "ReplacePrefixMatch" + } + + // Port is the port to be used in the value of the `Location` + // header in the response. + // + // If no port is specified, the redirect port MUST be derived + // using the + // following rules: + // + // * If redirect scheme is not-empty, the redirect port MUST be + // the well-known + // port associated with the redirect scheme. Specifically "http" + // to port 80 + // and "https" to port 443. If the redirect scheme does not have a + // well-known port, the listener port of the Gateway SHOULD be + // used. + // * If redirect scheme is empty, the redirect port MUST be the + // Gateway + // Listener port. + // + // Implementations SHOULD NOT add the port number in the + // 'Location' + // header in the following cases: + // + // * A Location header that will use HTTP (whether that is + // determined via + // the Listener protocol or the Scheme field) _and_ use port 80. + // * A Location header that will use HTTPS (whether that is + // determined via + // the Listener protocol or the Scheme field) _and_ use port 443. 
+ // + // Support: Extended + port?: uint16 & >=1 + + // Scheme is the scheme to be used in the value of the `Location` + // header in + // the response. When empty, the scheme of the request is used. + // + // Scheme redirects can affect the port of the redirect, for more + // information, + // refer to the documentation for the port field of this filter. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + // + // Support: Extended + scheme?: "http" | "https" + + // StatusCode is the HTTP status code to be used in response. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + // + // Support: Core + statusCode?: (301 | 302) & int | *302 + } + + // ResponseHeaderModifier defines a schema for a filter that + // modifies response + // headers. + // + // Support: Extended + responseHeaderModifier?: { + // Add adds the given header(s) (name, value) to the request + // before the action. It appends to any existing values associated + // with the header name. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // add: + // - name: "my-header" + // value: "bar,baz" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: foo,bar,baz + add?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). 
+ // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + + // Remove the given header(s) from the HTTP request before the + // action. The + // value of Remove is a list of HTTP header names. Note that the + // header + // names are case-insensitive (see + // https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + // + // Input: + // GET /foo HTTP/1.1 + // my-header1: foo + // my-header2: bar + // my-header3: baz + // + // Config: + // remove: ["my-header1", "my-header3"] + // + // Output: + // GET /foo HTTP/1.1 + // my-header2: bar + remove?: list.MaxItems(16) & [...string] + + // Set overwrites the request with the given header (name, value) + // before the action. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // set: + // - name: "my-header" + // value: "bar" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: bar + set?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. 
+ name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + } + + // Type identifies the type of filter to apply. As with other API + // fields, + // types are classified into three conformance levels: + // + // - Core: Filter types and their corresponding configuration + // defined by + // "Support: Core" in this package, e.g. "RequestHeaderModifier". + // All + // implementations must support core filters. + // + // - Extended: Filter types and their corresponding configuration + // defined by + // "Support: Extended" in this package, e.g. "RequestMirror". + // Implementers + // are encouraged to support extended filters. + // + // - Implementation-specific: Filters that are defined and + // supported by + // specific vendors. + // In the future, filters showing convergence in behavior across + // multiple + // implementations will be considered for inclusion in extended or + // core + // conformance levels. Filter-specific configuration for such + // filters + // is specified using the ExtensionRef field. `Type` should be set + // to + // "ExtensionRef" for custom filters. + // + // Implementers are encouraged to define custom implementation + // types to + // extend the core API with implementation-specific behavior. + // + // If a reference to a custom filter type cannot be resolved, the + // filter + // MUST NOT be skipped. Instead, requests that would have been + // processed by + // that filter MUST receive a HTTP error response. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. 
+ type!: "RequestHeaderModifier" | "ResponseHeaderModifier" | "RequestMirror" | "RequestRedirect" | "URLRewrite" | "ExtensionRef" + + // URLRewrite defines a schema for a filter that modifies a + // request during forwarding. + // + // Support: Extended + urlRewrite?: { + // Hostname is the value to be used to replace the Host header + // value during + // forwarding. + // + // Support: Extended + hostname?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Path defines a path rewrite. + // + // Support: Extended + path?: { + // ReplaceFullPath specifies the value with which to replace the + // full path + // of a request during a rewrite or redirect. + replaceFullPath?: strings.MaxRunes(1024) + + // ReplacePrefixMatch specifies the value with which to replace + // the prefix + // match of a request during a rewrite or redirect. For example, a + // request + // to "/foo/bar" with a prefix match of "/foo" and a + // ReplacePrefixMatch + // of "/xyz" would be modified to "/xyz/bar". + // + // Note that this matches the behavior of the PathPrefix match + // type. This + // matches full path elements. A path element refers to the list + // of labels + // in the path split by the `/` separator. When specified, a + // trailing `/` is + // ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` + // would all + // match the prefix `/abc`, but the path `/abcd` would not. + // + // ReplacePrefixMatch is only compatible with a `PathPrefix` + // HTTPRouteMatch. + // Using any other HTTPRouteMatch type on the same HTTPRouteRule + // will result in + // the implementation setting the Accepted Condition for the Route + // to `status: False`. + // + // Request Path | Prefix Match | Replace Prefix | Modified Path + replacePrefixMatch?: strings.MaxRunes(1024) + + // Type defines the type of path modifier. Additional types may be + // added in a future release of the API. 
+ // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + type!: "ReplaceFullPath" | "ReplacePrefixMatch" + } + } + }] + + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. + // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. 
+ // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. + // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. + port?: uint16 & >=1 + + // Weight specifies the proportion of requests forwarded to the + // referenced + // backend. This is computed as weight/(sum of all weights in this + // BackendRefs list). For non-zero values, there may be some + // epsilon from + // the exact proportion defined here depending on the precision an + // implementation supports. Weight is not a percentage and the sum + // of + // weights does not need to equal 100. + // + // If only one backend is specified and it has a weight greater + // than 0, 100% + // of the traffic is forwarded to that backend. If weight is set + // to 0, no + // traffic should be forwarded for this entry. If unspecified, + // weight + // defaults to 1. + // + // Support for this field varies based on the context where used. + weight?: int32 & int & <=1000000 & >=0 | *1 + }] + + // Filters define the filters that are applied to requests that + // match + // this rule. + // + // Wherever possible, implementations SHOULD implement filters in + // the order + // they are specified. + // + // Implementations MAY choose to implement this ordering strictly, + // rejecting + // any combination or order of filters that can not be supported. + // If implementations + // choose a strict interpretation of filter ordering, they MUST + // clearly document + // that behavior. + // + // To reject an invalid combination or order of filters, + // implementations SHOULD + // consider the Route Rules with this configuration invalid. 
If + // all Route Rules + // in a Route are invalid, the entire Route would be considered + // invalid. If only + // a portion of Route Rules are invalid, implementations MUST set + // the + // "PartiallyInvalid" condition for the Route. + // + // Conformance-levels at this level are defined based on the type + // of filter: + // + // - ALL core filters MUST be supported by all implementations. + // - Implementers are encouraged to support extended filters. + // - Implementation-specific custom filters have no API guarantees + // across + // implementations. + // + // Specifying the same filter multiple times is not supported + // unless explicitly + // indicated in the filter. + // + // All filters are expected to be compatible with each other + // except for the + // URLRewrite and RequestRedirect filters, which may not be + // combined. If an + // implementation can not support other combinations of filters, + // they must clearly + // document that limitation. In cases where incompatible or + // unsupported + // filters are specified and cause the `Accepted` condition to be + // set to status + // `False`, implementations may use the `IncompatibleFilters` + // reason to specify + // this configuration error. + // + // Support: Core + filters?: list.MaxItems(16) & [...{ + // ExtensionRef is an optional, implementation-specific extension + // to the + // "filter" behavior. For example, resource "myroutefilter" in + // group + // "networking.example.net"). ExtensionRef MUST NOT be used for + // core and + // extended filters. + // + // This filter can be used multiple times within the same rule. + // + // Support: Implementation-specific + extensionRef?: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the referent. 
For example "HTTPRoute" or + // "Service". + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + } + + // RequestHeaderModifier defines a schema for a filter that + // modifies request + // headers. + // + // Support: Core + requestHeaderModifier?: { + // Add adds the given header(s) (name, value) to the request + // before the action. It appends to any existing values associated + // with the header name. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // add: + // - name: "my-header" + // value: "bar,baz" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: foo,bar,baz + add?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + + // Remove the given header(s) from the HTTP request before the + // action. The + // value of Remove is a list of HTTP header names. Note that the + // header + // names are case-insensitive (see + // https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
+ // + // Input: + // GET /foo HTTP/1.1 + // my-header1: foo + // my-header2: bar + // my-header3: baz + // + // Config: + // remove: ["my-header1", "my-header3"] + // + // Output: + // GET /foo HTTP/1.1 + // my-header2: bar + remove?: list.MaxItems(16) & [...string] + + // Set overwrites the request with the given header (name, value) + // before the action. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // set: + // - name: "my-header" + // value: "bar" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: bar + set?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + } + requestMirror?: { + // BackendRef references a resource where mirrored requests are + // sent. + // + // Mirrored requests must be sent only to a single destination + // endpoint + // within this BackendRef, irrespective of how many endpoints are + // present + // within this BackendRef. + // + // If the referent cannot be found, this BackendRef is invalid and + // must be + // dropped from the Gateway. The controller must ensure the + // "ResolvedRefs" + // condition on the Route status is set to `status: False` and not + // configure + // this backend in the underlying implementation. 
+ // + // If there is a cross-namespace reference to an *existing* object + // that is not allowed by a ReferenceGrant, the controller must + // ensure the + // "ResolvedRefs" condition on the Route is set to `status: + // False`, + // with the "RefNotPermitted" reason and not configure this + // backend in the + // underlying implementation. + // + // In either error case, the Message of the `ResolvedRefs` + // Condition + // should be used to provide more detail about the problem. + // + // Support: Extended for Kubernetes Service + // + // Support: Implementation-specific for any other resource + backendRef!: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. + // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. When unspecified, + // the local + // namespace is inferred. 
+ // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. + // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. + port?: uint16 & >=1 + } + } + + // RequestRedirect defines a schema for a filter that responds to + // the + // request with an HTTP redirection. + // + // Support: Core + requestRedirect?: { + // Hostname is the hostname to be used in the value of the + // `Location` + // header in the response. + // When empty, the hostname in the `Host` header of the request is + // used. + // + // Support: Core + hostname?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Path defines parameters used to modify the path of the incoming + // request. + // The modified path is then used to construct the `Location` + // header. When + // empty, the request path is used as-is. + // + // Support: Extended + path?: { + // ReplaceFullPath specifies the value with which to replace the + // full path + // of a request during a rewrite or redirect. + replaceFullPath?: strings.MaxRunes(1024) + + // ReplacePrefixMatch specifies the value with which to replace + // the prefix + // match of a request during a rewrite or redirect. 
For example, a + // request + // to "/foo/bar" with a prefix match of "/foo" and a + // ReplacePrefixMatch + // of "/xyz" would be modified to "/xyz/bar". + // + // Note that this matches the behavior of the PathPrefix match + // type. This + // matches full path elements. A path element refers to the list + // of labels + // in the path split by the `/` separator. When specified, a + // trailing `/` is + // ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` + // would all + // match the prefix `/abc`, but the path `/abcd` would not. + // + // ReplacePrefixMatch is only compatible with a `PathPrefix` + // HTTPRouteMatch. + // Using any other HTTPRouteMatch type on the same HTTPRouteRule + // will result in + // the implementation setting the Accepted Condition for the Route + // to `status: False`. + // + // Request Path | Prefix Match | Replace Prefix | Modified Path + replacePrefixMatch?: strings.MaxRunes(1024) + + // Type defines the type of path modifier. Additional types may be + // added in a future release of the API. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + type!: "ReplaceFullPath" | "ReplacePrefixMatch" + } + + // Port is the port to be used in the value of the `Location` + // header in the response. + // + // If no port is specified, the redirect port MUST be derived + // using the + // following rules: + // + // * If redirect scheme is not-empty, the redirect port MUST be + // the well-known + // port associated with the redirect scheme. Specifically "http" + // to port 80 + // and "https" to port 443. If the redirect scheme does not have a + // well-known port, the listener port of the Gateway SHOULD be + // used. 
+ // * If redirect scheme is empty, the redirect port MUST be the + // Gateway + // Listener port. + // + // Implementations SHOULD NOT add the port number in the + // 'Location' + // header in the following cases: + // + // * A Location header that will use HTTP (whether that is + // determined via + // the Listener protocol or the Scheme field) _and_ use port 80. + // * A Location header that will use HTTPS (whether that is + // determined via + // the Listener protocol or the Scheme field) _and_ use port 443. + // + // Support: Extended + port?: uint16 & >=1 + + // Scheme is the scheme to be used in the value of the `Location` + // header in + // the response. When empty, the scheme of the request is used. + // + // Scheme redirects can affect the port of the redirect, for more + // information, + // refer to the documentation for the port field of this filter. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + // + // Support: Extended + scheme?: "http" | "https" + + // StatusCode is the HTTP status code to be used in response. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + // + // Support: Core + statusCode?: (301 | 302) & int | *302 + } + + // ResponseHeaderModifier defines a schema for a filter that + // modifies response + // headers. + // + // Support: Extended + responseHeaderModifier?: { + // Add adds the given header(s) (name, value) to the request + // before the action. 
It appends to any existing values associated + // with the header name. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // add: + // - name: "my-header" + // value: "bar,baz" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: foo,bar,baz + add?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + + // Remove the given header(s) from the HTTP request before the + // action. The + // value of Remove is a list of HTTP header names. Note that the + // header + // names are case-insensitive (see + // https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + // + // Input: + // GET /foo HTTP/1.1 + // my-header1: foo + // my-header2: bar + // my-header3: baz + // + // Config: + // remove: ["my-header1", "my-header3"] + // + // Output: + // GET /foo HTTP/1.1 + // my-header2: bar + remove?: list.MaxItems(16) & [...string] + + // Set overwrites the request with the given header (name, value) + // before the action. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // set: + // - name: "my-header" + // value: "bar" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: bar + set?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. 
(See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + } + + // Type identifies the type of filter to apply. As with other API + // fields, + // types are classified into three conformance levels: + // + // - Core: Filter types and their corresponding configuration + // defined by + // "Support: Core" in this package, e.g. "RequestHeaderModifier". + // All + // implementations must support core filters. + // + // - Extended: Filter types and their corresponding configuration + // defined by + // "Support: Extended" in this package, e.g. "RequestMirror". + // Implementers + // are encouraged to support extended filters. + // + // - Implementation-specific: Filters that are defined and + // supported by + // specific vendors. + // In the future, filters showing convergence in behavior across + // multiple + // implementations will be considered for inclusion in extended or + // core + // conformance levels. Filter-specific configuration for such + // filters + // is specified using the ExtensionRef field. `Type` should be set + // to + // "ExtensionRef" for custom filters. + // + // Implementers are encouraged to define custom implementation + // types to + // extend the core API with implementation-specific behavior. + // + // If a reference to a custom filter type cannot be resolved, the + // filter + // MUST NOT be skipped. 
Instead, requests that would have been + // processed by + // that filter MUST receive a HTTP error response. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + type!: "RequestHeaderModifier" | "ResponseHeaderModifier" | "RequestMirror" | "RequestRedirect" | "URLRewrite" | "ExtensionRef" + + // URLRewrite defines a schema for a filter that modifies a + // request during forwarding. + // + // Support: Extended + urlRewrite?: { + // Hostname is the value to be used to replace the Host header + // value during + // forwarding. + // + // Support: Extended + hostname?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Path defines a path rewrite. + // + // Support: Extended + path?: { + // ReplaceFullPath specifies the value with which to replace the + // full path + // of a request during a rewrite or redirect. + replaceFullPath?: strings.MaxRunes(1024) + + // ReplacePrefixMatch specifies the value with which to replace + // the prefix + // match of a request during a rewrite or redirect. For example, a + // request + // to "/foo/bar" with a prefix match of "/foo" and a + // ReplacePrefixMatch + // of "/xyz" would be modified to "/xyz/bar". + // + // Note that this matches the behavior of the PathPrefix match + // type. This + // matches full path elements. A path element refers to the list + // of labels + // in the path split by the `/` separator. When specified, a + // trailing `/` is + // ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` + // would all + // match the prefix `/abc`, but the path `/abcd` would not. + // + // ReplacePrefixMatch is only compatible with a `PathPrefix` + // HTTPRouteMatch. 
+ // Using any other HTTPRouteMatch type on the same HTTPRouteRule + // will result in + // the implementation setting the Accepted Condition for the Route + // to `status: False`. + // + // Request Path | Prefix Match | Replace Prefix | Modified Path + replacePrefixMatch?: strings.MaxRunes(1024) + + // Type defines the type of path modifier. Additional types may be + // added in a future release of the API. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + type!: "ReplaceFullPath" | "ReplacePrefixMatch" + } + } + }] + + // Matches define conditions used for matching the rule against + // incoming + // HTTP requests. Each match is independent, i.e. this rule will + // be matched + // if **any** one of the matches is satisfied. + // + // For example, take the following matches configuration: + // + // ``` + // matches: + // - path: + // value: "/foo" + // headers: + // - name: "version" + // value: "v2" + // - path: + // value: "/v2/foo" + // ``` + // + // For a request to match against this rule, a request must + // satisfy + // EITHER of the two conditions: + // + // - path prefixed with `/foo` AND contains the header `version: + // v2` + // - path prefix of `/v2/foo` + // + // See the documentation for HTTPRouteMatch on how to specify + // multiple + // match conditions that should be ANDed together. + // + // If no matches are specified, the default is a prefix + // path match on "/", which has the effect of matching every + // HTTP request. + // + // Proxy or Load Balancer routing configuration generated from + // HTTPRoutes + // MUST prioritize matches based on the following criteria, + // continuing on + // ties. 
Across all rules specified on applicable Routes, + // precedence must be + // given to the match having: + // + // * "Exact" path match. + // * "Prefix" path match with largest number of characters. + // * Method match. + // * Largest number of header matches. + // * Largest number of query param matches. + // + // Note: The precedence of RegularExpression path matches are + // implementation-specific. + // + // If ties still exist across multiple Routes, matching precedence + // MUST be + // determined in order of the following criteria, continuing on + // ties: + // + // * The oldest Route based on creation timestamp. + // * The Route appearing first in alphabetical order by + // "{namespace}/{name}". + // + // If ties still exist within an HTTPRoute, matching precedence + // MUST be granted + // to the FIRST matching rule (in list order) with a match meeting + // the above + // criteria. + // + // When no rules matching a request have been successfully + // attached to the + // parent a request is coming from, a HTTP 404 status code MUST be + // returned. + matches?: list.MaxItems(64) & [...{ + // Headers specifies HTTP request header matchers. Multiple match + // values are + // ANDed together, meaning, a request must match all the specified + // headers + // to select the route. + headers?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, only the + // first + // entry with an equivalent name MUST be considered for a match. + // Subsequent + // entries with an equivalent header name MUST be ignored. Due to + // the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + // + // When a header is repeated in an HTTP request, it is + // implementation-specific behavior as to how this is represented. 
+ // Generally, proxies should follow the guidance from the RFC: + // https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + // regarding + // processing a repeated header, with special handling for + // "Set-Cookie". + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Type specifies how to match against the value of the header. + // + // Support: Core (Exact) + // + // Support: Implementation-specific (RegularExpression) + // + // Since RegularExpression HeaderMatchType has + // implementation-specific + // conformance, implementations can support POSIX, PCRE or any + // other dialects + // of regular expressions. Please read the implementation's + // documentation to + // determine the supported dialect. + type?: "Exact" | "RegularExpression" | *"Exact" + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + + // Method specifies HTTP method matcher. + // When specified, this route will be matched only if the request + // has the + // specified method. + // + // Support: Extended + method?: "GET" | "HEAD" | "POST" | "PUT" | "DELETE" | "CONNECT" | "OPTIONS" | "TRACE" | "PATCH" + + // Path specifies a HTTP request path matcher. If this field is + // not + // specified, a default prefix match on the "/" path is provided. + path?: { + // Type specifies how to match against the path Value. + // + // Support: Core (Exact, PathPrefix) + // + // Support: Implementation-specific (RegularExpression) + type?: "Exact" | "PathPrefix" | "RegularExpression" | *"PathPrefix" + + // Value of the HTTP path to match against. + value?: strings.MaxRunes(1024) | *"/" + } | *{ + type: "PathPrefix" + value: "/" + } + + // QueryParams specifies HTTP query parameter matchers. Multiple + // match + // values are ANDed together, meaning, a request must match all + // the + // specified query parameters to select the route. 
+ // + // Support: Extended + queryParams?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP query param to be matched. This + // must be an + // exact string match. (See + // https://tools.ietf.org/html/rfc7230#section-2.7.3). + // + // If multiple entries specify equivalent query param names, only + // the first + // entry with an equivalent name MUST be considered for a match. + // Subsequent + // entries with an equivalent query param name MUST be ignored. + // + // If a query param is repeated in an HTTP request, the behavior + // is + // purposely left undefined, since different data planes have + // different + // capabilities. However, it is *recommended* that implementations + // should + // match against the first value of the param if the data plane + // supports it, + // as this behavior is expected in other load balancing contexts + // outside of + // the Gateway API. + // + // Users SHOULD NOT route traffic based on repeated query params + // to guard + // themselves against potential differences in the + // implementations. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Type specifies how to match against the value of the query + // parameter. + // + // Support: Extended (Exact) + // + // Support: Implementation-specific (RegularExpression) + // + // Since RegularExpression QueryParamMatchType has + // Implementation-specific + // conformance, implementations can support POSIX, PCRE or any + // other + // dialects of regular expressions. Please read the + // implementation's + // documentation to determine the supported dialect. + type?: "Exact" | "RegularExpression" | *"Exact" + + // Value is the value of HTTP query param to be matched. + value!: strings.MaxRunes(1024) & strings.MinRunes(1) + }] + }] | *[{ + path: { + type: "PathPrefix" + value: "/" + } + }] + + // Timeouts defines the timeouts that can be configured for an + // HTTP request. 
+ // + // Support: Extended + timeouts?: { + // BackendRequest specifies a timeout for an individual request + // from the gateway + // to a backend. This covers the time from when the request first + // starts being + // sent from the gateway to when the full response has been + // received from the backend. + // + // Setting a timeout to the zero duration (e.g. "0s") SHOULD + // disable the timeout + // completely. Implementations that cannot completely disable the + // timeout MUST + // instead interpret the zero duration as the longest possible + // value to which + // the timeout can be set. + // + // An entire client HTTP transaction with a gateway, covered by + // the Request timeout, + // may result in more than one call from the gateway to the + // destination backend, + // for example, if automatic retries are supported. + // + // The value of BackendRequest must be a Gateway API Duration + // string as defined by + // GEP-2257. When this field is unspecified, its behavior is + // implementation-specific; + // when specified, the value of BackendRequest must be no more + // than the value of the + // Request timeout (since the Request timeout encompasses the + // BackendRequest timeout). + // + // Support: Extended + backendRequest?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // Request specifies the maximum duration for a gateway to respond + // to an HTTP request. + // If the gateway has not been able to respond before this + // deadline is met, the gateway + // MUST return a timeout error. + // + // For example, setting the `rules.timeouts.request` field to the + // value `10s` in an + // `HTTPRoute` will cause a timeout if a client request is taking + // longer than 10 seconds + // to complete. + // + // Setting a timeout to the zero duration (e.g. "0s") SHOULD + // disable the timeout + // completely. 
Implementations that cannot completely disable the + // timeout MUST + // instead interpret the zero duration as the longest possible + // value to which + // the timeout can be set. + // + // This timeout is intended to cover as close to the whole + // request-response transaction + // as possible although an implementation MAY choose to start the + // timeout after the entire + // request stream has been received instead of immediately after + // the transaction is + // initiated by the client. + // + // The value of Request is a Gateway API Duration string as + // defined by GEP-2257. When this + // field is unspecified, request timeout behavior is + // implementation-specific. + // + // Support: Extended + request?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + } + }] | *[{ + matches: [{ + path: { + type: "PathPrefix" + value: "/" + } + }] + }] +} diff --git a/k8s/timoni/codebattle/cue.mod/gen/gateway.networking.k8s.io/httproute/v1beta1/types_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/gateway.networking.k8s.io/httproute/v1beta1/types_gen.cue new file mode 100644 index 000000000..cd8d75954 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/gateway.networking.k8s.io/httproute/v1beta1/types_gen.cue 
@@ -0,0 +1,2001 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/standard-install.yaml + +package v1beta1 + +import ( + "strings" + "list" +) + +// HTTPRoute provides a way to route HTTP requests. This includes +// the capability +// to match requests by hostname, path, header, or query param. +// Filters can be +// used to specify additional processing steps. Backends specify +// where matching +// requests should be routed. +#HTTPRoute: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "gateway.networking.k8s.io/v1beta1" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "HTTPRoute" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Spec defines the desired state of HTTPRoute. + spec!: #HTTPRouteSpec +} + +// Spec defines the desired state of HTTPRoute. +#HTTPRouteSpec: { + // Hostnames defines a set of hostnames that should match against + // the HTTP Host + // header to select a HTTPRoute used to process the request. 
+ // Implementations + // MUST ignore any port value specified in the HTTP Host header + // while + // performing a match and (absent of any applicable header + // modification + // configuration) MUST forward this header unmodified to the + // backend. + // + // Valid values for Hostnames are determined by RFC 1123 + // definition of a + // hostname with 2 notable exceptions: + // + // 1. IPs are not allowed. + // 2. A hostname may be prefixed with a wildcard label (`*.`). The + // wildcard + // label must appear by itself as the first label. + // + // If a hostname is specified by both the Listener and HTTPRoute, + // there + // must be at least one intersecting hostname for the HTTPRoute to + // be + // attached to the Listener. For example: + // + // * A Listener with `test.example.com` as the hostname matches + // HTTPRoutes + // that have either not specified any hostnames, or have specified + // at + // least one of `test.example.com` or `*.example.com`. + // * A Listener with `*.example.com` as the hostname matches + // HTTPRoutes + // that have either not specified any hostnames or have specified + // at least + // one hostname that matches the Listener hostname. For example, + // `*.example.com`, `test.example.com`, and `foo.test.example.com` + // would + // all match. On the other hand, `example.com` and + // `test.example.net` would + // not match. + // + // Hostnames that are prefixed with a wildcard label (`*.`) are + // interpreted + // as a suffix match. That means that a match for `*.example.com` + // would match + // both `test.example.com`, and `foo.test.example.com`, but not + // `example.com`. + // + // If both the Listener and HTTPRoute have specified hostnames, + // any + // HTTPRoute hostnames that do not match the Listener hostname + // MUST be + // ignored. 
For example, if a Listener specified `*.example.com`, + // and the + // HTTPRoute specified `test.example.com` and `test.example.net`, + // `test.example.net` must not be considered for a match. + // + // If both the Listener and HTTPRoute have specified hostnames, + // and none + // match with the criteria above, then the HTTPRoute is not + // accepted. The + // implementation must raise an 'Accepted' Condition with a status + // of + // `False` in the corresponding RouteParentStatus. + // + // In the event that multiple HTTPRoutes specify intersecting + // hostnames (e.g. + // overlapping wildcard matching and exact matching hostnames), + // precedence must + // be given to rules from the HTTPRoute with the largest number + // of: + // + // * Characters in a matching non-wildcard hostname. + // * Characters in a matching hostname. + // + // If ties exist across multiple Routes, the matching precedence + // rules for + // HTTPRouteMatches takes over. + // + // Support: Core + hostnames?: list.MaxItems(16) & [...strings.MaxRunes(253) & strings.MinRunes(1) & =~"^(\\*\\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"] + + // ParentRefs references the resources (usually Gateways) that a + // Route wants + // to be attached to. Note that the referenced parent resource + // needs to + // allow this for the attachment to be complete. For Gateways, + // that means + // the Gateway needs to allow attachment from Routes of this kind + // and + // namespace. For Services, that means the Service must either be + // in the same + // namespace for a "producer" route, or the mesh implementation + // must support + // and allow "consumer" routes for the referenced Service. + // ReferenceGrant is + // not applicable for governing ParentRefs to Services - it is not + // possible to + // create a "producer" route for a Service in a different + // namespace from the + // Route. 
+ // + // There are two kinds of parent resources with "Core" support: + // + // * Gateway (Gateway conformance profile) + // * Service (Mesh conformance profile, ClusterIP Services only) + // + // This API may be extended in the future to support additional + // kinds of parent + // resources. + // + // ParentRefs must be _distinct_. This means either that: + // + // * They select different objects. If this is the case, then + // parentRef + // entries are distinct. In terms of fields, this means that the + // multi-part key defined by `group`, `kind`, `namespace`, and + // `name` must + // be unique across all parentRef entries in the Route. + // * They do not select different objects, but for each optional + // field used, + // each ParentRef that selects the same object must set the same + // set of + // optional fields to different values. If one ParentRef sets a + // combination of optional fields, all must set the same + // combination. + // + // Some examples: + // + // * If one ParentRef sets `sectionName`, all ParentRefs + // referencing the + // same object must also set `sectionName`. + // * If one ParentRef sets `port`, all ParentRefs referencing the + // same + // object must also set `port`. + // * If one ParentRef sets `sectionName` and `port`, all + // ParentRefs + // referencing the same object must also set `sectionName` and + // `port`. + // + // It is possible to separately reference multiple distinct + // objects that may + // be collapsed by an implementation. For example, some + // implementations may + // choose to merge compatible Gateway Listeners together. If that + // is the + // case, the list of routes attached to those resources should + // also be + // merged. + // + // Note that for ParentRefs that cross namespace boundaries, there + // are specific + // rules. Cross-namespace references are only valid if they are + // explicitly + // allowed by something in the namespace they are referring to. 
+ // For example, + // Gateway has the AllowedRoutes field, and ReferenceGrant + // provides a + // generic way to enable other kinds of cross-namespace reference. + parentRefs?: list.MaxItems(32) & [...{ + // Group is the group of the referent. + // When unspecified, "gateway.networking.k8s.io" is inferred. + // To set the core API group (such as for a "Service" kind + // referent), + // Group must be explicitly set to "" (empty string). + // + // Support: Core + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"gateway.networking.k8s.io" + + // Kind is kind of the referent. + // + // There are two kinds of parent resources with "Core" support: + // + // * Gateway (Gateway conformance profile) + // * Service (Mesh conformance profile, ClusterIP Services only) + // + // Support for other resources is Implementation-Specific. + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Gateway" + + // Name is the name of the referent. + // + // Support: Core + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the referent. When unspecified, + // this refers + // to the local namespace of the Route. + // + // Note that there are specific rules for ParentRefs which cross + // namespace + // boundaries. Cross-namespace references are only valid if they + // are explicitly + // allowed by something in the namespace they are referring to. + // For example: + // Gateway has the AllowedRoutes field, and ReferenceGrant + // provides a + // generic way to enable any other kind of cross-namespace + // reference. + // + // + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port is the network port this Route targets. It can be + // interpreted + // differently based on the type of parent resource. 
+ // + // When the parent resource is a Gateway, this targets all + // listeners + // listening on the specified port that also support this kind of + // Route(and + // select this Route). It's not recommended to set `Port` unless + // the + // networking behaviors specified in a Route must apply to a + // specific port + // as opposed to a listener(s) whose port(s) may be changed. When + // both Port + // and SectionName are specified, the name and port of the + // selected listener + // must match both specified values. + // + // + // + // Implementations MAY choose to support other parent resources. + // Implementations supporting other types of parent resources MUST + // clearly + // document how/if Port is interpreted. + // + // For the purpose of status, an attachment is considered + // successful as + // long as the parent resource accepts it partially. For example, + // Gateway + // listeners can restrict which Routes can attach to them by Route + // kind, + // namespace, or hostname. If 1 of 2 Gateway listeners accept + // attachment + // from the referencing Route, the Route MUST be considered + // successfully + // attached. If no Gateway listeners accept attachment from this + // Route, + // the Route MUST be considered detached from the Gateway. + // + // Support: Extended + port?: uint16 & >=1 + + // SectionName is the name of a section within the target + // resource. In the + // following resources, SectionName is interpreted as the + // following: + // + // * Gateway: Listener name. When both Port (experimental) and + // SectionName + // are specified, the name and port of the selected listener must + // match + // both specified values. + // * Service: Port name. When both Port (experimental) and + // SectionName + // are specified, the name and port of the selected listener must + // match + // both specified values. + // + // Implementations MAY choose to support attaching Routes to other + // resources. 
+ // If that is the case, they MUST clearly document how SectionName + // is + // interpreted. + // + // When unspecified (empty string), this will reference the entire + // resource. + // For the purpose of status, an attachment is considered + // successful if at + // least one section in the parent resource accepts it. For + // example, Gateway + // listeners can restrict which Routes can attach to them by Route + // kind, + // namespace, or hostname. If 1 of 2 Gateway listeners accept + // attachment from + // the referencing Route, the Route MUST be considered + // successfully + // attached. If no Gateway listeners accept attachment from this + // Route, the + // Route MUST be considered detached from the Gateway. + // + // Support: Core + sectionName?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + }] + + // Rules are a list of HTTP matchers, filters and actions. + rules?: list.MaxItems(16) & [...{ + // BackendRefs defines the backend(s) where matching requests + // should be + // sent. + // + // Failure behavior here depends on how many BackendRefs are + // specified and + // how many are invalid. + // + // If *all* entries in BackendRefs are invalid, and there are also + // no filters + // specified in this route rule, *all* traffic which matches this + // rule MUST + // receive a 500 status code. + // + // See the HTTPBackendRef definition for the rules about what + // makes a single + // HTTPBackendRef invalid. + // + // When a HTTPBackendRef is invalid, 500 status codes MUST be + // returned for + // requests that would have otherwise been routed to an invalid + // backend. If + // multiple backends are specified, and some are invalid, the + // proportion of + // requests that would otherwise have been routed to an invalid + // backend + // MUST receive a 500 status code. 
+ // + // For example, if two backends are specified with equal weights, + // and one is + // invalid, 50 percent of traffic must receive a 500. + // Implementations may + // choose how that 50 percent is determined. + // + // When a HTTPBackendRef refers to a Service that has no ready + // endpoints, + // implementations SHOULD return a 503 for requests to that + // backend instead. + // If an implementation chooses to do this, all of the above rules + // for 500 responses + // MUST also apply for responses that return a 503. + // + // Support: Core for Kubernetes Service + // + // Support: Extended for Kubernetes ServiceImport + // + // Support: Implementation-specific for any other resource + // + // Support for weight: Core + backendRefs?: list.MaxItems(16) & [...{ + // Filters defined at this level should be executed if and only if + // the + // request is being forwarded to the backend defined here. + // + // Support: Implementation-specific (For broader support of + // filters, use the + // Filters field in HTTPRouteRule.) + filters?: list.MaxItems(16) & [...{ + // ExtensionRef is an optional, implementation-specific extension + // to the + // "filter" behavior. For example, resource "myroutefilter" in + // group + // "networking.example.net"). ExtensionRef MUST NOT be used for + // core and + // extended filters. + // + // This filter can be used multiple times within the same rule. + // + // Support: Implementation-specific + extensionRef?: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the referent. For example "HTTPRoute" or + // "Service". + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the referent. 
+ name!: strings.MaxRunes(253) & strings.MinRunes(1) + } + + // RequestHeaderModifier defines a schema for a filter that + // modifies request + // headers. + // + // Support: Core + requestHeaderModifier?: { + // Add adds the given header(s) (name, value) to the request + // before the action. It appends to any existing values associated + // with the header name. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // add: + // - name: "my-header" + // value: "bar,baz" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: foo,bar,baz + add?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + + // Remove the given header(s) from the HTTP request before the + // action. The + // value of Remove is a list of HTTP header names. Note that the + // header + // names are case-insensitive (see + // https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + // + // Input: + // GET /foo HTTP/1.1 + // my-header1: foo + // my-header2: bar + // my-header3: baz + // + // Config: + // remove: ["my-header1", "my-header3"] + // + // Output: + // GET /foo HTTP/1.1 + // my-header2: bar + remove?: list.MaxItems(16) & [...string] + + // Set overwrites the request with the given header (name, value) + // before the action. 
+ // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // set: + // - name: "my-header" + // value: "bar" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: bar + set?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + } + requestMirror?: { + // BackendRef references a resource where mirrored requests are + // sent. + // + // Mirrored requests must be sent only to a single destination + // endpoint + // within this BackendRef, irrespective of how many endpoints are + // present + // within this BackendRef. + // + // If the referent cannot be found, this BackendRef is invalid and + // must be + // dropped from the Gateway. The controller must ensure the + // "ResolvedRefs" + // condition on the Route status is set to `status: False` and not + // configure + // this backend in the underlying implementation. + // + // If there is a cross-namespace reference to an *existing* object + // that is not allowed by a ReferenceGrant, the controller must + // ensure the + // "ResolvedRefs" condition on the Route is set to `status: + // False`, + // with the "RefNotPermitted" reason and not configure this + // backend in the + // underlying implementation. 
+ // + // In either error case, the Message of the `ResolvedRefs` + // Condition + // should be used to provide more detail about the problem. + // + // Support: Extended for Kubernetes Service + // + // Support: Implementation-specific for any other resource + backendRef!: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. + // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. 
+ // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. + port?: uint16 & >=1 + } + } + + // RequestRedirect defines a schema for a filter that responds to + // the + // request with an HTTP redirection. + // + // Support: Core + requestRedirect?: { + // Hostname is the hostname to be used in the value of the + // `Location` + // header in the response. + // When empty, the hostname in the `Host` header of the request is + // used. + // + // Support: Core + hostname?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Path defines parameters used to modify the path of the incoming + // request. + // The modified path is then used to construct the `Location` + // header. When + // empty, the request path is used as-is. + // + // Support: Extended + path?: { + // ReplaceFullPath specifies the value with which to replace the + // full path + // of a request during a rewrite or redirect. + replaceFullPath?: strings.MaxRunes(1024) + + // ReplacePrefixMatch specifies the value with which to replace + // the prefix + // match of a request during a rewrite or redirect. For example, a + // request + // to "/foo/bar" with a prefix match of "/foo" and a + // ReplacePrefixMatch + // of "/xyz" would be modified to "/xyz/bar". + // + // Note that this matches the behavior of the PathPrefix match + // type. This + // matches full path elements. A path element refers to the list + // of labels + // in the path split by the `/` separator. When specified, a + // trailing `/` is + // ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` + // would all + // match the prefix `/abc`, but the path `/abcd` would not. 
+ // + // ReplacePrefixMatch is only compatible with a `PathPrefix` + // HTTPRouteMatch. + // Using any other HTTPRouteMatch type on the same HTTPRouteRule + // will result in + // the implementation setting the Accepted Condition for the Route + // to `status: False`. + // + // Request Path | Prefix Match | Replace Prefix | Modified Path + replacePrefixMatch?: strings.MaxRunes(1024) + + // Type defines the type of path modifier. Additional types may be + // added in a future release of the API. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + type!: "ReplaceFullPath" | "ReplacePrefixMatch" + } + + // Port is the port to be used in the value of the `Location` + // header in the response. + // + // If no port is specified, the redirect port MUST be derived + // using the + // following rules: + // + // * If redirect scheme is not-empty, the redirect port MUST be + // the well-known + // port associated with the redirect scheme. Specifically "http" + // to port 80 + // and "https" to port 443. If the redirect scheme does not have a + // well-known port, the listener port of the Gateway SHOULD be + // used. + // * If redirect scheme is empty, the redirect port MUST be the + // Gateway + // Listener port. + // + // Implementations SHOULD NOT add the port number in the + // 'Location' + // header in the following cases: + // + // * A Location header that will use HTTP (whether that is + // determined via + // the Listener protocol or the Scheme field) _and_ use port 80. + // * A Location header that will use HTTPS (whether that is + // determined via + // the Listener protocol or the Scheme field) _and_ use port 443. 
+ // + // Support: Extended + port?: uint16 & >=1 + + // Scheme is the scheme to be used in the value of the `Location` + // header in + // the response. When empty, the scheme of the request is used. + // + // Scheme redirects can affect the port of the redirect, for more + // information, + // refer to the documentation for the port field of this filter. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + // + // Support: Extended + scheme?: "http" | "https" + + // StatusCode is the HTTP status code to be used in response. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + // + // Support: Core + statusCode?: (301 | 302) & int | *302 + } + + // ResponseHeaderModifier defines a schema for a filter that + // modifies response + // headers. + // + // Support: Extended + responseHeaderModifier?: { + // Add adds the given header(s) (name, value) to the request + // before the action. It appends to any existing values associated + // with the header name. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // add: + // - name: "my-header" + // value: "bar,baz" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: foo,bar,baz + add?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). 
+ // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + + // Remove the given header(s) from the HTTP request before the + // action. The + // value of Remove is a list of HTTP header names. Note that the + // header + // names are case-insensitive (see + // https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + // + // Input: + // GET /foo HTTP/1.1 + // my-header1: foo + // my-header2: bar + // my-header3: baz + // + // Config: + // remove: ["my-header1", "my-header3"] + // + // Output: + // GET /foo HTTP/1.1 + // my-header2: bar + remove?: list.MaxItems(16) & [...string] + + // Set overwrites the request with the given header (name, value) + // before the action. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // set: + // - name: "my-header" + // value: "bar" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: bar + set?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. 
+ name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + } + + // Type identifies the type of filter to apply. As with other API + // fields, + // types are classified into three conformance levels: + // + // - Core: Filter types and their corresponding configuration + // defined by + // "Support: Core" in this package, e.g. "RequestHeaderModifier". + // All + // implementations must support core filters. + // + // - Extended: Filter types and their corresponding configuration + // defined by + // "Support: Extended" in this package, e.g. "RequestMirror". + // Implementers + // are encouraged to support extended filters. + // + // - Implementation-specific: Filters that are defined and + // supported by + // specific vendors. + // In the future, filters showing convergence in behavior across + // multiple + // implementations will be considered for inclusion in extended or + // core + // conformance levels. Filter-specific configuration for such + // filters + // is specified using the ExtensionRef field. `Type` should be set + // to + // "ExtensionRef" for custom filters. + // + // Implementers are encouraged to define custom implementation + // types to + // extend the core API with implementation-specific behavior. + // + // If a reference to a custom filter type cannot be resolved, the + // filter + // MUST NOT be skipped. Instead, requests that would have been + // processed by + // that filter MUST receive a HTTP error response. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. 
+ type!: "RequestHeaderModifier" | "ResponseHeaderModifier" | "RequestMirror" | "RequestRedirect" | "URLRewrite" | "ExtensionRef" + + // URLRewrite defines a schema for a filter that modifies a + // request during forwarding. + // + // Support: Extended + urlRewrite?: { + // Hostname is the value to be used to replace the Host header + // value during + // forwarding. + // + // Support: Extended + hostname?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Path defines a path rewrite. + // + // Support: Extended + path?: { + // ReplaceFullPath specifies the value with which to replace the + // full path + // of a request during a rewrite or redirect. + replaceFullPath?: strings.MaxRunes(1024) + + // ReplacePrefixMatch specifies the value with which to replace + // the prefix + // match of a request during a rewrite or redirect. For example, a + // request + // to "/foo/bar" with a prefix match of "/foo" and a + // ReplacePrefixMatch + // of "/xyz" would be modified to "/xyz/bar". + // + // Note that this matches the behavior of the PathPrefix match + // type. This + // matches full path elements. A path element refers to the list + // of labels + // in the path split by the `/` separator. When specified, a + // trailing `/` is + // ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` + // would all + // match the prefix `/abc`, but the path `/abcd` would not. + // + // ReplacePrefixMatch is only compatible with a `PathPrefix` + // HTTPRouteMatch. + // Using any other HTTPRouteMatch type on the same HTTPRouteRule + // will result in + // the implementation setting the Accepted Condition for the Route + // to `status: False`. + // + // Request Path | Prefix Match | Replace Prefix | Modified Path + replacePrefixMatch?: strings.MaxRunes(1024) + + // Type defines the type of path modifier. Additional types may be + // added in a future release of the API. 
+ // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + type!: "ReplaceFullPath" | "ReplacePrefixMatch" + } + } + }] + + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. + // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. 
+ // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. + // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. + port?: uint16 & >=1 + + // Weight specifies the proportion of requests forwarded to the + // referenced + // backend. This is computed as weight/(sum of all weights in this + // BackendRefs list). For non-zero values, there may be some + // epsilon from + // the exact proportion defined here depending on the precision an + // implementation supports. Weight is not a percentage and the sum + // of + // weights does not need to equal 100. + // + // If only one backend is specified and it has a weight greater + // than 0, 100% + // of the traffic is forwarded to that backend. If weight is set + // to 0, no + // traffic should be forwarded for this entry. If unspecified, + // weight + // defaults to 1. + // + // Support for this field varies based on the context where used. + weight?: int32 & int & <=1000000 & >=0 | *1 + }] + + // Filters define the filters that are applied to requests that + // match + // this rule. + // + // Wherever possible, implementations SHOULD implement filters in + // the order + // they are specified. + // + // Implementations MAY choose to implement this ordering strictly, + // rejecting + // any combination or order of filters that can not be supported. + // If implementations + // choose a strict interpretation of filter ordering, they MUST + // clearly document + // that behavior. + // + // To reject an invalid combination or order of filters, + // implementations SHOULD + // consider the Route Rules with this configuration invalid. 
If + // all Route Rules + // in a Route are invalid, the entire Route would be considered + // invalid. If only + // a portion of Route Rules are invalid, implementations MUST set + // the + // "PartiallyInvalid" condition for the Route. + // + // Conformance-levels at this level are defined based on the type + // of filter: + // + // - ALL core filters MUST be supported by all implementations. + // - Implementers are encouraged to support extended filters. + // - Implementation-specific custom filters have no API guarantees + // across + // implementations. + // + // Specifying the same filter multiple times is not supported + // unless explicitly + // indicated in the filter. + // + // All filters are expected to be compatible with each other + // except for the + // URLRewrite and RequestRedirect filters, which may not be + // combined. If an + // implementation can not support other combinations of filters, + // they must clearly + // document that limitation. In cases where incompatible or + // unsupported + // filters are specified and cause the `Accepted` condition to be + // set to status + // `False`, implementations may use the `IncompatibleFilters` + // reason to specify + // this configuration error. + // + // Support: Core + filters?: list.MaxItems(16) & [...{ + // ExtensionRef is an optional, implementation-specific extension + // to the + // "filter" behavior. For example, resource "myroutefilter" in + // group + // "networking.example.net"). ExtensionRef MUST NOT be used for + // core and + // extended filters. + // + // This filter can be used multiple times within the same rule. + // + // Support: Implementation-specific + extensionRef?: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the referent. 
For example "HTTPRoute" or + // "Service". + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + } + + // RequestHeaderModifier defines a schema for a filter that + // modifies request + // headers. + // + // Support: Core + requestHeaderModifier?: { + // Add adds the given header(s) (name, value) to the request + // before the action. It appends to any existing values associated + // with the header name. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // add: + // - name: "my-header" + // value: "bar,baz" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: foo,bar,baz + add?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + + // Remove the given header(s) from the HTTP request before the + // action. The + // value of Remove is a list of HTTP header names. Note that the + // header + // names are case-insensitive (see + // https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
+ // + // Input: + // GET /foo HTTP/1.1 + // my-header1: foo + // my-header2: bar + // my-header3: baz + // + // Config: + // remove: ["my-header1", "my-header3"] + // + // Output: + // GET /foo HTTP/1.1 + // my-header2: bar + remove?: list.MaxItems(16) & [...string] + + // Set overwrites the request with the given header (name, value) + // before the action. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // set: + // - name: "my-header" + // value: "bar" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: bar + set?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + } + requestMirror?: { + // BackendRef references a resource where mirrored requests are + // sent. + // + // Mirrored requests must be sent only to a single destination + // endpoint + // within this BackendRef, irrespective of how many endpoints are + // present + // within this BackendRef. + // + // If the referent cannot be found, this BackendRef is invalid and + // must be + // dropped from the Gateway. The controller must ensure the + // "ResolvedRefs" + // condition on the Route status is set to `status: False` and not + // configure + // this backend in the underlying implementation. 
+ // + // If there is a cross-namespace reference to an *existing* object + // that is not allowed by a ReferenceGrant, the controller must + // ensure the + // "ResolvedRefs" condition on the Route is set to `status: + // False`, + // with the "RefNotPermitted" reason and not configure this + // backend in the + // underlying implementation. + // + // In either error case, the Message of the `ResolvedRefs` + // Condition + // should be used to provide more detail about the problem. + // + // Support: Extended for Kubernetes Service + // + // Support: Implementation-specific for any other resource + backendRef!: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. + // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. When unspecified, + // the local + // namespace is inferred. 
+ // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. + // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. + port?: uint16 & >=1 + } + } + + // RequestRedirect defines a schema for a filter that responds to + // the + // request with an HTTP redirection. + // + // Support: Core + requestRedirect?: { + // Hostname is the hostname to be used in the value of the + // `Location` + // header in the response. + // When empty, the hostname in the `Host` header of the request is + // used. + // + // Support: Core + hostname?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Path defines parameters used to modify the path of the incoming + // request. + // The modified path is then used to construct the `Location` + // header. When + // empty, the request path is used as-is. + // + // Support: Extended + path?: { + // ReplaceFullPath specifies the value with which to replace the + // full path + // of a request during a rewrite or redirect. + replaceFullPath?: strings.MaxRunes(1024) + + // ReplacePrefixMatch specifies the value with which to replace + // the prefix + // match of a request during a rewrite or redirect. 
For example, a + // request + // to "/foo/bar" with a prefix match of "/foo" and a + // ReplacePrefixMatch + // of "/xyz" would be modified to "/xyz/bar". + // + // Note that this matches the behavior of the PathPrefix match + // type. This + // matches full path elements. A path element refers to the list + // of labels + // in the path split by the `/` separator. When specified, a + // trailing `/` is + // ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` + // would all + // match the prefix `/abc`, but the path `/abcd` would not. + // + // ReplacePrefixMatch is only compatible with a `PathPrefix` + // HTTPRouteMatch. + // Using any other HTTPRouteMatch type on the same HTTPRouteRule + // will result in + // the implementation setting the Accepted Condition for the Route + // to `status: False`. + // + // Request Path | Prefix Match | Replace Prefix | Modified Path + replacePrefixMatch?: strings.MaxRunes(1024) + + // Type defines the type of path modifier. Additional types may be + // added in a future release of the API. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + type!: "ReplaceFullPath" | "ReplacePrefixMatch" + } + + // Port is the port to be used in the value of the `Location` + // header in the response. + // + // If no port is specified, the redirect port MUST be derived + // using the + // following rules: + // + // * If redirect scheme is not-empty, the redirect port MUST be + // the well-known + // port associated with the redirect scheme. Specifically "http" + // to port 80 + // and "https" to port 443. If the redirect scheme does not have a + // well-known port, the listener port of the Gateway SHOULD be + // used. 
+ // * If redirect scheme is empty, the redirect port MUST be the + // Gateway + // Listener port. + // + // Implementations SHOULD NOT add the port number in the + // 'Location' + // header in the following cases: + // + // * A Location header that will use HTTP (whether that is + // determined via + // the Listener protocol or the Scheme field) _and_ use port 80. + // * A Location header that will use HTTPS (whether that is + // determined via + // the Listener protocol or the Scheme field) _and_ use port 443. + // + // Support: Extended + port?: uint16 & >=1 + + // Scheme is the scheme to be used in the value of the `Location` + // header in + // the response. When empty, the scheme of the request is used. + // + // Scheme redirects can affect the port of the redirect, for more + // information, + // refer to the documentation for the port field of this filter. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + // + // Support: Extended + scheme?: "http" | "https" + + // StatusCode is the HTTP status code to be used in response. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + // + // Support: Core + statusCode?: (301 | 302) & int | *302 + } + + // ResponseHeaderModifier defines a schema for a filter that + // modifies response + // headers. + // + // Support: Extended + responseHeaderModifier?: { + // Add adds the given header(s) (name, value) to the request + // before the action. 
It appends to any existing values associated + // with the header name. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // add: + // - name: "my-header" + // value: "bar,baz" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: foo,bar,baz + add?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + + // Remove the given header(s) from the HTTP request before the + // action. The + // value of Remove is a list of HTTP header names. Note that the + // header + // names are case-insensitive (see + // https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + // + // Input: + // GET /foo HTTP/1.1 + // my-header1: foo + // my-header2: bar + // my-header3: baz + // + // Config: + // remove: ["my-header1", "my-header3"] + // + // Output: + // GET /foo HTTP/1.1 + // my-header2: bar + remove?: list.MaxItems(16) & [...string] + + // Set overwrites the request with the given header (name, value) + // before the action. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // set: + // - name: "my-header" + // value: "bar" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: bar + set?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. 
(See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + } + + // Type identifies the type of filter to apply. As with other API + // fields, + // types are classified into three conformance levels: + // + // - Core: Filter types and their corresponding configuration + // defined by + // "Support: Core" in this package, e.g. "RequestHeaderModifier". + // All + // implementations must support core filters. + // + // - Extended: Filter types and their corresponding configuration + // defined by + // "Support: Extended" in this package, e.g. "RequestMirror". + // Implementers + // are encouraged to support extended filters. + // + // - Implementation-specific: Filters that are defined and + // supported by + // specific vendors. + // In the future, filters showing convergence in behavior across + // multiple + // implementations will be considered for inclusion in extended or + // core + // conformance levels. Filter-specific configuration for such + // filters + // is specified using the ExtensionRef field. `Type` should be set + // to + // "ExtensionRef" for custom filters. + // + // Implementers are encouraged to define custom implementation + // types to + // extend the core API with implementation-specific behavior. + // + // If a reference to a custom filter type cannot be resolved, the + // filter + // MUST NOT be skipped. 
Instead, requests that would have been + // processed by + // that filter MUST receive a HTTP error response. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + type!: "RequestHeaderModifier" | "ResponseHeaderModifier" | "RequestMirror" | "RequestRedirect" | "URLRewrite" | "ExtensionRef" + + // URLRewrite defines a schema for a filter that modifies a + // request during forwarding. + // + // Support: Extended + urlRewrite?: { + // Hostname is the value to be used to replace the Host header + // value during + // forwarding. + // + // Support: Extended + hostname?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Path defines a path rewrite. + // + // Support: Extended + path?: { + // ReplaceFullPath specifies the value with which to replace the + // full path + // of a request during a rewrite or redirect. + replaceFullPath?: strings.MaxRunes(1024) + + // ReplacePrefixMatch specifies the value with which to replace + // the prefix + // match of a request during a rewrite or redirect. For example, a + // request + // to "/foo/bar" with a prefix match of "/foo" and a + // ReplacePrefixMatch + // of "/xyz" would be modified to "/xyz/bar". + // + // Note that this matches the behavior of the PathPrefix match + // type. This + // matches full path elements. A path element refers to the list + // of labels + // in the path split by the `/` separator. When specified, a + // trailing `/` is + // ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` + // would all + // match the prefix `/abc`, but the path `/abcd` would not. + // + // ReplacePrefixMatch is only compatible with a `PathPrefix` + // HTTPRouteMatch. 
+ // Using any other HTTPRouteMatch type on the same HTTPRouteRule + // will result in + // the implementation setting the Accepted Condition for the Route + // to `status: False`. + // + // Request Path | Prefix Match | Replace Prefix | Modified Path + replacePrefixMatch?: strings.MaxRunes(1024) + + // Type defines the type of path modifier. Additional types may be + // added in a future release of the API. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + type!: "ReplaceFullPath" | "ReplacePrefixMatch" + } + } + }] + + // Matches define conditions used for matching the rule against + // incoming + // HTTP requests. Each match is independent, i.e. this rule will + // be matched + // if **any** one of the matches is satisfied. + // + // For example, take the following matches configuration: + // + // ``` + // matches: + // - path: + // value: "/foo" + // headers: + // - name: "version" + // value: "v2" + // - path: + // value: "/v2/foo" + // ``` + // + // For a request to match against this rule, a request must + // satisfy + // EITHER of the two conditions: + // + // - path prefixed with `/foo` AND contains the header `version: + // v2` + // - path prefix of `/v2/foo` + // + // See the documentation for HTTPRouteMatch on how to specify + // multiple + // match conditions that should be ANDed together. + // + // If no matches are specified, the default is a prefix + // path match on "/", which has the effect of matching every + // HTTP request. + // + // Proxy or Load Balancer routing configuration generated from + // HTTPRoutes + // MUST prioritize matches based on the following criteria, + // continuing on + // ties. 
Across all rules specified on applicable Routes, + // precedence must be + // given to the match having: + // + // * "Exact" path match. + // * "Prefix" path match with largest number of characters. + // * Method match. + // * Largest number of header matches. + // * Largest number of query param matches. + // + // Note: The precedence of RegularExpression path matches are + // implementation-specific. + // + // If ties still exist across multiple Routes, matching precedence + // MUST be + // determined in order of the following criteria, continuing on + // ties: + // + // * The oldest Route based on creation timestamp. + // * The Route appearing first in alphabetical order by + // "{namespace}/{name}". + // + // If ties still exist within an HTTPRoute, matching precedence + // MUST be granted + // to the FIRST matching rule (in list order) with a match meeting + // the above + // criteria. + // + // When no rules matching a request have been successfully + // attached to the + // parent a request is coming from, a HTTP 404 status code MUST be + // returned. + matches?: list.MaxItems(64) & [...{ + // Headers specifies HTTP request header matchers. Multiple match + // values are + // ANDed together, meaning, a request must match all the specified + // headers + // to select the route. + headers?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, only the + // first + // entry with an equivalent name MUST be considered for a match. + // Subsequent + // entries with an equivalent header name MUST be ignored. Due to + // the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + // + // When a header is repeated in an HTTP request, it is + // implementation-specific behavior as to how this is represented. 
+ // Generally, proxies should follow the guidance from the RFC: + // https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + // regarding + // processing a repeated header, with special handling for + // "Set-Cookie". + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Type specifies how to match against the value of the header. + // + // Support: Core (Exact) + // + // Support: Implementation-specific (RegularExpression) + // + // Since RegularExpression HeaderMatchType has + // implementation-specific + // conformance, implementations can support POSIX, PCRE or any + // other dialects + // of regular expressions. Please read the implementation's + // documentation to + // determine the supported dialect. + type?: "Exact" | "RegularExpression" | *"Exact" + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + + // Method specifies HTTP method matcher. + // When specified, this route will be matched only if the request + // has the + // specified method. + // + // Support: Extended + method?: "GET" | "HEAD" | "POST" | "PUT" | "DELETE" | "CONNECT" | "OPTIONS" | "TRACE" | "PATCH" + + // Path specifies a HTTP request path matcher. If this field is + // not + // specified, a default prefix match on the "/" path is provided. + path?: { + // Type specifies how to match against the path Value. + // + // Support: Core (Exact, PathPrefix) + // + // Support: Implementation-specific (RegularExpression) + type?: "Exact" | "PathPrefix" | "RegularExpression" | *"PathPrefix" + + // Value of the HTTP path to match against. + value?: strings.MaxRunes(1024) | *"/" + } | *{ + type: "PathPrefix" + value: "/" + } + + // QueryParams specifies HTTP query parameter matchers. Multiple + // match + // values are ANDed together, meaning, a request must match all + // the + // specified query parameters to select the route. 
+ // + // Support: Extended + queryParams?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP query param to be matched. This + // must be an + // exact string match. (See + // https://tools.ietf.org/html/rfc7230#section-2.7.3). + // + // If multiple entries specify equivalent query param names, only + // the first + // entry with an equivalent name MUST be considered for a match. + // Subsequent + // entries with an equivalent query param name MUST be ignored. + // + // If a query param is repeated in an HTTP request, the behavior + // is + // purposely left undefined, since different data planes have + // different + // capabilities. However, it is *recommended* that implementations + // should + // match against the first value of the param if the data plane + // supports it, + // as this behavior is expected in other load balancing contexts + // outside of + // the Gateway API. + // + // Users SHOULD NOT route traffic based on repeated query params + // to guard + // themselves against potential differences in the + // implementations. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Type specifies how to match against the value of the query + // parameter. + // + // Support: Extended (Exact) + // + // Support: Implementation-specific (RegularExpression) + // + // Since RegularExpression QueryParamMatchType has + // Implementation-specific + // conformance, implementations can support POSIX, PCRE or any + // other + // dialects of regular expressions. Please read the + // implementation's + // documentation to determine the supported dialect. + type?: "Exact" | "RegularExpression" | *"Exact" + + // Value is the value of HTTP query param to be matched. + value!: strings.MaxRunes(1024) & strings.MinRunes(1) + }] + }] | *[{ + path: { + type: "PathPrefix" + value: "/" + } + }] + + // Timeouts defines the timeouts that can be configured for an + // HTTP request. 
+ // + // Support: Extended + timeouts?: { + // BackendRequest specifies a timeout for an individual request + // from the gateway + // to a backend. This covers the time from when the request first + // starts being + // sent from the gateway to when the full response has been + // received from the backend. + // + // Setting a timeout to the zero duration (e.g. "0s") SHOULD + // disable the timeout + // completely. Implementations that cannot completely disable the + // timeout MUST + // instead interpret the zero duration as the longest possible + // value to which + // the timeout can be set. + // + // An entire client HTTP transaction with a gateway, covered by + // the Request timeout, + // may result in more than one call from the gateway to the + // destination backend, + // for example, if automatic retries are supported. + // + // The value of BackendRequest must be a Gateway API Duration + // string as defined by + // GEP-2257. When this field is unspecified, its behavior is + // implementation-specific; + // when specified, the value of BackendRequest must be no more + // than the value of the + // Request timeout (since the Request timeout encompasses the + // BackendRequest timeout). + // + // Support: Extended + backendRequest?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // Request specifies the maximum duration for a gateway to respond + // to an HTTP request. + // If the gateway has not been able to respond before this + // deadline is met, the gateway + // MUST return a timeout error. + // + // For example, setting the `rules.timeouts.request` field to the + // value `10s` in an + // `HTTPRoute` will cause a timeout if a client request is taking + // longer than 10 seconds + // to complete. + // + // Setting a timeout to the zero duration (e.g. "0s") SHOULD + // disable the timeout + // completely. 
Implementations that cannot completely disable the + // timeout MUST + // instead interpret the zero duration as the longest possible + // value to which + // the timeout can be set. + // + // This timeout is intended to cover as close to the whole + // request-response transaction + // as possible although an implementation MAY choose to start the + // timeout after the entire + // request stream has been received instead of immediately after + // the transaction is + // initiated by the client. + // + // The value of Request is a Gateway API Duration string as + // defined by GEP-2257. When this + // field is unspecified, request timeout behavior is + // implementation-specific. + // + // Support: Extended + request?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + } + }] | *[{ + matches: [{ + path: { + type: "PathPrefix" + value: "/" + } + }] + }] +} diff --git a/k8s/timoni/codebattle/cue.mod/gen/gateway.networking.k8s.io/referencegrant/v1beta1/types_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/gateway.networking.k8s.io/referencegrant/v1beta1/types_gen.cue new file mode 100644 index 000000000..8abfe8588 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/gateway.networking.k8s.io/referencegrant/v1beta1/types_gen.cue 
@@ -0,0 +1,161 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/standard-install.yaml + +package v1beta1 + +import ( + "strings" + "list" +) + +// ReferenceGrant identifies kinds of resources in other +// namespaces that are +// trusted to reference the specified kinds of resources in the +// same namespace +// as the policy. +// +// Each ReferenceGrant can be used to represent a unique trust +// relationship. +// Additional Reference Grants can be used to add to the set of +// trusted +// sources of inbound references for the namespace they are +// defined within. +// +// All cross-namespace references in Gateway API (with the +// exception of cross-namespace +// Gateway-route attachment) require a ReferenceGrant. +// +// ReferenceGrant is a form of runtime verification allowing users +// to assert +// which cross-namespace object references are permitted. +// Implementations that +// support ReferenceGrant MUST NOT permit cross-namespace +// references which have +// no grant, and MUST respond to the removal of a grant by +// revoking the access +// that the grant allowed. +#ReferenceGrant: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "gateway.networking.k8s.io/v1beta1" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. 
+ // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "ReferenceGrant" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Spec defines the desired state of ReferenceGrant. + spec!: #ReferenceGrantSpec +} + +// Spec defines the desired state of ReferenceGrant. +#ReferenceGrantSpec: { + // From describes the trusted namespaces and kinds that can + // reference the + // resources described in "To". Each entry in this list MUST be + // considered + // to be an additional place that references can be valid from, or + // to put + // this another way, entries MUST be combined using OR. + // + // Support: Core + from!: list.MaxItems(16) & [...{ + // Group is the group of the referent. + // When empty, the Kubernetes core API group is inferred. + // + // Support: Core + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is the kind of the referent. Although implementations may + // support + // additional resources, the following types are part of the + // "Core" + // support level for this field. + // + // When used to permit a SecretObjectReference: + // + // * Gateway + // + // When used to permit a BackendObjectReference: + // + // * GRPCRoute + // * HTTPRoute + // * TCPRoute + // * TLSRoute + // * UDPRoute + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Namespace is the namespace of the referent. + // + // Support: Core + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + }] & [_, ...] + + // To describes the resources that may be referenced by the + // resources + // described in "From". 
Each entry in this list MUST be considered + // to be an + // additional place that references can be valid to, or to put + // this another + // way, entries MUST be combined using OR. + // + // Support: Core + to!: list.MaxItems(16) & [...{ + // Group is the group of the referent. + // When empty, the Kubernetes core API group is inferred. + // + // Support: Core + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is the kind of the referent. Although implementations may + // support + // additional resources, the following types are part of the + // "Core" + // support level for this field: + // + // * Secret when used to permit a SecretObjectReference + // * Service when used to permit a BackendObjectReference + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the referent. When unspecified, this policy + // refers to all resources of the specified Group and Kind in the + // local + // namespace. + name?: strings.MaxRunes(253) & strings.MinRunes(1) + }] & [_, ...] +} diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/admission/v1/register_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/admission/v1/register_go_gen.cue new file mode 100644 index 000000000..597f5b0e7 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/admission/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/admission/v1 + +package v1 + +#GroupName: "admission.k8s.io" diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/admission/v1/types_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/admission/v1/types_go_gen.cue new file mode 100644 index 000000000..af26bd060 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/admission/v1/types_go_gen.cue 
@@ -0,0 +1,172 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/admission/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + authenticationv1 "k8s.io/api/authentication/v1" + "k8s.io/apimachinery/pkg/runtime" +) + +// AdmissionReview describes an admission review request/response. +#AdmissionReview: { + metav1.#TypeMeta + + // Request describes the attributes for the admission request. + // +optional + request?: null | #AdmissionRequest @go(Request,*AdmissionRequest) @protobuf(1,bytes,opt) + + // Response describes the attributes for the admission response. + // +optional + response?: null | #AdmissionResponse @go(Response,*AdmissionResponse) @protobuf(2,bytes,opt) +} + +// AdmissionRequest describes the admission.Attributes for the admission request. +#AdmissionRequest: { + // UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are + // otherwise identical (parallel requests, requests when earlier requests did not modify etc) + // The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. + // It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging. 
+ uid: types.#UID @go(UID) @protobuf(1,bytes,opt) + + // Kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale) + kind: metav1.#GroupVersionKind @go(Kind) @protobuf(2,bytes,opt) + + // Resource is the fully-qualified resource being requested (for example, v1.pods) + resource: metav1.#GroupVersionResource @go(Resource) @protobuf(3,bytes,opt) + + // SubResource is the subresource being requested, if any (for example, "status" or "scale") + // +optional + subResource?: string @go(SubResource) @protobuf(4,bytes,opt) + + // RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). + // If this is specified and differs from the value in "kind", an equivalent match and conversion was performed. + // + // For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + // `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + // an API request to apps/v1beta1 deployments would be converted and sent to the webhook + // with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for), + // and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request). + // + // See documentation for the "matchPolicy" field in the webhook configuration type for more details. + // +optional + requestKind?: null | metav1.#GroupVersionKind @go(RequestKind,*metav1.GroupVersionKind) @protobuf(13,bytes,opt) + + // RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). + // If this is specified and differs from the value in "resource", an equivalent match and conversion was performed. 
+ // + // For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + // `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + // an API request to apps/v1beta1 deployments would be converted and sent to the webhook + // with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for), + // and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request). + // + // See documentation for the "matchPolicy" field in the webhook configuration type. + // +optional + requestResource?: null | metav1.#GroupVersionResource @go(RequestResource,*metav1.GroupVersionResource) @protobuf(14,bytes,opt) + + // RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale") + // If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed. + // See documentation for the "matchPolicy" field in the webhook configuration type. + // +optional + requestSubResource?: string @go(RequestSubResource) @protobuf(15,bytes,opt) + + // Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and + // rely on the server to generate the name. If that is the case, this field will contain an empty string. + // +optional + name?: string @go(Name) @protobuf(5,bytes,opt) + + // Namespace is the namespace associated with the request (if any). + // +optional + namespace?: string @go(Namespace) @protobuf(6,bytes,opt) + + // Operation is the operation being performed. This may be different than the operation + // requested. e.g. a patch can result in either a CREATE or UPDATE Operation. 
+ operation: #Operation @go(Operation) @protobuf(7,bytes,opt) + + // UserInfo is information about the requesting user + userInfo: authenticationv1.#UserInfo @go(UserInfo) @protobuf(8,bytes,opt) + + // Object is the object from the incoming request. + // +optional + object?: runtime.#RawExtension @go(Object) @protobuf(9,bytes,opt) + + // OldObject is the existing object. Only populated for DELETE and UPDATE requests. + // +optional + oldObject?: runtime.#RawExtension @go(OldObject) @protobuf(10,bytes,opt) + + // DryRun indicates that modifications will definitely not be persisted for this request. + // Defaults to false. + // +optional + dryRun?: null | bool @go(DryRun,*bool) @protobuf(11,varint,opt) + + // Options is the operation option structure of the operation being performed. + // e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be + // different than the options the caller provided. e.g. for a patch request the performed + // Operation might be a CREATE, in which case the Options will a + // `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`. + // +optional + options?: runtime.#RawExtension @go(Options) @protobuf(12,bytes,opt) +} + +// AdmissionResponse describes an admission response. +#AdmissionResponse: { + // UID is an identifier for the individual request/response. + // This must be copied over from the corresponding AdmissionRequest. + uid: types.#UID @go(UID) @protobuf(1,bytes,opt) + + // Allowed indicates whether or not the admission request was permitted. + allowed: bool @go(Allowed) @protobuf(2,varint,opt) + + // Result contains extra details into why an admission request was denied. + // This field IS NOT consulted in any way if "Allowed" is "true". + // +optional + status?: null | metav1.#Status @go(Result,*metav1.Status) @protobuf(3,bytes,opt) + + // The patch body. Currently we only support "JSONPatch" which implements RFC 6902. 
+ // +optional + patch?: bytes @go(Patch,[]byte) @protobuf(4,bytes,opt) + + // The type of Patch. Currently we only allow "JSONPatch". + // +optional + patchType?: null | #PatchType @go(PatchType,*PatchType) @protobuf(5,bytes,opt) + + // AuditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted). + // MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with + // admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by + // the admission webhook to add additional context to the audit log for this request. + // +optional + auditAnnotations?: {[string]: string} @go(AuditAnnotations,map[string]string) @protobuf(6,bytes,opt) + + // warnings is a list of warning messages to return to the requesting API client. + // Warning messages describe a problem the client making the API request should correct or be aware of. + // Limit warnings to 120 characters if possible. + // Warnings over 256 characters and large numbers of warnings may be truncated. + // +optional + warnings?: [...string] @go(Warnings,[]string) @protobuf(7,bytes,rep) +} + +// PatchType is the type of patch being used to represent the mutated object +#PatchType: string // #enumPatchType + +#enumPatchType: + #PatchTypeJSONPatch + +#PatchTypeJSONPatch: #PatchType & "JSONPatch" + +// Operation is the type of resource operation being checked for admission control +#Operation: string // #enumOperation + +#enumOperation: + #Create | + #Update | + #Delete | + #Connect + +#Create: #Operation & "CREATE" +#Update: #Operation & "UPDATE" +#Delete: #Operation & "DELETE" +#Connect: #Operation & "CONNECT" diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/admissionregistration/v1/doc_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/admissionregistration/v1/doc_go_gen.cue new file mode 100644 index 000000000..5d30100e9 --- /dev/null 
+++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/admissionregistration/v1/doc_go_gen.cue @@ -0,0 +1,9 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/admissionregistration/v1 + +// Package v1 is the v1 version of the API. +// AdmissionConfiguration and AdmissionPluginConfiguration are legacy static admission plugin configuration +// MutatingWebhookConfiguration and ValidatingWebhookConfiguration are for the +// new dynamic admission controller configuration. +package v1 diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/admissionregistration/v1/register_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/admissionregistration/v1/register_go_gen.cue new file mode 100644 index 000000000..93348e918 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/admissionregistration/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/admissionregistration/v1 + +package v1 + +#GroupName: "admissionregistration.k8s.io" diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/admissionregistration/v1/types_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/admissionregistration/v1/types_go_gen.cue new file mode 100644 index 000000000..7038db05a --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/admissionregistration/v1/types_go_gen.cue 
@@ -0,0 +1,645 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/admissionregistration/v1 + +package v1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// Rule is a tuple of APIGroups, APIVersion, and Resources.It is recommended +// to make sure that all the tuple expansions are valid. +#Rule: { + // APIGroups is the API groups the resources belong to. '*' is all groups. + // If '*' is present, the length of the slice must be one. + // Required. + // +listType=atomic + apiGroups?: [...string] @go(APIGroups,[]string) @protobuf(1,bytes,rep) + + // APIVersions is the API versions the resources belong to. '*' is all versions. + // If '*' is present, the length of the slice must be one. + // Required. + // +listType=atomic + apiVersions?: [...string] @go(APIVersions,[]string) @protobuf(2,bytes,rep) + + // Resources is a list of resources this rule applies to. + // + // For example: + // 'pods' means pods. + // 'pods/log' means the log subresource of pods. + // '*' means all resources, but not subresources. + // 'pods/*' means all subresources of pods. + // '*/scale' means all scale subresources. + // '*/*' means all resources and their subresources. + // + // If wildcard is present, the validation rule will ensure resources do not + // overlap with each other. + // + // Depending on the enclosing object, subresources might not be allowed. + // Required. + // +listType=atomic + resources?: [...string] @go(Resources,[]string) @protobuf(3,bytes,rep) + + // scope specifies the scope of this rule. + // Valid values are "Cluster", "Namespaced", and "*" + // "Cluster" means that only cluster-scoped resources will match this rule. + // Namespace API objects are cluster-scoped. + // "Namespaced" means that only namespaced resources will match this rule. + // "*" means that there are no scope restrictions. + // Subresources match the scope of their parent resource. + // Default is "*". 
+ // + // +optional + scope?: null | #ScopeType @go(Scope,*ScopeType) @protobuf(4,bytes,rep) +} + +// ScopeType specifies a scope for a Rule. +// +enum +#ScopeType: string // #enumScopeType + +#enumScopeType: + #ClusterScope | + #NamespacedScope | + #AllScopes + +// ClusterScope means that scope is limited to cluster-scoped objects. +// Namespace objects are cluster-scoped. +#ClusterScope: #ScopeType & "Cluster" + +// NamespacedScope means that scope is limited to namespaced objects. +#NamespacedScope: #ScopeType & "Namespaced" + +// AllScopes means that all scopes are included. +#AllScopes: #ScopeType & "*" + +// FailurePolicyType specifies a failure policy that defines how unrecognized errors from the admission endpoint are handled. +// +enum +#FailurePolicyType: string // #enumFailurePolicyType + +#enumFailurePolicyType: + #Ignore | + #Fail + +// Ignore means that an error calling the webhook is ignored. +#Ignore: #FailurePolicyType & "Ignore" + +// Fail means that an error calling the webhook causes the admission to fail. +#Fail: #FailurePolicyType & "Fail" + +// MatchPolicyType specifies the type of match policy. +// +enum +#MatchPolicyType: string // #enumMatchPolicyType + +#enumMatchPolicyType: + #Exact | + #Equivalent + +// Exact means requests should only be sent to the webhook if they exactly match a given rule. +#Exact: #MatchPolicyType & "Exact" + +// Equivalent means requests should be sent to the webhook if they modify a resource listed in rules via another API group or version. +#Equivalent: #MatchPolicyType & "Equivalent" + +// SideEffectClass specifies the types of side effects a webhook may have. +// +enum +#SideEffectClass: string // #enumSideEffectClass + +#enumSideEffectClass: + #SideEffectClassUnknown | + #SideEffectClassNone | + #SideEffectClassSome | + #SideEffectClassNoneOnDryRun + +// SideEffectClassUnknown means that no information is known about the side effects of calling the webhook. 
+// If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail. +#SideEffectClassUnknown: #SideEffectClass & "Unknown" + +// SideEffectClassNone means that calling the webhook will have no side effects. +#SideEffectClassNone: #SideEffectClass & "None" + +// SideEffectClassSome means that calling the webhook will possibly have side effects. +// If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail. +#SideEffectClassSome: #SideEffectClass & "Some" + +// SideEffectClassNoneOnDryRun means that calling the webhook will possibly have side effects, but if the +// request being reviewed has the dry-run attribute, the side effects will be suppressed. +#SideEffectClassNoneOnDryRun: #SideEffectClass & "NoneOnDryRun" + +// ValidatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and object without changing it. +#ValidatingWebhookConfiguration: { + metav1.#TypeMeta + + // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata. + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Webhooks is a list of webhooks and the affected resources and operations. + // +optional + // +patchMergeKey=name + // +patchStrategy=merge + webhooks?: [...#ValidatingWebhook] @go(Webhooks,[]ValidatingWebhook) @protobuf(2,bytes,rep,name=Webhooks) +} + +// ValidatingWebhookConfigurationList is a list of ValidatingWebhookConfiguration. +#ValidatingWebhookConfigurationList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of ValidatingWebhookConfiguration. 
+ items: [...#ValidatingWebhookConfiguration] @go(Items,[]ValidatingWebhookConfiguration) @protobuf(2,bytes,rep) +} + +// MutatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and may change the object. +#MutatingWebhookConfiguration: { + metav1.#TypeMeta + + // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata. + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Webhooks is a list of webhooks and the affected resources and operations. + // +optional + // +patchMergeKey=name + // +patchStrategy=merge + webhooks?: [...#MutatingWebhook] @go(Webhooks,[]MutatingWebhook) @protobuf(2,bytes,rep,name=Webhooks) +} + +// MutatingWebhookConfigurationList is a list of MutatingWebhookConfiguration. +#MutatingWebhookConfigurationList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of MutatingWebhookConfiguration. + items: [...#MutatingWebhookConfiguration] @go(Items,[]MutatingWebhookConfiguration) @protobuf(2,bytes,rep) +} + +// ValidatingWebhook describes an admission webhook and the resources and operations it applies to. +#ValidatingWebhook: { + // The name of the admission webhook. + // Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where + // "imagepolicy" is the name of the webhook, and kubernetes.io is the name + // of the organization. + // Required. + name: string @go(Name) @protobuf(1,bytes,opt) + + // ClientConfig defines how to communicate with the hook. + // Required + clientConfig: #WebhookClientConfig @go(ClientConfig) @protobuf(2,bytes,opt) + + // Rules describes what operations on what resources/subresources the webhook cares about. 
+ // The webhook cares about an operation if it matches _any_ Rule. + // However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks + // from putting the cluster in a state which cannot be recovered from without completely + // disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called + // on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects. + rules?: [...#RuleWithOperations] @go(Rules,[]RuleWithOperations) @protobuf(3,bytes,rep) + + // FailurePolicy defines how unrecognized errors from the admission endpoint are handled - + // allowed values are Ignore or Fail. Defaults to Fail. + // +optional + failurePolicy?: null | #FailurePolicyType @go(FailurePolicy,*FailurePolicyType) @protobuf(4,bytes,opt,casttype=FailurePolicyType) + + // matchPolicy defines how the "rules" list is used to match incoming requests. + // Allowed values are "Exact" or "Equivalent". + // + // - Exact: match a request only if it exactly matches a specified rule. + // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + // but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + // a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. + // + // - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. + // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + // and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + // a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. 
+ // + // Defaults to "Equivalent" + // +optional + matchPolicy?: null | #MatchPolicyType @go(MatchPolicy,*MatchPolicyType) @protobuf(9,bytes,opt,casttype=MatchPolicyType) + + // NamespaceSelector decides whether to run the webhook on an object based + // on whether the namespace for that object matches the selector. If the + // object itself is a namespace, the matching is performed on + // object.metadata.labels. If the object is another cluster scoped resource, + // it never skips the webhook. + // + // For example, to run the webhook on any objects whose namespace is not + // associated with "runlevel" of "0" or "1"; you will set the selector as + // follows: + // "namespaceSelector": { + // "matchExpressions": [ + // { + // "key": "runlevel", + // "operator": "NotIn", + // "values": [ + // "0", + // "1" + // ] + // } + // ] + // } + // + // If instead you want to only run the webhook on any objects whose + // namespace is associated with the "environment" of "prod" or "staging"; + // you will set the selector as follows: + // "namespaceSelector": { + // "matchExpressions": [ + // { + // "key": "environment", + // "operator": "In", + // "values": [ + // "prod", + // "staging" + // ] + // } + // ] + // } + // + // See + // https://kubernetes.io/docs/concepts/overview/working-with-objects/labels + // for more examples of label selectors. + // + // Default to the empty LabelSelector, which matches everything. + // +optional + namespaceSelector?: null | metav1.#LabelSelector @go(NamespaceSelector,*metav1.LabelSelector) @protobuf(5,bytes,opt) + + // ObjectSelector decides whether to run the webhook based on if the + // object has matching labels. objectSelector is evaluated against both + // the oldObject and newObject that would be sent to the webhook, and + // is considered to match if either object matches the selector. 
A null + // object (oldObject in the case of create, or newObject in the case of + // delete) or an object that cannot have labels (like a + // DeploymentRollback or a PodProxyOptions object) is not considered to + // match. + // Use the object selector only if the webhook is opt-in, because end + // users may skip the admission webhook by setting the labels. + // Default to the empty LabelSelector, which matches everything. + // +optional + objectSelector?: null | metav1.#LabelSelector @go(ObjectSelector,*metav1.LabelSelector) @protobuf(10,bytes,opt) + + // SideEffects states whether this webhook has side effects. + // Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). + // Webhooks with side effects MUST implement a reconciliation system, since a request may be + // rejected by a future step in the admission chain and the side effects therefore need to be undone. + // Requests with the dryRun attribute will be auto-rejected if they match a webhook with + // sideEffects == Unknown or Some. + sideEffects?: null | #SideEffectClass @go(SideEffects,*SideEffectClass) @protobuf(6,bytes,opt,casttype=SideEffectClass) + + // TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, + // the webhook call will be ignored or the API call will fail based on the + // failure policy. + // The timeout value must be between 1 and 30 seconds. + // Default to 10 seconds. + // +optional + timeoutSeconds?: null | int32 @go(TimeoutSeconds,*int32) @protobuf(7,varint,opt) + + // AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` + // versions the Webhook expects. API server will try to use first version in + // the list which it supports. If none of the versions specified in this list + // supported by API server, validation will fail for this object. 
+ // If a persisted webhook configuration specifies allowed versions and does not + // include any versions known to the API Server, calls to the webhook will fail + // and be subject to the failure policy. + admissionReviewVersions: [...string] @go(AdmissionReviewVersions,[]string) @protobuf(8,bytes,rep) + + // MatchConditions is a list of conditions that must be met for a request to be sent to this + // webhook. Match conditions filter requests that have already been matched by the rules, + // namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. + // There are a maximum of 64 match conditions allowed. + // + // The exact matching logic is (in order): + // 1. If ANY matchCondition evaluates to FALSE, the webhook is skipped. + // 2. If ALL matchConditions evaluate to TRUE, the webhook is called. + // 3. If any matchCondition evaluates to an error (but none are FALSE): + // - If failurePolicy=Fail, reject the request + // - If failurePolicy=Ignore, the error is ignored and the webhook is skipped + // + // This is a beta feature and managed by the AdmissionWebhookMatchConditions feature gate. + // + // +patchMergeKey=name + // +patchStrategy=merge + // +listType=map + // +listMapKey=name + // +featureGate=AdmissionWebhookMatchConditions + // +optional + matchConditions?: [...#MatchCondition] @go(MatchConditions,[]MatchCondition) @protobuf(11,bytes,opt) +} + +// MutatingWebhook describes an admission webhook and the resources and operations it applies to. +#MutatingWebhook: { + // The name of the admission webhook. + // Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where + // "imagepolicy" is the name of the webhook, and kubernetes.io is the name + // of the organization. + // Required. + name: string @go(Name) @protobuf(1,bytes,opt) + + // ClientConfig defines how to communicate with the hook. 
+ // Required + clientConfig: #WebhookClientConfig @go(ClientConfig) @protobuf(2,bytes,opt) + + // Rules describes what operations on what resources/subresources the webhook cares about. + // The webhook cares about an operation if it matches _any_ Rule. + // However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks + // from putting the cluster in a state which cannot be recovered from without completely + // disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called + // on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects. + rules?: [...#RuleWithOperations] @go(Rules,[]RuleWithOperations) @protobuf(3,bytes,rep) + + // FailurePolicy defines how unrecognized errors from the admission endpoint are handled - + // allowed values are Ignore or Fail. Defaults to Fail. + // +optional + failurePolicy?: null | #FailurePolicyType @go(FailurePolicy,*FailurePolicyType) @protobuf(4,bytes,opt,casttype=FailurePolicyType) + + // matchPolicy defines how the "rules" list is used to match incoming requests. + // Allowed values are "Exact" or "Equivalent". + // + // - Exact: match a request only if it exactly matches a specified rule. + // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + // but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + // a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. + // + // - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. + // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + // and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + // a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. 
+ // + // Defaults to "Equivalent" + // +optional + matchPolicy?: null | #MatchPolicyType @go(MatchPolicy,*MatchPolicyType) @protobuf(9,bytes,opt,casttype=MatchPolicyType) + + // NamespaceSelector decides whether to run the webhook on an object based + // on whether the namespace for that object matches the selector. If the + // object itself is a namespace, the matching is performed on + // object.metadata.labels. If the object is another cluster scoped resource, + // it never skips the webhook. + // + // For example, to run the webhook on any objects whose namespace is not + // associated with "runlevel" of "0" or "1"; you will set the selector as + // follows: + // "namespaceSelector": { + // "matchExpressions": [ + // { + // "key": "runlevel", + // "operator": "NotIn", + // "values": [ + // "0", + // "1" + // ] + // } + // ] + // } + // + // If instead you want to only run the webhook on any objects whose + // namespace is associated with the "environment" of "prod" or "staging"; + // you will set the selector as follows: + // "namespaceSelector": { + // "matchExpressions": [ + // { + // "key": "environment", + // "operator": "In", + // "values": [ + // "prod", + // "staging" + // ] + // } + // ] + // } + // + // See + // https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + // for more examples of label selectors. + // + // Default to the empty LabelSelector, which matches everything. + // +optional + namespaceSelector?: null | metav1.#LabelSelector @go(NamespaceSelector,*metav1.LabelSelector) @protobuf(5,bytes,opt) + + // ObjectSelector decides whether to run the webhook based on if the + // object has matching labels. objectSelector is evaluated against both + // the oldObject and newObject that would be sent to the webhook, and + // is considered to match if either object matches the selector. 
A null + // object (oldObject in the case of create, or newObject in the case of + // delete) or an object that cannot have labels (like a + // DeploymentRollback or a PodProxyOptions object) is not considered to + // match. + // Use the object selector only if the webhook is opt-in, because end + // users may skip the admission webhook by setting the labels. + // Default to the empty LabelSelector, which matches everything. + // +optional + objectSelector?: null | metav1.#LabelSelector @go(ObjectSelector,*metav1.LabelSelector) @protobuf(11,bytes,opt) + + // SideEffects states whether this webhook has side effects. + // Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). + // Webhooks with side effects MUST implement a reconciliation system, since a request may be + // rejected by a future step in the admission chain and the side effects therefore need to be undone. + // Requests with the dryRun attribute will be auto-rejected if they match a webhook with + // sideEffects == Unknown or Some. + sideEffects?: null | #SideEffectClass @go(SideEffects,*SideEffectClass) @protobuf(6,bytes,opt,casttype=SideEffectClass) + + // TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, + // the webhook call will be ignored or the API call will fail based on the + // failure policy. + // The timeout value must be between 1 and 30 seconds. + // Default to 10 seconds. + // +optional + timeoutSeconds?: null | int32 @go(TimeoutSeconds,*int32) @protobuf(7,varint,opt) + + // AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` + // versions the Webhook expects. API server will try to use first version in + // the list which it supports. If none of the versions specified in this list + // supported by API server, validation will fail for this object. 
+ // If a persisted webhook configuration specifies allowed versions and does not + // include any versions known to the API Server, calls to the webhook will fail + // and be subject to the failure policy. + admissionReviewVersions: [...string] @go(AdmissionReviewVersions,[]string) @protobuf(8,bytes,rep) + + // reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. + // Allowed values are "Never" and "IfNeeded". + // + // Never: the webhook will not be called more than once in a single admission evaluation. + // + // IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation + // if the object being admitted is modified by other admission plugins after the initial webhook call. + // Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted. + // Note: + // * the number of additional invocations is not guaranteed to be exactly one. + // * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again. + // * webhooks that use this option may be reordered to minimize the number of additional invocations. + // * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead. + // + // Defaults to "Never". + // +optional + reinvocationPolicy?: null | #ReinvocationPolicyType @go(ReinvocationPolicy,*ReinvocationPolicyType) @protobuf(10,bytes,opt,casttype=ReinvocationPolicyType) + + // MatchConditions is a list of conditions that must be met for a request to be sent to this + // webhook. Match conditions filter requests that have already been matched by the rules, + // namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. + // There are a maximum of 64 match conditions allowed. + // + // The exact matching logic is (in order): + // 1. 
If ANY matchCondition evaluates to FALSE, the webhook is skipped. + // 2. If ALL matchConditions evaluate to TRUE, the webhook is called. + // 3. If any matchCondition evaluates to an error (but none are FALSE): + // - If failurePolicy=Fail, reject the request + // - If failurePolicy=Ignore, the error is ignored and the webhook is skipped + // + // This is a beta feature and managed by the AdmissionWebhookMatchConditions feature gate. + // + // +patchMergeKey=name + // +patchStrategy=merge + // +listType=map + // +listMapKey=name + // +featureGate=AdmissionWebhookMatchConditions + // +optional + matchConditions?: [...#MatchCondition] @go(MatchConditions,[]MatchCondition) @protobuf(12,bytes,opt) +} + +// ReinvocationPolicyType specifies what type of policy the admission hook uses. +// +enum +#ReinvocationPolicyType: string // #enumReinvocationPolicyType + +#enumReinvocationPolicyType: + #NeverReinvocationPolicy | + #IfNeededReinvocationPolicy + +// NeverReinvocationPolicy indicates that the webhook must not be called more than once in a +// single admission evaluation. +#NeverReinvocationPolicy: #ReinvocationPolicyType & "Never" + +// IfNeededReinvocationPolicy indicates that the webhook may be called at least one +// additional time as part of the admission evaluation if the object being admitted is +// modified by other admission plugins after the initial webhook call. +#IfNeededReinvocationPolicy: #ReinvocationPolicyType & "IfNeeded" + +// RuleWithOperations is a tuple of Operations and Resources. It is recommended to make +// sure that all the tuple expansions are valid. +#RuleWithOperations: { + // Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * + // for all of those operations and any future admission operations that are added. + // If '*' is present, the length of the slice must be one. + // Required. 
+ // +listType=atomic + operations?: [...#OperationType] @go(Operations,[]OperationType) @protobuf(1,bytes,rep,casttype=OperationType) + + #Rule +} + +// OperationType specifies an operation for a request. +// +enum +#OperationType: string // #enumOperationType + +#enumOperationType: + #OperationAll | + #Create | + #Update | + #Delete | + #Connect + +#OperationAll: #OperationType & "*" +#Create: #OperationType & "CREATE" +#Update: #OperationType & "UPDATE" +#Delete: #OperationType & "DELETE" +#Connect: #OperationType & "CONNECT" + +// WebhookClientConfig contains the information to make a TLS +// connection with the webhook +#WebhookClientConfig: { + // `url` gives the location of the webhook, in standard URL form + // (`scheme://host:port/path`). Exactly one of `url` or `service` + // must be specified. + // + // The `host` should not refer to a service running in the cluster; use + // the `service` field instead. The host might be resolved via external + // DNS in some apiservers (e.g., `kube-apiserver` cannot resolve + // in-cluster DNS as that would be a layering violation). `host` may + // also be an IP address. + // + // Please note that using `localhost` or `127.0.0.1` as a `host` is + // risky unless you take great care to run this webhook on all hosts + // which run an apiserver which might need to make calls to this + // webhook. Such installs are likely to be non-portable, i.e., not easy + // to turn up in a new cluster. + // + // The scheme must be "https"; the URL must begin with "https://". + // + // A path is optional, and if present may be any string permissible in + // a URL. You may use the path to pass an arbitrary string to the + // webhook, for example, a cluster identifier. + // + // Attempting to use a user or basic auth e.g. "user:password@" is not + // allowed. Fragments ("#...") and query parameters ("?...") are not + // allowed, either. 
+ // + // +optional + url?: null | string @go(URL,*string) @protobuf(3,bytes,opt) + + // `service` is a reference to the service for this webhook. Either + // `service` or `url` must be specified. + // + // If the webhook is running within the cluster, then you should use `service`. + // + // +optional + service?: null | #ServiceReference @go(Service,*ServiceReference) @protobuf(1,bytes,opt) + + // `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. + // If unspecified, system trust roots on the apiserver are used. + // +optional + caBundle?: bytes @go(CABundle,[]byte) @protobuf(2,bytes,opt) +} + +// ServiceReference holds a reference to Service.legacy.k8s.io +#ServiceReference: { + // `namespace` is the namespace of the service. + // Required + namespace: string @go(Namespace) @protobuf(1,bytes,opt) + + // `name` is the name of the service. + // Required + name: string @go(Name) @protobuf(2,bytes,opt) + + // `path` is an optional URL path which will be sent in any request to + // this service. + // +optional + path?: null | string @go(Path,*string) @protobuf(3,bytes,opt) + + // If specified, the port on the service that hosting webhook. + // Default to 443 for backward compatibility. + // `port` should be a valid port number (1-65535, inclusive). + // +optional + port?: null | int32 @go(Port,*int32) @protobuf(4,varint,opt) +} + +// MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. +#MatchCondition: { + // Name is an identifier for this match condition, used for strategic merging of MatchConditions, + // as well as providing an identifier for logging purposes. A good name should be descriptive of + // the associated expression. + // Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + // must start and end with an alphanumeric character (e.g. 
'MyName', or 'my.name', or + // '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + // optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + // + // Required. + name: string @go(Name) @protobuf(1,bytes,opt) + + // Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + // CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + // + // 'object' - The object from the incoming request. The value is null for DELETE requests. + // 'oldObject' - The existing object. The value is null for CREATE requests. + // 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + // 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + // 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + // request resource. + // Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + // + // Required. + expression: string @go(Expression) @protobuf(2,bytes,opt) +} diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/apps/v1/register_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/apps/v1/register_go_gen.cue new file mode 100644 index 000000000..c2497a513 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/apps/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/apps/v1 + +package v1 + +#GroupName: "apps" diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/apps/v1/types_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/apps/v1/types_go_gen.cue new file mode 100644 index 000000000..d3ecc8345 --- /dev/null 
+++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/apps/v1/types_go_gen.cue 
@@ -0,0 +1,946 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/apps/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/intstr" + "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/runtime" +) + +#ControllerRevisionHashLabelKey: "controller-revision-hash" +#StatefulSetRevisionLabel: "controller-revision-hash" +#DeprecatedRollbackTo: "deprecated.deployment.rollback.to" +#DeprecatedTemplateGeneration: "deprecated.daemonset.template.generation" +#StatefulSetPodNameLabel: "statefulset.kubernetes.io/pod-name" +#PodIndexLabel: "apps.kubernetes.io/pod-index" + +// StatefulSet represents a set of pods with consistent identities. +// Identities are defined as: +// - Network: A single stable DNS and hostname. +// - Storage: As many VolumeClaims as requested. +// +// The StatefulSet guarantees that a given network identity will always +// map to the same storage identity. +#StatefulSet: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec defines the desired identities of pods in this set. + // +optional + spec?: #StatefulSetSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status is the current status of Pods in this StatefulSet. This data + // may be out of date by some window of time. + // +optional + status?: #StatefulSetStatus @go(Status) @protobuf(3,bytes,opt) +} + +// PodManagementPolicyType defines the policy for creating pods under a stateful set. 
+// +enum +#PodManagementPolicyType: string // #enumPodManagementPolicyType + +#enumPodManagementPolicyType: + #OrderedReadyPodManagement | + #ParallelPodManagement + +// OrderedReadyPodManagement will create pods in strictly increasing order on +// scale up and strictly decreasing order on scale down, progressing only when +// the previous pod is ready or terminated. At most one pod will be changed +// at any time. +#OrderedReadyPodManagement: #PodManagementPolicyType & "OrderedReady" + +// ParallelPodManagement will create and delete pods as soon as the stateful set +// replica count is changed, and will not wait for pods to be ready or complete +// termination. +#ParallelPodManagement: #PodManagementPolicyType & "Parallel" + +// StatefulSetUpdateStrategy indicates the strategy that the StatefulSet +// controller will use to perform updates. It includes any additional parameters +// necessary to perform the update for the indicated strategy. +#StatefulSetUpdateStrategy: { + // Type indicates the type of the StatefulSetUpdateStrategy. + // Default is RollingUpdate. + // +optional + type?: #StatefulSetUpdateStrategyType @go(Type) @protobuf(1,bytes,opt,casttype=StatefulSetStrategyType) + + // RollingUpdate is used to communicate parameters when Type is RollingUpdateStatefulSetStrategyType. + // +optional + rollingUpdate?: null | #RollingUpdateStatefulSetStrategy @go(RollingUpdate,*RollingUpdateStatefulSetStrategy) @protobuf(2,bytes,opt) +} + +// StatefulSetUpdateStrategyType is a string enumeration type that enumerates +// all possible update strategies for the StatefulSet controller. +// +enum +#StatefulSetUpdateStrategyType: string // #enumStatefulSetUpdateStrategyType + +#enumStatefulSetUpdateStrategyType: + #RollingUpdateStatefulSetStrategyType | + #OnDeleteStatefulSetStrategyType + +// RollingUpdateStatefulSetStrategyType indicates that update will be +// applied to all Pods in the StatefulSet with respect to the StatefulSet +// ordering constraints. 
When a scale operation is performed with this +// strategy, new Pods will be created from the specification version indicated +// by the StatefulSet's updateRevision. +#RollingUpdateStatefulSetStrategyType: #StatefulSetUpdateStrategyType & "RollingUpdate" + +// OnDeleteStatefulSetStrategyType triggers the legacy behavior. Version +// tracking and ordered rolling restarts are disabled. Pods are recreated +// from the StatefulSetSpec when they are manually deleted. When a scale +// operation is performed with this strategy,specification version indicated +// by the StatefulSet's currentRevision. +#OnDeleteStatefulSetStrategyType: #StatefulSetUpdateStrategyType & "OnDelete" + +// RollingUpdateStatefulSetStrategy is used to communicate parameter for RollingUpdateStatefulSetStrategyType. +#RollingUpdateStatefulSetStrategy: { + // Partition indicates the ordinal at which the StatefulSet should be partitioned + // for updates. During a rolling update, all pods from ordinal Replicas-1 to + // Partition are updated. All pods from ordinal Partition-1 to 0 remain untouched. + // This is helpful in being able to do a canary based deployment. The default value is 0. + // +optional + partition?: null | int32 @go(Partition,*int32) @protobuf(1,varint,opt) + + // The maximum number of pods that can be unavailable during the update. + // Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + // Absolute number is calculated from percentage by rounding up. This can not be 0. + // Defaults to 1. This field is alpha-level and is only honored by servers that enable the + // MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to + // Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it + // will be counted towards MaxUnavailable. 
+ // +optional + maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(2,varint,opt) +} + +// PersistentVolumeClaimRetentionPolicyType is a string enumeration of the policies that will determine +// when volumes from the VolumeClaimTemplates will be deleted when the controlling StatefulSet is +// deleted or scaled down. +#PersistentVolumeClaimRetentionPolicyType: string // #enumPersistentVolumeClaimRetentionPolicyType + +#enumPersistentVolumeClaimRetentionPolicyType: + #RetainPersistentVolumeClaimRetentionPolicyType | + #DeletePersistentVolumeClaimRetentionPolicyType + +// RetainPersistentVolumeClaimRetentionPolicyType is the default +// PersistentVolumeClaimRetentionPolicy and specifies that +// PersistentVolumeClaims associated with StatefulSet VolumeClaimTemplates +// will not be deleted. +#RetainPersistentVolumeClaimRetentionPolicyType: #PersistentVolumeClaimRetentionPolicyType & "Retain" + +// RetentionPersistentVolumeClaimRetentionPolicyType specifies that +// PersistentVolumeClaims associated with StatefulSet VolumeClaimTemplates +// will be deleted in the scenario specified in +// StatefulSetPersistentVolumeClaimRetentionPolicy. +#DeletePersistentVolumeClaimRetentionPolicyType: #PersistentVolumeClaimRetentionPolicyType & "Delete" + +// StatefulSetPersistentVolumeClaimRetentionPolicy describes the policy used for PVCs +// created from the StatefulSet VolumeClaimTemplates. +#StatefulSetPersistentVolumeClaimRetentionPolicy: { + // WhenDeleted specifies what happens to PVCs created from StatefulSet + // VolumeClaimTemplates when the StatefulSet is deleted. The default policy + // of `Retain` causes PVCs to not be affected by StatefulSet deletion. The + // `Delete` policy causes those PVCs to be deleted. 
+ whenDeleted?: #PersistentVolumeClaimRetentionPolicyType @go(WhenDeleted) @protobuf(1,bytes,opt,casttype=PersistentVolumeClaimRetentionPolicyType) + + // WhenScaled specifies what happens to PVCs created from StatefulSet + // VolumeClaimTemplates when the StatefulSet is scaled down. The default + // policy of `Retain` causes PVCs to not be affected by a scaledown. The + // `Delete` policy causes the associated PVCs for any excess pods above + // the replica count to be deleted. + whenScaled?: #PersistentVolumeClaimRetentionPolicyType @go(WhenScaled) @protobuf(2,bytes,opt,casttype=PersistentVolumeClaimRetentionPolicyType) +} + +// StatefulSetOrdinals describes the policy used for replica ordinal assignment +// in this StatefulSet. +#StatefulSetOrdinals: { + // start is the number representing the first replica's index. It may be used + // to number replicas from an alternate index (eg: 1-indexed) over the default + // 0-indexed names, or to orchestrate progressive movement of replicas from + // one StatefulSet to another. + // If set, replica indices will be in the range: + // [.spec.ordinals.start, .spec.ordinals.start + .spec.replicas). + // If unset, defaults to 0. Replica indices will be in the range: + // [0, .spec.replicas). + // +optional + start: int32 @go(Start) @protobuf(1,varint,opt) +} + +// A StatefulSetSpec is the specification of a StatefulSet. +#StatefulSetSpec: { + // replicas is the desired number of replicas of the given Template. + // These are replicas in the sense that they are instantiations of the + // same Template, but individual replicas also have a consistent identity. + // If unspecified, defaults to 1. + // TODO: Consider a rename of this field. + // +optional + replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt) + + // selector is a label query over pods that should match the replica count. + // It must match the pod template's labels. 
+ // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt) + + // template is the object that describes the pod that will be created if + // insufficient replicas are detected. Each pod stamped out by the StatefulSet + // will fulfill this Template, but have a unique identity from the rest + // of the StatefulSet. Each pod will be named with the format + // -. For example, a pod in a StatefulSet named + // "web" with index number "3" would be named "web-3". + // The only allowed template.spec.restartPolicy value is "Always". + template: v1.#PodTemplateSpec @go(Template) @protobuf(3,bytes,opt) + + // volumeClaimTemplates is a list of claims that pods are allowed to reference. + // The StatefulSet controller is responsible for mapping network identities to + // claims in a way that maintains the identity of a pod. Every claim in + // this list must have at least one matching (by name) volumeMount in one + // container in the template. A claim in this list takes precedence over + // any volumes in the template, with the same name. + // TODO: Define the behavior if a claim already exists with the same name. + // +optional + volumeClaimTemplates?: [...v1.#PersistentVolumeClaim] @go(VolumeClaimTemplates,[]v1.PersistentVolumeClaim) @protobuf(4,bytes,rep) + + // serviceName is the name of the service that governs this StatefulSet. + // This service must exist before the StatefulSet, and is responsible for + // the network identity of the set. Pods get DNS/hostnames that follow the + // pattern: pod-specific-string.serviceName.default.svc.cluster.local + // where "pod-specific-string" is managed by the StatefulSet controller. + serviceName: string @go(ServiceName) @protobuf(5,bytes,opt) + + // podManagementPolicy controls how pods are created during initial scale up, + // when replacing pods on nodes, or when scaling down. 
The default policy is + // `OrderedReady`, where pods are created in increasing order (pod-0, then + // pod-1, etc) and the controller will wait until each pod is ready before + // continuing. When scaling down, the pods are removed in the opposite order. + // The alternative policy is `Parallel` which will create pods in parallel + // to match the desired scale without waiting, and on scale down will delete + // all pods at once. + // +optional + podManagementPolicy?: #PodManagementPolicyType @go(PodManagementPolicy) @protobuf(6,bytes,opt,casttype=PodManagementPolicyType) + + // updateStrategy indicates the StatefulSetUpdateStrategy that will be + // employed to update Pods in the StatefulSet when a revision is made to + // Template. + updateStrategy?: #StatefulSetUpdateStrategy @go(UpdateStrategy) @protobuf(7,bytes,opt) + + // revisionHistoryLimit is the maximum number of revisions that will + // be maintained in the StatefulSet's revision history. The revision history + // consists of all revisions not represented by a currently applied + // StatefulSetSpec version. The default value is 10. + revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32) @protobuf(8,varint,opt) + + // Minimum number of seconds for which a newly created pod should be ready + // without any of its container crashing for it to be considered available. + // Defaults to 0 (pod will be considered available as soon as it is ready) + // +optional + minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(9,varint,opt) + + // persistentVolumeClaimRetentionPolicy describes the lifecycle of persistent + // volume claims created from volumeClaimTemplates. By default, all persistent + // volume claims are created as needed and retained until manually deleted. This + // policy allows the lifecycle to be altered, for example by deleting persistent + // volume claims when their stateful set is deleted, or when their pod is scaled + // down. 
This requires the StatefulSetAutoDeletePVC feature gate to be enabled, + // which is alpha. +optional + persistentVolumeClaimRetentionPolicy?: null | #StatefulSetPersistentVolumeClaimRetentionPolicy @go(PersistentVolumeClaimRetentionPolicy,*StatefulSetPersistentVolumeClaimRetentionPolicy) @protobuf(10,bytes,opt) + + // ordinals controls the numbering of replica indices in a StatefulSet. The + // default ordinals behavior assigns a "0" index to the first replica and + // increments the index by one for each additional replica requested. Using + // the ordinals field requires the StatefulSetStartOrdinal feature gate to be + // enabled, which is beta. + // +optional + ordinals?: null | #StatefulSetOrdinals @go(Ordinals,*StatefulSetOrdinals) @protobuf(11,bytes,opt) +} + +// StatefulSetStatus represents the current state of a StatefulSet. +#StatefulSetStatus: { + // observedGeneration is the most recent generation observed for this StatefulSet. It corresponds to the + // StatefulSet's generation, which is updated on mutation by the API Server. + // +optional + observedGeneration?: int64 @go(ObservedGeneration) @protobuf(1,varint,opt) + + // replicas is the number of Pods created by the StatefulSet controller. + replicas: int32 @go(Replicas) @protobuf(2,varint,opt) + + // readyReplicas is the number of pods created for this StatefulSet with a Ready Condition. + readyReplicas?: int32 @go(ReadyReplicas) @protobuf(3,varint,opt) + + // currentReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version + // indicated by currentRevision. + currentReplicas?: int32 @go(CurrentReplicas) @protobuf(4,varint,opt) + + // updatedReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version + // indicated by updateRevision. 
+ updatedReplicas?: int32 @go(UpdatedReplicas) @protobuf(5,varint,opt) + + // currentRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the + // sequence [0,currentReplicas). + currentRevision?: string @go(CurrentRevision) @protobuf(6,bytes,opt) + + // updateRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the sequence + // [replicas-updatedReplicas,replicas) + updateRevision?: string @go(UpdateRevision) @protobuf(7,bytes,opt) + + // collisionCount is the count of hash collisions for the StatefulSet. The StatefulSet controller + // uses this field as a collision avoidance mechanism when it needs to create the name for the + // newest ControllerRevision. + // +optional + collisionCount?: null | int32 @go(CollisionCount,*int32) @protobuf(9,varint,opt) + + // Represents the latest available observations of a statefulset's current state. + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#StatefulSetCondition] @go(Conditions,[]StatefulSetCondition) @protobuf(10,bytes,rep) + + // Total number of available pods (ready for at least minReadySeconds) targeted by this statefulset. + // +optional + availableReplicas: int32 @go(AvailableReplicas) @protobuf(11,varint,opt) +} + +#StatefulSetConditionType: string + +// StatefulSetCondition describes the state of a statefulset at a certain point. +#StatefulSetCondition: { + // Type of statefulset condition. + type: #StatefulSetConditionType @go(Type) @protobuf(1,bytes,opt,casttype=StatefulSetConditionType) + + // Status of the condition, one of True, False, Unknown. + status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus) + + // Last time the condition transitioned from one status to another. + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt) + + // The reason for the condition's last transition. 
+ // +optional + reason?: string @go(Reason) @protobuf(4,bytes,opt) + + // A human readable message indicating details about the transition. + // +optional + message?: string @go(Message) @protobuf(5,bytes,opt) +} + +// StatefulSetList is a collection of StatefulSets. +#StatefulSetList: { + metav1.#TypeMeta + + // Standard list's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is the list of stateful sets. + items: [...#StatefulSet] @go(Items,[]StatefulSet) @protobuf(2,bytes,rep) +} + +// Deployment enables declarative updates for Pods and ReplicaSets. +#Deployment: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Specification of the desired behavior of the Deployment. + // +optional + spec?: #DeploymentSpec @go(Spec) @protobuf(2,bytes,opt) + + // Most recently observed status of the Deployment. + // +optional + status?: #DeploymentStatus @go(Status) @protobuf(3,bytes,opt) +} + +// DeploymentSpec is the specification of the desired behavior of the Deployment. +#DeploymentSpec: { + // Number of desired pods. This is a pointer to distinguish between explicit + // zero and not specified. Defaults to 1. + // +optional + replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt) + + // Label selector for pods. Existing ReplicaSets whose pods are + // selected by this will be the ones affected by this deployment. + // It must match the pod template's labels. + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt) + + // Template describes the pods that will be created. + // The only allowed template.spec.restartPolicy value is "Always". 
+ template: v1.#PodTemplateSpec @go(Template) @protobuf(3,bytes,opt) + + // The deployment strategy to use to replace existing pods with new ones. + // +optional + // +patchStrategy=retainKeys + strategy?: #DeploymentStrategy @go(Strategy) @protobuf(4,bytes,opt) + + // Minimum number of seconds for which a newly created pod should be ready + // without any of its container crashing, for it to be considered available. + // Defaults to 0 (pod will be considered available as soon as it is ready) + // +optional + minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(5,varint,opt) + + // The number of old ReplicaSets to retain to allow rollback. + // This is a pointer to distinguish between explicit zero and not specified. + // Defaults to 10. + // +optional + revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32) @protobuf(6,varint,opt) + + // Indicates that the deployment is paused. + // +optional + paused?: bool @go(Paused) @protobuf(7,varint,opt) + + // The maximum time in seconds for a deployment to make progress before it + // is considered to be failed. The deployment controller will continue to + // process failed deployments and a condition with a ProgressDeadlineExceeded + // reason will be surfaced in the deployment status. Note that progress will + // not be estimated during the time a deployment is paused. Defaults to 600s. + progressDeadlineSeconds?: null | int32 @go(ProgressDeadlineSeconds,*int32) @protobuf(9,varint,opt) +} + +// DefaultDeploymentUniqueLabelKey is the default key of the selector that is added +// to existing ReplicaSets (and label key that is added to its pods) to prevent the existing ReplicaSets +// to select new pods (and old pods being select by new ReplicaSet). +#DefaultDeploymentUniqueLabelKey: "pod-template-hash" + +// DeploymentStrategy describes how to replace existing pods with new ones. +#DeploymentStrategy: { + // Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate. 
+ // +optional + type?: #DeploymentStrategyType @go(Type) @protobuf(1,bytes,opt,casttype=DeploymentStrategyType) + + // Rolling update config params. Present only if DeploymentStrategyType = + // RollingUpdate. + //--- + // TODO: Update this to follow our convention for oneOf, whatever we decide it + // to be. + // +optional + rollingUpdate?: null | #RollingUpdateDeployment @go(RollingUpdate,*RollingUpdateDeployment) @protobuf(2,bytes,opt) +} + +// +enum +#DeploymentStrategyType: string // #enumDeploymentStrategyType + +#enumDeploymentStrategyType: + #RecreateDeploymentStrategyType | + #RollingUpdateDeploymentStrategyType + +// Kill all existing pods before creating new ones. +#RecreateDeploymentStrategyType: #DeploymentStrategyType & "Recreate" + +// Replace the old ReplicaSets by new one using rolling update i.e gradually scale down the old ReplicaSets and scale up the new one. +#RollingUpdateDeploymentStrategyType: #DeploymentStrategyType & "RollingUpdate" + +// Spec to control the desired behavior of rolling update. +#RollingUpdateDeployment: { + // The maximum number of pods that can be unavailable during the update. + // Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + // Absolute number is calculated from percentage by rounding down. + // This can not be 0 if MaxSurge is 0. + // Defaults to 25%. + // Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods + // immediately when the rolling update starts. Once new pods are ready, old ReplicaSet + // can be scaled down further, followed by scaling up the new ReplicaSet, ensuring + // that the total number of pods available at all times during the update is at + // least 70% of desired pods. + // +optional + maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(1,bytes,opt) + + // The maximum number of pods that can be scheduled above the desired number of + // pods. 
+ // Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + // This can not be 0 if MaxUnavailable is 0. + // Absolute number is calculated from percentage by rounding up. + // Defaults to 25%. + // Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when + // the rolling update starts, such that the total number of old and new pods do not exceed + // 130% of desired pods. Once old pods have been killed, + // new ReplicaSet can be scaled up further, ensuring that total number of pods running + // at any time during the update is at most 130% of desired pods. + // +optional + maxSurge?: null | intstr.#IntOrString @go(MaxSurge,*intstr.IntOrString) @protobuf(2,bytes,opt) +} + +// DeploymentStatus is the most recently observed status of the Deployment. +#DeploymentStatus: { + // The generation observed by the deployment controller. + // +optional + observedGeneration?: int64 @go(ObservedGeneration) @protobuf(1,varint,opt) + + // Total number of non-terminated pods targeted by this deployment (their labels match the selector). + // +optional + replicas?: int32 @go(Replicas) @protobuf(2,varint,opt) + + // Total number of non-terminated pods targeted by this deployment that have the desired template spec. + // +optional + updatedReplicas?: int32 @go(UpdatedReplicas) @protobuf(3,varint,opt) + + // readyReplicas is the number of pods targeted by this Deployment with a Ready Condition. + // +optional + readyReplicas?: int32 @go(ReadyReplicas) @protobuf(7,varint,opt) + + // Total number of available pods (ready for at least minReadySeconds) targeted by this deployment. + // +optional + availableReplicas?: int32 @go(AvailableReplicas) @protobuf(4,varint,opt) + + // Total number of unavailable pods targeted by this deployment. This is the total number of + // pods that are still required for the deployment to have 100% available capacity. 
They may + // either be pods that are running but not yet available or pods that still have not been created. + // +optional + unavailableReplicas?: int32 @go(UnavailableReplicas) @protobuf(5,varint,opt) + + // Represents the latest available observations of a deployment's current state. + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#DeploymentCondition] @go(Conditions,[]DeploymentCondition) @protobuf(6,bytes,rep) + + // Count of hash collisions for the Deployment. The Deployment controller uses this + // field as a collision avoidance mechanism when it needs to create the name for the + // newest ReplicaSet. + // +optional + collisionCount?: null | int32 @go(CollisionCount,*int32) @protobuf(8,varint,opt) +} + +#DeploymentConditionType: string // #enumDeploymentConditionType + +#enumDeploymentConditionType: + #DeploymentAvailable | + #DeploymentProgressing | + #DeploymentReplicaFailure + +// Available means the deployment is available, ie. at least the minimum available +// replicas required are up and running for at least minReadySeconds. +#DeploymentAvailable: #DeploymentConditionType & "Available" + +// Progressing means the deployment is progressing. Progress for a deployment is +// considered when a new replica set is created or adopted, and when new pods scale +// up or old pods scale down. Progress is not estimated for paused deployments or +// when progressDeadlineSeconds is not specified. +#DeploymentProgressing: #DeploymentConditionType & "Progressing" + +// ReplicaFailure is added in a deployment when one of its pods fails to be created +// or deleted. +#DeploymentReplicaFailure: #DeploymentConditionType & "ReplicaFailure" + +// DeploymentCondition describes the state of a deployment at a certain point. +#DeploymentCondition: { + // Type of deployment condition. + type: #DeploymentConditionType @go(Type) @protobuf(1,bytes,opt,casttype=DeploymentConditionType) + + // Status of the condition, one of True, False, Unknown. 
+ status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus) + + // The last time this condition was updated. + lastUpdateTime?: metav1.#Time @go(LastUpdateTime) @protobuf(6,bytes,opt) + + // Last time the condition transitioned from one status to another. + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(7,bytes,opt) + + // The reason for the condition's last transition. + reason?: string @go(Reason) @protobuf(4,bytes,opt) + + // A human readable message indicating details about the transition. + message?: string @go(Message) @protobuf(5,bytes,opt) +} + +// DeploymentList is a list of Deployments. +#DeploymentList: { + metav1.#TypeMeta + + // Standard list metadata. + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is the list of Deployments. + items: [...#Deployment] @go(Items,[]Deployment) @protobuf(2,bytes,rep) +} + +// DaemonSetUpdateStrategy is a struct used to control the update strategy for a DaemonSet. +#DaemonSetUpdateStrategy: { + // Type of daemon set update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate. + // +optional + type?: #DaemonSetUpdateStrategyType @go(Type) @protobuf(1,bytes,opt) + + // Rolling update config params. Present only if type = "RollingUpdate". + //--- + // TODO: Update this to follow our convention for oneOf, whatever we decide it + // to be. Same as Deployment `strategy.rollingUpdate`. + // See https://github.com/kubernetes/kubernetes/issues/35345 + // +optional + rollingUpdate?: null | #RollingUpdateDaemonSet @go(RollingUpdate,*RollingUpdateDaemonSet) @protobuf(2,bytes,opt) +} + +// +enum +#DaemonSetUpdateStrategyType: string // #enumDaemonSetUpdateStrategyType + +#enumDaemonSetUpdateStrategyType: + #RollingUpdateDaemonSetStrategyType | + #OnDeleteDaemonSetStrategyType + +// Replace the old daemons by new ones using rolling update i.e replace them on each node one after the other. 
+#RollingUpdateDaemonSetStrategyType: #DaemonSetUpdateStrategyType & "RollingUpdate" + +// Replace the old daemons only when it's killed +#OnDeleteDaemonSetStrategyType: #DaemonSetUpdateStrategyType & "OnDelete" + +// Spec to control the desired behavior of daemon set rolling update. +#RollingUpdateDaemonSet: { + // The maximum number of DaemonSet pods that can be unavailable during the + // update. Value can be an absolute number (ex: 5) or a percentage of total + // number of DaemonSet pods at the start of the update (ex: 10%). Absolute + // number is calculated from percentage by rounding up. + // This cannot be 0 if MaxSurge is 0 + // Default value is 1. + // Example: when this is set to 30%, at most 30% of the total number of nodes + // that should be running the daemon pod (i.e. status.desiredNumberScheduled) + // can have their pods stopped for an update at any given time. The update + // starts by stopping at most 30% of those DaemonSet pods and then brings + // up new DaemonSet pods in their place. Once the new pods are available, + // it then proceeds onto other DaemonSet pods, thus ensuring that at least + // 70% of original number of DaemonSet pods are available at all times during + // the update. + // +optional + maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(1,bytes,opt) + + // The maximum number of nodes with an existing available DaemonSet pod that + // can have an updated DaemonSet pod during during an update. + // Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + // This can not be 0 if MaxUnavailable is 0. + // Absolute number is calculated from percentage by rounding up to a minimum of 1. + // Default value is 0. + // Example: when this is set to 30%, at most 30% of the total number of nodes + // that should be running the daemon pod (i.e. status.desiredNumberScheduled) + // can have their a new pod created before the old pod is marked as deleted. 
+ // The update starts by launching new pods on 30% of nodes. Once an updated + // pod is available (Ready for at least minReadySeconds) the old DaemonSet pod + // on that node is marked deleted. If the old pod becomes unavailable for any + // reason (Ready transitions to false, is evicted, or is drained) an updated + // pod is immediatedly created on that node without considering surge limits. + // Allowing surge implies the possibility that the resources consumed by the + // daemonset on any given node can double if the readiness check fails, and + // so resource intensive daemonsets should take into account that they may + // cause evictions during disruption. + // +optional + maxSurge?: null | intstr.#IntOrString @go(MaxSurge,*intstr.IntOrString) @protobuf(2,bytes,opt) +} + +// DaemonSetSpec is the specification of a daemon set. +#DaemonSetSpec: { + // A label query over pods that are managed by the daemon set. + // Must match in order to be controlled. + // It must match the pod template's labels. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(1,bytes,opt) + + // An object that describes the pod that will be created. + // The DaemonSet will create exactly one copy of this pod on every node + // that matches the template's node selector (or on every node if no node + // selector is specified). + // The only allowed template.spec.restartPolicy value is "Always". + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template + template: v1.#PodTemplateSpec @go(Template) @protobuf(2,bytes,opt) + + // An update strategy to replace existing DaemonSet pods with new pods. 
+ // +optional + updateStrategy?: #DaemonSetUpdateStrategy @go(UpdateStrategy) @protobuf(3,bytes,opt) + + // The minimum number of seconds for which a newly created DaemonSet pod should + // be ready without any of its container crashing, for it to be considered + // available. Defaults to 0 (pod will be considered available as soon as it + // is ready). + // +optional + minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(4,varint,opt) + + // The number of old history to retain to allow rollback. + // This is a pointer to distinguish between explicit zero and not specified. + // Defaults to 10. + // +optional + revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32) @protobuf(6,varint,opt) +} + +// DaemonSetStatus represents the current status of a daemon set. +#DaemonSetStatus: { + // The number of nodes that are running at least 1 + // daemon pod and are supposed to run the daemon pod. + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + currentNumberScheduled: int32 @go(CurrentNumberScheduled) @protobuf(1,varint,opt) + + // The number of nodes that are running the daemon pod, but are + // not supposed to run the daemon pod. + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + numberMisscheduled: int32 @go(NumberMisscheduled) @protobuf(2,varint,opt) + + // The total number of nodes that should be running the daemon + // pod (including nodes correctly running the daemon pod). + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + desiredNumberScheduled: int32 @go(DesiredNumberScheduled) @protobuf(3,varint,opt) + + // numberReady is the number of nodes that should be running the daemon pod and have one + // or more of the daemon pod running with a Ready Condition. + numberReady: int32 @go(NumberReady) @protobuf(4,varint,opt) + + // The most recent generation observed by the daemon set controller. 
+ // +optional + observedGeneration?: int64 @go(ObservedGeneration) @protobuf(5,varint,opt) + + // The total number of nodes that are running updated daemon pod + // +optional + updatedNumberScheduled?: int32 @go(UpdatedNumberScheduled) @protobuf(6,varint,opt) + + // The number of nodes that should be running the + // daemon pod and have one or more of the daemon pod running and + // available (ready for at least spec.minReadySeconds) + // +optional + numberAvailable?: int32 @go(NumberAvailable) @protobuf(7,varint,opt) + + // The number of nodes that should be running the + // daemon pod and have none of the daemon pod running and available + // (ready for at least spec.minReadySeconds) + // +optional + numberUnavailable?: int32 @go(NumberUnavailable) @protobuf(8,varint,opt) + + // Count of hash collisions for the DaemonSet. The DaemonSet controller + // uses this field as a collision avoidance mechanism when it needs to + // create the name for the newest ControllerRevision. + // +optional + collisionCount?: null | int32 @go(CollisionCount,*int32) @protobuf(9,varint,opt) + + // Represents the latest available observations of a DaemonSet's current state. + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#DaemonSetCondition] @go(Conditions,[]DaemonSetCondition) @protobuf(10,bytes,rep) +} + +#DaemonSetConditionType: string + +// DaemonSetCondition describes the state of a DaemonSet at a certain point. +#DaemonSetCondition: { + // Type of DaemonSet condition. + type: #DaemonSetConditionType @go(Type) @protobuf(1,bytes,opt,casttype=DaemonSetConditionType) + + // Status of the condition, one of True, False, Unknown. + status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus) + + // Last time the condition transitioned from one status to another. 
+ // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt) + + // The reason for the condition's last transition. + // +optional + reason?: string @go(Reason) @protobuf(4,bytes,opt) + + // A human readable message indicating details about the transition. + // +optional + message?: string @go(Message) @protobuf(5,bytes,opt) +} + +// DaemonSet represents the configuration of a daemon set. +#DaemonSet: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // The desired behavior of this daemon set. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #DaemonSetSpec @go(Spec) @protobuf(2,bytes,opt) + + // The current status of this daemon set. This data may be + // out of date by some window of time. + // Populated by the system. + // Read-only. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #DaemonSetStatus @go(Status) @protobuf(3,bytes,opt) +} + +// DefaultDaemonSetUniqueLabelKey is the default label key that is added +// to existing DaemonSet pods to distinguish between old and new +// DaemonSet pods during DaemonSet template updates. +#DefaultDaemonSetUniqueLabelKey: "controller-revision-hash" + +// DaemonSetList is a collection of daemon sets. +#DaemonSetList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // A list of daemon sets. 
+ items: [...#DaemonSet] @go(Items,[]DaemonSet) @protobuf(2,bytes,rep) +} + +// ReplicaSet ensures that a specified number of pod replicas are running at any given time. +#ReplicaSet: { + metav1.#TypeMeta + + // If the Labels of a ReplicaSet are empty, they are defaulted to + // be the same as the Pod(s) that the ReplicaSet manages. + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec defines the specification of the desired behavior of the ReplicaSet. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #ReplicaSetSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status is the most recently observed status of the ReplicaSet. + // This data may be out of date by some window of time. + // Populated by the system. + // Read-only. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #ReplicaSetStatus @go(Status) @protobuf(3,bytes,opt) +} + +// ReplicaSetList is a collection of ReplicaSets. +#ReplicaSetList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of ReplicaSets. + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller + items: [...#ReplicaSet] @go(Items,[]ReplicaSet) @protobuf(2,bytes,rep) +} + +// ReplicaSetSpec is the specification of a ReplicaSet. +#ReplicaSetSpec: { + // Replicas is the number of desired replicas. + // This is a pointer to distinguish between explicit zero and unspecified. + // Defaults to 1. 
+ // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller + // +optional + replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt) + + // Minimum number of seconds for which a newly created pod should be ready + // without any of its container crashing, for it to be considered available. + // Defaults to 0 (pod will be considered available as soon as it is ready) + // +optional + minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(4,varint,opt) + + // Selector is a label query over pods that should match the replica count. + // Label keys and values that must match in order to be controlled by this replica set. + // It must match the pod template's labels. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt) + + // Template is the object that describes the pod that will be created if + // insufficient replicas are detected. + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template + // +optional + template?: v1.#PodTemplateSpec @go(Template) @protobuf(3,bytes,opt) +} + +// ReplicaSetStatus represents the current status of a ReplicaSet. +#ReplicaSetStatus: { + // Replicas is the most recently observed number of replicas. + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller + replicas: int32 @go(Replicas) @protobuf(1,varint,opt) + + // The number of pods that have labels matching the labels of the pod template of the replicaset. + // +optional + fullyLabeledReplicas?: int32 @go(FullyLabeledReplicas) @protobuf(2,varint,opt) + + // readyReplicas is the number of pods targeted by this ReplicaSet with a Ready Condition. 
+ // +optional + readyReplicas?: int32 @go(ReadyReplicas) @protobuf(4,varint,opt) + + // The number of available replicas (ready for at least minReadySeconds) for this replica set. + // +optional + availableReplicas?: int32 @go(AvailableReplicas) @protobuf(5,varint,opt) + + // ObservedGeneration reflects the generation of the most recently observed ReplicaSet. + // +optional + observedGeneration?: int64 @go(ObservedGeneration) @protobuf(3,varint,opt) + + // Represents the latest available observations of a replica set's current state. + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#ReplicaSetCondition] @go(Conditions,[]ReplicaSetCondition) @protobuf(6,bytes,rep) +} + +#ReplicaSetConditionType: string // #enumReplicaSetConditionType + +#enumReplicaSetConditionType: + #ReplicaSetReplicaFailure + +// ReplicaSetReplicaFailure is added in a replica set when one of its pods fails to be created +// due to insufficient quota, limit ranges, pod security policy, node selectors, etc. or deleted +// due to kubelet being down or finalizers are failing. +#ReplicaSetReplicaFailure: #ReplicaSetConditionType & "ReplicaFailure" + +// ReplicaSetCondition describes the state of a replica set at a certain point. +#ReplicaSetCondition: { + // Type of replica set condition. + type: #ReplicaSetConditionType @go(Type) @protobuf(1,bytes,opt,casttype=ReplicaSetConditionType) + + // Status of the condition, one of True, False, Unknown. + status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus) + + // The last time the condition transitioned from one status to another. + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt) + + // The reason for the condition's last transition. + // +optional + reason?: string @go(Reason) @protobuf(4,bytes,opt) + + // A human readable message indicating details about the transition. 
+ // +optional + message?: string @go(Message) @protobuf(5,bytes,opt) +} + +// ControllerRevision implements an immutable snapshot of state data. Clients +// are responsible for serializing and deserializing the objects that contain +// their internal state. +// Once a ControllerRevision has been successfully created, it can not be updated. +// The API Server will fail validation of all requests that attempt to mutate +// the Data field. ControllerRevisions may, however, be deleted. Note that, due to its use by both +// the DaemonSet and StatefulSet controllers for update and rollback, this object is beta. However, +// it may be subject to name and representation changes in future releases, and clients should not +// depend on its stability. It is primarily for internal use by controllers. +#ControllerRevision: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Data is the serialized representation of the state. + data?: runtime.#RawExtension @go(Data) @protobuf(2,bytes,opt) + + // Revision indicates the revision of the state represented by Data. + revision: int64 @go(Revision) @protobuf(3,varint,opt) +} + +// ControllerRevisionList is a resource containing a list of ControllerRevision objects. +#ControllerRevisionList: { + metav1.#TypeMeta + + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is the list of ControllerRevisions + items: [...#ControllerRevision] @go(Items,[]ControllerRevision) @protobuf(2,bytes,rep) +} 
diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/authentication/v1/register_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/authentication/v1/register_go_gen.cue new file mode 100644 index 000000000..082560098 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/authentication/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/authentication/v1 + +package v1 + +#GroupName: "authentication.k8s.io" diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/authentication/v1/types_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/authentication/v1/types_go_gen.cue new file mode 100644 index 000000000..5f0127a65 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/authentication/v1/types_go_gen.cue 
@@ -0,0 +1,206 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/authentication/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" +) + +// ImpersonateUserHeader is used to impersonate a particular user during an API server request +#ImpersonateUserHeader: "Impersonate-User" + +// ImpersonateGroupHeader is used to impersonate a particular group during an API server request. +// It can be repeated multiplied times for multiple groups. +#ImpersonateGroupHeader: "Impersonate-Group" + +// ImpersonateUIDHeader is used to impersonate a particular UID during an API server request +#ImpersonateUIDHeader: "Impersonate-Uid" + +// ImpersonateUserExtraHeaderPrefix is a prefix for any header used to impersonate an entry in the +// extra map[string][]string for user.Info. The key will be every after the prefix. +// It can be repeated multiplied times for multiple map keys and the same key can be repeated multiple +// times to have multiple elements in the slice under a single key +#ImpersonateUserExtraHeaderPrefix: "Impersonate-Extra-" + +// TokenReview attempts to authenticate a token to a known user. +// Note: TokenReview requests may be cached by the webhook token authenticator +// plugin in the kube-apiserver. +#TokenReview: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec holds information about the request being evaluated + spec: #TokenReviewSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status is filled in by the server and indicates whether the request can be authenticated. + // +optional + status?: #TokenReviewStatus @go(Status) @protobuf(3,bytes,opt) +} + +// TokenReviewSpec is a description of the token authentication request. 
+#TokenReviewSpec: { + // Token is the opaque bearer token. + // +optional + token?: string @go(Token) @protobuf(1,bytes,opt) + + // Audiences is a list of the identifiers that the resource server presented + // with the token identifies as. Audience-aware token authenticators will + // verify that the token was intended for at least one of the audiences in + // this list. If no audiences are provided, the audience will default to the + // audience of the Kubernetes apiserver. + // +optional + audiences?: [...string] @go(Audiences,[]string) @protobuf(2,bytes,rep) +} + +// TokenReviewStatus is the result of the token authentication request. +#TokenReviewStatus: { + // Authenticated indicates that the token was associated with a known user. + // +optional + authenticated?: bool @go(Authenticated) @protobuf(1,varint,opt) + + // User is the UserInfo associated with the provided token. + // +optional + user?: #UserInfo @go(User) @protobuf(2,bytes,opt) + + // Audiences are audience identifiers chosen by the authenticator that are + // compatible with both the TokenReview and token. An identifier is any + // identifier in the intersection of the TokenReviewSpec audiences and the + // token's audiences. A client of the TokenReview API that sets the + // spec.audiences field should validate that a compatible audience identifier + // is returned in the status.audiences field to ensure that the TokenReview + // server is audience aware. If a TokenReview returns an empty + // status.audience field where status.authenticated is "true", the token is + // valid against the audience of the Kubernetes API server. + // +optional + audiences?: [...string] @go(Audiences,[]string) @protobuf(4,bytes,rep) + + // Error indicates that the token couldn't be checked + // +optional + error?: string @go(Error) @protobuf(3,bytes,opt) +} + +// UserInfo holds the information about the user needed to implement the +// user.Info interface. 
+#UserInfo: { + // The name that uniquely identifies this user among all active users. + // +optional + username?: string @go(Username) @protobuf(1,bytes,opt) + + // A unique value that identifies this user across time. If this user is + // deleted and another user by the same name is added, they will have + // different UIDs. + // +optional + uid?: string @go(UID) @protobuf(2,bytes,opt) + + // The names of groups this user is a part of. + // +optional + groups?: [...string] @go(Groups,[]string) @protobuf(3,bytes,rep) + + // Any additional information provided by the authenticator. + // +optional + extra?: {[string]: #ExtraValue} @go(Extra,map[string]ExtraValue) @protobuf(4,bytes,rep) +} + +// ExtraValue masks the value so protobuf can generate +// +protobuf.nullable=true +// +protobuf.options.(gogoproto.goproto_stringer)=false +#ExtraValue: [...string] + +// TokenRequest requests a token for a given service account. +#TokenRequest: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec holds information about the request being evaluated + spec: #TokenRequestSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status is filled in by the server and indicates whether the token can be authenticated. + // +optional + status?: #TokenRequestStatus @go(Status) @protobuf(3,bytes,opt) +} + +// TokenRequestSpec contains client provided parameters of a token request. +#TokenRequestSpec: { + // Audiences are the intendend audiences of the token. A recipient of a + // token must identify themself with an identifier in the list of + // audiences of the token, and otherwise should reject the token. A + // token issued for multiple audiences may be used to authenticate + // against any of the audiences listed but implies a high degree of + // trust between the target audiences. 
+ audiences: [...string] @go(Audiences,[]string) @protobuf(1,bytes,rep) + + // ExpirationSeconds is the requested duration of validity of the request. The + // token issuer may return a token with a different validity duration so a + // client needs to check the 'expiration' field in a response. + // +optional + expirationSeconds?: null | int64 @go(ExpirationSeconds,*int64) @protobuf(4,varint,opt) + + // BoundObjectRef is a reference to an object that the token will be bound to. + // The token will only be valid for as long as the bound object exists. + // NOTE: The API server's TokenReview endpoint will validate the + // BoundObjectRef, but other audiences may not. Keep ExpirationSeconds + // small if you want prompt revocation. + // +optional + boundObjectRef?: null | #BoundObjectReference @go(BoundObjectRef,*BoundObjectReference) @protobuf(3,bytes,opt) +} + +// TokenRequestStatus is the result of a token request. +#TokenRequestStatus: { + // Token is the opaque bearer token. + token: string @go(Token) @protobuf(1,bytes,opt) + + // ExpirationTimestamp is the time of expiration of the returned token. + expirationTimestamp: metav1.#Time @go(ExpirationTimestamp) @protobuf(2,bytes,opt) +} + +// BoundObjectReference is a reference to an object that a token is bound to. +#BoundObjectReference: { + // Kind of the referent. Valid kinds are 'Pod' and 'Secret'. + // +optional + kind?: string @go(Kind) @protobuf(1,bytes,opt) + + // API version of the referent. + // +optional + apiVersion?: string @go(APIVersion) @protobuf(2,bytes,opt) + + // Name of the referent. + // +optional + name?: string @go(Name) @protobuf(3,bytes,opt) + + // UID of the referent. + // +optional + uid?: types.#UID @go(UID) @protobuf(4,bytes,opt,name=uID,casttype=k8s.io/apimachinery/pkg/types.UID) +} + +// SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. 
+// When using impersonation, users will receive the user info of the user being impersonated. If impersonation or +// request header authentication is used, any extra keys will have their case ignored and returned as lowercase. +#SelfSubjectReview: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Status is filled in by the server with the user attributes. + status?: #SelfSubjectReviewStatus @go(Status) @protobuf(2,bytes,opt) +} + +// SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user. +#SelfSubjectReviewStatus: { + // User attributes of the user making this request. + // +optional + userInfo?: #UserInfo @go(UserInfo) @protobuf(1,bytes,opt) +} diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/authorization/v1/register_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/authorization/v1/register_go_gen.cue new file mode 100644 index 000000000..afd54ec06 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/authorization/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/authorization/v1 + +package v1 + +#GroupName: "authorization.k8s.io" diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/authorization/v1/types_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/authorization/v1/types_go_gen.cue new file mode 100644 index 000000000..6eaf81871 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/authorization/v1/types_go_gen.cue 
@@ -0,0 +1,262 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/authorization/v1 + +package v1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// SubjectAccessReview checks whether or not a user or group can perform an action. +#SubjectAccessReview: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec holds information about the request being evaluated + spec: #SubjectAccessReviewSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status is filled in by the server and indicates whether the request is allowed or not + // +optional + status?: #SubjectAccessReviewStatus @go(Status) @protobuf(3,bytes,opt) +} + +// SelfSubjectAccessReview checks whether or the current user can perform an action. Not filling in a +// spec.namespace means "in all namespaces". Self is a special case, because users should always be able +// to check whether they can perform an action +#SelfSubjectAccessReview: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec holds information about the request being evaluated. user and groups must be empty + spec: #SelfSubjectAccessReviewSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status is filled in by the server and indicates whether the request is allowed or not + // +optional + status?: #SubjectAccessReviewStatus @go(Status) @protobuf(3,bytes,opt) +} + +// LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace. +// Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions +// checking. 
+#LocalSubjectAccessReview: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec holds information about the request being evaluated. spec.namespace must be equal to the namespace + // you made the request against. If empty, it is defaulted. + spec: #SubjectAccessReviewSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status is filled in by the server and indicates whether the request is allowed or not + // +optional + status?: #SubjectAccessReviewStatus @go(Status) @protobuf(3,bytes,opt) +} + +// ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface +#ResourceAttributes: { + // Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces + // "" (empty) is defaulted for LocalSubjectAccessReviews + // "" (empty) is empty for cluster-scoped resources + // "" (empty) means "all" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview + // +optional + namespace?: string @go(Namespace) @protobuf(1,bytes,opt) + + // Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy. "*" means all. + // +optional + verb?: string @go(Verb) @protobuf(2,bytes,opt) + + // Group is the API Group of the Resource. "*" means all. + // +optional + group?: string @go(Group) @protobuf(3,bytes,opt) + + // Version is the API Version of the Resource. "*" means all. + // +optional + version?: string @go(Version) @protobuf(4,bytes,opt) + + // Resource is one of the existing resource types. "*" means all. + // +optional + resource?: string @go(Resource) @protobuf(5,bytes,opt) + + // Subresource is one of the existing resource types. "" means none. 
+ // +optional + subresource?: string @go(Subresource) @protobuf(6,bytes,opt) + + // Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all. + // +optional + name?: string @go(Name) @protobuf(7,bytes,opt) +} + +// NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface +#NonResourceAttributes: { + // Path is the URL path of the request + // +optional + path?: string @go(Path) @protobuf(1,bytes,opt) + + // Verb is the standard HTTP verb + // +optional + verb?: string @go(Verb) @protobuf(2,bytes,opt) +} + +// SubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes +// and NonResourceAuthorizationAttributes must be set +#SubjectAccessReviewSpec: { + // ResourceAuthorizationAttributes describes information for a resource access request + // +optional + resourceAttributes?: null | #ResourceAttributes @go(ResourceAttributes,*ResourceAttributes) @protobuf(1,bytes,opt) + + // NonResourceAttributes describes information for a non-resource access request + // +optional + nonResourceAttributes?: null | #NonResourceAttributes @go(NonResourceAttributes,*NonResourceAttributes) @protobuf(2,bytes,opt) + + // User is the user you're testing for. + // If you specify "User" but not "Groups", then is it interpreted as "What if User were not a member of any groups + // +optional + user?: string @go(User) @protobuf(3,bytes,opt) + + // Groups is the groups you're testing for. + // +optional + groups?: [...string] @go(Groups,[]string) @protobuf(4,bytes,rep) + + // Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer + // it needs a reflection here. + // +optional + extra?: {[string]: #ExtraValue} @go(Extra,map[string]ExtraValue) @protobuf(5,bytes,rep) + + // UID information about the requesting user. 
+ // +optional + uid?: string @go(UID) @protobuf(6,bytes,opt) +} + +// ExtraValue masks the value so protobuf can generate +// +protobuf.nullable=true +// +protobuf.options.(gogoproto.goproto_stringer)=false +#ExtraValue: [...string] + +// SelfSubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes +// and NonResourceAuthorizationAttributes must be set +#SelfSubjectAccessReviewSpec: { + // ResourceAuthorizationAttributes describes information for a resource access request + // +optional + resourceAttributes?: null | #ResourceAttributes @go(ResourceAttributes,*ResourceAttributes) @protobuf(1,bytes,opt) + + // NonResourceAttributes describes information for a non-resource access request + // +optional + nonResourceAttributes?: null | #NonResourceAttributes @go(NonResourceAttributes,*NonResourceAttributes) @protobuf(2,bytes,opt) +} + +// SubjectAccessReviewStatus +#SubjectAccessReviewStatus: { + // Allowed is required. True if the action would be allowed, false otherwise. + allowed: bool @go(Allowed) @protobuf(1,varint,opt) + + // Denied is optional. True if the action would be denied, otherwise + // false. If both allowed is false and denied is false, then the + // authorizer has no opinion on whether to authorize the action. Denied + // may not be true if Allowed is true. + // +optional + denied?: bool @go(Denied) @protobuf(4,varint,opt) + + // Reason is optional. It indicates why a request was allowed or denied. + // +optional + reason?: string @go(Reason) @protobuf(2,bytes,opt) + + // EvaluationError is an indication that some error occurred during the authorization check. + // It is entirely possible to get an error and be able to continue determine authorization status in spite of it. + // For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request. 
+ // +optional + evaluationError?: string @go(EvaluationError) @protobuf(3,bytes,opt) +} + +// SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace. +// The returned list of actions may be incomplete depending on the server's authorization mode, +// and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions, +// or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to +// drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns. +// SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server. +#SelfSubjectRulesReview: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec holds information about the request being evaluated. + spec: #SelfSubjectRulesReviewSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status is filled in by the server and indicates the set of actions a user can perform. + // +optional + status?: #SubjectRulesReviewStatus @go(Status) @protobuf(3,bytes,opt) +} + +// SelfSubjectRulesReviewSpec defines the specification for SelfSubjectRulesReview. +#SelfSubjectRulesReviewSpec: { + // Namespace to evaluate rules for. Required. + namespace?: string @go(Namespace) @protobuf(1,bytes,opt) +} + +// SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on +// the set of authorizers the server is configured with and any errors experienced during evaluation. +// Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission, +// even if that list is incomplete. 
+#SubjectRulesReviewStatus: { + // ResourceRules is the list of actions the subject is allowed to perform on resources. + // The list ordering isn't significant, may contain duplicates, and possibly be incomplete. + resourceRules: [...#ResourceRule] @go(ResourceRules,[]ResourceRule) @protobuf(1,bytes,rep) + + // NonResourceRules is the list of actions the subject is allowed to perform on non-resources. + // The list ordering isn't significant, may contain duplicates, and possibly be incomplete. + nonResourceRules: [...#NonResourceRule] @go(NonResourceRules,[]NonResourceRule) @protobuf(2,bytes,rep) + + // Incomplete is true when the rules returned by this call are incomplete. This is most commonly + // encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation. + incomplete: bool @go(Incomplete) @protobuf(3,bytes,rep) + + // EvaluationError can appear in combination with Rules. It indicates an error occurred during + // rule evaluation, such as an authorizer that doesn't support rule evaluation, and that + // ResourceRules and/or NonResourceRules may be incomplete. + // +optional + evaluationError?: string @go(EvaluationError) @protobuf(4,bytes,opt) +} + +// ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, +// may contain duplicates, and possibly be incomplete. +#ResourceRule: { + // Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. "*" means all. + verbs: [...string] @go(Verbs,[]string) @protobuf(1,bytes,rep) + + // APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of + // the enumerated resources in any API group will be allowed. "*" means all. + // +optional + apiGroups?: [...string] @go(APIGroups,[]string) @protobuf(2,bytes,rep) + + // Resources is a list of resources this rule applies to. 
"*" means all in the specified apiGroups. + // "*/foo" represents the subresource 'foo' for all resources in the specified apiGroups. + // +optional + resources?: [...string] @go(Resources,[]string) @protobuf(3,bytes,rep) + + // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. "*" means all. + // +optional + resourceNames?: [...string] @go(ResourceNames,[]string) @protobuf(4,bytes,rep) +} + +// NonResourceRule holds information that describes a rule for the non-resource +#NonResourceRule: { + // Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. "*" means all. + verbs: [...string] @go(Verbs,[]string) @protobuf(1,bytes,rep) + + // NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, + // final step in the path. "*" means all. + // +optional + nonResourceURLs?: [...string] @go(NonResourceURLs,[]string) @protobuf(2,bytes,rep) +} diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/autoscaling/v1/register_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/autoscaling/v1/register_go_gen.cue new file mode 100644 index 000000000..0a7f3423c --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/autoscaling/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/autoscaling/v1 + +package v1 + +#GroupName: "autoscaling" diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/autoscaling/v1/types_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/autoscaling/v1/types_go_gen.cue new file mode 100644 index 000000000..6e873a358 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/autoscaling/v1/types_go_gen.cue 
@@ -0,0 +1,542 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/autoscaling/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/api/resource" + "k8s.io/api/core/v1" +) + +// CrossVersionObjectReference contains enough information to let you identify the referred resource. +// +structType=atomic +#CrossVersionObjectReference: { + // kind is the kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: string @go(Kind) @protobuf(1,bytes,opt) + + // name is the name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name: string @go(Name) @protobuf(2,bytes,opt) + + // apiVersion is the API version of the referent + // +optional + apiVersion?: string @go(APIVersion) @protobuf(3,bytes,opt) +} + +// specification of a horizontal pod autoscaler. +#HorizontalPodAutoscalerSpec: { + // reference to scaled resource; horizontal pod autoscaler will learn the current resource consumption + // and will set the desired number of pods by using its Scale subresource. + scaleTargetRef: #CrossVersionObjectReference @go(ScaleTargetRef) @protobuf(1,bytes,opt) + + // minReplicas is the lower limit for the number of replicas to which the autoscaler + // can scale down. It defaults to 1 pod. minReplicas is allowed to be 0 if the + // alpha feature gate HPAScaleToZero is enabled and at least one Object or External + // metric is configured. Scaling is active as long as at least one metric value is + // available. + // +optional + minReplicas?: null | int32 @go(MinReplicas,*int32) @protobuf(2,varint,opt) + + // maxReplicas is the upper limit for the number of pods that can be set by the autoscaler; cannot be smaller than MinReplicas. 
+ maxReplicas: int32 @go(MaxReplicas) @protobuf(3,varint,opt) + + // targetCPUUtilizationPercentage is the target average CPU utilization (represented as a percentage of requested CPU) over all the pods; + // if not specified the default autoscaling policy will be used. + // +optional + targetCPUUtilizationPercentage?: null | int32 @go(TargetCPUUtilizationPercentage,*int32) @protobuf(4,varint,opt) +} + +// current status of a horizontal pod autoscaler +#HorizontalPodAutoscalerStatus: { + // observedGeneration is the most recent generation observed by this autoscaler. + // +optional + observedGeneration?: null | int64 @go(ObservedGeneration,*int64) @protobuf(1,varint,opt) + + // lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods; + // used by the autoscaler to control how often the number of pods is changed. + // +optional + lastScaleTime?: null | metav1.#Time @go(LastScaleTime,*metav1.Time) @protobuf(2,bytes,opt) + + // currentReplicas is the current number of replicas of pods managed by this autoscaler. + currentReplicas: int32 @go(CurrentReplicas) @protobuf(3,varint,opt) + + // desiredReplicas is the desired number of replicas of pods managed by this autoscaler. + desiredReplicas: int32 @go(DesiredReplicas) @protobuf(4,varint,opt) + + // currentCPUUtilizationPercentage is the current average CPU utilization over all pods, represented as a percentage of requested CPU, + // e.g. 70 means that an average pod is using now 70% of its requested CPU. + // +optional + currentCPUUtilizationPercentage?: null | int32 @go(CurrentCPUUtilizationPercentage,*int32) @protobuf(5,varint,opt) +} + +// configuration of a horizontal pod autoscaler. +#HorizontalPodAutoscaler: { + metav1.#TypeMeta + + // Standard object metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec defines the behaviour of autoscaler. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. + // +optional + spec?: #HorizontalPodAutoscalerSpec @go(Spec) @protobuf(2,bytes,opt) + + // status is the current information about the autoscaler. + // +optional + status?: #HorizontalPodAutoscalerStatus @go(Status) @protobuf(3,bytes,opt) +} + +// list of horizontal pod autoscaler objects. +#HorizontalPodAutoscalerList: { + metav1.#TypeMeta + + // Standard list metadata. + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of horizontal pod autoscaler objects. + items: [...#HorizontalPodAutoscaler] @go(Items,[]HorizontalPodAutoscaler) @protobuf(2,bytes,rep) +} + +// Scale represents a scaling request for a resource. +#Scale: { + metav1.#TypeMeta + + // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata. + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. + // +optional + spec?: #ScaleSpec @go(Spec) @protobuf(2,bytes,opt) + + // status is the current status of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. Read-only. + // +optional + status?: #ScaleStatus @go(Status) @protobuf(3,bytes,opt) +} + +// ScaleSpec describes the attributes of a scale subresource. +#ScaleSpec: { + // replicas is the desired number of instances for the scaled object. 
+ // +optional + replicas?: int32 @go(Replicas) @protobuf(1,varint,opt) +} + +// ScaleStatus represents the current status of a scale subresource. +#ScaleStatus: { + // replicas is the actual number of observed instances of the scaled object. + replicas: int32 @go(Replicas) @protobuf(1,varint,opt) + + // selector is the label query over pods that should match the replicas count. This is same + // as the label selector but in the string format to avoid introspection + // by clients. The string will be in the same format as the query-param syntax. + // More info about label selectors: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + // +optional + selector?: string @go(Selector) @protobuf(2,bytes,opt) +} + +// MetricSourceType indicates the type of metric. +// +enum +#MetricSourceType: string // #enumMetricSourceType + +#enumMetricSourceType: + #ObjectMetricSourceType | + #PodsMetricSourceType | + #ResourceMetricSourceType | + #ContainerResourceMetricSourceType | + #ExternalMetricSourceType + +// ObjectMetricSourceType is a metric describing a kubernetes object +// (for example, hits-per-second on an Ingress object). +#ObjectMetricSourceType: #MetricSourceType & "Object" + +// PodsMetricSourceType is a metric describing each pod in the current scale +// target (for example, transactions-processed-per-second). The values +// will be averaged together before being compared to the target value. +#PodsMetricSourceType: #MetricSourceType & "Pods" + +// ResourceMetricSourceType is a resource metric known to Kubernetes, as +// specified in requests and limits, describing each pod in the current +// scale target (e.g. CPU or memory). Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available +// to normal per-pod metrics (the "pods" source). 
+#ResourceMetricSourceType: #MetricSourceType & "Resource" + +// ContainerResourceMetricSourceType is a resource metric known to Kubernetes, as +// specified in requests and limits, describing a single container in each pod in the current +// scale target (e.g. CPU or memory). Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available +// to normal per-pod metrics (the "pods" source). +#ContainerResourceMetricSourceType: #MetricSourceType & "ContainerResource" + +// ExternalMetricSourceType is a global metric that is not associated +// with any Kubernetes object. It allows autoscaling based on information +// coming from components running outside of cluster +// (for example length of queue in cloud messaging service, or +// QPS from loadbalancer running outside of cluster). +#ExternalMetricSourceType: #MetricSourceType & "External" + +// MetricSpec specifies how to scale based on a single metric +// (only `type` and one other matching field should be set at once). +#MetricSpec: { + // type is the type of metric source. It should be one of "ContainerResource", + // "External", "Object", "Pods" or "Resource", each mapping to a matching field in the object. + // Note: "ContainerResource" type is available on when the feature-gate + // HPAContainerMetrics is enabled + type: #MetricSourceType @go(Type) @protobuf(1,bytes) + + // object refers to a metric describing a single kubernetes object + // (for example, hits-per-second on an Ingress object). + // +optional + object?: null | #ObjectMetricSource @go(Object,*ObjectMetricSource) @protobuf(2,bytes,opt) + + // pods refers to a metric describing each pod in the current scale target + // (for example, transactions-processed-per-second). The values will be + // averaged together before being compared to the target value. 
+ // +optional + pods?: null | #PodsMetricSource @go(Pods,*PodsMetricSource) @protobuf(3,bytes,opt) + + // resource refers to a resource metric (such as those specified in + // requests and limits) known to Kubernetes describing each pod in the + // current scale target (e.g. CPU or memory). Such metrics are built in to + // Kubernetes, and have special scaling options on top of those available + // to normal per-pod metrics using the "pods" source. + // +optional + resource?: null | #ResourceMetricSource @go(Resource,*ResourceMetricSource) @protobuf(4,bytes,opt) + + // containerResource refers to a resource metric (such as those specified in + // requests and limits) known to Kubernetes describing a single container in each pod of the + // current scale target (e.g. CPU or memory). Such metrics are built in to + // Kubernetes, and have special scaling options on top of those available + // to normal per-pod metrics using the "pods" source. + // This is an alpha feature and can be enabled by the HPAContainerMetrics feature flag. + // +optional + containerResource?: null | #ContainerResourceMetricSource @go(ContainerResource,*ContainerResourceMetricSource) @protobuf(7,bytes,opt) + + // external refers to a global metric that is not associated + // with any Kubernetes object. It allows autoscaling based on information + // coming from components running outside of cluster + // (for example length of queue in cloud messaging service, or + // QPS from loadbalancer running outside of cluster). + // +optional + external?: null | #ExternalMetricSource @go(External,*ExternalMetricSource) @protobuf(5,bytes,opt) +} + +// ObjectMetricSource indicates how to scale on a metric describing a +// kubernetes object (for example, hits-per-second on an Ingress object). +#ObjectMetricSource: { + // target is the described Kubernetes object. + target: #CrossVersionObjectReference @go(Target) @protobuf(1,bytes) + + // metricName is the name of the metric in question. 
+ metricName: string @go(MetricName) @protobuf(2,bytes) + + // targetValue is the target value of the metric (as a quantity). + targetValue: resource.#Quantity @go(TargetValue) @protobuf(3,bytes) + + // selector is the string-encoded form of a standard kubernetes label selector for the given metric. + // When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping + // When unset, just the metricName will be used to gather metrics. + // +optional + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(4,bytes) + + // averageValue is the target value of the average of the + // metric across all relevant pods (as a quantity) + // +optional + averageValue?: null | resource.#Quantity @go(AverageValue,*resource.Quantity) @protobuf(5,bytes) +} + +// PodsMetricSource indicates how to scale on a metric describing each pod in +// the current scale target (for example, transactions-processed-per-second). +// The values will be averaged together before being compared to the target +// value. +#PodsMetricSource: { + // metricName is the name of the metric in question + metricName: string @go(MetricName) @protobuf(1,bytes) + + // targetAverageValue is the target value of the average of the + // metric across all relevant pods (as a quantity) + targetAverageValue: resource.#Quantity @go(TargetAverageValue) @protobuf(2,bytes) + + // selector is the string-encoded form of a standard kubernetes label selector for the given metric + // When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping + // When unset, just the metricName will be used to gather metrics. + // +optional + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(3,bytes) +} + +// ResourceMetricSource indicates how to scale on a resource metric known to +// Kubernetes, as specified in requests and limits, describing each pod in the +// current scale target (e.g. 
CPU or memory). The values will be averaged +// together before being compared to the target. Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available to +// normal per-pod metrics using the "pods" source. Only one "target" type +// should be set. +#ResourceMetricSource: { + // name is the name of the resource in question. + name: v1.#ResourceName @go(Name) @protobuf(1,bytes) + + // targetAverageUtilization is the target value of the average of the + // resource metric across all relevant pods, represented as a percentage of + // the requested value of the resource for the pods. + // +optional + targetAverageUtilization?: null | int32 @go(TargetAverageUtilization,*int32) @protobuf(2,varint,opt) + + // targetAverageValue is the target value of the average of the + // resource metric across all relevant pods, as a raw value (instead of as + // a percentage of the request), similar to the "pods" metric source type. + // +optional + targetAverageValue?: null | resource.#Quantity @go(TargetAverageValue,*resource.Quantity) @protobuf(3,bytes,opt) +} + +// ContainerResourceMetricSource indicates how to scale on a resource metric known to +// Kubernetes, as specified in the requests and limits, describing a single container in +// each of the pods of the current scale target(e.g. CPU or memory). The values will be +// averaged together before being compared to the target. Such metrics are built into +// Kubernetes, and have special scaling options on top of those available to +// normal per-pod metrics using the "pods" source. Only one "target" type +// should be set. +#ContainerResourceMetricSource: { + // name is the name of the resource in question. + name: v1.#ResourceName @go(Name) @protobuf(1,bytes) + + // targetAverageUtilization is the target value of the average of the + // resource metric across all relevant pods, represented as a percentage of + // the requested value of the resource for the pods. 
+ // +optional + targetAverageUtilization?: null | int32 @go(TargetAverageUtilization,*int32) @protobuf(2,varint,opt) + + // targetAverageValue is the target value of the average of the + // resource metric across all relevant pods, as a raw value (instead of as + // a percentage of the request), similar to the "pods" metric source type. + // +optional + targetAverageValue?: null | resource.#Quantity @go(TargetAverageValue,*resource.Quantity) @protobuf(3,bytes,opt) + + // container is the name of the container in the pods of the scaling target. + container: string @go(Container) @protobuf(5,bytes,opt) +} + +// ExternalMetricSource indicates how to scale on a metric not associated with +// any Kubernetes object (for example length of queue in cloud +// messaging service, or QPS from loadbalancer running outside of cluster). +#ExternalMetricSource: { + // metricName is the name of the metric in question. + metricName: string @go(MetricName) @protobuf(1,bytes) + + // metricSelector is used to identify a specific time series + // within a given metric. + // +optional + metricSelector?: null | metav1.#LabelSelector @go(MetricSelector,*metav1.LabelSelector) @protobuf(2,bytes,opt) + + // targetValue is the target value of the metric (as a quantity). + // Mutually exclusive with TargetAverageValue. + // +optional + targetValue?: null | resource.#Quantity @go(TargetValue,*resource.Quantity) @protobuf(3,bytes,opt) + + // targetAverageValue is the target per-pod value of global metric (as a quantity). + // Mutually exclusive with TargetValue. + // +optional + targetAverageValue?: null | resource.#Quantity @go(TargetAverageValue,*resource.Quantity) @protobuf(4,bytes,opt) +} + +// MetricStatus describes the last-read state of a single metric. +#MetricStatus: { + // type is the type of metric source. It will be one of "ContainerResource", + // "External", "Object", "Pods" or "Resource", each corresponds to a matching field in the object. 
+ // Note: "ContainerResource" type is available on when the feature-gate + // HPAContainerMetrics is enabled + type: #MetricSourceType @go(Type) @protobuf(1,bytes) + + // object refers to a metric describing a single kubernetes object + // (for example, hits-per-second on an Ingress object). + // +optional + object?: null | #ObjectMetricStatus @go(Object,*ObjectMetricStatus) @protobuf(2,bytes,opt) + + // pods refers to a metric describing each pod in the current scale target + // (for example, transactions-processed-per-second). The values will be + // averaged together before being compared to the target value. + // +optional + pods?: null | #PodsMetricStatus @go(Pods,*PodsMetricStatus) @protobuf(3,bytes,opt) + + // resource refers to a resource metric (such as those specified in + // requests and limits) known to Kubernetes describing each pod in the + // current scale target (e.g. CPU or memory). Such metrics are built in to + // Kubernetes, and have special scaling options on top of those available + // to normal per-pod metrics using the "pods" source. + // +optional + resource?: null | #ResourceMetricStatus @go(Resource,*ResourceMetricStatus) @protobuf(4,bytes,opt) + + // containerResource refers to a resource metric (such as those specified in + // requests and limits) known to Kubernetes describing a single container in each pod in the + // current scale target (e.g. CPU or memory). Such metrics are built in to + // Kubernetes, and have special scaling options on top of those available + // to normal per-pod metrics using the "pods" source. + // +optional + containerResource?: null | #ContainerResourceMetricStatus @go(ContainerResource,*ContainerResourceMetricStatus) @protobuf(7,bytes,opt) + + // external refers to a global metric that is not associated + // with any Kubernetes object. 
It allows autoscaling based on information + // coming from components running outside of cluster + // (for example length of queue in cloud messaging service, or + // QPS from loadbalancer running outside of cluster). + // +optional + external?: null | #ExternalMetricStatus @go(External,*ExternalMetricStatus) @protobuf(5,bytes,opt) +} + +// HorizontalPodAutoscalerConditionType are the valid conditions of +// a HorizontalPodAutoscaler. +#HorizontalPodAutoscalerConditionType: string // #enumHorizontalPodAutoscalerConditionType + +#enumHorizontalPodAutoscalerConditionType: + #ScalingActive | + #AbleToScale | + #ScalingLimited + +// ScalingActive indicates that the HPA controller is able to scale if necessary: +// it's correctly configured, can fetch the desired metrics, and isn't disabled. +#ScalingActive: #HorizontalPodAutoscalerConditionType & "ScalingActive" + +// AbleToScale indicates a lack of transient issues which prevent scaling from occurring, +// such as being in a backoff window, or being unable to access/update the target scale. +#AbleToScale: #HorizontalPodAutoscalerConditionType & "AbleToScale" + +// ScalingLimited indicates that the calculated scale based on metrics would be above or +// below the range for the HPA, and has thus been capped. +#ScalingLimited: #HorizontalPodAutoscalerConditionType & "ScalingLimited" + +// HorizontalPodAutoscalerCondition describes the state of +// a HorizontalPodAutoscaler at a certain point. 
+#HorizontalPodAutoscalerCondition: { + // type describes the current condition + type: #HorizontalPodAutoscalerConditionType @go(Type) @protobuf(1,bytes) + + // status is the status of the condition (True, False, Unknown) + status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes) + + // lastTransitionTime is the last time the condition transitioned from + // one status to another + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt) + + // reason is the reason for the condition's last transition. + // +optional + reason?: string @go(Reason) @protobuf(4,bytes,opt) + + // message is a human-readable explanation containing details about + // the transition + // +optional + message?: string @go(Message) @protobuf(5,bytes,opt) +} + +// ObjectMetricStatus indicates the current value of a metric describing a +// kubernetes object (for example, hits-per-second on an Ingress object). +#ObjectMetricStatus: { + // target is the described Kubernetes object. + target: #CrossVersionObjectReference @go(Target) @protobuf(1,bytes) + + // metricName is the name of the metric in question. + metricName: string @go(MetricName) @protobuf(2,bytes) + + // currentValue is the current value of the metric (as a quantity). + currentValue: resource.#Quantity @go(CurrentValue) @protobuf(3,bytes) + + // selector is the string-encoded form of a standard kubernetes label selector for the given metric + // When set in the ObjectMetricSource, it is passed as an additional parameter to the metrics server for more specific metrics scoping. + // When unset, just the metricName will be used to gather metrics. 
+ // +optional + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(4,bytes) + + // averageValue is the current value of the average of the + // metric across all relevant pods (as a quantity) + // +optional + averageValue?: null | resource.#Quantity @go(AverageValue,*resource.Quantity) @protobuf(5,bytes) +} + +// PodsMetricStatus indicates the current value of a metric describing each pod in +// the current scale target (for example, transactions-processed-per-second). +#PodsMetricStatus: { + // metricName is the name of the metric in question + metricName: string @go(MetricName) @protobuf(1,bytes) + + // currentAverageValue is the current value of the average of the + // metric across all relevant pods (as a quantity) + currentAverageValue: resource.#Quantity @go(CurrentAverageValue) @protobuf(2,bytes) + + // selector is the string-encoded form of a standard kubernetes label selector for the given metric + // When set in the PodsMetricSource, it is passed as an additional parameter to the metrics server for more specific metrics scoping. + // When unset, just the metricName will be used to gather metrics. + // +optional + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(3,bytes) +} + +// ResourceMetricStatus indicates the current value of a resource metric known to +// Kubernetes, as specified in requests and limits, describing each pod in the +// current scale target (e.g. CPU or memory). Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available to +// normal per-pod metrics using the "pods" source. +#ResourceMetricStatus: { + // name is the name of the resource in question. + name: v1.#ResourceName @go(Name) @protobuf(1,bytes) + + // currentAverageUtilization is the current value of the average of the + // resource metric across all relevant pods, represented as a percentage of + // the requested value of the resource for the pods. 
It will only be + // present if `targetAverageValue` was set in the corresponding metric + // specification. + // +optional + currentAverageUtilization?: null | int32 @go(CurrentAverageUtilization,*int32) @protobuf(2,bytes,opt) + + // currentAverageValue is the current value of the average of the + // resource metric across all relevant pods, as a raw value (instead of as + // a percentage of the request), similar to the "pods" metric source type. + // It will always be set, regardless of the corresponding metric specification. + currentAverageValue: resource.#Quantity @go(CurrentAverageValue) @protobuf(3,bytes) +} + +// ContainerResourceMetricStatus indicates the current value of a resource metric known to +// Kubernetes, as specified in requests and limits, describing a single container in each pod in the +// current scale target (e.g. CPU or memory). Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available to +// normal per-pod metrics using the "pods" source. +#ContainerResourceMetricStatus: { + // name is the name of the resource in question. + name: v1.#ResourceName @go(Name) @protobuf(1,bytes) + + // currentAverageUtilization is the current value of the average of the + // resource metric across all relevant pods, represented as a percentage of + // the requested value of the resource for the pods. It will only be + // present if `targetAverageValue` was set in the corresponding metric + // specification. + // +optional + currentAverageUtilization?: null | int32 @go(CurrentAverageUtilization,*int32) @protobuf(2,bytes,opt) + + // currentAverageValue is the current value of the average of the + // resource metric across all relevant pods, as a raw value (instead of as + // a percentage of the request), similar to the "pods" metric source type. + // It will always be set, regardless of the corresponding metric specification. 
+ currentAverageValue: resource.#Quantity @go(CurrentAverageValue) @protobuf(3,bytes) + + // container is the name of the container in the pods of the scaling taget + container: string @go(Container) @protobuf(4,bytes,opt) +} + +// ExternalMetricStatus indicates the current value of a global metric +// not associated with any Kubernetes object. +#ExternalMetricStatus: { + // metricName is the name of a metric used for autoscaling in + // metric system. + metricName: string @go(MetricName) @protobuf(1,bytes) + + // metricSelector is used to identify a specific time series + // within a given metric. + // +optional + metricSelector?: null | metav1.#LabelSelector @go(MetricSelector,*metav1.LabelSelector) @protobuf(2,bytes,opt) + + // currentValue is the current value of the metric (as a quantity) + currentValue: resource.#Quantity @go(CurrentValue) @protobuf(3,bytes) + + // currentAverageValue is the current value of metric averaged over autoscaled pods. + // +optional + currentAverageValue?: null | resource.#Quantity @go(CurrentAverageValue,*resource.Quantity) @protobuf(4,bytes,opt) +} diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/autoscaling/v2/register_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/autoscaling/v2/register_go_gen.cue new file mode 100644 index 000000000..aea0fb269 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/autoscaling/v2/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/autoscaling/v2 + +package v2 + +#GroupName: "autoscaling" diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/autoscaling/v2/types_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/autoscaling/v2/types_go_gen.cue new file mode 100644 index 000000000..767020856 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/autoscaling/v2/types_go_gen.cue 
@@ -0,0 +1,597 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/autoscaling/v2 + +package v2 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/resource" +) + +// HorizontalPodAutoscaler is the configuration for a horizontal pod +// autoscaler, which automatically manages the replica count of any resource +// implementing the scale subresource based on the metrics specified. +#HorizontalPodAutoscaler: { + metav1.#TypeMeta + + // metadata is the standard object metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec is the specification for the behaviour of the autoscaler. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. + // +optional + spec?: #HorizontalPodAutoscalerSpec @go(Spec) @protobuf(2,bytes,opt) + + // status is the current information about the autoscaler. + // +optional + status?: #HorizontalPodAutoscalerStatus @go(Status) @protobuf(3,bytes,opt) +} + +// HorizontalPodAutoscalerSpec describes the desired functionality of the HorizontalPodAutoscaler. +#HorizontalPodAutoscalerSpec: { + // scaleTargetRef points to the target resource to scale, and is used to the pods for which metrics + // should be collected, as well as to actually change the replica count. + scaleTargetRef: #CrossVersionObjectReference @go(ScaleTargetRef) @protobuf(1,bytes,opt) + + // minReplicas is the lower limit for the number of replicas to which the autoscaler + // can scale down. It defaults to 1 pod. minReplicas is allowed to be 0 if the + // alpha feature gate HPAScaleToZero is enabled and at least one Object or External + // metric is configured. Scaling is active as long as at least one metric value is + // available. 
+ // +optional + minReplicas?: null | int32 @go(MinReplicas,*int32) @protobuf(2,varint,opt) + + // maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up. + // It cannot be less that minReplicas. + maxReplicas: int32 @go(MaxReplicas) @protobuf(3,varint,opt) + + // metrics contains the specifications for which to use to calculate the + // desired replica count (the maximum replica count across all metrics will + // be used). The desired replica count is calculated multiplying the + // ratio between the target value and the current value by the current + // number of pods. Ergo, metrics used must decrease as the pod count is + // increased, and vice-versa. See the individual metric source types for + // more information about how each type of metric must respond. + // If not set, the default metric will be set to 80% average CPU utilization. + // +listType=atomic + // +optional + metrics?: [...#MetricSpec] @go(Metrics,[]MetricSpec) @protobuf(4,bytes,rep) + + // behavior configures the scaling behavior of the target + // in both Up and Down directions (scaleUp and scaleDown fields respectively). + // If not set, the default HPAScalingRules for scale up and scale down are used. + // +optional + behavior?: null | #HorizontalPodAutoscalerBehavior @go(Behavior,*HorizontalPodAutoscalerBehavior) @protobuf(5,bytes,opt) +} + +// CrossVersionObjectReference contains enough information to let you identify the referred resource. 
+#CrossVersionObjectReference: { + // kind is the kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: string @go(Kind) @protobuf(1,bytes,opt) + + // name is the name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name: string @go(Name) @protobuf(2,bytes,opt) + + // apiVersion is the API version of the referent + // +optional + apiVersion?: string @go(APIVersion) @protobuf(3,bytes,opt) +} + +// MetricSpec specifies how to scale based on a single metric +// (only `type` and one other matching field should be set at once). +#MetricSpec: { + // type is the type of metric source. It should be one of "ContainerResource", "External", + // "Object", "Pods" or "Resource", each mapping to a matching field in the object. + // Note: "ContainerResource" type is available on when the feature-gate + // HPAContainerMetrics is enabled + type: #MetricSourceType @go(Type) @protobuf(1,bytes) + + // object refers to a metric describing a single kubernetes object + // (for example, hits-per-second on an Ingress object). + // +optional + object?: null | #ObjectMetricSource @go(Object,*ObjectMetricSource) @protobuf(2,bytes,opt) + + // pods refers to a metric describing each pod in the current scale target + // (for example, transactions-processed-per-second). The values will be + // averaged together before being compared to the target value. + // +optional + pods?: null | #PodsMetricSource @go(Pods,*PodsMetricSource) @protobuf(3,bytes,opt) + + // resource refers to a resource metric (such as those specified in + // requests and limits) known to Kubernetes describing each pod in the + // current scale target (e.g. CPU or memory). Such metrics are built in to + // Kubernetes, and have special scaling options on top of those available + // to normal per-pod metrics using the "pods" source. 
+ // +optional + resource?: null | #ResourceMetricSource @go(Resource,*ResourceMetricSource) @protobuf(4,bytes,opt) + + // containerResource refers to a resource metric (such as those specified in + // requests and limits) known to Kubernetes describing a single container in + // each pod of the current scale target (e.g. CPU or memory). Such metrics are + // built in to Kubernetes, and have special scaling options on top of those + // available to normal per-pod metrics using the "pods" source. + // This is an alpha feature and can be enabled by the HPAContainerMetrics feature flag. + // +optional + containerResource?: null | #ContainerResourceMetricSource @go(ContainerResource,*ContainerResourceMetricSource) @protobuf(7,bytes,opt) + + // external refers to a global metric that is not associated + // with any Kubernetes object. It allows autoscaling based on information + // coming from components running outside of cluster + // (for example length of queue in cloud messaging service, or + // QPS from loadbalancer running outside of cluster). + // +optional + external?: null | #ExternalMetricSource @go(External,*ExternalMetricSource) @protobuf(5,bytes,opt) +} + +// HorizontalPodAutoscalerBehavior configures the scaling behavior of the target +// in both Up and Down directions (scaleUp and scaleDown fields respectively). +#HorizontalPodAutoscalerBehavior: { + // scaleUp is scaling policy for scaling Up. + // If not set, the default value is the higher of: + // * increase no more than 4 pods per 60 seconds + // * double the number of pods per 60 seconds + // No stabilization is used. + // +optional + scaleUp?: null | #HPAScalingRules @go(ScaleUp,*HPAScalingRules) @protobuf(1,bytes,opt) + + // scaleDown is scaling policy for scaling Down. + // If not set, the default value is to allow to scale down to minReplicas pods, with a + // 300 second stabilization window (i.e., the highest recommendation for + // the last 300sec is used). 
+ // +optional + scaleDown?: null | #HPAScalingRules @go(ScaleDown,*HPAScalingRules) @protobuf(2,bytes,opt) +} + +// ScalingPolicySelect is used to specify which policy should be used while scaling in a certain direction +#ScalingPolicySelect: string // #enumScalingPolicySelect + +#enumScalingPolicySelect: + #MaxChangePolicySelect | + #MinChangePolicySelect | + #DisabledPolicySelect + +// MaxChangePolicySelect selects the policy with the highest possible change. +#MaxChangePolicySelect: #ScalingPolicySelect & "Max" + +// MinChangePolicySelect selects the policy with the lowest possible change. +#MinChangePolicySelect: #ScalingPolicySelect & "Min" + +// DisabledPolicySelect disables the scaling in this direction. +#DisabledPolicySelect: #ScalingPolicySelect & "Disabled" + +// HPAScalingRules configures the scaling behavior for one direction. +// These Rules are applied after calculating DesiredReplicas from metrics for the HPA. +// They can limit the scaling velocity by specifying scaling policies. +// They can prevent flapping by specifying the stabilization window, so that the +// number of replicas is not set instantly, instead, the safest value from the stabilization +// window is chosen. +#HPAScalingRules: { + // stabilizationWindowSeconds is the number of seconds for which past recommendations should be + // considered while scaling up or scaling down. + // StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour). + // If not set, use the default values: + // - For scale up: 0 (i.e. no stabilization is done). + // - For scale down: 300 (i.e. the stabilization window is 300 seconds long). + // +optional + stabilizationWindowSeconds?: null | int32 @go(StabilizationWindowSeconds,*int32) @protobuf(3,varint,opt) + + // selectPolicy is used to specify which policy should be used. + // If not set, the default value Max is used. 
+ // +optional + selectPolicy?: null | #ScalingPolicySelect @go(SelectPolicy,*ScalingPolicySelect) @protobuf(1,bytes,opt) + + // policies is a list of potential scaling polices which can be used during scaling. + // At least one policy must be specified, otherwise the HPAScalingRules will be discarded as invalid + // +listType=atomic + // +optional + policies?: [...#HPAScalingPolicy] @go(Policies,[]HPAScalingPolicy) @protobuf(2,bytes,rep) +} + +// HPAScalingPolicyType is the type of the policy which could be used while making scaling decisions. +#HPAScalingPolicyType: string // #enumHPAScalingPolicyType + +#enumHPAScalingPolicyType: + #PodsScalingPolicy | + #PercentScalingPolicy + +// PodsScalingPolicy is a policy used to specify a change in absolute number of pods. +#PodsScalingPolicy: #HPAScalingPolicyType & "Pods" + +// PercentScalingPolicy is a policy used to specify a relative amount of change with respect to +// the current number of pods. +#PercentScalingPolicy: #HPAScalingPolicyType & "Percent" + +// HPAScalingPolicy is a single policy which must hold true for a specified past interval. +#HPAScalingPolicy: { + // type is used to specify the scaling policy. + type: #HPAScalingPolicyType @go(Type) @protobuf(1,bytes,opt,casttype=HPAScalingPolicyType) + + // value contains the amount of change which is permitted by the policy. + // It must be greater than zero + value: int32 @go(Value) @protobuf(2,varint,opt) + + // periodSeconds specifies the window of time for which the policy should hold true. + // PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). + periodSeconds: int32 @go(PeriodSeconds) @protobuf(3,varint,opt) +} + +// MetricSourceType indicates the type of metric. 
+#MetricSourceType: string // #enumMetricSourceType + +#enumMetricSourceType: + #ObjectMetricSourceType | + #PodsMetricSourceType | + #ResourceMetricSourceType | + #ContainerResourceMetricSourceType | + #ExternalMetricSourceType + +// ObjectMetricSourceType is a metric describing a kubernetes object +// (for example, hits-per-second on an Ingress object). +#ObjectMetricSourceType: #MetricSourceType & "Object" + +// PodsMetricSourceType is a metric describing each pod in the current scale +// target (for example, transactions-processed-per-second). The values +// will be averaged together before being compared to the target value. +#PodsMetricSourceType: #MetricSourceType & "Pods" + +// ResourceMetricSourceType is a resource metric known to Kubernetes, as +// specified in requests and limits, describing each pod in the current +// scale target (e.g. CPU or memory). Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available +// to normal per-pod metrics (the "pods" source). +#ResourceMetricSourceType: #MetricSourceType & "Resource" + +// ContainerResourceMetricSourceType is a resource metric known to Kubernetes, as +// specified in requests and limits, describing a single container in each pod in the current +// scale target (e.g. CPU or memory). Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available +// to normal per-pod metrics (the "pods" source). +#ContainerResourceMetricSourceType: #MetricSourceType & "ContainerResource" + +// ExternalMetricSourceType is a global metric that is not associated +// with any Kubernetes object. It allows autoscaling based on information +// coming from components running outside of cluster +// (for example length of queue in cloud messaging service, or +// QPS from loadbalancer running outside of cluster). 
+#ExternalMetricSourceType: #MetricSourceType & "External" + +// ObjectMetricSource indicates how to scale on a metric describing a +// kubernetes object (for example, hits-per-second on an Ingress object). +#ObjectMetricSource: { + // describedObject specifies the descriptions of a object,such as kind,name apiVersion + describedObject: #CrossVersionObjectReference @go(DescribedObject) @protobuf(1,bytes) + + // target specifies the target value for the given metric + target: #MetricTarget @go(Target) @protobuf(2,bytes) + + // metric identifies the target metric by name and selector + metric: #MetricIdentifier @go(Metric) @protobuf(3,bytes) +} + +// PodsMetricSource indicates how to scale on a metric describing each pod in +// the current scale target (for example, transactions-processed-per-second). +// The values will be averaged together before being compared to the target +// value. +#PodsMetricSource: { + // metric identifies the target metric by name and selector + metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes) + + // target specifies the target value for the given metric + target: #MetricTarget @go(Target) @protobuf(2,bytes) +} + +// ResourceMetricSource indicates how to scale on a resource metric known to +// Kubernetes, as specified in requests and limits, describing each pod in the +// current scale target (e.g. CPU or memory). The values will be averaged +// together before being compared to the target. Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available to +// normal per-pod metrics using the "pods" source. Only one "target" type +// should be set. +#ResourceMetricSource: { + // name is the name of the resource in question. 
+ name: v1.#ResourceName @go(Name) @protobuf(1,bytes) + + // target specifies the target value for the given metric + target: #MetricTarget @go(Target) @protobuf(2,bytes) +} + +// ContainerResourceMetricSource indicates how to scale on a resource metric known to +// Kubernetes, as specified in requests and limits, describing each pod in the +// current scale target (e.g. CPU or memory). The values will be averaged +// together before being compared to the target. Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available to +// normal per-pod metrics using the "pods" source. Only one "target" type +// should be set. +#ContainerResourceMetricSource: { + // name is the name of the resource in question. + name: v1.#ResourceName @go(Name) @protobuf(1,bytes) + + // target specifies the target value for the given metric + target: #MetricTarget @go(Target) @protobuf(2,bytes) + + // container is the name of the container in the pods of the scaling target + container: string @go(Container) @protobuf(3,bytes,opt) +} + +// ExternalMetricSource indicates how to scale on a metric not associated with +// any Kubernetes object (for example length of queue in cloud +// messaging service, or QPS from loadbalancer running outside of cluster). +#ExternalMetricSource: { + // metric identifies the target metric by name and selector + metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes) + + // target specifies the target value for the given metric + target: #MetricTarget @go(Target) @protobuf(2,bytes) +} + +// MetricIdentifier defines the name and optionally selector for a metric +#MetricIdentifier: { + // name is the name of the given metric + name: string @go(Name) @protobuf(1,bytes) + + // selector is the string-encoded form of a standard kubernetes label selector for the given metric + // When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping. 
+ // When unset, just the metricName will be used to gather metrics. + // +optional + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes) +} + +// MetricTarget defines the target value, average value, or average utilization of a specific metric +#MetricTarget: { + // type represents whether the metric type is Utilization, Value, or AverageValue + type: #MetricTargetType @go(Type) @protobuf(1,bytes) + + // value is the target value of the metric (as a quantity). + // +optional + value?: null | resource.#Quantity @go(Value,*resource.Quantity) @protobuf(2,bytes,opt) + + // averageValue is the target value of the average of the + // metric across all relevant pods (as a quantity) + // +optional + averageValue?: null | resource.#Quantity @go(AverageValue,*resource.Quantity) @protobuf(3,bytes,opt) + + // averageUtilization is the target value of the average of the + // resource metric across all relevant pods, represented as a percentage of + // the requested value of the resource for the pods. + // Currently only valid for Resource metric source type + // +optional + averageUtilization?: null | int32 @go(AverageUtilization,*int32) @protobuf(4,bytes,opt) +} + +// MetricTargetType specifies the type of metric being targeted, and should be either +// "Value", "AverageValue", or "Utilization" +#MetricTargetType: string // #enumMetricTargetType + +#enumMetricTargetType: + #UtilizationMetricType | + #ValueMetricType | + #AverageValueMetricType + +// UtilizationMetricType declares a MetricTarget is an AverageUtilization value +#UtilizationMetricType: #MetricTargetType & "Utilization" + +// ValueMetricType declares a MetricTarget is a raw value +#ValueMetricType: #MetricTargetType & "Value" + +// AverageValueMetricType declares a MetricTarget is an +#AverageValueMetricType: #MetricTargetType & "AverageValue" + +// HorizontalPodAutoscalerStatus describes the current status of a horizontal pod autoscaler. 
+#HorizontalPodAutoscalerStatus: { + // observedGeneration is the most recent generation observed by this autoscaler. + // +optional + observedGeneration?: null | int64 @go(ObservedGeneration,*int64) @protobuf(1,varint,opt) + + // lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods, + // used by the autoscaler to control how often the number of pods is changed. + // +optional + lastScaleTime?: null | metav1.#Time @go(LastScaleTime,*metav1.Time) @protobuf(2,bytes,opt) + + // currentReplicas is current number of replicas of pods managed by this autoscaler, + // as last seen by the autoscaler. + // +optional + currentReplicas?: int32 @go(CurrentReplicas) @protobuf(3,varint,opt) + + // desiredReplicas is the desired number of replicas of pods managed by this autoscaler, + // as last calculated by the autoscaler. + desiredReplicas: int32 @go(DesiredReplicas) @protobuf(4,varint,opt) + + // currentMetrics is the last read state of the metrics used by this autoscaler. + // +listType=atomic + // +optional + currentMetrics: [...#MetricStatus] @go(CurrentMetrics,[]MetricStatus) @protobuf(5,bytes,rep) + + // conditions is the set of conditions required for this autoscaler to scale its target, + // and indicates whether or not those conditions are met. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + // +optional + conditions?: [...#HorizontalPodAutoscalerCondition] @go(Conditions,[]HorizontalPodAutoscalerCondition) @protobuf(6,bytes,rep) +} + +// HorizontalPodAutoscalerConditionType are the valid conditions of +// a HorizontalPodAutoscaler. +#HorizontalPodAutoscalerConditionType: string // #enumHorizontalPodAutoscalerConditionType + +#enumHorizontalPodAutoscalerConditionType: + #ScalingActive | + #AbleToScale | + #ScalingLimited + +// ScalingActive indicates that the HPA controller is able to scale if necessary: +// it's correctly configured, can fetch the desired metrics, and isn't disabled. 
+#ScalingActive: #HorizontalPodAutoscalerConditionType & "ScalingActive" + +// AbleToScale indicates a lack of transient issues which prevent scaling from occurring, +// such as being in a backoff window, or being unable to access/update the target scale. +#AbleToScale: #HorizontalPodAutoscalerConditionType & "AbleToScale" + +// ScalingLimited indicates that the calculated scale based on metrics would be above or +// below the range for the HPA, and has thus been capped. +#ScalingLimited: #HorizontalPodAutoscalerConditionType & "ScalingLimited" + +// HorizontalPodAutoscalerCondition describes the state of +// a HorizontalPodAutoscaler at a certain point. +#HorizontalPodAutoscalerCondition: { + // type describes the current condition + type: #HorizontalPodAutoscalerConditionType @go(Type) @protobuf(1,bytes) + + // status is the status of the condition (True, False, Unknown) + status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes) + + // lastTransitionTime is the last time the condition transitioned from + // one status to another + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt) + + // reason is the reason for the condition's last transition. + // +optional + reason?: string @go(Reason) @protobuf(4,bytes,opt) + + // message is a human-readable explanation containing details about + // the transition + // +optional + message?: string @go(Message) @protobuf(5,bytes,opt) +} + +// MetricStatus describes the last-read state of a single metric. +#MetricStatus: { + // type is the type of metric source. It will be one of "ContainerResource", "External", + // "Object", "Pods" or "Resource", each corresponds to a matching field in the object. 
+ // Note: "ContainerResource" type is available on when the feature-gate + // HPAContainerMetrics is enabled + type: #MetricSourceType @go(Type) @protobuf(1,bytes) + + // object refers to a metric describing a single kubernetes object + // (for example, hits-per-second on an Ingress object). + // +optional + object?: null | #ObjectMetricStatus @go(Object,*ObjectMetricStatus) @protobuf(2,bytes,opt) + + // pods refers to a metric describing each pod in the current scale target + // (for example, transactions-processed-per-second). The values will be + // averaged together before being compared to the target value. + // +optional + pods?: null | #PodsMetricStatus @go(Pods,*PodsMetricStatus) @protobuf(3,bytes,opt) + + // resource refers to a resource metric (such as those specified in + // requests and limits) known to Kubernetes describing each pod in the + // current scale target (e.g. CPU or memory). Such metrics are built in to + // Kubernetes, and have special scaling options on top of those available + // to normal per-pod metrics using the "pods" source. + // +optional + resource?: null | #ResourceMetricStatus @go(Resource,*ResourceMetricStatus) @protobuf(4,bytes,opt) + + // container resource refers to a resource metric (such as those specified in + // requests and limits) known to Kubernetes describing a single container in each pod in the + // current scale target (e.g. CPU or memory). Such metrics are built in to + // Kubernetes, and have special scaling options on top of those available + // to normal per-pod metrics using the "pods" source. + // +optional + containerResource?: null | #ContainerResourceMetricStatus @go(ContainerResource,*ContainerResourceMetricStatus) @protobuf(7,bytes,opt) + + // external refers to a global metric that is not associated + // with any Kubernetes object. 
It allows autoscaling based on information + // coming from components running outside of cluster + // (for example length of queue in cloud messaging service, or + // QPS from loadbalancer running outside of cluster). + // +optional + external?: null | #ExternalMetricStatus @go(External,*ExternalMetricStatus) @protobuf(5,bytes,opt) +} + +// ObjectMetricStatus indicates the current value of a metric describing a +// kubernetes object (for example, hits-per-second on an Ingress object). +#ObjectMetricStatus: { + // metric identifies the target metric by name and selector + metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes) + + // current contains the current value for the given metric + current: #MetricValueStatus @go(Current) @protobuf(2,bytes) + + // DescribedObject specifies the descriptions of a object,such as kind,name apiVersion + describedObject: #CrossVersionObjectReference @go(DescribedObject) @protobuf(3,bytes) +} + +// PodsMetricStatus indicates the current value of a metric describing each pod in +// the current scale target (for example, transactions-processed-per-second). +#PodsMetricStatus: { + // metric identifies the target metric by name and selector + metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes) + + // current contains the current value for the given metric + current: #MetricValueStatus @go(Current) @protobuf(2,bytes) +} + +// ResourceMetricStatus indicates the current value of a resource metric known to +// Kubernetes, as specified in requests and limits, describing each pod in the +// current scale target (e.g. CPU or memory). Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available to +// normal per-pod metrics using the "pods" source. +#ResourceMetricStatus: { + // name is the name of the resource in question. 
+ name: v1.#ResourceName @go(Name) @protobuf(1,bytes) + + // current contains the current value for the given metric + current: #MetricValueStatus @go(Current) @protobuf(2,bytes) +} + +// ContainerResourceMetricStatus indicates the current value of a resource metric known to +// Kubernetes, as specified in requests and limits, describing a single container in each pod in the +// current scale target (e.g. CPU or memory). Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available to +// normal per-pod metrics using the "pods" source. +#ContainerResourceMetricStatus: { + // name is the name of the resource in question. + name: v1.#ResourceName @go(Name) @protobuf(1,bytes) + + // current contains the current value for the given metric + current: #MetricValueStatus @go(Current) @protobuf(2,bytes) + + // container is the name of the container in the pods of the scaling target + container: string @go(Container) @protobuf(3,bytes,opt) +} + +// ExternalMetricStatus indicates the current value of a global metric +// not associated with any Kubernetes object. +#ExternalMetricStatus: { + // metric identifies the target metric by name and selector + metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes) + + // current contains the current value for the given metric + current: #MetricValueStatus @go(Current) @protobuf(2,bytes) +} + +// MetricValueStatus holds the current value for a metric +#MetricValueStatus: { + // value is the current value of the metric (as a quantity). 
+ // +optional + value?: null | resource.#Quantity @go(Value,*resource.Quantity) @protobuf(1,bytes,opt) + + // averageValue is the current value of the average of the + // metric across all relevant pods (as a quantity) + // +optional + averageValue?: null | resource.#Quantity @go(AverageValue,*resource.Quantity) @protobuf(2,bytes,opt) + + // currentAverageUtilization is the current value of the average of the + // resource metric across all relevant pods, represented as a percentage of + // the requested value of the resource for the pods. + // +optional + averageUtilization?: null | int32 @go(AverageUtilization,*int32) @protobuf(3,bytes,opt) +} + +// HorizontalPodAutoscalerList is a list of horizontal pod autoscaler objects. +#HorizontalPodAutoscalerList: { + metav1.#TypeMeta + + // metadata is the standard list metadata. + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of horizontal pod autoscaler objects. + items: [...#HorizontalPodAutoscaler] @go(Items,[]HorizontalPodAutoscaler) @protobuf(2,bytes,rep) +} diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/batch/v1/register_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/batch/v1/register_go_gen.cue new file mode 100644 index 000000000..5c4890873 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/batch/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/batch/v1 + +package v1 + +#GroupName: "batch" diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/batch/v1/types_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/batch/v1/types_go_gen.cue new file mode 100644 index 000000000..3cbdc66ff --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/batch/v1/types_go_gen.cue 
@@ -0,0 +1,693 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/batch/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/types" +) + +// All Kubernetes labels need to be prefixed with Kubernetes to distinguish them from end-user labels +// More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#label-selector-and-annotation-conventions +_#labelPrefix: "batch.kubernetes.io/" + +// CronJobScheduledTimestampAnnotation is the scheduled timestamp annotation for the Job. +// It records the original/expected scheduled timestamp for the running job, represented in RFC3339. +// The CronJob controller adds this annotation if the CronJobsScheduledAnnotation feature gate (beta in 1.28) is enabled. +#CronJobScheduledTimestampAnnotation: "batch.kubernetes.io/cronjob-scheduled-timestamp" +#JobCompletionIndexAnnotation: "batch.kubernetes.io/job-completion-index" + +// JobTrackingFinalizer is a finalizer for Job's pods. It prevents them from +// being deleted before being accounted in the Job status. +// +// Additionally, the apiserver and job controller use this string as a Job +// annotation, to mark Jobs that are being tracked using pod finalizers. +// However, this behavior is deprecated in kubernetes 1.26. This means that, in +// 1.27+, one release after JobTrackingWithFinalizers graduates to GA, the +// apiserver and job controller will ignore this annotation and they will +// always track jobs using finalizers. +#JobTrackingFinalizer: "batch.kubernetes.io/job-tracking" + +// The Job labels will use batch.kubernetes.io as a prefix for all labels +// Historically the job controller uses unprefixed labels for job-name and controller-uid and +// Kubernetes continutes to recognize those unprefixed labels for consistency. 
+#JobNameLabel: "batch.kubernetes.io/job-name" + +// ControllerUid is used to programatically get pods corresponding to a Job. +// There is a corresponding label without the batch.kubernetes.io that we support for legacy reasons. +#ControllerUidLabel: "batch.kubernetes.io/controller-uid" + +// Annotation indicating the number of failures for the index corresponding +// to the pod, which are counted towards the backoff limit. +#JobIndexFailureCountAnnotation: "batch.kubernetes.io/job-index-failure-count" + +// Annotation indicating the number of failures for the index corresponding +// to the pod, which don't count towards the backoff limit, according to the +// pod failure policy. When the annotation is absent zero is implied. +#JobIndexIgnoredFailureCountAnnotation: "batch.kubernetes.io/job-index-ignored-failure-count" + +// Job represents the configuration of a single job. +#Job: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Specification of the desired behavior of a job. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #JobSpec @go(Spec) @protobuf(2,bytes,opt) + + // Current status of a job. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #JobStatus @go(Status) @protobuf(3,bytes,opt) +} + +// JobList is a collection of jobs. +#JobList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of Jobs. 
+ items: [...#Job] @go(Items,[]Job) @protobuf(2,bytes,rep) +} + +// CompletionMode specifies how Pod completions of a Job are tracked. +// +enum +#CompletionMode: string // #enumCompletionMode + +#enumCompletionMode: + #NonIndexedCompletion | + #IndexedCompletion + +// NonIndexedCompletion is a Job completion mode. In this mode, the Job is +// considered complete when there have been .spec.completions +// successfully completed Pods. Pod completions are homologous to each other. +#NonIndexedCompletion: #CompletionMode & "NonIndexed" + +// IndexedCompletion is a Job completion mode. In this mode, the Pods of a +// Job get an associated completion index from 0 to (.spec.completions - 1). +// The Job is considered complete when a Pod completes for each completion +// index. +#IndexedCompletion: #CompletionMode & "Indexed" + +// PodFailurePolicyAction specifies how a Pod failure is handled. +// +enum +#PodFailurePolicyAction: string // #enumPodFailurePolicyAction + +#enumPodFailurePolicyAction: + #PodFailurePolicyActionFailJob | + #PodFailurePolicyActionFailIndex | + #PodFailurePolicyActionIgnore | + #PodFailurePolicyActionCount + +// This is an action which might be taken on a pod failure - mark the +// pod's job as Failed and terminate all running pods. +#PodFailurePolicyActionFailJob: #PodFailurePolicyAction & "FailJob" + +// This is an action which might be taken on a pod failure - mark the +// Job's index as failed to avoid restarts within this index. This action +// can only be used when backoffLimitPerIndex is set. +#PodFailurePolicyActionFailIndex: #PodFailurePolicyAction & "FailIndex" + +// This is an action which might be taken on a pod failure - the counter towards +// .backoffLimit, represented by the job's .status.failed field, is not +// incremented and a replacement pod is created. 
+#PodFailurePolicyActionIgnore: #PodFailurePolicyAction & "Ignore" + +// This is an action which might be taken on a pod failure - the pod failure +// is handled in the default way - the counter towards .backoffLimit, +// represented by the job's .status.failed field, is incremented. +#PodFailurePolicyActionCount: #PodFailurePolicyAction & "Count" + +// +enum +#PodFailurePolicyOnExitCodesOperator: string // #enumPodFailurePolicyOnExitCodesOperator + +#enumPodFailurePolicyOnExitCodesOperator: + #PodFailurePolicyOnExitCodesOpIn | + #PodFailurePolicyOnExitCodesOpNotIn + +#PodFailurePolicyOnExitCodesOpIn: #PodFailurePolicyOnExitCodesOperator & "In" +#PodFailurePolicyOnExitCodesOpNotIn: #PodFailurePolicyOnExitCodesOperator & "NotIn" + +// PodReplacementPolicy specifies the policy for creating pod replacements. +// +enum +#PodReplacementPolicy: string // #enumPodReplacementPolicy + +#enumPodReplacementPolicy: + #TerminatingOrFailed | + #Failed + +// TerminatingOrFailed means that we recreate pods +// when they are terminating (has a metadata.deletionTimestamp) or failed. +#TerminatingOrFailed: #PodReplacementPolicy & "TerminatingOrFailed" + +// Failed means to wait until a previously created Pod is fully terminated (has phase +// Failed or Succeeded) before creating a replacement Pod. +#Failed: #PodReplacementPolicy & "Failed" + +// PodFailurePolicyOnExitCodesRequirement describes the requirement for handling +// a failed pod based on its container exit codes. In particular, it lookups the +// .state.terminated.exitCode for each app container and init container status, +// represented by the .status.containerStatuses and .status.initContainerStatuses +// fields in the Pod status, respectively. Containers completed with success +// (exit code 0) are excluded from the requirement check. +#PodFailurePolicyOnExitCodesRequirement: { + // Restricts the check for exit codes to the container with the + // specified name. When null, the rule applies to all containers. 
+ // When specified, it should match one the container or initContainer + // names in the pod template. + // +optional + containerName?: null | string @go(ContainerName,*string) @protobuf(1,bytes,opt) + + // Represents the relationship between the container exit code(s) and the + // specified values. Containers completed with success (exit code 0) are + // excluded from the requirement check. Possible values are: + // + // - In: the requirement is satisfied if at least one container exit code + // (might be multiple if there are multiple containers not restricted + // by the 'containerName' field) is in the set of specified values. + // - NotIn: the requirement is satisfied if at least one container exit code + // (might be multiple if there are multiple containers not restricted + // by the 'containerName' field) is not in the set of specified values. + // Additional values are considered to be added in the future. Clients should + // react to an unknown operator by assuming the requirement is not satisfied. + operator: #PodFailurePolicyOnExitCodesOperator @go(Operator) @protobuf(2,bytes,req) + + // Specifies the set of values. Each returned container exit code (might be + // multiple in case of multiple containers) is checked against this set of + // values with respect to the operator. The list of values must be ordered + // and must not contain duplicates. Value '0' cannot be used for the In operator. + // At least one element is required. At most 255 elements are allowed. + // +listType=set + values: [...int32] @go(Values,[]int32) @protobuf(3,varint,rep) +} + +// PodFailurePolicyOnPodConditionsPattern describes a pattern for matching +// an actual pod condition type. +#PodFailurePolicyOnPodConditionsPattern: { + // Specifies the required Pod condition type. To match a pod condition + // it is required that specified type equals the pod condition type. 
+ type: corev1.#PodConditionType @go(Type) @protobuf(1,bytes,req) + + // Specifies the required Pod condition status. To match a pod condition + // it is required that the specified status equals the pod condition status. + // Defaults to True. + status: corev1.#ConditionStatus @go(Status) @protobuf(2,bytes,req) +} + +// PodFailurePolicyRule describes how a pod failure is handled when the requirements are met. +// One of onExitCodes and onPodConditions, but not both, can be used in each rule. +#PodFailurePolicyRule: { + // Specifies the action taken on a pod failure when the requirements are satisfied. + // Possible values are: + // + // - FailJob: indicates that the pod's job is marked as Failed and all + // running pods are terminated. + // - FailIndex: indicates that the pod's index is marked as Failed and will + // not be restarted. + // This value is alpha-level. It can be used when the + // `JobBackoffLimitPerIndex` feature gate is enabled (disabled by default). + // - Ignore: indicates that the counter towards the .backoffLimit is not + // incremented and a replacement pod is created. + // - Count: indicates that the pod is handled in the default way - the + // counter towards the .backoffLimit is incremented. + // Additional values are considered to be added in the future. Clients should + // react to an unknown action by skipping the rule. + action: #PodFailurePolicyAction @go(Action) @protobuf(1,bytes,req) + + // Represents the requirement on the container exit codes. + // +optional + onExitCodes?: null | #PodFailurePolicyOnExitCodesRequirement @go(OnExitCodes,*PodFailurePolicyOnExitCodesRequirement) @protobuf(2,bytes,opt) + + // Represents the requirement on the pod conditions. The requirement is represented + // as a list of pod condition patterns. The requirement is satisfied if at + // least one pattern matches an actual pod condition. At most 20 elements are allowed. 
+ // +listType=atomic + // +optional + onPodConditions: [...#PodFailurePolicyOnPodConditionsPattern] @go(OnPodConditions,[]PodFailurePolicyOnPodConditionsPattern) @protobuf(3,bytes,opt) +} + +// PodFailurePolicy describes how failed pods influence the backoffLimit. +#PodFailurePolicy: { + // A list of pod failure policy rules. The rules are evaluated in order. + // Once a rule matches a Pod failure, the remaining of the rules are ignored. + // When no rule matches the Pod failure, the default handling applies - the + // counter of pod failures is incremented and it is checked against + // the backoffLimit. At most 20 elements are allowed. + // +listType=atomic + rules: [...#PodFailurePolicyRule] @go(Rules,[]PodFailurePolicyRule) @protobuf(1,bytes,opt) +} + +// JobSpec describes how the job execution will look like. +#JobSpec: { + // Specifies the maximum desired number of pods the job should + // run at any given time. The actual number of pods running in steady state will + // be less than this number when ((.spec.completions - .status.successful) < .spec.parallelism), + // i.e. when the work left to do is less than max parallelism. + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/ + // +optional + parallelism?: null | int32 @go(Parallelism,*int32) @protobuf(1,varint,opt) + + // Specifies the desired number of successfully finished pods the + // job should be run with. Setting to null means that the success of any + // pod signals the success of all pods, and allows parallelism to have any positive + // value. Setting to 1 means that parallelism is limited to 1 and the success of that + // pod signals the success of the job. 
+ // More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/ + // +optional + completions?: null | int32 @go(Completions,*int32) @protobuf(2,varint,opt) + + // Specifies the duration in seconds relative to the startTime that the job + // may be continuously active before the system tries to terminate it; value + // must be positive integer. If a Job is suspended (at creation or through an + // update), this timer will effectively be stopped and reset when the Job is + // resumed again. + // +optional + activeDeadlineSeconds?: null | int64 @go(ActiveDeadlineSeconds,*int64) @protobuf(3,varint,opt) + + // Specifies the policy of handling failed pods. In particular, it allows to + // specify the set of actions and conditions which need to be + // satisfied to take the associated action. + // If empty, the default behaviour applies - the counter of failed pods, + // represented by the jobs's .status.failed field, is incremented and it is + // checked against the backoffLimit. This field cannot be used in combination + // with restartPolicy=OnFailure. + // + // This field is beta-level. It can be used when the `JobPodFailurePolicy` + // feature gate is enabled (enabled by default). + // +optional + podFailurePolicy?: null | #PodFailurePolicy @go(PodFailurePolicy,*PodFailurePolicy) @protobuf(11,bytes,opt) + + // Specifies the number of retries before marking this job failed. + // Defaults to 6 + // +optional + backoffLimit?: null | int32 @go(BackoffLimit,*int32) @protobuf(7,varint,opt) + + // Specifies the limit for the number of retries within an + // index before marking this index as failed. When enabled the number of + // failures per index is kept in the pod's + // batch.kubernetes.io/job-index-failure-count annotation. It can only + // be set when Job's completionMode=Indexed, and the Pod's restart + // policy is Never. The field is immutable. + // This field is alpha-level. 
It can be used when the `JobBackoffLimitPerIndex` + // feature gate is enabled (disabled by default). + // +optional + backoffLimitPerIndex?: null | int32 @go(BackoffLimitPerIndex,*int32) @protobuf(12,varint,opt) + + // Specifies the maximal number of failed indexes before marking the Job as + // failed, when backoffLimitPerIndex is set. Once the number of failed + // indexes exceeds this number the entire Job is marked as Failed and its + // execution is terminated. When left as null the job continues execution of + // all of its indexes and is marked with the `Complete` Job condition. + // It can only be specified when backoffLimitPerIndex is set. + // It can be null or up to completions. It is required and must be + // less than or equal to 10^4 when is completions greater than 10^5. + // This field is alpha-level. It can be used when the `JobBackoffLimitPerIndex` + // feature gate is enabled (disabled by default). + // +optional + maxFailedIndexes?: null | int32 @go(MaxFailedIndexes,*int32) @protobuf(13,varint,opt) + + // A label query over pods that should match the pod count. + // Normally, the system sets this field for you. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors + // +optional + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(4,bytes,opt) + + // manualSelector controls generation of pod labels and pod selectors. + // Leave `manualSelector` unset unless you are certain what you are doing. + // When false or unset, the system pick labels unique to this job + // and appends those labels to the pod template. When true, + // the user is responsible for picking unique labels and specifying + // the selector. Failure to pick a unique label may cause this + // and other jobs to not function correctly. However, You may see + // `manualSelector=true` in jobs that were created with the old `extensions/v1beta1` + // API. 
+ // More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/#specifying-your-own-pod-selector + // +optional + manualSelector?: null | bool @go(ManualSelector,*bool) @protobuf(5,varint,opt) + + // Describes the pod that will be created when executing a job. + // The only allowed template.spec.restartPolicy values are "Never" or "OnFailure". + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/ + template: corev1.#PodTemplateSpec @go(Template) @protobuf(6,bytes,opt) + + // ttlSecondsAfterFinished limits the lifetime of a Job that has finished + // execution (either Complete or Failed). If this field is set, + // ttlSecondsAfterFinished after the Job finishes, it is eligible to be + // automatically deleted. When the Job is being deleted, its lifecycle + // guarantees (e.g. finalizers) will be honored. If this field is unset, + // the Job won't be automatically deleted. If this field is set to zero, + // the Job becomes eligible to be deleted immediately after it finishes. + // +optional + ttlSecondsAfterFinished?: null | int32 @go(TTLSecondsAfterFinished,*int32) @protobuf(8,varint,opt) + + // completionMode specifies how Pod completions are tracked. It can be + // `NonIndexed` (default) or `Indexed`. + // + // `NonIndexed` means that the Job is considered complete when there have + // been .spec.completions successfully completed Pods. Each Pod completion is + // homologous to each other. + // + // `Indexed` means that the Pods of a + // Job get an associated completion index from 0 to (.spec.completions - 1), + // available in the annotation batch.kubernetes.io/job-completion-index. + // The Job is considered complete when there is one successfully completed Pod + // for each index. + // When value is `Indexed`, .spec.completions must be specified and + // `.spec.parallelism` must be less than or equal to 10^5. 
+ // In addition, The Pod name takes the form + // `$(job-name)-$(index)-$(random-string)`, + // the Pod hostname takes the form `$(job-name)-$(index)`. + // + // More completion modes can be added in the future. + // If the Job controller observes a mode that it doesn't recognize, which + // is possible during upgrades due to version skew, the controller + // skips updates for the Job. + // +optional + completionMode?: null | #CompletionMode @go(CompletionMode,*CompletionMode) @protobuf(9,bytes,opt,casttype=CompletionMode) + + // suspend specifies whether the Job controller should create Pods or not. If + // a Job is created with suspend set to true, no Pods are created by the Job + // controller. If a Job is suspended after creation (i.e. the flag goes from + // false to true), the Job controller will delete all active Pods associated + // with this Job. Users must design their workload to gracefully handle this. + // Suspending a Job will reset the StartTime field of the Job, effectively + // resetting the ActiveDeadlineSeconds timer too. Defaults to false. + // + // +optional + suspend?: null | bool @go(Suspend,*bool) @protobuf(10,varint,opt) + + // podReplacementPolicy specifies when to create replacement Pods. + // Possible values are: + // - TerminatingOrFailed means that we recreate pods + // when they are terminating (has a metadata.deletionTimestamp) or failed. + // - Failed means to wait until a previously created Pod is fully terminated (has phase + // Failed or Succeeded) before creating a replacement Pod. + // + // When using podFailurePolicy, Failed is the the only allowed value. + // TerminatingOrFailed and Failed are allowed values when podFailurePolicy is not in use. + // This is an alpha field. Enable JobPodReplacementPolicy to be able to use this field. 
+ // +optional + podReplacementPolicy?: null | #PodReplacementPolicy @go(PodReplacementPolicy,*PodReplacementPolicy) @protobuf(14,bytes,opt,casttype=podReplacementPolicy) +} + +// JobStatus represents the current state of a Job. +#JobStatus: { + // The latest available observations of an object's current state. When a Job + // fails, one of the conditions will have type "Failed" and status true. When + // a Job is suspended, one of the conditions will have type "Suspended" and + // status true; when the Job is resumed, the status of this condition will + // become false. When a Job is completed, one of the conditions will have + // type "Complete" and status true. + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/ + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=atomic + conditions?: [...#JobCondition] @go(Conditions,[]JobCondition) @protobuf(1,bytes,rep) + + // Represents time when the job controller started processing a job. When a + // Job is created in the suspended state, this field is not set until the + // first time it is resumed. This field is reset every time a Job is resumed + // from suspension. It is represented in RFC3339 form and is in UTC. + // +optional + startTime?: null | metav1.#Time @go(StartTime,*metav1.Time) @protobuf(2,bytes,opt) + + // Represents time when the job was completed. It is not guaranteed to + // be set in happens-before order across separate operations. + // It is represented in RFC3339 form and is in UTC. + // The completion time is only set when the job finishes successfully. + // +optional + completionTime?: null | metav1.#Time @go(CompletionTime,*metav1.Time) @protobuf(3,bytes,opt) + + // The number of pending and running pods. + // +optional + active?: int32 @go(Active) @protobuf(4,varint,opt) + + // The number of pods which reached phase Succeeded. 
+ // +optional + succeeded?: int32 @go(Succeeded) @protobuf(5,varint,opt) + + // The number of pods which reached phase Failed. + // +optional + failed?: int32 @go(Failed) @protobuf(6,varint,opt) + + // The number of pods which are terminating (in phase Pending or Running + // and have a deletionTimestamp). + // + // This field is alpha-level. The job controller populates the field when + // the feature gate JobPodReplacementPolicy is enabled (disabled by default). + // +optional + terminating?: null | int32 @go(Terminating,*int32) @protobuf(11,varint,opt) + + // completedIndexes holds the completed indexes when .spec.completionMode = + // "Indexed" in a text format. The indexes are represented as decimal integers + // separated by commas. The numbers are listed in increasing order. Three or + // more consecutive numbers are compressed and represented by the first and + // last element of the series, separated by a hyphen. + // For example, if the completed indexes are 1, 3, 4, 5 and 7, they are + // represented as "1,3-5,7". + // +optional + completedIndexes?: string @go(CompletedIndexes) @protobuf(7,bytes,opt) + + // FailedIndexes holds the failed indexes when backoffLimitPerIndex=true. + // The indexes are represented in the text format analogous as for the + // `completedIndexes` field, ie. they are kept as decimal integers + // separated by commas. The numbers are listed in increasing order. Three or + // more consecutive numbers are compressed and represented by the first and + // last element of the series, separated by a hyphen. + // For example, if the failed indexes are 1, 3, 4, 5 and 7, they are + // represented as "1,3-5,7". + // This field is alpha-level. It can be used when the `JobBackoffLimitPerIndex` + // feature gate is enabled (disabled by default). 
+ // +optional + failedIndexes?: null | string @go(FailedIndexes,*string) @protobuf(10,bytes,opt) + + // uncountedTerminatedPods holds the UIDs of Pods that have terminated but + // the job controller hasn't yet accounted for in the status counters. + // + // The job controller creates pods with a finalizer. When a pod terminates + // (succeeded or failed), the controller does three steps to account for it + // in the job status: + // + // 1. Add the pod UID to the arrays in this field. + // 2. Remove the pod finalizer. + // 3. Remove the pod UID from the arrays while increasing the corresponding + // counter. + // + // Old jobs might not be tracked using this field, in which case the field + // remains null. + // +optional + uncountedTerminatedPods?: null | #UncountedTerminatedPods @go(UncountedTerminatedPods,*UncountedTerminatedPods) @protobuf(8,bytes,opt) + + // The number of pods which have a Ready condition. + // + // This field is beta-level. The job controller populates the field when + // the feature gate JobReadyPods is enabled (enabled by default). + // +optional + ready?: null | int32 @go(Ready,*int32) @protobuf(9,varint,opt) +} + +// UncountedTerminatedPods holds UIDs of Pods that have terminated but haven't +// been accounted in Job status counters. +#UncountedTerminatedPods: { + // succeeded holds UIDs of succeeded Pods. + // +listType=set + // +optional + succeeded?: [...types.#UID] @go(Succeeded,[]types.UID) @protobuf(1,bytes,rep,casttype=k8s.io/apimachinery/pkg/types.UID) + + // failed holds UIDs of failed Pods. + // +listType=set + // +optional + failed?: [...types.#UID] @go(Failed,[]types.UID) @protobuf(2,bytes,rep,casttype=k8s.io/apimachinery/pkg/types.UID) +} + +#JobConditionType: string // #enumJobConditionType + +#enumJobConditionType: + #JobSuspended | + #JobComplete | + #JobFailed | + #JobFailureTarget + +// JobSuspended means the job has been suspended. 
+#JobSuspended: #JobConditionType & "Suspended" + +// JobComplete means the job has completed its execution. +#JobComplete: #JobConditionType & "Complete" + +// JobFailed means the job has failed its execution. +#JobFailed: #JobConditionType & "Failed" + +// FailureTarget means the job is about to fail its execution. +#JobFailureTarget: #JobConditionType & "FailureTarget" + +// JobCondition describes current state of a job. +#JobCondition: { + // Type of job condition, Complete or Failed. + type: #JobConditionType @go(Type) @protobuf(1,bytes,opt,casttype=JobConditionType) + + // Status of the condition, one of True, False, Unknown. + status: corev1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus) + + // Last time the condition was checked. + // +optional + lastProbeTime?: metav1.#Time @go(LastProbeTime) @protobuf(3,bytes,opt) + + // Last time the condition transit from one status to another. + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(4,bytes,opt) + + // (brief) reason for the condition's last transition. + // +optional + reason?: string @go(Reason) @protobuf(5,bytes,opt) + + // Human readable message indicating details about last transition. + // +optional + message?: string @go(Message) @protobuf(6,bytes,opt) +} + +// JobTemplateSpec describes the data a Job should have when created from a template +#JobTemplateSpec: { + // Standard object's metadata of the jobs created from this template. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Specification of the desired behavior of the job. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #JobSpec @go(Spec) @protobuf(2,bytes,opt) +} + +// CronJob represents the configuration of a single cron job. +#CronJob: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Specification of the desired behavior of a cron job, including the schedule. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #CronJobSpec @go(Spec) @protobuf(2,bytes,opt) + + // Current status of a cron job. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #CronJobStatus @go(Status) @protobuf(3,bytes,opt) +} + +// CronJobList is a collection of cron jobs. +#CronJobList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of CronJobs. + items: [...#CronJob] @go(Items,[]CronJob) @protobuf(2,bytes,rep) +} + +// CronJobSpec describes how the job execution will look like and when it will actually run. +#CronJobSpec: { + // The schedule in Cron format, see https://en.wikipedia.org/wiki/Cron. + schedule: string @go(Schedule) @protobuf(1,bytes,opt) + + // The time zone name for the given schedule, see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones. + // If not specified, this will default to the time zone of the kube-controller-manager process. 
+ // The set of valid time zone names and the time zone offset is loaded from the system-wide time zone + // database by the API server during CronJob validation and the controller manager during execution. + // If no system-wide time zone database can be found a bundled version of the database is used instead. + // If the time zone name becomes invalid during the lifetime of a CronJob or due to a change in host + // configuration, the controller will stop creating new new Jobs and will create a system event with the + // reason UnknownTimeZone. + // More information can be found in https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#time-zones + // +optional + timeZone?: null | string @go(TimeZone,*string) @protobuf(8,bytes,opt) + + // Optional deadline in seconds for starting the job if it misses scheduled + // time for any reason. Missed jobs executions will be counted as failed ones. + // +optional + startingDeadlineSeconds?: null | int64 @go(StartingDeadlineSeconds,*int64) @protobuf(2,varint,opt) + + // Specifies how to treat concurrent executions of a Job. + // Valid values are: + // + // - "Allow" (default): allows CronJobs to run concurrently; + // - "Forbid": forbids concurrent runs, skipping next run if previous run hasn't finished yet; + // - "Replace": cancels currently running job and replaces it with a new one + // +optional + concurrencyPolicy?: #ConcurrencyPolicy @go(ConcurrencyPolicy) @protobuf(3,bytes,opt,casttype=ConcurrencyPolicy) + + // This flag tells the controller to suspend subsequent executions, it does + // not apply to already started executions. Defaults to false. + // +optional + suspend?: null | bool @go(Suspend,*bool) @protobuf(4,varint,opt) + + // Specifies the job that will be created when executing a CronJob. + jobTemplate: #JobTemplateSpec @go(JobTemplate) @protobuf(5,bytes,opt) + + // The number of successful finished jobs to retain. Value must be non-negative integer. + // Defaults to 3. 
+ // +optional + successfulJobsHistoryLimit?: null | int32 @go(SuccessfulJobsHistoryLimit,*int32) @protobuf(6,varint,opt) + + // The number of failed finished jobs to retain. Value must be non-negative integer. + // Defaults to 1. + // +optional + failedJobsHistoryLimit?: null | int32 @go(FailedJobsHistoryLimit,*int32) @protobuf(7,varint,opt) +} + +// ConcurrencyPolicy describes how the job will be handled. +// Only one of the following concurrent policies may be specified. +// If none of the following policies is specified, the default one +// is AllowConcurrent. +// +enum +#ConcurrencyPolicy: string // #enumConcurrencyPolicy + +#enumConcurrencyPolicy: + #AllowConcurrent | + #ForbidConcurrent | + #ReplaceConcurrent + +// AllowConcurrent allows CronJobs to run concurrently. +#AllowConcurrent: #ConcurrencyPolicy & "Allow" + +// ForbidConcurrent forbids concurrent runs, skipping next run if previous +// hasn't finished yet. +#ForbidConcurrent: #ConcurrencyPolicy & "Forbid" + +// ReplaceConcurrent cancels currently running job and replaces it with a new one. +#ReplaceConcurrent: #ConcurrencyPolicy & "Replace" + +// CronJobStatus represents the current state of a cron job. +#CronJobStatus: { + // A list of pointers to currently running jobs. + // +optional + // +listType=atomic + active?: [...corev1.#ObjectReference] @go(Active,[]corev1.ObjectReference) @protobuf(1,bytes,rep) + + // Information when was the last time the job was successfully scheduled. + // +optional + lastScheduleTime?: null | metav1.#Time @go(LastScheduleTime,*metav1.Time) @protobuf(4,bytes,opt) + + // Information when was the last time the job successfully completed. + // +optional + lastSuccessfulTime?: null | metav1.#Time @go(LastSuccessfulTime,*metav1.Time) @protobuf(5,bytes,opt) +} 
diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/certificates/v1/register_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/certificates/v1/register_go_gen.cue new file mode 100644 index 000000000..f2ce34369 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/certificates/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/certificates/v1 + +package v1 + +#GroupName: "certificates.k8s.io" diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/certificates/v1/types_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/certificates/v1/types_go_gen.cue new file mode 100644 index 000000000..401ca5c97 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/certificates/v1/types_go_gen.cue 
@@ -0,0 +1,318 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/certificates/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/api/core/v1" +) + +// CertificateSigningRequest objects provide a mechanism to obtain x509 certificates +// by submitting a certificate signing request, and having it asynchronously approved and issued. +// +// Kubelets use this API to obtain: +// 1. client certificates to authenticate to kube-apiserver (with the "kubernetes.io/kube-apiserver-client-kubelet" signerName). +// 2. serving certificates for TLS endpoints kube-apiserver can connect to securely (with the "kubernetes.io/kubelet-serving" signerName). +// +// This API can be used to request client certificates to authenticate to kube-apiserver +// (with the "kubernetes.io/kube-apiserver-client" signerName), +// or to obtain certificates from custom non-Kubernetes signers. +#CertificateSigningRequest: { + metav1.#TypeMeta + + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec contains the certificate request, and is immutable after creation. + // Only the request, signerName, expirationSeconds, and usages fields can be set on creation. + // Other fields are derived by Kubernetes and cannot be modified by users. + spec: #CertificateSigningRequestSpec @go(Spec) @protobuf(2,bytes,opt) + + // status contains information about whether the request is approved or denied, + // and the certificate issued by the signer, or the failure condition indicating signer failure. + // +optional + status?: #CertificateSigningRequestStatus @go(Status) @protobuf(3,bytes,opt) +} + +// CertificateSigningRequestSpec contains the certificate request. +#CertificateSigningRequestSpec: { + // request contains an x509 certificate signing request encoded in a "CERTIFICATE REQUEST" PEM block. + // When serialized as JSON or YAML, the data is additionally base64-encoded. 
+ // +listType=atomic + request: bytes @go(Request,[]byte) @protobuf(1,bytes,opt) + + // signerName indicates the requested signer, and is a qualified name. + // + // List/watch requests for CertificateSigningRequests can filter on this field using a "spec.signerName=NAME" fieldSelector. + // + // Well-known Kubernetes signers are: + // 1. "kubernetes.io/kube-apiserver-client": issues client certificates that can be used to authenticate to kube-apiserver. + // Requests for this signer are never auto-approved by kube-controller-manager, can be issued by the "csrsigning" controller in kube-controller-manager. + // 2. "kubernetes.io/kube-apiserver-client-kubelet": issues client certificates that kubelets use to authenticate to kube-apiserver. + // Requests for this signer can be auto-approved by the "csrapproving" controller in kube-controller-manager, and can be issued by the "csrsigning" controller in kube-controller-manager. + // 3. "kubernetes.io/kubelet-serving" issues serving certificates that kubelets use to serve TLS endpoints, which kube-apiserver can connect to securely. + // Requests for this signer are never auto-approved by kube-controller-manager, and can be issued by the "csrsigning" controller in kube-controller-manager. + // + // More details are available at https://k8s.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers + // + // Custom signerNames can also be specified. The signer defines: + // 1. Trust distribution: how trust (CA bundles) are distributed. + // 2. Permitted subjects: and behavior when a disallowed subject is requested. + // 3. Required, permitted, or forbidden x509 extensions in the request (including whether subjectAltNames are allowed, which types, restrictions on allowed values) and behavior when a disallowed extension is requested. + // 4. Required, permitted, or forbidden key usages / extended key usages. + // 5. 
Expiration/certificate lifetime: whether it is fixed by the signer, configurable by the admin. + // 6. Whether or not requests for CA certificates are allowed. + signerName: string @go(SignerName) @protobuf(7,bytes,opt) + + // expirationSeconds is the requested duration of validity of the issued + // certificate. The certificate signer may issue a certificate with a different + // validity duration so a client must check the delta between the notBefore and + // and notAfter fields in the issued certificate to determine the actual duration. + // + // The v1.22+ in-tree implementations of the well-known Kubernetes signers will + // honor this field as long as the requested duration is not greater than the + // maximum duration they will honor per the --cluster-signing-duration CLI + // flag to the Kubernetes controller manager. + // + // Certificate signers may not honor this field for various reasons: + // + // 1. Old signer that is unaware of the field (such as the in-tree + // implementations prior to v1.22) + // 2. Signer whose configured maximum is shorter than the requested duration + // 3. Signer whose configured minimum is longer than the requested duration + // + // The minimum valid value for expirationSeconds is 600, i.e. 10 minutes. + // + // +optional + expirationSeconds?: null | int32 @go(ExpirationSeconds,*int32) @protobuf(8,varint,opt) + + // usages specifies a set of key usages requested in the issued certificate. + // + // Requests for TLS client certificates typically request: "digital signature", "key encipherment", "client auth". + // + // Requests for TLS serving certificates typically request: "key encipherment", "digital signature", "server auth". 
+ // + // Valid values are: + // "signing", "digital signature", "content commitment", + // "key encipherment", "key agreement", "data encipherment", + // "cert sign", "crl sign", "encipher only", "decipher only", "any", + // "server auth", "client auth", + // "code signing", "email protection", "s/mime", + // "ipsec end system", "ipsec tunnel", "ipsec user", + // "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc" + // +listType=atomic + usages?: [...#KeyUsage] @go(Usages,[]KeyUsage) @protobuf(5,bytes,opt) + + // username contains the name of the user that created the CertificateSigningRequest. + // Populated by the API server on creation and immutable. + // +optional + username?: string @go(Username) @protobuf(2,bytes,opt) + + // uid contains the uid of the user that created the CertificateSigningRequest. + // Populated by the API server on creation and immutable. + // +optional + uid?: string @go(UID) @protobuf(3,bytes,opt) + + // groups contains group membership of the user that created the CertificateSigningRequest. + // Populated by the API server on creation and immutable. + // +listType=atomic + // +optional + groups?: [...string] @go(Groups,[]string) @protobuf(4,bytes,rep) + + // extra contains extra attributes of the user that created the CertificateSigningRequest. + // Populated by the API server on creation and immutable. + // +optional + extra?: {[string]: #ExtraValue} @go(Extra,map[string]ExtraValue) @protobuf(6,bytes,rep) +} + +// "kubernetes.io/kube-apiserver-client" signer issues client certificates that can be used to authenticate to kube-apiserver. +// Never auto-approved by kube-controller-manager. +// Can be issued by the "csrsigning" controller in kube-controller-manager. +#KubeAPIServerClientSignerName: "kubernetes.io/kube-apiserver-client" + +// "kubernetes.io/kube-apiserver-client-kubelet" issues client certificates that kubelets use to authenticate to kube-apiserver. 
+// Can be auto-approved by the "csrapproving" controller in kube-controller-manager. +// Can be issued by the "csrsigning" controller in kube-controller-manager. +#KubeAPIServerClientKubeletSignerName: "kubernetes.io/kube-apiserver-client-kubelet" + +// "kubernetes.io/kubelet-serving" issues serving certificates that kubelets use to serve TLS endpoints, +// which kube-apiserver can connect to securely. +// Never auto-approved by kube-controller-manager. +// Can be issued by the "csrsigning" controller in kube-controller-manager. +#KubeletServingSignerName: "kubernetes.io/kubelet-serving" + +// ExtraValue masks the value so protobuf can generate +// +protobuf.nullable=true +// +protobuf.options.(gogoproto.goproto_stringer)=false +#ExtraValue: [...string] + +// CertificateSigningRequestStatus contains conditions used to indicate +// approved/denied/failed status of the request, and the issued certificate. +#CertificateSigningRequestStatus: { + // conditions applied to the request. Known conditions are "Approved", "Denied", and "Failed". + // +listType=map + // +listMapKey=type + // +optional + conditions?: [...#CertificateSigningRequestCondition] @go(Conditions,[]CertificateSigningRequestCondition) @protobuf(1,bytes,rep) + + // certificate is populated with an issued certificate by the signer after an Approved condition is present. + // This field is set via the /status subresource. Once populated, this field is immutable. + // + // If the certificate signing request is denied, a condition of type "Denied" is added and this field remains empty. + // If the signer cannot issue the certificate, a condition of type "Failed" is added and this field remains empty. + // + // Validation requirements: + // 1. certificate must contain one or more PEM blocks. + // 2. All PEM blocks must have the "CERTIFICATE" label, contain no headers, and the encoded data + // must be a BER-encoded ASN.1 Certificate structure as described in section 4 of RFC5280. + // 3. 
Non-PEM content may appear before or after the "CERTIFICATE" PEM blocks and is unvalidated, + // to allow for explanatory text as described in section 5.2 of RFC7468. + // + // If more than one PEM block is present, and the definition of the requested spec.signerName + // does not indicate otherwise, the first block is the issued certificate, + // and subsequent blocks should be treated as intermediate certificates and presented in TLS handshakes. + // + // The certificate is encoded in PEM format. + // + // When serialized as JSON or YAML, the data is additionally base64-encoded, so it consists of: + // + // base64( + // -----BEGIN CERTIFICATE----- + // ... + // -----END CERTIFICATE----- + // ) + // + // +listType=atomic + // +optional + certificate?: bytes @go(Certificate,[]byte) @protobuf(2,bytes,opt) +} + +// RequestConditionType is the type of a CertificateSigningRequestCondition +#RequestConditionType: string // #enumRequestConditionType + +#enumRequestConditionType: + #CertificateApproved | + #CertificateDenied | + #CertificateFailed + +// Approved indicates the request was approved and should be issued by the signer. +#CertificateApproved: #RequestConditionType & "Approved" + +// Denied indicates the request was denied and should not be issued by the signer. +#CertificateDenied: #RequestConditionType & "Denied" + +// Failed indicates the signer failed to issue the certificate. +#CertificateFailed: #RequestConditionType & "Failed" + +// CertificateSigningRequestCondition describes a condition of a CertificateSigningRequest object +#CertificateSigningRequestCondition: { + // type of the condition. Known conditions are "Approved", "Denied", and "Failed". + // + // An "Approved" condition is added via the /approval subresource, + // indicating the request was approved and should be issued by the signer. + // + // A "Denied" condition is added via the /approval subresource, + // indicating the request was denied and should not be issued by the signer. 
+ // + // A "Failed" condition is added via the /status subresource, + // indicating the signer failed to issue the certificate. + // + // Approved and Denied conditions are mutually exclusive. + // Approved, Denied, and Failed conditions cannot be removed once added. + // + // Only one condition of a given type is allowed. + type: #RequestConditionType @go(Type) @protobuf(1,bytes,opt,casttype=RequestConditionType) + + // status of the condition, one of True, False, Unknown. + // Approved, Denied, and Failed conditions may not be "False" or "Unknown". + status: v1.#ConditionStatus @go(Status) @protobuf(6,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus) + + // reason indicates a brief reason for the request state + // +optional + reason?: string @go(Reason) @protobuf(2,bytes,opt) + + // message contains a human readable message with details about the request state + // +optional + message?: string @go(Message) @protobuf(3,bytes,opt) + + // lastUpdateTime is the time of the last update to this condition + // +optional + lastUpdateTime?: metav1.#Time @go(LastUpdateTime) @protobuf(4,bytes,opt) + + // lastTransitionTime is the time the condition last transitioned from one status to another. + // If unset, when a new condition type is added or an existing condition's status is changed, + // the server defaults this to the current time. + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(5,bytes,opt) +} + +// CertificateSigningRequestList is a collection of CertificateSigningRequest objects +#CertificateSigningRequestList: { + metav1.#TypeMeta + + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is a collection of CertificateSigningRequest objects + items: [...#CertificateSigningRequest] @go(Items,[]CertificateSigningRequest) @protobuf(2,bytes,rep) +} + +// KeyUsage specifies valid usage contexts for keys. 
+// See: +// +// https://tools.ietf.org/html/rfc5280#section-4.2.1.3 +// https://tools.ietf.org/html/rfc5280#section-4.2.1.12 +// +// +enum +#KeyUsage: string // #enumKeyUsage + +#enumKeyUsage: + #UsageSigning | + #UsageDigitalSignature | + #UsageContentCommitment | + #UsageKeyEncipherment | + #UsageKeyAgreement | + #UsageDataEncipherment | + #UsageCertSign | + #UsageCRLSign | + #UsageEncipherOnly | + #UsageDecipherOnly | + #UsageAny | + #UsageServerAuth | + #UsageClientAuth | + #UsageCodeSigning | + #UsageEmailProtection | + #UsageSMIME | + #UsageIPsecEndSystem | + #UsageIPsecTunnel | + #UsageIPsecUser | + #UsageTimestamping | + #UsageOCSPSigning | + #UsageMicrosoftSGC | + #UsageNetscapeSGC + +#UsageSigning: #KeyUsage & "signing" +#UsageDigitalSignature: #KeyUsage & "digital signature" +#UsageContentCommitment: #KeyUsage & "content commitment" +#UsageKeyEncipherment: #KeyUsage & "key encipherment" +#UsageKeyAgreement: #KeyUsage & "key agreement" +#UsageDataEncipherment: #KeyUsage & "data encipherment" +#UsageCertSign: #KeyUsage & "cert sign" +#UsageCRLSign: #KeyUsage & "crl sign" +#UsageEncipherOnly: #KeyUsage & "encipher only" +#UsageDecipherOnly: #KeyUsage & "decipher only" +#UsageAny: #KeyUsage & "any" +#UsageServerAuth: #KeyUsage & "server auth" +#UsageClientAuth: #KeyUsage & "client auth" +#UsageCodeSigning: #KeyUsage & "code signing" +#UsageEmailProtection: #KeyUsage & "email protection" +#UsageSMIME: #KeyUsage & "s/mime" +#UsageIPsecEndSystem: #KeyUsage & "ipsec end system" +#UsageIPsecTunnel: #KeyUsage & "ipsec tunnel" +#UsageIPsecUser: #KeyUsage & "ipsec user" +#UsageTimestamping: #KeyUsage & "timestamping" +#UsageOCSPSigning: #KeyUsage & "ocsp signing" +#UsageMicrosoftSGC: #KeyUsage & "microsoft sgc" +#UsageNetscapeSGC: #KeyUsage & "netscape sgc" 
diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/coordination/v1/register_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/coordination/v1/register_go_gen.cue new file mode 100644 index 000000000..d0a257d5e --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/coordination/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/coordination/v1 + +package v1 + +#GroupName: "coordination.k8s.io" diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/coordination/v1/types_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/coordination/v1/types_go_gen.cue new file mode 100644 index 000000000..de2c74126 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/coordination/v1/types_go_gen.cue 
@@ -0,0 +1,61 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/coordination/v1 + +package v1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// Lease defines a lease concept. +#Lease: { + metav1.#TypeMeta + + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec contains the specification of the Lease. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #LeaseSpec @go(Spec) @protobuf(2,bytes,opt) +} + +// LeaseSpec is a specification of a Lease. +#LeaseSpec: { + // holderIdentity contains the identity of the holder of a current lease. + // +optional + holderIdentity?: null | string @go(HolderIdentity,*string) @protobuf(1,bytes,opt) + + // leaseDurationSeconds is a duration that candidates for a lease need + // to wait to force acquire it. This is measure against time of last + // observed renewTime. + // +optional + leaseDurationSeconds?: null | int32 @go(LeaseDurationSeconds,*int32) @protobuf(2,varint,opt) + + // acquireTime is a time when the current lease was acquired. + // +optional + acquireTime?: null | metav1.#MicroTime @go(AcquireTime,*metav1.MicroTime) @protobuf(3,bytes,opt) + + // renewTime is a time when the current holder of a lease has last + // updated the lease. + // +optional + renewTime?: null | metav1.#MicroTime @go(RenewTime,*metav1.MicroTime) @protobuf(4,bytes,opt) + + // leaseTransitions is the number of transitions of a lease between + // holders. + // +optional + leaseTransitions?: null | int32 @go(LeaseTransitions,*int32) @protobuf(5,varint,opt) +} + +// LeaseList is a list of Lease objects. +#LeaseList: { + metav1.#TypeMeta + + // Standard list metadata. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is a list of schema objects. + items: [...#Lease] @go(Items,[]Lease) @protobuf(2,bytes,rep) +} diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/core/v1/annotation_key_constants_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/core/v1/annotation_key_constants_go_gen.cue new file mode 100644 index 000000000..3a3027906 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/core/v1/annotation_key_constants_go_gen.cue 
@@ -0,0 +1,147 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/core/v1 + +package v1 + +// ImagePolicyFailedOpenKey is added to pods created by failing open when the image policy +// webhook backend fails. +#ImagePolicyFailedOpenKey: "alpha.image-policy.k8s.io/failed-open" + +// MirrorAnnotationKey represents the annotation key set by kubelets when creating mirror pods +#MirrorPodAnnotationKey: "kubernetes.io/config.mirror" + +// TolerationsAnnotationKey represents the key of tolerations data (json serialized) +// in the Annotations of a Pod. +#TolerationsAnnotationKey: "scheduler.alpha.kubernetes.io/tolerations" + +// TaintsAnnotationKey represents the key of taints data (json serialized) +// in the Annotations of a Node. +#TaintsAnnotationKey: "scheduler.alpha.kubernetes.io/taints" + +// SeccompPodAnnotationKey represents the key of a seccomp profile applied +// to all containers of a pod. +// Deprecated: set a pod security context `seccompProfile` field. +#SeccompPodAnnotationKey: "seccomp.security.alpha.kubernetes.io/pod" + +// SeccompContainerAnnotationKeyPrefix represents the key of a seccomp profile applied +// to one container of a pod. +// Deprecated: set a container security context `seccompProfile` field. +#SeccompContainerAnnotationKeyPrefix: "container.seccomp.security.alpha.kubernetes.io/" + +// SeccompProfileRuntimeDefault represents the default seccomp profile used by container runtime. +// Deprecated: set a pod or container security context `seccompProfile` of type "RuntimeDefault" instead. +#SeccompProfileRuntimeDefault: "runtime/default" + +// SeccompProfileNameUnconfined is the unconfined seccomp profile. +#SeccompProfileNameUnconfined: "unconfined" + +// SeccompLocalhostProfileNamePrefix is the prefix for specifying profiles loaded from the node's disk. 
+#SeccompLocalhostProfileNamePrefix: "localhost/" + +// AppArmorBetaContainerAnnotationKeyPrefix is the prefix to an annotation key specifying a container's apparmor profile. +#AppArmorBetaContainerAnnotationKeyPrefix: "container.apparmor.security.beta.kubernetes.io/" + +// AppArmorBetaDefaultProfileAnnotationKey is the annotation key specifying the default AppArmor profile. +#AppArmorBetaDefaultProfileAnnotationKey: "apparmor.security.beta.kubernetes.io/defaultProfileName" + +// AppArmorBetaAllowedProfilesAnnotationKey is the annotation key specifying the allowed AppArmor profiles. +#AppArmorBetaAllowedProfilesAnnotationKey: "apparmor.security.beta.kubernetes.io/allowedProfileNames" + +// AppArmorBetaProfileRuntimeDefault is the profile specifying the runtime default. +#AppArmorBetaProfileRuntimeDefault: "runtime/default" + +// AppArmorBetaProfileNamePrefix is the prefix for specifying profiles loaded on the node. +#AppArmorBetaProfileNamePrefix: "localhost/" + +// AppArmorBetaProfileNameUnconfined is the Unconfined AppArmor profile +#AppArmorBetaProfileNameUnconfined: "unconfined" + +// DeprecatedSeccompProfileDockerDefault represents the default seccomp profile used by docker. +// Deprecated: set a pod or container security context `seccompProfile` of type "RuntimeDefault" instead. +#DeprecatedSeccompProfileDockerDefault: "docker/default" + +// PreferAvoidPodsAnnotationKey represents the key of preferAvoidPods data (json serialized) +// in the Annotations of a Node. +#PreferAvoidPodsAnnotationKey: "scheduler.alpha.kubernetes.io/preferAvoidPods" + +// ObjectTTLAnnotationKey represents a suggestion for kubelet for how long it can cache +// an object (e.g. secret, config map) before fetching it again from apiserver. +// This annotation can be attached to node. +#ObjectTTLAnnotationKey: "node.alpha.kubernetes.io/ttl" + +// annotation key prefix used to identify non-convertible json paths. 
+#NonConvertibleAnnotationPrefix: "non-convertible.kubernetes.io" +_#kubectlPrefix: "kubectl.kubernetes.io/" + +// LastAppliedConfigAnnotation is the annotation used to store the previous +// configuration of a resource for use in a three way diff by UpdateApplyAnnotation. +#LastAppliedConfigAnnotation: "kubectl.kubernetes.io/last-applied-configuration" + +// AnnotationLoadBalancerSourceRangesKey is the key of the annotation on a service to set allowed ingress ranges on their LoadBalancers +// +// It should be a comma-separated list of CIDRs, e.g. `0.0.0.0/0` to +// allow full access (the default) or `18.0.0.0/8,56.0.0.0/8` to allow +// access only from the CIDRs currently allocated to MIT & the USPS. +// +// Not all cloud providers support this annotation, though AWS & GCE do. +#AnnotationLoadBalancerSourceRangesKey: "service.beta.kubernetes.io/load-balancer-source-ranges" + +// EndpointsLastChangeTriggerTime is the annotation key, set for endpoints objects, that +// represents the timestamp (stored as RFC 3339 date-time string, e.g. '2018-10-22T19:32:52.1Z') +// of the last change, of some Pod or Service object, that triggered the endpoints object change. +// In other words, if a Pod / Service changed at time T0, that change was observed by endpoints +// controller at T1, and the Endpoints object was changed at T2, the +// EndpointsLastChangeTriggerTime would be set to T0. +// +// The "endpoints change trigger" here means any Pod or Service change that resulted in the +// Endpoints object change. +// +// Given the definition of the "endpoints change trigger", please note that this annotation will +// be set ONLY for endpoints object changes triggered by either Pod or Service change. If the +// Endpoints object changes due to other reasons, this annotation won't be set (or updated if it's +// already set). 
+// +// This annotation will be used to compute the in-cluster network programming latency SLI, see +// https://github.com/kubernetes/community/blob/master/sig-scalability/slos/network_programming_latency.md +#EndpointsLastChangeTriggerTime: "endpoints.kubernetes.io/last-change-trigger-time" + +// EndpointsOverCapacity will be set on an Endpoints resource when it +// exceeds the maximum capacity of 1000 addresses. Initially the Endpoints +// controller will set this annotation with a value of "warning". In a +// future release, the controller may set this annotation with a value of +// "truncated" to indicate that any addresses exceeding the limit of 1000 +// have been truncated from the Endpoints resource. +#EndpointsOverCapacity: "endpoints.kubernetes.io/over-capacity" + +// MigratedPluginsAnnotationKey is the annotation key, set for CSINode objects, that is a comma-separated +// list of in-tree plugins that will be serviced by the CSI backend on the Node represented by CSINode. +// This annotation is used by the Attach Detach Controller to determine whether to use the in-tree or +// CSI Backend for a volume plugin on a specific node. +#MigratedPluginsAnnotationKey: "storage.alpha.kubernetes.io/migrated-plugins" + +// PodDeletionCost can be used to set to an int32 that represent the cost of deleting +// a pod compared to other pods belonging to the same ReplicaSet. Pods with lower +// deletion cost are preferred to be deleted before pods with higher deletion cost. +// Note that this is honored on a best-effort basis, and so it does not offer guarantees on +// pod deletion order. +// The implicit deletion cost for pods that don't set the annotation is 0, negative values are permitted. +// +// This annotation is beta-level and is only honored when PodDeletionCost feature is enabled. +#PodDeletionCost: "controller.kubernetes.io/pod-deletion-cost" + +// DeprecatedAnnotationTopologyAwareHints can be used to enable or disable +// Topology Aware Hints for a Service. 
This may be set to "Auto" or +// "Disabled". Any other value is treated as "Disabled". This annotation has +// been deprecated in favor of the "service.kubernetes.io/topology-mode" +// annotation. +#DeprecatedAnnotationTopologyAwareHints: "service.kubernetes.io/topology-aware-hints" + +// AnnotationTopologyMode can be used to enable or disable Topology Aware +// Routing for a Service. Well known values are "Auto" and "Disabled". +// Implementations may choose to develop new topology approaches, exposing +// them with domain-prefixed values. For example, "example.com/lowest-rtt" +// could be a valid implementation-specific value for this annotation. These +// heuristics will often populate topology hints on EndpointSlices, but that +// is not a requirement. +#AnnotationTopologyMode: "service.kubernetes.io/topology-mode" diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/core/v1/doc_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/core/v1/doc_go_gen.cue new file mode 100644 index 000000000..2bf1afce0 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/core/v1/doc_go_gen.cue @@ -0,0 +1,6 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/core/v1 + +// Package v1 is the v1 version of the core API. +package v1 diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/core/v1/register_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/core/v1/register_go_gen.cue new file mode 100644 index 000000000..29c24abce --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/core/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/core/v1 + +package v1 + +#GroupName: "" diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/core/v1/types_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/core/v1/types_go_gen.cue new file mode 100644 index 000000000..d87edcff5 --- /dev/null 
+++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/core/v1/types_go_gen.cue 
@@ -0,0 +1,7617 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/core/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/api/resource" + "k8s.io/apimachinery/pkg/util/intstr" + "k8s.io/apimachinery/pkg/types" +) + +// NamespaceDefault means the object is in the default namespace which is applied when not specified by clients +#NamespaceDefault: "default" + +// NamespaceAll is the default argument to specify on a context when you want to list or filter resources across all namespaces +#NamespaceAll: "" + +// NamespaceNodeLease is the namespace where we place node lease objects (used for node heartbeats) +#NamespaceNodeLease: "kube-node-lease" + +// Volume represents a named volume in a pod that may be accessed by any container in the pod. +#Volume: { + // name of the volume. + // Must be a DNS_LABEL and unique within the pod. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name: string @go(Name) @protobuf(1,bytes,opt) + + #VolumeSource +} + +// Represents the source of a volume to mount. +// Only one of its members may be specified. +#VolumeSource: { + // hostPath represents a pre-existing file or directory on the host + // machine that is directly exposed to the container. This is generally + // used for system agents or other privileged things that are allowed + // to see the host machine. Most containers will NOT need this. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + // --- + // TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not + // mount host directories as read/write. + // +optional + hostPath?: null | #HostPathVolumeSource @go(HostPath,*HostPathVolumeSource) @protobuf(1,bytes,opt) + + // emptyDir represents a temporary directory that shares a pod's lifetime. 
+ // More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + // +optional + emptyDir?: null | #EmptyDirVolumeSource @go(EmptyDir,*EmptyDirVolumeSource) @protobuf(2,bytes,opt) + + // gcePersistentDisk represents a GCE Disk resource that is attached to a + // kubelet's host machine and then exposed to the pod. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + // +optional + gcePersistentDisk?: null | #GCEPersistentDiskVolumeSource @go(GCEPersistentDisk,*GCEPersistentDiskVolumeSource) @protobuf(3,bytes,opt) + + // awsElasticBlockStore represents an AWS Disk resource that is attached to a + // kubelet's host machine and then exposed to the pod. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + // +optional + awsElasticBlockStore?: null | #AWSElasticBlockStoreVolumeSource @go(AWSElasticBlockStore,*AWSElasticBlockStoreVolumeSource) @protobuf(4,bytes,opt) + + // gitRepo represents a git repository at a particular revision. + // DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an + // EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir + // into the Pod's container. + // +optional + gitRepo?: null | #GitRepoVolumeSource @go(GitRepo,*GitRepoVolumeSource) @protobuf(5,bytes,opt) + + // secret represents a secret that should populate this volume. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + // +optional + secret?: null | #SecretVolumeSource @go(Secret,*SecretVolumeSource) @protobuf(6,bytes,opt) + + // nfs represents an NFS mount on the host that shares a pod's lifetime + // More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + // +optional + nfs?: null | #NFSVolumeSource @go(NFS,*NFSVolumeSource) @protobuf(7,bytes,opt) + + // iscsi represents an ISCSI Disk resource that is attached to a + // kubelet's host machine and then exposed to the pod. 
+ // More info: https://examples.k8s.io/volumes/iscsi/README.md + // +optional + iscsi?: null | #ISCSIVolumeSource @go(ISCSI,*ISCSIVolumeSource) @protobuf(8,bytes,opt) + + // glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md + // +optional + glusterfs?: null | #GlusterfsVolumeSource @go(Glusterfs,*GlusterfsVolumeSource) @protobuf(9,bytes,opt) + + // persistentVolumeClaimVolumeSource represents a reference to a + // PersistentVolumeClaim in the same namespace. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + // +optional + persistentVolumeClaim?: null | #PersistentVolumeClaimVolumeSource @go(PersistentVolumeClaim,*PersistentVolumeClaimVolumeSource) @protobuf(10,bytes,opt) + + // rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. + // More info: https://examples.k8s.io/volumes/rbd/README.md + // +optional + rbd?: null | #RBDVolumeSource @go(RBD,*RBDVolumeSource) @protobuf(11,bytes,opt) + + // flexVolume represents a generic volume resource that is + // provisioned/attached using an exec based plugin. + // +optional + flexVolume?: null | #FlexVolumeSource @go(FlexVolume,*FlexVolumeSource) @protobuf(12,bytes,opt) + + // cinder represents a cinder volume attached and mounted on kubelets host machine. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + // +optional + cinder?: null | #CinderVolumeSource @go(Cinder,*CinderVolumeSource) @protobuf(13,bytes,opt) + + // cephFS represents a Ceph FS mount on the host that shares a pod's lifetime + // +optional + cephfs?: null | #CephFSVolumeSource @go(CephFS,*CephFSVolumeSource) @protobuf(14,bytes,opt) + + // flocker represents a Flocker volume attached to a kubelet's host machine. 
This depends on the Flocker control service being running + // +optional + flocker?: null | #FlockerVolumeSource @go(Flocker,*FlockerVolumeSource) @protobuf(15,bytes,opt) + + // downwardAPI represents downward API about the pod that should populate this volume + // +optional + downwardAPI?: null | #DownwardAPIVolumeSource @go(DownwardAPI,*DownwardAPIVolumeSource) @protobuf(16,bytes,opt) + + // fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod. + // +optional + fc?: null | #FCVolumeSource @go(FC,*FCVolumeSource) @protobuf(17,bytes,opt) + + // azureFile represents an Azure File Service mount on the host and bind mount to the pod. + // +optional + azureFile?: null | #AzureFileVolumeSource @go(AzureFile,*AzureFileVolumeSource) @protobuf(18,bytes,opt) + + // configMap represents a configMap that should populate this volume + // +optional + configMap?: null | #ConfigMapVolumeSource @go(ConfigMap,*ConfigMapVolumeSource) @protobuf(19,bytes,opt) + + // vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine + // +optional + vsphereVolume?: null | #VsphereVirtualDiskVolumeSource @go(VsphereVolume,*VsphereVirtualDiskVolumeSource) @protobuf(20,bytes,opt) + + // quobyte represents a Quobyte mount on the host that shares a pod's lifetime + // +optional + quobyte?: null | #QuobyteVolumeSource @go(Quobyte,*QuobyteVolumeSource) @protobuf(21,bytes,opt) + + // azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. 
+ // +optional + azureDisk?: null | #AzureDiskVolumeSource @go(AzureDisk,*AzureDiskVolumeSource) @protobuf(22,bytes,opt) + + // photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine + photonPersistentDisk?: null | #PhotonPersistentDiskVolumeSource @go(PhotonPersistentDisk,*PhotonPersistentDiskVolumeSource) @protobuf(23,bytes,opt) + + // projected items for all in one resources secrets, configmaps, and downward API + projected?: null | #ProjectedVolumeSource @go(Projected,*ProjectedVolumeSource) @protobuf(26,bytes,opt) + + // portworxVolume represents a portworx volume attached and mounted on kubelets host machine + // +optional + portworxVolume?: null | #PortworxVolumeSource @go(PortworxVolume,*PortworxVolumeSource) @protobuf(24,bytes,opt) + + // scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. + // +optional + scaleIO?: null | #ScaleIOVolumeSource @go(ScaleIO,*ScaleIOVolumeSource) @protobuf(25,bytes,opt) + + // storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. + // +optional + storageos?: null | #StorageOSVolumeSource @go(StorageOS,*StorageOSVolumeSource) @protobuf(27,bytes,opt) + + // csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature). + // +optional + csi?: null | #CSIVolumeSource @go(CSI,*CSIVolumeSource) @protobuf(28,bytes,opt) + + // ephemeral represents a volume that is handled by a cluster storage driver. + // The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, + // and deleted when the pod is removed. 
+ // + // Use this if: + // a) the volume is only needed while the pod runs, + // b) features of normal volumes like restoring from snapshot or capacity + // tracking are needed, + // c) the storage driver is specified through a storage class, and + // d) the storage driver supports dynamic volume provisioning through + // a PersistentVolumeClaim (see EphemeralVolumeSource for more + // information on the connection between this volume type + // and PersistentVolumeClaim). + // + // Use PersistentVolumeClaim or one of the vendor-specific + // APIs for volumes that persist for longer than the lifecycle + // of an individual pod. + // + // Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to + // be used that way - see the documentation of the driver for + // more information. + // + // A pod can use both types of ephemeral volumes and + // persistent volumes at the same time. + // + // +optional + ephemeral?: null | #EphemeralVolumeSource @go(Ephemeral,*EphemeralVolumeSource) @protobuf(29,bytes,opt) +} + +// PersistentVolumeClaimVolumeSource references the user's PVC in the same namespace. +// This volume finds the bound PV and mounts that volume for the pod. A +// PersistentVolumeClaimVolumeSource is, essentially, a wrapper around another +// type of volume that is owned by someone else (the system). +#PersistentVolumeClaimVolumeSource: { + // claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + claimName: string @go(ClaimName) @protobuf(1,bytes,opt) + + // readOnly Will force the ReadOnly setting in VolumeMounts. + // Default false. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(2,varint,opt) +} + +// PersistentVolumeSource is similar to VolumeSource but meant for the +// administrator who creates PVs. Exactly one of its members must be set. 
+#PersistentVolumeSource: { + // gcePersistentDisk represents a GCE Disk resource that is attached to a + // kubelet's host machine and then exposed to the pod. Provisioned by an admin. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + // +optional + gcePersistentDisk?: null | #GCEPersistentDiskVolumeSource @go(GCEPersistentDisk,*GCEPersistentDiskVolumeSource) @protobuf(1,bytes,opt) + + // awsElasticBlockStore represents an AWS Disk resource that is attached to a + // kubelet's host machine and then exposed to the pod. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + // +optional + awsElasticBlockStore?: null | #AWSElasticBlockStoreVolumeSource @go(AWSElasticBlockStore,*AWSElasticBlockStoreVolumeSource) @protobuf(2,bytes,opt) + + // hostPath represents a directory on the host. + // Provisioned by a developer or tester. + // This is useful for single-node development and testing only! + // On-host storage is not supported in any way and WILL NOT WORK in a multi-node cluster. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + // +optional + hostPath?: null | #HostPathVolumeSource @go(HostPath,*HostPathVolumeSource) @protobuf(3,bytes,opt) + + // glusterfs represents a Glusterfs volume that is attached to a host and + // exposed to the pod. Provisioned by an admin. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md + // +optional + glusterfs?: null | #GlusterfsPersistentVolumeSource @go(Glusterfs,*GlusterfsPersistentVolumeSource) @protobuf(4,bytes,opt) + + // nfs represents an NFS mount on the host. Provisioned by an admin. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + // +optional + nfs?: null | #NFSVolumeSource @go(NFS,*NFSVolumeSource) @protobuf(5,bytes,opt) + + // rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. 
+ // More info: https://examples.k8s.io/volumes/rbd/README.md + // +optional + rbd?: null | #RBDPersistentVolumeSource @go(RBD,*RBDPersistentVolumeSource) @protobuf(6,bytes,opt) + + // iscsi represents an ISCSI Disk resource that is attached to a + // kubelet's host machine and then exposed to the pod. Provisioned by an admin. + // +optional + iscsi?: null | #ISCSIPersistentVolumeSource @go(ISCSI,*ISCSIPersistentVolumeSource) @protobuf(7,bytes,opt) + + // cinder represents a cinder volume attached and mounted on kubelets host machine. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + // +optional + cinder?: null | #CinderPersistentVolumeSource @go(Cinder,*CinderPersistentVolumeSource) @protobuf(8,bytes,opt) + + // cephFS represents a Ceph FS mount on the host that shares a pod's lifetime + // +optional + cephfs?: null | #CephFSPersistentVolumeSource @go(CephFS,*CephFSPersistentVolumeSource) @protobuf(9,bytes,opt) + + // fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod. + // +optional + fc?: null | #FCVolumeSource @go(FC,*FCVolumeSource) @protobuf(10,bytes,opt) + + // flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running + // +optional + flocker?: null | #FlockerVolumeSource @go(Flocker,*FlockerVolumeSource) @protobuf(11,bytes,opt) + + // flexVolume represents a generic volume resource that is + // provisioned/attached using an exec based plugin. + // +optional + flexVolume?: null | #FlexPersistentVolumeSource @go(FlexVolume,*FlexPersistentVolumeSource) @protobuf(12,bytes,opt) + + // azureFile represents an Azure File Service mount on the host and bind mount to the pod. 
+ // +optional + azureFile?: null | #AzureFilePersistentVolumeSource @go(AzureFile,*AzureFilePersistentVolumeSource) @protobuf(13,bytes,opt) + + // vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine + // +optional + vsphereVolume?: null | #VsphereVirtualDiskVolumeSource @go(VsphereVolume,*VsphereVirtualDiskVolumeSource) @protobuf(14,bytes,opt) + + // quobyte represents a Quobyte mount on the host that shares a pod's lifetime + // +optional + quobyte?: null | #QuobyteVolumeSource @go(Quobyte,*QuobyteVolumeSource) @protobuf(15,bytes,opt) + + // azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. + // +optional + azureDisk?: null | #AzureDiskVolumeSource @go(AzureDisk,*AzureDiskVolumeSource) @protobuf(16,bytes,opt) + + // photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine + photonPersistentDisk?: null | #PhotonPersistentDiskVolumeSource @go(PhotonPersistentDisk,*PhotonPersistentDiskVolumeSource) @protobuf(17,bytes,opt) + + // portworxVolume represents a portworx volume attached and mounted on kubelets host machine + // +optional + portworxVolume?: null | #PortworxVolumeSource @go(PortworxVolume,*PortworxVolumeSource) @protobuf(18,bytes,opt) + + // scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. 
+ // +optional + scaleIO?: null | #ScaleIOPersistentVolumeSource @go(ScaleIO,*ScaleIOPersistentVolumeSource) @protobuf(19,bytes,opt) + + // local represents directly-attached storage with node affinity + // +optional + local?: null | #LocalVolumeSource @go(Local,*LocalVolumeSource) @protobuf(20,bytes,opt) + + // storageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod + // More info: https://examples.k8s.io/volumes/storageos/README.md + // +optional + storageos?: null | #StorageOSPersistentVolumeSource @go(StorageOS,*StorageOSPersistentVolumeSource) @protobuf(21,bytes,opt) + + // csi represents storage that is handled by an external CSI driver (Beta feature). + // +optional + csi?: null | #CSIPersistentVolumeSource @go(CSI,*CSIPersistentVolumeSource) @protobuf(22,bytes,opt) +} + +// BetaStorageClassAnnotation represents the beta/previous StorageClass annotation. +// It's currently still used and will be held for backwards compatibility +#BetaStorageClassAnnotation: "volume.beta.kubernetes.io/storage-class" + +// MountOptionAnnotation defines mount option annotation used in PVs +#MountOptionAnnotation: "volume.beta.kubernetes.io/mount-options" + +// PersistentVolume (PV) is a storage resource provisioned by an administrator. +// It is analogous to a node. +// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes +#PersistentVolume: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec defines a specification of a persistent volume owned by the cluster. + // Provisioned by an administrator. 
+ // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumes + // +optional + spec?: #PersistentVolumeSpec @go(Spec) @protobuf(2,bytes,opt) + + // status represents the current information/status for the persistent volume. + // Populated by the system. + // Read-only. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumes + // +optional + status?: #PersistentVolumeStatus @go(Status) @protobuf(3,bytes,opt) +} + +// PersistentVolumeSpec is the specification of a persistent volume. +#PersistentVolumeSpec: { + // capacity is the description of the persistent volume's resources and capacity. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacity + // +optional + capacity?: #ResourceList @go(Capacity) @protobuf(1,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + #PersistentVolumeSource + + // accessModes contains all ways the volume can be mounted. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes + // +optional + accessModes?: [...#PersistentVolumeAccessMode] @go(AccessModes,[]PersistentVolumeAccessMode) @protobuf(3,bytes,rep,casttype=PersistentVolumeAccessMode) + + // claimRef is part of a bi-directional binding between PersistentVolume and PersistentVolumeClaim. + // Expected to be non-nil when bound. + // claim.VolumeName is the authoritative bind between PV and PVC. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#binding + // +optional + // +structType=granular + claimRef?: null | #ObjectReference @go(ClaimRef,*ObjectReference) @protobuf(4,bytes,opt) + + // persistentVolumeReclaimPolicy defines what happens to a persistent volume when released from its claim. + // Valid options are Retain (default for manually created PersistentVolumes), Delete (default + // for dynamically provisioned PersistentVolumes), and Recycle (deprecated). 
+ // Recycle must be supported by the volume plugin underlying this PersistentVolume. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#reclaiming + // +optional + persistentVolumeReclaimPolicy?: #PersistentVolumeReclaimPolicy @go(PersistentVolumeReclaimPolicy) @protobuf(5,bytes,opt,casttype=PersistentVolumeReclaimPolicy) + + // storageClassName is the name of StorageClass to which this persistent volume belongs. Empty value + // means that this volume does not belong to any StorageClass. + // +optional + storageClassName?: string @go(StorageClassName) @protobuf(6,bytes,opt) + + // mountOptions is the list of mount options, e.g. ["ro", "soft"]. Not validated - mount will + // simply fail if one is invalid. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#mount-options + // +optional + mountOptions?: [...string] @go(MountOptions,[]string) @protobuf(7,bytes,opt) + + // volumeMode defines if a volume is intended to be used with a formatted filesystem + // or to remain in raw block state. Value of Filesystem is implied when not included in spec. + // +optional + volumeMode?: null | #PersistentVolumeMode @go(VolumeMode,*PersistentVolumeMode) @protobuf(8,bytes,opt,casttype=PersistentVolumeMode) + + // nodeAffinity defines constraints that limit what nodes this volume can be accessed from. + // This field influences the scheduling of pods that use this volume. + // +optional + nodeAffinity?: null | #VolumeNodeAffinity @go(NodeAffinity,*VolumeNodeAffinity) @protobuf(9,bytes,opt) +} + +// VolumeNodeAffinity defines constraints that limit what nodes this volume can be accessed from. +#VolumeNodeAffinity: { + // required specifies hard node constraints that must be met. + required?: null | #NodeSelector @go(Required,*NodeSelector) @protobuf(1,bytes,opt) +} + +// PersistentVolumeReclaimPolicy describes a policy for end-of-life maintenance of persistent volumes. 
+// +enum +#PersistentVolumeReclaimPolicy: string // #enumPersistentVolumeReclaimPolicy + +#enumPersistentVolumeReclaimPolicy: + #PersistentVolumeReclaimRecycle | + #PersistentVolumeReclaimDelete | + #PersistentVolumeReclaimRetain + +// PersistentVolumeReclaimRecycle means the volume will be recycled back into the pool of unbound persistent volumes on release from its claim. +// The volume plugin must support Recycling. +#PersistentVolumeReclaimRecycle: #PersistentVolumeReclaimPolicy & "Recycle" + +// PersistentVolumeReclaimDelete means the volume will be deleted from Kubernetes on release from its claim. +// The volume plugin must support Deletion. +#PersistentVolumeReclaimDelete: #PersistentVolumeReclaimPolicy & "Delete" + +// PersistentVolumeReclaimRetain means the volume will be left in its current phase (Released) for manual reclamation by the administrator. +// The default policy is Retain. +#PersistentVolumeReclaimRetain: #PersistentVolumeReclaimPolicy & "Retain" + +// PersistentVolumeMode describes how a volume is intended to be consumed, either Block or Filesystem. +// +enum +#PersistentVolumeMode: string // #enumPersistentVolumeMode + +#enumPersistentVolumeMode: + #PersistentVolumeBlock | + #PersistentVolumeFilesystem + +// PersistentVolumeBlock means the volume will not be formatted with a filesystem and will remain a raw block device. +#PersistentVolumeBlock: #PersistentVolumeMode & "Block" + +// PersistentVolumeFilesystem means the volume will be or is formatted with a filesystem. +#PersistentVolumeFilesystem: #PersistentVolumeMode & "Filesystem" + +// PersistentVolumeStatus is the current status of a persistent volume. +#PersistentVolumeStatus: { + // phase indicates if a volume is available, bound to a claim, or released by a claim. 
+ // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#phase + // +optional + phase?: #PersistentVolumePhase @go(Phase) @protobuf(1,bytes,opt,casttype=PersistentVolumePhase) + + // message is a human-readable message indicating details about why the volume is in this state. + // +optional + message?: string @go(Message) @protobuf(2,bytes,opt) + + // reason is a brief CamelCase string that describes any failure and is meant + // for machine parsing and tidy display in the CLI. + // +optional + reason?: string @go(Reason) @protobuf(3,bytes,opt) + + // lastPhaseTransitionTime is the time the phase transitioned from one to another + // and automatically resets to current time everytime a volume phase transitions. + // This is an alpha field and requires enabling PersistentVolumeLastPhaseTransitionTime feature. + // +featureGate=PersistentVolumeLastPhaseTransitionTime + // +optional + lastPhaseTransitionTime?: null | metav1.#Time @go(LastPhaseTransitionTime,*metav1.Time) @protobuf(4,bytes,opt) +} + +// PersistentVolumeList is a list of PersistentVolume items. +#PersistentVolumeList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is a list of persistent volumes. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes + items: [...#PersistentVolume] @go(Items,[]PersistentVolume) @protobuf(2,bytes,rep) +} + +// PersistentVolumeClaim is a user's request for and claim to a persistent volume +#PersistentVolumeClaim: { + metav1.#TypeMeta + + // Standard object's metadata. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec defines the desired characteristics of a volume requested by a pod author. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + // +optional + spec?: #PersistentVolumeClaimSpec @go(Spec) @protobuf(2,bytes,opt) + + // status represents the current information/status of a persistent volume claim. + // Read-only. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + // +optional + status?: #PersistentVolumeClaimStatus @go(Status) @protobuf(3,bytes,opt) +} + +// PersistentVolumeClaimList is a list of PersistentVolumeClaim items. +#PersistentVolumeClaimList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is a list of persistent volume claims. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + items: [...#PersistentVolumeClaim] @go(Items,[]PersistentVolumeClaim) @protobuf(2,bytes,rep) +} + +// PersistentVolumeClaimSpec describes the common attributes of storage devices +// and allows a Source for provider-specific attributes +#PersistentVolumeClaimSpec: { + // accessModes contains the desired access modes the volume should have. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + // +optional + accessModes?: [...#PersistentVolumeAccessMode] @go(AccessModes,[]PersistentVolumeAccessMode) @protobuf(1,bytes,rep,casttype=PersistentVolumeAccessMode) + + // selector is a label query over volumes to consider for binding. 
+ // +optional + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(4,bytes,opt) + + // resources represents the minimum resources the volume should have. + // If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + // that are lower than previous value but must still be higher than capacity recorded in the + // status field of the claim. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + // +optional + resources?: #ResourceRequirements @go(Resources) @protobuf(2,bytes,opt) + + // volumeName is the binding reference to the PersistentVolume backing this claim. + // +optional + volumeName?: string @go(VolumeName) @protobuf(3,bytes,opt) + + // storageClassName is the name of the StorageClass required by the claim. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + // +optional + storageClassName?: null | string @go(StorageClassName,*string) @protobuf(5,bytes,opt) + + // volumeMode defines what type of volume is required by the claim. + // Value of Filesystem is implied when not included in claim spec. + // +optional + volumeMode?: null | #PersistentVolumeMode @go(VolumeMode,*PersistentVolumeMode) @protobuf(6,bytes,opt,casttype=PersistentVolumeMode) + + // dataSource field can be used to specify either: + // * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + // * An existing PVC (PersistentVolumeClaim) + // If the provisioner or an external controller can support the specified data source, + // it will create a new volume based on the contents of the specified data source. + // When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + // and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + // If the namespace is specified, then dataSourceRef will not be copied to dataSource. 
+ // +optional + dataSource?: null | #TypedLocalObjectReference @go(DataSource,*TypedLocalObjectReference) @protobuf(7,bytes,opt) + + // dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + // volume is desired. This may be any object from a non-empty API group (non + // core object) or a PersistentVolumeClaim object. + // When this field is specified, volume binding will only succeed if the type of + // the specified object matches some installed volume populator or dynamic + // provisioner. + // This field will replace the functionality of the dataSource field and as such + // if both fields are non-empty, they must have the same value. For backwards + // compatibility, when namespace isn't specified in dataSourceRef, + // both fields (dataSource and dataSourceRef) will be set to the same + // value automatically if one of them is empty and the other is non-empty. + // When namespace is specified in dataSourceRef, + // dataSource isn't set to the same value and must be empty. + // There are three important differences between dataSource and dataSourceRef: + // * While dataSource only allows two specific types of objects, dataSourceRef + // allows any non-core object, as well as PersistentVolumeClaim objects. + // * While dataSource ignores disallowed values (dropping them), dataSourceRef + // preserves all values, and generates an error if a disallowed value is + // specified. + // * While dataSource only allows local objects, dataSourceRef allows objects + // in any namespaces. + // (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + // (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + // +optional + dataSourceRef?: null | #TypedObjectReference @go(DataSourceRef,*TypedObjectReference) @protobuf(8,bytes,opt) +} + +#TypedObjectReference: { + // APIGroup is the group for the resource being referenced. 
+ // If APIGroup is not specified, the specified Kind must be in the core API group. + // For any other third-party types, APIGroup is required. + // +optional + apiGroup?: null | string @go(APIGroup,*string) @protobuf(1,bytes,opt) + + // Kind is the type of resource being referenced + kind: string @go(Kind) @protobuf(2,bytes,opt) + + // Name is the name of resource being referenced + name: string @go(Name) @protobuf(3,bytes,opt) + + // Namespace is the namespace of resource being referenced + // Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + // (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + // +featureGate=CrossNamespaceVolumeDataSource + // +optional + namespace?: null | string @go(Namespace,*string) @protobuf(4,bytes,opt) +} + +// PersistentVolumeClaimConditionType is a valid value of PersistentVolumeClaimCondition.Type +#PersistentVolumeClaimConditionType: string // #enumPersistentVolumeClaimConditionType + +#enumPersistentVolumeClaimConditionType: + #PersistentVolumeClaimResizing | + #PersistentVolumeClaimFileSystemResizePending + +// PersistentVolumeClaimResizing - a user trigger resize of pvc has been started +#PersistentVolumeClaimResizing: #PersistentVolumeClaimConditionType & "Resizing" + +// PersistentVolumeClaimFileSystemResizePending - controller resize is finished and a file system resize is pending on node +#PersistentVolumeClaimFileSystemResizePending: #PersistentVolumeClaimConditionType & "FileSystemResizePending" + +// +enum +// When a controller receives persistentvolume claim update with ClaimResourceStatus for a resource +// that it does not recognizes, then it should ignore that update and let other controllers +// handle it. 
+#ClaimResourceStatus: string // #enumClaimResourceStatus + +#enumClaimResourceStatus: + #PersistentVolumeClaimControllerResizeInProgress | + #PersistentVolumeClaimControllerResizeFailed | + #PersistentVolumeClaimNodeResizePending | + #PersistentVolumeClaimNodeResizeInProgress | + #PersistentVolumeClaimNodeResizeFailed + +// State set when resize controller starts resizing the volume in control-plane. +#PersistentVolumeClaimControllerResizeInProgress: #ClaimResourceStatus & "ControllerResizeInProgress" + +// State set when resize has failed in resize controller with a terminal error. +// Transient errors such as timeout should not set this status and should leave allocatedResourceStatus +// unmodified, so as resize controller can resume the volume expansion. +#PersistentVolumeClaimControllerResizeFailed: #ClaimResourceStatus & "ControllerResizeFailed" + +// State set when resize controller has finished resizing the volume but further resizing of volume +// is needed on the node. +#PersistentVolumeClaimNodeResizePending: #ClaimResourceStatus & "NodeResizePending" + +// State set when kubelet starts resizing the volume. +#PersistentVolumeClaimNodeResizeInProgress: #ClaimResourceStatus & "NodeResizeInProgress" + +// State set when resizing has failed in kubelet with a terminal error. Transient errors don't set NodeResizeFailed +#PersistentVolumeClaimNodeResizeFailed: #ClaimResourceStatus & "NodeResizeFailed" + +// PersistentVolumeClaimCondition contains details about state of pvc +#PersistentVolumeClaimCondition: { + type: #PersistentVolumeClaimConditionType @go(Type) @protobuf(1,bytes,opt,casttype=PersistentVolumeClaimConditionType) + status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus) + + // lastProbeTime is the time we probed the condition. + // +optional + lastProbeTime?: metav1.#Time @go(LastProbeTime) @protobuf(3,bytes,opt) + + // lastTransitionTime is the time the condition transitioned from one status to another. 
+ // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(4,bytes,opt) + + // reason is a unique, this should be a short, machine understandable string that gives the reason + // for condition's last transition. If it reports "ResizeStarted" that means the underlying + // persistent volume is being resized. + // +optional + reason?: string @go(Reason) @protobuf(5,bytes,opt) + + // message is the human-readable message indicating details about last transition. + // +optional + message?: string @go(Message) @protobuf(6,bytes,opt) +} + +// PersistentVolumeClaimStatus is the current status of a persistent volume claim. +#PersistentVolumeClaimStatus: { + // phase represents the current phase of PersistentVolumeClaim. + // +optional + phase?: #PersistentVolumeClaimPhase @go(Phase) @protobuf(1,bytes,opt,casttype=PersistentVolumeClaimPhase) + + // accessModes contains the actual access modes the volume backing the PVC has. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + // +optional + accessModes?: [...#PersistentVolumeAccessMode] @go(AccessModes,[]PersistentVolumeAccessMode) @protobuf(2,bytes,rep,casttype=PersistentVolumeAccessMode) + + // capacity represents the actual resources of the underlying volume. + // +optional + capacity?: #ResourceList @go(Capacity) @protobuf(3,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // conditions is the current Condition of persistent volume claim. If underlying persistent volume is being + // resized then the Condition will be set to 'ResizeStarted'. + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#PersistentVolumeClaimCondition] @go(Conditions,[]PersistentVolumeClaimCondition) @protobuf(4,bytes,rep) + + // allocatedResources tracks the resources allocated to a PVC including its capacity. + // Key names follow standard Kubernetes label syntax. 
Valid values are either: + // * Un-prefixed keys: + // - storage - the capacity of the volume. + // * Custom resources must use implementation-defined prefixed names such as "example.com/my-custom-resource" + // Apart from above values - keys that are unprefixed or have kubernetes.io prefix are considered + // reserved and hence may not be used. + // + // Capacity reported here may be larger than the actual capacity when a volume expansion operation + // is requested. + // For storage quota, the larger value from allocatedResources and PVC.spec.resources is used. + // If allocatedResources is not set, PVC.spec.resources alone is used for quota calculation. + // If a volume expansion capacity request is lowered, allocatedResources is only + // lowered if there are no expansion operations in progress and if the actual volume capacity + // is equal or lower than the requested capacity. + // + // A controller that receives PVC update with previously unknown resourceName + // should ignore the update for the purpose it was designed. For example - a controller that + // only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid + // resources associated with PVC. + // + // This is an alpha field and requires enabling RecoverVolumeExpansionFailure feature. + // +featureGate=RecoverVolumeExpansionFailure + // +optional + allocatedResources?: #ResourceList @go(AllocatedResources) @protobuf(5,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // allocatedResourceStatuses stores status of resource being resized for the given PVC. + // Key names follow standard Kubernetes label syntax. Valid values are either: + // * Un-prefixed keys: + // - storage - the capacity of the volume. 
+ // * Custom resources must use implementation-defined prefixed names such as "example.com/my-custom-resource" + // Apart from above values - keys that are unprefixed or have kubernetes.io prefix are considered + // reserved and hence may not be used. + // + // ClaimResourceStatus can be in any of following states: + // - ControllerResizeInProgress: + // State set when resize controller starts resizing the volume in control-plane. + // - ControllerResizeFailed: + // State set when resize has failed in resize controller with a terminal error. + // - NodeResizePending: + // State set when resize controller has finished resizing the volume but further resizing of + // volume is needed on the node. + // - NodeResizeInProgress: + // State set when kubelet starts resizing the volume. + // - NodeResizeFailed: + // State set when resizing has failed in kubelet with a terminal error. Transient errors don't set + // NodeResizeFailed. + // For example: if expanding a PVC for more capacity - this field can be one of the following states: + // - pvc.status.allocatedResourceStatus['storage'] = "ControllerResizeInProgress" + // - pvc.status.allocatedResourceStatus['storage'] = "ControllerResizeFailed" + // - pvc.status.allocatedResourceStatus['storage'] = "NodeResizePending" + // - pvc.status.allocatedResourceStatus['storage'] = "NodeResizeInProgress" + // - pvc.status.allocatedResourceStatus['storage'] = "NodeResizeFailed" + // When this field is not set, it means that no resize operation is in progress for the given PVC. + // + // A controller that receives PVC update with previously unknown resourceName or ClaimResourceStatus + // should ignore the update for the purpose it was designed. For example - a controller that + // only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid + // resources associated with PVC. + // + // This is an alpha field and requires enabling RecoverVolumeExpansionFailure feature. 
+ // +featureGate=RecoverVolumeExpansionFailure + // +mapType=granular + // +optional + allocatedResourceStatuses?: {[string]: #ClaimResourceStatus} @go(AllocatedResourceStatuses,map[ResourceName]ClaimResourceStatus) @protobuf(7,bytes,rep) +} + +// +enum +#PersistentVolumeAccessMode: string // #enumPersistentVolumeAccessMode + +#enumPersistentVolumeAccessMode: + #ReadWriteOnce | + #ReadOnlyMany | + #ReadWriteMany | + #ReadWriteOncePod + +// can be mounted in read/write mode to exactly 1 host +#ReadWriteOnce: #PersistentVolumeAccessMode & "ReadWriteOnce" + +// can be mounted in read-only mode to many hosts +#ReadOnlyMany: #PersistentVolumeAccessMode & "ReadOnlyMany" + +// can be mounted in read/write mode to many hosts +#ReadWriteMany: #PersistentVolumeAccessMode & "ReadWriteMany" + +// can be mounted in read/write mode to exactly 1 pod +// cannot be used in combination with other access modes +#ReadWriteOncePod: #PersistentVolumeAccessMode & "ReadWriteOncePod" + +// +enum +#PersistentVolumePhase: string // #enumPersistentVolumePhase + +#enumPersistentVolumePhase: + #VolumePending | + #VolumeAvailable | + #VolumeBound | + #VolumeReleased | + #VolumeFailed + +// used for PersistentVolumes that are not available +#VolumePending: #PersistentVolumePhase & "Pending" + +// used for PersistentVolumes that are not yet bound +// Available volumes are held by the binder and matched to PersistentVolumeClaims +#VolumeAvailable: #PersistentVolumePhase & "Available" + +// used for PersistentVolumes that are bound +#VolumeBound: #PersistentVolumePhase & "Bound" + +// used for PersistentVolumes where the bound PersistentVolumeClaim was deleted +// released volumes must be recycled before becoming available again +// this phase is used by the persistent volume claim binder to signal to another process to reclaim the resource +#VolumeReleased: #PersistentVolumePhase & "Released" + +// used for PersistentVolumes that failed to be correctly recycled or deleted after being released from 
a claim +#VolumeFailed: #PersistentVolumePhase & "Failed" + +// +enum +#PersistentVolumeClaimPhase: string // #enumPersistentVolumeClaimPhase + +#enumPersistentVolumeClaimPhase: + #ClaimPending | + #ClaimBound | + #ClaimLost + +// used for PersistentVolumeClaims that are not yet bound +#ClaimPending: #PersistentVolumeClaimPhase & "Pending" + +// used for PersistentVolumeClaims that are bound +#ClaimBound: #PersistentVolumeClaimPhase & "Bound" + +// used for PersistentVolumeClaims that lost their underlying +// PersistentVolume. The claim was bound to a PersistentVolume and this +// volume does not exist any longer and all data on it was lost. +#ClaimLost: #PersistentVolumeClaimPhase & "Lost" + +// +enum +#HostPathType: string // #enumHostPathType + +#enumHostPathType: + #HostPathUnset | + #HostPathDirectoryOrCreate | + #HostPathDirectory | + #HostPathFileOrCreate | + #HostPathFile | + #HostPathSocket | + #HostPathCharDev | + #HostPathBlockDev + +// For backwards compatible, leave it empty if unset +#HostPathUnset: #HostPathType & "" + +// If nothing exists at the given path, an empty directory will be created there +// as needed with file mode 0755, having the same group and ownership with Kubelet. +#HostPathDirectoryOrCreate: #HostPathType & "DirectoryOrCreate" + +// A directory must exist at the given path +#HostPathDirectory: #HostPathType & "Directory" + +// If nothing exists at the given path, an empty file will be created there +// as needed with file mode 0644, having the same group and ownership with Kubelet. 
+#HostPathFileOrCreate: #HostPathType & "FileOrCreate" + +// A file must exist at the given path +#HostPathFile: #HostPathType & "File" + +// A UNIX socket must exist at the given path +#HostPathSocket: #HostPathType & "Socket" + +// A character device must exist at the given path +#HostPathCharDev: #HostPathType & "CharDevice" + +// A block device must exist at the given path +#HostPathBlockDev: #HostPathType & "BlockDevice" + +// Represents a host path mapped into a pod. +// Host path volumes do not support ownership management or SELinux relabeling. +#HostPathVolumeSource: { + // path of the directory on the host. + // If the path is a symlink, it will follow the link to the real path. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + path: string @go(Path) @protobuf(1,bytes,opt) + + // type for HostPath Volume + // Defaults to "" + // More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + // +optional + type?: null | #HostPathType @go(Type,*HostPathType) @protobuf(2,bytes,opt) +} + +// Represents an empty directory for a pod. +// Empty directory volumes support ownership management and SELinux relabeling. +#EmptyDirVolumeSource: { + // medium represents what type of storage medium should back this directory. + // The default is "" which means to use the node's default medium. + // Must be an empty string (default) or Memory. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + // +optional + medium?: #StorageMedium @go(Medium) @protobuf(1,bytes,opt,casttype=StorageMedium) + + // sizeLimit is the total amount of local storage required for this EmptyDir volume. + // The size limit is also applicable for memory medium. + // The maximum usage on memory medium EmptyDir would be the minimum value between + // the SizeLimit specified here and the sum of memory limits of all containers in a pod. + // The default is nil which means that the limit is undefined. 
+ // More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + // +optional + sizeLimit?: null | resource.#Quantity @go(SizeLimit,*resource.Quantity) @protobuf(2,bytes,opt) +} + +// Represents a Glusterfs mount that lasts the lifetime of a pod. +// Glusterfs volumes do not support ownership management or SELinux relabeling. +#GlusterfsVolumeSource: { + // endpoints is the endpoint name that details Glusterfs topology. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + endpoints: string @go(EndpointsName) @protobuf(1,bytes,opt) + + // path is the Glusterfs volume path. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + path: string @go(Path) @protobuf(2,bytes,opt) + + // readOnly here will force the Glusterfs volume to be mounted with read-only permissions. + // Defaults to false. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) +} + +// Represents a Glusterfs mount that lasts the lifetime of a pod. +// Glusterfs volumes do not support ownership management or SELinux relabeling. +#GlusterfsPersistentVolumeSource: { + // endpoints is the endpoint name that details Glusterfs topology. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + endpoints: string @go(EndpointsName) @protobuf(1,bytes,opt) + + // path is the Glusterfs volume path. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + path: string @go(Path) @protobuf(2,bytes,opt) + + // readOnly here will force the Glusterfs volume to be mounted with read-only permissions. + // Defaults to false. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) + + // endpointsNamespace is the namespace that contains Glusterfs endpoint. 
+ // If this field is empty, the EndpointNamespace defaults to the same namespace as the bound PVC. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + // +optional + endpointsNamespace?: null | string @go(EndpointsNamespace,*string) @protobuf(4,bytes,opt) +} + +// Represents a Rados Block Device mount that lasts the lifetime of a pod. +// RBD volumes support ownership management and SELinux relabeling. +#RBDVolumeSource: { + // monitors is a collection of Ceph monitors. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + monitors: [...string] @go(CephMonitors,[]string) @protobuf(1,bytes,rep) + + // image is the rados image name. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + image: string @go(RBDImage) @protobuf(2,bytes,opt) + + // fsType is the filesystem type of the volume that you want to mount. + // Tip: Ensure that the filesystem type is supported by the host operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + // TODO: how do we prevent errors in the filesystem from compromising the machine + // +optional + fsType?: string @go(FSType) @protobuf(3,bytes,opt) + + // pool is the rados pool name. + // Default is rbd. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + pool?: string @go(RBDPool) @protobuf(4,bytes,opt) + + // user is the rados user name. + // Default is admin. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + user?: string @go(RadosUser) @protobuf(5,bytes,opt) + + // keyring is the path to key ring for RBDUser. + // Default is /etc/ceph/keyring. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + keyring?: string @go(Keyring) @protobuf(6,bytes,opt) + + // secretRef is name of the authentication secret for RBDUser. 
If provided + // overrides keyring. + // Default is nil. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + secretRef?: null | #LocalObjectReference @go(SecretRef,*LocalObjectReference) @protobuf(7,bytes,opt) + + // readOnly here will force the ReadOnly setting in VolumeMounts. + // Defaults to false. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(8,varint,opt) +} + +// Represents a Rados Block Device mount that lasts the lifetime of a pod. +// RBD volumes support ownership management and SELinux relabeling. +#RBDPersistentVolumeSource: { + // monitors is a collection of Ceph monitors. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + monitors: [...string] @go(CephMonitors,[]string) @protobuf(1,bytes,rep) + + // image is the rados image name. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + image: string @go(RBDImage) @protobuf(2,bytes,opt) + + // fsType is the filesystem type of the volume that you want to mount. + // Tip: Ensure that the filesystem type is supported by the host operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + // TODO: how do we prevent errors in the filesystem from compromising the machine + // +optional + fsType?: string @go(FSType) @protobuf(3,bytes,opt) + + // pool is the rados pool name. + // Default is rbd. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + pool?: string @go(RBDPool) @protobuf(4,bytes,opt) + + // user is the rados user name. + // Default is admin. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + user?: string @go(RadosUser) @protobuf(5,bytes,opt) + + // keyring is the path to key ring for RBDUser. + // Default is /etc/ceph/keyring. 
+ // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + keyring?: string @go(Keyring) @protobuf(6,bytes,opt) + + // secretRef is name of the authentication secret for RBDUser. If provided + // overrides keyring. + // Default is nil. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + secretRef?: null | #SecretReference @go(SecretRef,*SecretReference) @protobuf(7,bytes,opt) + + // readOnly here will force the ReadOnly setting in VolumeMounts. + // Defaults to false. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(8,varint,opt) +} + +// Represents a cinder volume resource in Openstack. +// A Cinder volume must exist before mounting to a container. +// The volume must also be in the same region as the kubelet. +// Cinder volumes support ownership management and SELinux relabeling. +#CinderVolumeSource: { + // volumeID used to identify the volume in cinder. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + volumeID: string @go(VolumeID) @protobuf(1,bytes,opt) + + // fsType is the filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + // +optional + fsType?: string @go(FSType) @protobuf(2,bytes,opt) + + // readOnly defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) + + // secretRef is optional: points to a secret object containing parameters used to connect + // to OpenStack. 
+ // +optional + secretRef?: null | #LocalObjectReference @go(SecretRef,*LocalObjectReference) @protobuf(4,bytes,opt) +} + +// Represents a cinder volume resource in Openstack. +// A Cinder volume must exist before mounting to a container. +// The volume must also be in the same region as the kubelet. +// Cinder volumes support ownership management and SELinux relabeling. +#CinderPersistentVolumeSource: { + // volumeID used to identify the volume in cinder. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + volumeID: string @go(VolumeID) @protobuf(1,bytes,opt) + + // fsType Filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + // +optional + fsType?: string @go(FSType) @protobuf(2,bytes,opt) + + // readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) + + // secretRef is Optional: points to a secret object containing parameters used to connect + // to OpenStack. + // +optional + secretRef?: null | #SecretReference @go(SecretRef,*SecretReference) @protobuf(4,bytes,opt) +} + +// Represents a Ceph Filesystem mount that lasts the lifetime of a pod +// Cephfs volumes do not support ownership management or SELinux relabeling. 
+#CephFSVolumeSource: { + // monitors is Required: Monitors is a collection of Ceph monitors + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + monitors: [...string] @go(Monitors,[]string) @protobuf(1,bytes,rep) + + // path is Optional: Used as the mounted root, rather than the full Ceph tree, default is / + // +optional + path?: string @go(Path) @protobuf(2,bytes,opt) + + // user is optional: User is the rados user name, default is admin + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + // +optional + user?: string @go(User) @protobuf(3,bytes,opt) + + // secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + // +optional + secretFile?: string @go(SecretFile) @protobuf(4,bytes,opt) + + // secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + // +optional + secretRef?: null | #LocalObjectReference @go(SecretRef,*LocalObjectReference) @protobuf(5,bytes,opt) + + // readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(6,varint,opt) +} + +// SecretReference represents a Secret Reference. It has enough information to retrieve secret +// in any namespace +// +structType=atomic +#SecretReference: { + // name is unique within a namespace to reference a secret resource. + // +optional + name?: string @go(Name) @protobuf(1,bytes,opt) + + // namespace defines the space within which the secret name must be unique. 
+ // +optional + namespace?: string @go(Namespace) @protobuf(2,bytes,opt) +} + +// Represents a Ceph Filesystem mount that lasts the lifetime of a pod +// Cephfs volumes do not support ownership management or SELinux relabeling. +#CephFSPersistentVolumeSource: { + // monitors is Required: Monitors is a collection of Ceph monitors + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + monitors: [...string] @go(Monitors,[]string) @protobuf(1,bytes,rep) + + // path is Optional: Used as the mounted root, rather than the full Ceph tree, default is / + // +optional + path?: string @go(Path) @protobuf(2,bytes,opt) + + // user is Optional: User is the rados user name, default is admin + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + // +optional + user?: string @go(User) @protobuf(3,bytes,opt) + + // secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + // +optional + secretFile?: string @go(SecretFile) @protobuf(4,bytes,opt) + + // secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + // +optional + secretRef?: null | #SecretReference @go(SecretRef,*SecretReference) @protobuf(5,bytes,opt) + + // readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(6,varint,opt) +} + +// Represents a Flocker volume mounted by the Flocker agent. +// One and only one of datasetName and datasetUUID should be set. +// Flocker volumes do not support ownership management or SELinux relabeling. 
+#FlockerVolumeSource: { + // datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker + // should be considered as deprecated + // +optional + datasetName?: string @go(DatasetName) @protobuf(1,bytes,opt) + + // datasetUUID is the UUID of the dataset. This is unique identifier of a Flocker dataset + // +optional + datasetUUID?: string @go(DatasetUUID) @protobuf(2,bytes,opt) +} + +// StorageMedium defines ways that storage can be allocated to a volume. +#StorageMedium: string // #enumStorageMedium + +#enumStorageMedium: + #StorageMediumDefault | + #StorageMediumMemory | + #StorageMediumHugePages | + #StorageMediumHugePagesPrefix + +#StorageMediumDefault: #StorageMedium & "" +#StorageMediumMemory: #StorageMedium & "Memory" +#StorageMediumHugePages: #StorageMedium & "HugePages" +#StorageMediumHugePagesPrefix: #StorageMedium & "HugePages-" + +// Protocol defines network protocols supported for things like container ports. +// +enum +#Protocol: string // #enumProtocol + +#enumProtocol: + #ProtocolTCP | + #ProtocolUDP | + #ProtocolSCTP + +// ProtocolTCP is the TCP protocol. +#ProtocolTCP: #Protocol & "TCP" + +// ProtocolUDP is the UDP protocol. +#ProtocolUDP: #Protocol & "UDP" + +// ProtocolSCTP is the SCTP protocol. +#ProtocolSCTP: #Protocol & "SCTP" + +// Represents a Persistent Disk resource in Google Compute Engine. +// +// A GCE PD must exist before mounting to a container. The disk must +// also be in the same GCE project and zone as the kubelet. A GCE PD +// can only be mounted as read/write once or read-only many times. GCE +// PDs support ownership management and SELinux relabeling. +#GCEPersistentDiskVolumeSource: { + // pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + pdName: string @go(PDName) @protobuf(1,bytes,opt) + + // fsType is filesystem type of the volume that you want to mount. 
+ // Tip: Ensure that the filesystem type is supported by the host operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + // TODO: how do we prevent errors in the filesystem from compromising the machine + // +optional + fsType?: string @go(FSType) @protobuf(2,bytes,opt) + + // partition is the partition in the volume that you want to mount. + // If omitted, the default is to mount by volume name. + // Examples: For volume /dev/sda1, you specify the partition as "1". + // Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + // More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + // +optional + partition?: int32 @go(Partition) @protobuf(3,varint,opt) + + // readOnly here will force the ReadOnly setting in VolumeMounts. + // Defaults to false. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(4,varint,opt) +} + +// Represents a Quobyte mount that lasts the lifetime of a pod. +// Quobyte volumes do not support ownership management or SELinux relabeling. +#QuobyteVolumeSource: { + // registry represents a single or multiple Quobyte Registry services + // specified as a string as host:port pair (multiple entries are separated with commas) + // which acts as the central registry for volumes + registry: string @go(Registry) @protobuf(1,bytes,opt) + + // volume is a string that references an already created Quobyte volume by name. + volume: string @go(Volume) @protobuf(2,bytes,opt) + + // readOnly here will force the Quobyte volume to be mounted with read-only permissions. + // Defaults to false. 
+ // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) + + // user to map volume access to + // Defaults to serivceaccount user + // +optional + user?: string @go(User) @protobuf(4,bytes,opt) + + // group to map volume access to + // Default is no group + // +optional + group?: string @go(Group) @protobuf(5,bytes,opt) + + // tenant owning the given Quobyte volume in the Backend + // Used with dynamically provisioned Quobyte volumes, value is set by the plugin + // +optional + tenant?: string @go(Tenant) @protobuf(6,bytes,opt) +} + +// FlexPersistentVolumeSource represents a generic persistent volume resource that is +// provisioned/attached using an exec based plugin. +#FlexPersistentVolumeSource: { + // driver is the name of the driver to use for this volume. + driver: string @go(Driver) @protobuf(1,bytes,opt) + + // fsType is the Filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. + // +optional + fsType?: string @go(FSType) @protobuf(2,bytes,opt) + + // secretRef is Optional: SecretRef is reference to the secret object containing + // sensitive information to pass to the plugin scripts. This may be + // empty if no secret object is specified. If the secret object + // contains more than one secret, all secrets are passed to the plugin + // scripts. + // +optional + secretRef?: null | #SecretReference @go(SecretRef,*SecretReference) @protobuf(3,bytes,opt) + + // readOnly is Optional: defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(4,varint,opt) + + // options is Optional: this field holds extra command options if any. 
+ // +optional + options?: {[string]: string} @go(Options,map[string]string) @protobuf(5,bytes,rep) +} + +// FlexVolume represents a generic volume resource that is +// provisioned/attached using an exec based plugin. +#FlexVolumeSource: { + // driver is the name of the driver to use for this volume. + driver: string @go(Driver) @protobuf(1,bytes,opt) + + // fsType is the filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. + // +optional + fsType?: string @go(FSType) @protobuf(2,bytes,opt) + + // secretRef is Optional: secretRef is reference to the secret object containing + // sensitive information to pass to the plugin scripts. This may be + // empty if no secret object is specified. If the secret object + // contains more than one secret, all secrets are passed to the plugin + // scripts. + // +optional + secretRef?: null | #LocalObjectReference @go(SecretRef,*LocalObjectReference) @protobuf(3,bytes,opt) + + // readOnly is Optional: defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(4,varint,opt) + + // options is Optional: this field holds extra command options if any. + // +optional + options?: {[string]: string} @go(Options,map[string]string) @protobuf(5,bytes,rep) +} + +// Represents a Persistent Disk resource in AWS. +// +// An AWS EBS disk must exist before mounting to a container. The disk +// must also be in the same AWS zone as the kubelet. An AWS EBS disk +// can only be mounted as read/write once. AWS EBS volumes support +// ownership management and SELinux relabeling. +#AWSElasticBlockStoreVolumeSource: { + // volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). 
+ // More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + volumeID: string @go(VolumeID) @protobuf(1,bytes,opt) + + // fsType is the filesystem type of the volume that you want to mount. + // Tip: Ensure that the filesystem type is supported by the host operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + // TODO: how do we prevent errors in the filesystem from compromising the machine + // +optional + fsType?: string @go(FSType) @protobuf(2,bytes,opt) + + // partition is the partition in the volume that you want to mount. + // If omitted, the default is to mount by volume name. + // Examples: For volume /dev/sda1, you specify the partition as "1". + // Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + // +optional + partition?: int32 @go(Partition) @protobuf(3,varint,opt) + + // readOnly value true will force the readOnly setting in VolumeMounts. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(4,varint,opt) +} + +// Represents a volume that is populated with the contents of a git repository. +// Git repo volumes do not support ownership management. +// Git repo volumes support SELinux relabeling. +// +// DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an +// EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir +// into the Pod's container. +#GitRepoVolumeSource: { + // repository is the URL + repository: string @go(Repository) @protobuf(1,bytes,opt) + + // revision is the commit hash for the specified revision. + // +optional + revision?: string @go(Revision) @protobuf(2,bytes,opt) + + // directory is the target directory name. + // Must not contain or start with '..'. If '.' 
is supplied, the volume directory will be the + // git repository. Otherwise, if specified, the volume will contain the git repository in + // the subdirectory with the given name. + // +optional + directory?: string @go(Directory) @protobuf(3,bytes,opt) +} + +// Adapts a Secret into a volume. +// +// The contents of the target Secret's Data field will be presented in a volume +// as files using the keys in the Data field as the file names. +// Secret volumes support ownership management and SELinux relabeling. +#SecretVolumeSource: { + // secretName is the name of the secret in the pod's namespace to use. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + // +optional + secretName?: string @go(SecretName) @protobuf(1,bytes,opt) + + // items If unspecified, each key-value pair in the Data field of the referenced + // Secret will be projected into the volume as a file whose name is the + // key and content is the value. If specified, the listed keys will be + // projected into the specified paths, and unlisted keys will not be + // present. If a key is specified which is not present in the Secret, + // the volume setup will error unless it is marked optional. Paths must be + // relative and may not contain the '..' path or start with '..'. + // +optional + items?: [...#KeyToPath] @go(Items,[]KeyToPath) @protobuf(2,bytes,rep) + + // defaultMode is Optional: mode bits used to set permissions on created files by default. + // Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires decimal values + // for mode bits. Defaults to 0644. + // Directories within the path are not affected by this setting. + // This might be in conflict with other options that affect the file + // mode, like fsGroup, and the result can be other mode bits set. 
+ // +optional + defaultMode?: null | int32 @go(DefaultMode,*int32) @protobuf(3,bytes,opt) + + // optional field specify whether the Secret or its keys must be defined + // +optional + optional?: null | bool @go(Optional,*bool) @protobuf(4,varint,opt) +} + +#SecretVolumeSourceDefaultMode: int32 & 0o644 + +// Adapts a secret into a projected volume. +// +// The contents of the target Secret's Data field will be presented in a +// projected volume as files using the keys in the Data field as the file names. +// Note that this is identical to a secret volume source without the default +// mode. +#SecretProjection: { + #LocalObjectReference + + // items if unspecified, each key-value pair in the Data field of the referenced + // Secret will be projected into the volume as a file whose name is the + // key and content is the value. If specified, the listed keys will be + // projected into the specified paths, and unlisted keys will not be + // present. If a key is specified which is not present in the Secret, + // the volume setup will error unless it is marked optional. Paths must be + // relative and may not contain the '..' path or start with '..'. + // +optional + items?: [...#KeyToPath] @go(Items,[]KeyToPath) @protobuf(2,bytes,rep) + + // optional field specify whether the Secret or its key must be defined + // +optional + optional?: null | bool @go(Optional,*bool) @protobuf(4,varint,opt) +} + +// Represents an NFS mount that lasts the lifetime of a pod. +// NFS volumes do not support ownership management or SELinux relabeling. +#NFSVolumeSource: { + // server is the hostname or IP address of the NFS server. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + server: string @go(Server) @protobuf(1,bytes,opt) + + // path that is exported by the NFS server. 
+ // More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + path: string @go(Path) @protobuf(2,bytes,opt) + + // readOnly here will force the NFS export to be mounted with read-only permissions. + // Defaults to false. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) +} + +// Represents an ISCSI disk. +// ISCSI volumes can only be mounted as read/write once. +// ISCSI volumes support ownership management and SELinux relabeling. +#ISCSIVolumeSource: { + // targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port + // is other than default (typically TCP ports 860 and 3260). + targetPortal: string @go(TargetPortal) @protobuf(1,bytes,opt) + + // iqn is the target iSCSI Qualified Name. + iqn: string @go(IQN) @protobuf(2,bytes,opt) + + // lun represents iSCSI Target Lun number. + lun: int32 @go(Lun) @protobuf(3,varint,opt) + + // iscsiInterface is the interface Name that uses an iSCSI transport. + // Defaults to 'default' (tcp). + // +optional + iscsiInterface?: string @go(ISCSIInterface) @protobuf(4,bytes,opt) + + // fsType is the filesystem type of the volume that you want to mount. + // Tip: Ensure that the filesystem type is supported by the host operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + // TODO: how do we prevent errors in the filesystem from compromising the machine + // +optional + fsType?: string @go(FSType) @protobuf(5,bytes,opt) + + // readOnly here will force the ReadOnly setting in VolumeMounts. + // Defaults to false. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(6,varint,opt) + + // portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port + // is other than default (typically TCP ports 860 and 3260). 
+ // +optional + portals?: [...string] @go(Portals,[]string) @protobuf(7,bytes,opt) + + // chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication + // +optional + chapAuthDiscovery?: bool @go(DiscoveryCHAPAuth) @protobuf(8,varint,opt) + + // chapAuthSession defines whether support iSCSI Session CHAP authentication + // +optional + chapAuthSession?: bool @go(SessionCHAPAuth) @protobuf(11,varint,opt) + + // secretRef is the CHAP Secret for iSCSI target and initiator authentication + // +optional + secretRef?: null | #LocalObjectReference @go(SecretRef,*LocalObjectReference) @protobuf(10,bytes,opt) + + // initiatorName is the custom iSCSI Initiator Name. + // If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface + // : will be created for the connection. + // +optional + initiatorName?: null | string @go(InitiatorName,*string) @protobuf(12,bytes,opt) +} + +// ISCSIPersistentVolumeSource represents an ISCSI disk. +// ISCSI volumes can only be mounted as read/write once. +// ISCSI volumes support ownership management and SELinux relabeling. +#ISCSIPersistentVolumeSource: { + // targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port + // is other than default (typically TCP ports 860 and 3260). + targetPortal: string @go(TargetPortal) @protobuf(1,bytes,opt) + + // iqn is Target iSCSI Qualified Name. + iqn: string @go(IQN) @protobuf(2,bytes,opt) + + // lun is iSCSI Target Lun number. + lun: int32 @go(Lun) @protobuf(3,varint,opt) + + // iscsiInterface is the interface Name that uses an iSCSI transport. + // Defaults to 'default' (tcp). + // +optional + iscsiInterface?: string @go(ISCSIInterface) @protobuf(4,bytes,opt) + + // fsType is the filesystem type of the volume that you want to mount. + // Tip: Ensure that the filesystem type is supported by the host operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
+ // More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + // TODO: how do we prevent errors in the filesystem from compromising the machine + // +optional + fsType?: string @go(FSType) @protobuf(5,bytes,opt) + + // readOnly here will force the ReadOnly setting in VolumeMounts. + // Defaults to false. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(6,varint,opt) + + // portals is the iSCSI Target Portal List. The Portal is either an IP or ip_addr:port if the port + // is other than default (typically TCP ports 860 and 3260). + // +optional + portals?: [...string] @go(Portals,[]string) @protobuf(7,bytes,opt) + + // chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication + // +optional + chapAuthDiscovery?: bool @go(DiscoveryCHAPAuth) @protobuf(8,varint,opt) + + // chapAuthSession defines whether support iSCSI Session CHAP authentication + // +optional + chapAuthSession?: bool @go(SessionCHAPAuth) @protobuf(11,varint,opt) + + // secretRef is the CHAP Secret for iSCSI target and initiator authentication + // +optional + secretRef?: null | #SecretReference @go(SecretRef,*SecretReference) @protobuf(10,bytes,opt) + + // initiatorName is the custom iSCSI Initiator Name. + // If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface + // : will be created for the connection. + // +optional + initiatorName?: null | string @go(InitiatorName,*string) @protobuf(12,bytes,opt) +} + +// Represents a Fibre Channel volume. +// Fibre Channel volumes can only be mounted as read/write once. +// Fibre Channel volumes support ownership management and SELinux relabeling. +#FCVolumeSource: { + // targetWWNs is Optional: FC target worldwide names (WWNs) + // +optional + targetWWNs?: [...string] @go(TargetWWNs,[]string) @protobuf(1,bytes,rep) + + // lun is Optional: FC target lun number + // +optional + lun?: null | int32 @go(Lun,*int32) @protobuf(2,varint,opt) + + // fsType is the filesystem type to mount. 
+ // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // TODO: how do we prevent errors in the filesystem from compromising the machine + // +optional + fsType?: string @go(FSType) @protobuf(3,bytes,opt) + + // readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(4,varint,opt) + + // wwids Optional: FC volume world wide identifiers (wwids) + // Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. + // +optional + wwids?: [...string] @go(WWIDs,[]string) @protobuf(5,bytes,rep) +} + +// AzureFile represents an Azure File Service mount on the host and bind mount to the pod. +#AzureFileVolumeSource: { + // secretName is the name of secret that contains Azure Storage Account Name and Key + secretName: string @go(SecretName) @protobuf(1,bytes,opt) + + // shareName is the azure share Name + shareName: string @go(ShareName) @protobuf(2,bytes,opt) + + // readOnly defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) +} + +// AzureFile represents an Azure File Service mount on the host and bind mount to the pod. +#AzureFilePersistentVolumeSource: { + // secretName is the name of secret that contains Azure Storage Account Name and Key + secretName: string @go(SecretName) @protobuf(1,bytes,opt) + + // shareName is the azure Share Name + shareName: string @go(ShareName) @protobuf(2,bytes,opt) + + // readOnly defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. 
+ // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) + + // secretNamespace is the namespace of the secret that contains Azure Storage Account Name and Key + // default is the same as the Pod + // +optional + secretNamespace?: null | string @go(SecretNamespace,*string) @protobuf(4,bytes,opt) +} + +// Represents a vSphere volume resource. +#VsphereVirtualDiskVolumeSource: { + // volumePath is the path that identifies vSphere volume vmdk + volumePath: string @go(VolumePath) @protobuf(1,bytes,opt) + + // fsType is filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // +optional + fsType?: string @go(FSType) @protobuf(2,bytes,opt) + + // storagePolicyName is the storage Policy Based Management (SPBM) profile name. + // +optional + storagePolicyName?: string @go(StoragePolicyName) @protobuf(3,bytes,opt) + + // storagePolicyID is the storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName. + // +optional + storagePolicyID?: string @go(StoragePolicyID) @protobuf(4,bytes,opt) +} + +// Represents a Photon Controller persistent disk resource. +#PhotonPersistentDiskVolumeSource: { + // pdID is the ID that identifies Photon Controller persistent disk + pdID: string @go(PdID) @protobuf(1,bytes,opt) + + // fsType is the filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
+ fsType?: string @go(FSType) @protobuf(2,bytes,opt) +} + +// +enum +#AzureDataDiskCachingMode: string // #enumAzureDataDiskCachingMode + +#enumAzureDataDiskCachingMode: + #AzureDataDiskCachingNone | + #AzureDataDiskCachingReadOnly | + #AzureDataDiskCachingReadWrite + +// +enum +#AzureDataDiskKind: string // #enumAzureDataDiskKind + +#enumAzureDataDiskKind: + #AzureSharedBlobDisk | + #AzureDedicatedBlobDisk | + #AzureManagedDisk + +#AzureDataDiskCachingNone: #AzureDataDiskCachingMode & "None" +#AzureDataDiskCachingReadOnly: #AzureDataDiskCachingMode & "ReadOnly" +#AzureDataDiskCachingReadWrite: #AzureDataDiskCachingMode & "ReadWrite" +#AzureSharedBlobDisk: #AzureDataDiskKind & "Shared" +#AzureDedicatedBlobDisk: #AzureDataDiskKind & "Dedicated" +#AzureManagedDisk: #AzureDataDiskKind & "Managed" + +// AzureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. +#AzureDiskVolumeSource: { + // diskName is the Name of the data disk in the blob storage + diskName: string @go(DiskName) @protobuf(1,bytes,opt) + + // diskURI is the URI of data disk in the blob storage + diskURI: string @go(DataDiskURI) @protobuf(2,bytes,opt) + + // cachingMode is the Host Caching mode: None, Read Only, Read Write. + // +optional + cachingMode?: null | #AzureDataDiskCachingMode @go(CachingMode,*AzureDataDiskCachingMode) @protobuf(3,bytes,opt,casttype=AzureDataDiskCachingMode) + + // fsType is Filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // +optional + fsType?: null | string @go(FSType,*string) @protobuf(4,bytes,opt) + + // readOnly Defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. 
+ // +optional + readOnly?: null | bool @go(ReadOnly,*bool) @protobuf(5,varint,opt) + + // kind expected values are Shared: multiple blob disks per storage account Dedicated: single blob disk per storage account Managed: azure managed data disk (only in managed availability set). defaults to shared + kind?: null | #AzureDataDiskKind @go(Kind,*AzureDataDiskKind) @protobuf(6,bytes,opt,casttype=AzureDataDiskKind) +} + +// PortworxVolumeSource represents a Portworx volume resource. +#PortworxVolumeSource: { + // volumeID uniquely identifies a Portworx volume + volumeID: string @go(VolumeID) @protobuf(1,bytes,opt) + + // fSType represents the filesystem type to mount + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. + fsType?: string @go(FSType) @protobuf(2,bytes,opt) + + // readOnly defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) +} + +// ScaleIOVolumeSource represents a persistent ScaleIO volume +#ScaleIOVolumeSource: { + // gateway is the host address of the ScaleIO API Gateway. + gateway: string @go(Gateway) @protobuf(1,bytes,opt) + + // system is the name of the storage system as configured in ScaleIO. + system: string @go(System) @protobuf(2,bytes,opt) + + // secretRef references to the secret for ScaleIO user and other + // sensitive information. If this is not provided, Login operation will fail. + secretRef?: null | #LocalObjectReference @go(SecretRef,*LocalObjectReference) @protobuf(3,bytes,opt) + + // sslEnabled Flag enable/disable SSL communication with Gateway, default false + // +optional + sslEnabled?: bool @go(SSLEnabled) @protobuf(4,varint,opt) + + // protectionDomain is the name of the ScaleIO Protection Domain for the configured storage. 
+ // +optional + protectionDomain?: string @go(ProtectionDomain) @protobuf(5,bytes,opt) + + // storagePool is the ScaleIO Storage Pool associated with the protection domain. + // +optional + storagePool?: string @go(StoragePool) @protobuf(6,bytes,opt) + + // storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. + // Default is ThinProvisioned. + // +optional + storageMode?: string @go(StorageMode) @protobuf(7,bytes,opt) + + // volumeName is the name of a volume already created in the ScaleIO system + // that is associated with this volume source. + volumeName?: string @go(VolumeName) @protobuf(8,bytes,opt) + + // fsType is the filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". + // Default is "xfs". + // +optional + fsType?: string @go(FSType) @protobuf(9,bytes,opt) + + // readOnly Defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(10,varint,opt) +} + +// ScaleIOPersistentVolumeSource represents a persistent ScaleIO volume +#ScaleIOPersistentVolumeSource: { + // gateway is the host address of the ScaleIO API Gateway. + gateway: string @go(Gateway) @protobuf(1,bytes,opt) + + // system is the name of the storage system as configured in ScaleIO. + system: string @go(System) @protobuf(2,bytes,opt) + + // secretRef references to the secret for ScaleIO user and other + // sensitive information. If this is not provided, Login operation will fail. + secretRef?: null | #SecretReference @go(SecretRef,*SecretReference) @protobuf(3,bytes,opt) + + // sslEnabled is the flag to enable/disable SSL communication with Gateway, default false + // +optional + sslEnabled?: bool @go(SSLEnabled) @protobuf(4,varint,opt) + + // protectionDomain is the name of the ScaleIO Protection Domain for the configured storage. 
+ // +optional + protectionDomain?: string @go(ProtectionDomain) @protobuf(5,bytes,opt) + + // storagePool is the ScaleIO Storage Pool associated with the protection domain. + // +optional + storagePool?: string @go(StoragePool) @protobuf(6,bytes,opt) + + // storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. + // Default is ThinProvisioned. + // +optional + storageMode?: string @go(StorageMode) @protobuf(7,bytes,opt) + + // volumeName is the name of a volume already created in the ScaleIO system + // that is associated with this volume source. + volumeName?: string @go(VolumeName) @protobuf(8,bytes,opt) + + // fsType is the filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". + // Default is "xfs" + // +optional + fsType?: string @go(FSType) @protobuf(9,bytes,opt) + + // readOnly defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(10,varint,opt) +} + +// Represents a StorageOS persistent volume resource. +#StorageOSVolumeSource: { + // volumeName is the human-readable name of the StorageOS volume. Volume + // names are only unique within a namespace. + volumeName?: string @go(VolumeName) @protobuf(1,bytes,opt) + + // volumeNamespace specifies the scope of the volume within StorageOS. If no + // namespace is specified then the Pod's namespace will be used. This allows the + // Kubernetes name scoping to be mirrored within StorageOS for tighter integration. + // Set VolumeName to any name to override the default behaviour. + // Set to "default" if you are not using namespaces within StorageOS. + // Namespaces that do not pre-exist within StorageOS will be created. + // +optional + volumeNamespace?: string @go(VolumeNamespace) @protobuf(2,bytes,opt) + + // fsType is the filesystem type to mount. 
+ // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // +optional + fsType?: string @go(FSType) @protobuf(3,bytes,opt) + + // readOnly defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(4,varint,opt) + + // secretRef specifies the secret to use for obtaining the StorageOS API + // credentials. If not specified, default values will be attempted. + // +optional + secretRef?: null | #LocalObjectReference @go(SecretRef,*LocalObjectReference) @protobuf(5,bytes,opt) +} + +// Represents a StorageOS persistent volume resource. +#StorageOSPersistentVolumeSource: { + // volumeName is the human-readable name of the StorageOS volume. Volume + // names are only unique within a namespace. + volumeName?: string @go(VolumeName) @protobuf(1,bytes,opt) + + // volumeNamespace specifies the scope of the volume within StorageOS. If no + // namespace is specified then the Pod's namespace will be used. This allows the + // Kubernetes name scoping to be mirrored within StorageOS for tighter integration. + // Set VolumeName to any name to override the default behaviour. + // Set to "default" if you are not using namespaces within StorageOS. + // Namespaces that do not pre-exist within StorageOS will be created. + // +optional + volumeNamespace?: string @go(VolumeNamespace) @protobuf(2,bytes,opt) + + // fsType is the filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // +optional + fsType?: string @go(FSType) @protobuf(3,bytes,opt) + + // readOnly defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. 
+ // +optional + readOnly?: bool @go(ReadOnly) @protobuf(4,varint,opt) + + // secretRef specifies the secret to use for obtaining the StorageOS API + // credentials. If not specified, default values will be attempted. + // +optional + secretRef?: null | #ObjectReference @go(SecretRef,*ObjectReference) @protobuf(5,bytes,opt) +} + +// Adapts a ConfigMap into a volume. +// +// The contents of the target ConfigMap's Data field will be presented in a +// volume as files using the keys in the Data field as the file names, unless +// the items element is populated with specific mappings of keys to paths. +// ConfigMap volumes support ownership management and SELinux relabeling. +#ConfigMapVolumeSource: { + #LocalObjectReference + + // items if unspecified, each key-value pair in the Data field of the referenced + // ConfigMap will be projected into the volume as a file whose name is the + // key and content is the value. If specified, the listed keys will be + // projected into the specified paths, and unlisted keys will not be + // present. If a key is specified which is not present in the ConfigMap, + // the volume setup will error unless it is marked optional. Paths must be + // relative and may not contain the '..' path or start with '..'. + // +optional + items?: [...#KeyToPath] @go(Items,[]KeyToPath) @protobuf(2,bytes,rep) + + // defaultMode is optional: mode bits used to set permissions on created files by default. + // Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + // Defaults to 0644. + // Directories within the path are not affected by this setting. + // This might be in conflict with other options that affect the file + // mode, like fsGroup, and the result can be other mode bits set. 
+ // +optional + defaultMode?: null | int32 @go(DefaultMode,*int32) @protobuf(3,varint,opt) + + // optional specify whether the ConfigMap or its keys must be defined + // +optional + optional?: null | bool @go(Optional,*bool) @protobuf(4,varint,opt) +} + +#ConfigMapVolumeSourceDefaultMode: int32 & 0o644 + +// Adapts a ConfigMap into a projected volume. +// +// The contents of the target ConfigMap's Data field will be presented in a +// projected volume as files using the keys in the Data field as the file names, +// unless the items element is populated with specific mappings of keys to paths. +// Note that this is identical to a configmap volume source without the default +// mode. +#ConfigMapProjection: { + #LocalObjectReference + + // items if unspecified, each key-value pair in the Data field of the referenced + // ConfigMap will be projected into the volume as a file whose name is the + // key and content is the value. If specified, the listed keys will be + // projected into the specified paths, and unlisted keys will not be + // present. If a key is specified which is not present in the ConfigMap, + // the volume setup will error unless it is marked optional. Paths must be + // relative and may not contain the '..' path or start with '..'. + // +optional + items?: [...#KeyToPath] @go(Items,[]KeyToPath) @protobuf(2,bytes,rep) + + // optional specify whether the ConfigMap or its keys must be defined + // +optional + optional?: null | bool @go(Optional,*bool) @protobuf(4,varint,opt) +} + +// ServiceAccountTokenProjection represents a projected service account token +// volume. This projection can be used to insert a service account token into +// the pods runtime filesystem for use against APIs (Kubernetes API Server or +// otherwise). +#ServiceAccountTokenProjection: { + // audience is the intended audience of the token. 
A recipient of a token + // must identify itself with an identifier specified in the audience of the + // token, and otherwise should reject the token. The audience defaults to the + // identifier of the apiserver. + // +optional + audience?: string @go(Audience) @protobuf(1,bytes,rep) + + // expirationSeconds is the requested duration of validity of the service + // account token. As the token approaches expiration, the kubelet volume + // plugin will proactively rotate the service account token. The kubelet will + // start trying to rotate the token if the token is older than 80 percent of + // its time to live or if the token is older than 24 hours.Defaults to 1 hour + // and must be at least 10 minutes. + // +optional + expirationSeconds?: null | int64 @go(ExpirationSeconds,*int64) @protobuf(2,varint,opt) + + // path is the path relative to the mount point of the file to project the + // token into. + path: string @go(Path) @protobuf(3,bytes,opt) +} + +// Represents a projected volume source +#ProjectedVolumeSource: { + // sources is the list of volume projections + // +optional + sources: [...#VolumeProjection] @go(Sources,[]VolumeProjection) @protobuf(1,bytes,rep) + + // defaultMode are the mode bits used to set permissions on created files by default. + // Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + // Directories within the path are not affected by this setting. + // This might be in conflict with other options that affect the file + // mode, like fsGroup, and the result can be other mode bits set. 
+ // +optional + defaultMode?: null | int32 @go(DefaultMode,*int32) @protobuf(2,varint,opt) +} + +// Projection that may be projected along with other supported volume types +#VolumeProjection: { + // secret information about the secret data to project + // +optional + secret?: null | #SecretProjection @go(Secret,*SecretProjection) @protobuf(1,bytes,opt) + + // downwardAPI information about the downwardAPI data to project + // +optional + downwardAPI?: null | #DownwardAPIProjection @go(DownwardAPI,*DownwardAPIProjection) @protobuf(2,bytes,opt) + + // configMap information about the configMap data to project + // +optional + configMap?: null | #ConfigMapProjection @go(ConfigMap,*ConfigMapProjection) @protobuf(3,bytes,opt) + + // serviceAccountToken is information about the serviceAccountToken data to project + // +optional + serviceAccountToken?: null | #ServiceAccountTokenProjection @go(ServiceAccountToken,*ServiceAccountTokenProjection) @protobuf(4,bytes,opt) +} + +#ProjectedVolumeSourceDefaultMode: int32 & 0o644 + +// Maps a string key to a path within a volume. +#KeyToPath: { + // key is the key to project. + key: string @go(Key) @protobuf(1,bytes,opt) + + // path is the relative path of the file to map the key to. + // May not be an absolute path. + // May not contain the path element '..'. + // May not start with the string '..'. + path: string @go(Path) @protobuf(2,bytes,opt) + + // mode is Optional: mode bits used to set permissions on this file. + // Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + // If not specified, the volume defaultMode will be used. + // This might be in conflict with other options that affect the file + // mode, like fsGroup, and the result can be other mode bits set. 
+ // +optional + mode?: null | int32 @go(Mode,*int32) @protobuf(3,varint,opt) +} + +// Local represents directly-attached storage with node affinity (Beta feature) +#LocalVolumeSource: { + // path of the full path to the volume on the node. + // It can be either a directory or block device (disk, partition, ...). + path: string @go(Path) @protobuf(1,bytes,opt) + + // fsType is the filesystem type to mount. + // It applies only when the Path is a block device. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". The default value is to auto-select a filesystem if unspecified. + // +optional + fsType?: null | string @go(FSType,*string) @protobuf(2,bytes,opt) +} + +// Represents storage that is managed by an external CSI volume driver (Beta feature) +#CSIPersistentVolumeSource: { + // driver is the name of the driver to use for this volume. + // Required. + driver: string @go(Driver) @protobuf(1,bytes,opt) + + // volumeHandle is the unique volume name returned by the CSI volume + // plugin’s CreateVolume to refer to the volume on all subsequent calls. + // Required. + volumeHandle: string @go(VolumeHandle) @protobuf(2,bytes,opt) + + // readOnly value to pass to ControllerPublishVolumeRequest. + // Defaults to false (read/write). + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) + + // fsType to mount. Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". + // +optional + fsType?: string @go(FSType) @protobuf(4,bytes,opt) + + // volumeAttributes of the volume to publish. + // +optional + volumeAttributes?: {[string]: string} @go(VolumeAttributes,map[string]string) @protobuf(5,bytes,rep) + + // controllerPublishSecretRef is a reference to the secret object containing + // sensitive information to pass to the CSI driver to complete the CSI + // ControllerPublishVolume and ControllerUnpublishVolume calls. 
+ // This field is optional, and may be empty if no secret is required. If the + // secret object contains more than one secret, all secrets are passed. + // +optional + controllerPublishSecretRef?: null | #SecretReference @go(ControllerPublishSecretRef,*SecretReference) @protobuf(6,bytes,opt) + + // nodeStageSecretRef is a reference to the secret object containing sensitive + // information to pass to the CSI driver to complete the CSI NodeStageVolume + // and NodeStageVolume and NodeUnstageVolume calls. + // This field is optional, and may be empty if no secret is required. If the + // secret object contains more than one secret, all secrets are passed. + // +optional + nodeStageSecretRef?: null | #SecretReference @go(NodeStageSecretRef,*SecretReference) @protobuf(7,bytes,opt) + + // nodePublishSecretRef is a reference to the secret object containing + // sensitive information to pass to the CSI driver to complete the CSI + // NodePublishVolume and NodeUnpublishVolume calls. + // This field is optional, and may be empty if no secret is required. If the + // secret object contains more than one secret, all secrets are passed. + // +optional + nodePublishSecretRef?: null | #SecretReference @go(NodePublishSecretRef,*SecretReference) @protobuf(8,bytes,opt) + + // controllerExpandSecretRef is a reference to the secret object containing + // sensitive information to pass to the CSI driver to complete the CSI + // ControllerExpandVolume call. + // This field is optional, and may be empty if no secret is required. If the + // secret object contains more than one secret, all secrets are passed. + // +optional + controllerExpandSecretRef?: null | #SecretReference @go(ControllerExpandSecretRef,*SecretReference) @protobuf(9,bytes,opt) + + // nodeExpandSecretRef is a reference to the secret object containing + // sensitive information to pass to the CSI driver to complete the CSI + // NodeExpandVolume call. 
+ // This is a beta field which is enabled default by CSINodeExpandSecret feature gate. + // This field is optional, may be omitted if no secret is required. If the + // secret object contains more than one secret, all secrets are passed. + // +featureGate=CSINodeExpandSecret + // +optional + nodeExpandSecretRef?: null | #SecretReference @go(NodeExpandSecretRef,*SecretReference) @protobuf(10,bytes,opt) +} + +// Represents a source location of a volume to mount, managed by an external CSI driver +#CSIVolumeSource: { + // driver is the name of the CSI driver that handles this volume. + // Consult with your admin for the correct name as registered in the cluster. + driver: string @go(Driver) @protobuf(1,bytes,opt) + + // readOnly specifies a read-only configuration for the volume. + // Defaults to false (read/write). + // +optional + readOnly?: null | bool @go(ReadOnly,*bool) @protobuf(2,varint,opt) + + // fsType to mount. Ex. "ext4", "xfs", "ntfs". + // If not provided, the empty value is passed to the associated CSI driver + // which will determine the default filesystem to apply. + // +optional + fsType?: null | string @go(FSType,*string) @protobuf(3,bytes,opt) + + // volumeAttributes stores driver-specific properties that are passed to the CSI + // driver. Consult your driver's documentation for supported values. + // +optional + volumeAttributes?: {[string]: string} @go(VolumeAttributes,map[string]string) @protobuf(4,bytes,rep) + + // nodePublishSecretRef is a reference to the secret object containing + // sensitive information to pass to the CSI driver to complete the CSI + // NodePublishVolume and NodeUnpublishVolume calls. + // This field is optional, and may be empty if no secret is required. If the + // secret object contains more than one secret, all secret references are passed. 
+ // +optional + nodePublishSecretRef?: null | #LocalObjectReference @go(NodePublishSecretRef,*LocalObjectReference) @protobuf(5,bytes,opt) +} + +// Represents an ephemeral volume that is handled by a normal storage driver. +#EphemeralVolumeSource: { + // Will be used to create a stand-alone PVC to provision the volume. + // The pod in which this EphemeralVolumeSource is embedded will be the + // owner of the PVC, i.e. the PVC will be deleted together with the + // pod. The name of the PVC will be `-` where + // `` is the name from the `PodSpec.Volumes` array + // entry. Pod validation will reject the pod if the concatenated name + // is not valid for a PVC (for example, too long). + // + // An existing PVC with that name that is not owned by the pod + // will *not* be used for the pod to avoid using an unrelated + // volume by mistake. Starting the pod is then blocked until + // the unrelated PVC is removed. If such a pre-created PVC is + // meant to be used by the pod, the PVC has to updated with an + // owner reference to the pod once the pod exists. Normally + // this should not be necessary, but it may be useful when + // manually reconstructing a broken cluster. + // + // This field is read-only and no changes will be made by Kubernetes + // to the PVC after it has been created. + // + // Required, must not be nil. + volumeClaimTemplate?: null | #PersistentVolumeClaimTemplate @go(VolumeClaimTemplate,*PersistentVolumeClaimTemplate) @protobuf(1,bytes,opt) +} + +// PersistentVolumeClaimTemplate is used to produce +// PersistentVolumeClaim objects as part of an EphemeralVolumeSource. +#PersistentVolumeClaimTemplate: { + // May contain labels and annotations that will be copied into the PVC + // when creating it. No other fields are allowed and will be rejected during + // validation. + // + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // The specification for the PersistentVolumeClaim. 
The entire content is + // copied unchanged into the PVC that gets created from this + // template. The same fields as in a PersistentVolumeClaim + // are also valid here. + spec: #PersistentVolumeClaimSpec @go(Spec) @protobuf(2,bytes) +} + +// ContainerPort represents a network port in a single container. +#ContainerPort: { + // If specified, this must be an IANA_SVC_NAME and unique within the pod. Each + // named port in a pod must have a unique name. Name for the port that can be + // referred to by services. + // +optional + name?: string @go(Name) @protobuf(1,bytes,opt) + + // Number of port to expose on the host. + // If specified, this must be a valid port number, 0 < x < 65536. + // If HostNetwork is specified, this must match ContainerPort. + // Most containers do not need this. + // +optional + hostPort?: int32 @go(HostPort) @protobuf(2,varint,opt) + + // Number of port to expose on the pod's IP address. + // This must be a valid port number, 0 < x < 65536. + containerPort: int32 @go(ContainerPort) @protobuf(3,varint,opt) + + // Protocol for port. Must be UDP, TCP, or SCTP. + // Defaults to "TCP". + // +optional + // +default="TCP" + protocol?: #Protocol @go(Protocol) @protobuf(4,bytes,opt,casttype=Protocol) + + // What host IP to bind the external port to. + // +optional + hostIP?: string @go(HostIP) @protobuf(5,bytes,opt) +} + +// VolumeMount describes a mounting of a Volume within a container. +#VolumeMount: { + // This must match the Name of a Volume. + name: string @go(Name) @protobuf(1,bytes,opt) + + // Mounted read-only if true, read-write otherwise (false or unspecified). + // Defaults to false. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(2,varint,opt) + + // Path within the container at which the volume should be mounted. Must + // not contain ':'. + mountPath: string @go(MountPath) @protobuf(3,bytes,opt) + + // Path within the volume from which the container's volume should be mounted. + // Defaults to "" (volume's root). 
+ // +optional + subPath?: string @go(SubPath) @protobuf(4,bytes,opt) + + // mountPropagation determines how mounts are propagated from the host + // to container and the other way around. + // When not set, MountPropagationNone is used. + // This field is beta in 1.10. + // +optional + mountPropagation?: null | #MountPropagationMode @go(MountPropagation,*MountPropagationMode) @protobuf(5,bytes,opt,casttype=MountPropagationMode) + + // Expanded path within the volume from which the container's volume should be mounted. + // Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + // Defaults to "" (volume's root). + // SubPathExpr and SubPath are mutually exclusive. + // +optional + subPathExpr?: string @go(SubPathExpr) @protobuf(6,bytes,opt) +} + +// MountPropagationMode describes mount propagation. +// +enum +#MountPropagationMode: string // #enumMountPropagationMode + +#enumMountPropagationMode: + #MountPropagationNone | + #MountPropagationHostToContainer | + #MountPropagationBidirectional + +// MountPropagationNone means that the volume in a container will +// not receive new mounts from the host or other containers, and filesystems +// mounted inside the container won't be propagated to the host or other +// containers. +// Note that this mode corresponds to "private" in Linux terminology. +#MountPropagationNone: #MountPropagationMode & "None" + +// MountPropagationHostToContainer means that the volume in a container will +// receive new mounts from the host or other containers, but filesystems +// mounted inside the container won't be propagated to the host or other +// containers. +// Note that this mode is recursively applied to all mounts in the volume +// ("rslave" in Linux terminology). 
+#MountPropagationHostToContainer: #MountPropagationMode & "HostToContainer" + +// MountPropagationBidirectional means that the volume in a container will +// receive new mounts from the host or other containers, and its own mounts +// will be propagated from the container to the host or other containers. +// Note that this mode is recursively applied to all mounts in the volume +// ("rshared" in Linux terminology). +#MountPropagationBidirectional: #MountPropagationMode & "Bidirectional" + +// volumeDevice describes a mapping of a raw block device within a container. +#VolumeDevice: { + // name must match the name of a persistentVolumeClaim in the pod + name: string @go(Name) @protobuf(1,bytes,opt) + + // devicePath is the path inside of the container that the device will be mapped to. + devicePath: string @go(DevicePath) @protobuf(2,bytes,opt) +} + +// EnvVar represents an environment variable present in a Container. +#EnvVar: { + // Name of the environment variable. Must be a C_IDENTIFIER. + name: string @go(Name) @protobuf(1,bytes,opt) + + // Variable references $(VAR_NAME) are expanded + // using the previously defined environment variables in the container and + // any service environment variables. If a variable cannot be resolved, + // the reference in the input string will be unchanged. Double $$ are reduced + // to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + // "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + // Escaped references will never be expanded, regardless of whether the variable + // exists or not. + // Defaults to "". + // +optional + value?: string @go(Value) @protobuf(2,bytes,opt) + + // Source for the environment variable's value. Cannot be used if value is not empty. + // +optional + valueFrom?: null | #EnvVarSource @go(ValueFrom,*EnvVarSource) @protobuf(3,bytes,opt) +} + +// EnvVarSource represents a source for the value of an EnvVar. 
+#EnvVarSource: { + // Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + // spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + // +optional + fieldRef?: null | #ObjectFieldSelector @go(FieldRef,*ObjectFieldSelector) @protobuf(1,bytes,opt) + + // Selects a resource of the container: only resources limits and requests + // (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + // +optional + resourceFieldRef?: null | #ResourceFieldSelector @go(ResourceFieldRef,*ResourceFieldSelector) @protobuf(2,bytes,opt) + + // Selects a key of a ConfigMap. + // +optional + configMapKeyRef?: null | #ConfigMapKeySelector @go(ConfigMapKeyRef,*ConfigMapKeySelector) @protobuf(3,bytes,opt) + + // Selects a key of a secret in the pod's namespace + // +optional + secretKeyRef?: null | #SecretKeySelector @go(SecretKeyRef,*SecretKeySelector) @protobuf(4,bytes,opt) +} + +// ObjectFieldSelector selects an APIVersioned field of an object. +// +structType=atomic +#ObjectFieldSelector: { + // Version of the schema the FieldPath is written in terms of, defaults to "v1". + // +optional + apiVersion?: string @go(APIVersion) @protobuf(1,bytes,opt) + + // Path of the field to select in the specified API version. 
+ fieldPath: string @go(FieldPath) @protobuf(2,bytes,opt) +} + +// ResourceFieldSelector represents container resources (cpu, memory) and their output format +// +structType=atomic +#ResourceFieldSelector: { + // Container name: required for volumes, optional for env vars + // +optional + containerName?: string @go(ContainerName) @protobuf(1,bytes,opt) + + // Required: resource to select + "resource": string @go(Resource) @protobuf(2,bytes,opt) + + // Specifies the output format of the exposed resources, defaults to "1" + // +optional + divisor?: resource.#Quantity @go(Divisor) @protobuf(3,bytes,opt) +} + +// Selects a key from a ConfigMap. +// +structType=atomic +#ConfigMapKeySelector: { + #LocalObjectReference + + // The key to select. + key: string @go(Key) @protobuf(2,bytes,opt) + + // Specify whether the ConfigMap or its key must be defined + // +optional + optional?: null | bool @go(Optional,*bool) @protobuf(3,varint,opt) +} + +// SecretKeySelector selects a key of a Secret. +// +structType=atomic +#SecretKeySelector: { + #LocalObjectReference + + // The key of the secret to select from. Must be a valid secret key. + key: string @go(Key) @protobuf(2,bytes,opt) + + // Specify whether the Secret or its key must be defined + // +optional + optional?: null | bool @go(Optional,*bool) @protobuf(3,varint,opt) +} + +// EnvFromSource represents the source of a set of ConfigMaps +#EnvFromSource: { + // An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + // +optional + prefix?: string @go(Prefix) @protobuf(1,bytes,opt) + + // The ConfigMap to select from + // +optional + configMapRef?: null | #ConfigMapEnvSource @go(ConfigMapRef,*ConfigMapEnvSource) @protobuf(2,bytes,opt) + + // The Secret to select from + // +optional + secretRef?: null | #SecretEnvSource @go(SecretRef,*SecretEnvSource) @protobuf(3,bytes,opt) +} + +// ConfigMapEnvSource selects a ConfigMap to populate the environment +// variables with. 
+// +// The contents of the target ConfigMap's Data field will represent the +// key-value pairs as environment variables. +#ConfigMapEnvSource: { + #LocalObjectReference + + // Specify whether the ConfigMap must be defined + // +optional + optional?: null | bool @go(Optional,*bool) @protobuf(2,varint,opt) +} + +// SecretEnvSource selects a Secret to populate the environment +// variables with. +// +// The contents of the target Secret's Data field will represent the +// key-value pairs as environment variables. +#SecretEnvSource: { + #LocalObjectReference + + // Specify whether the Secret must be defined + // +optional + optional?: null | bool @go(Optional,*bool) @protobuf(2,varint,opt) +} + +// HTTPHeader describes a custom header to be used in HTTP probes +#HTTPHeader: { + // The header field name. + // This will be canonicalized upon output, so case-variant names will be understood as the same header. + name: string @go(Name) @protobuf(1,bytes,opt) + + // The header field value + value: string @go(Value) @protobuf(2,bytes,opt) +} + +// HTTPGetAction describes an action based on HTTP Get requests. +#HTTPGetAction: { + // Path to access on the HTTP server. + // +optional + path?: string @go(Path) @protobuf(1,bytes,opt) + + // Name or number of the port to access on the container. + // Number must be in the range 1 to 65535. + // Name must be an IANA_SVC_NAME. + port: intstr.#IntOrString @go(Port) @protobuf(2,bytes,opt) + + // Host name to connect to, defaults to the pod IP. You probably want to set + // "Host" in httpHeaders instead. + // +optional + host?: string @go(Host) @protobuf(3,bytes,opt) + + // Scheme to use for connecting to the host. + // Defaults to HTTP. + // +optional + scheme?: #URIScheme @go(Scheme) @protobuf(4,bytes,opt,casttype=URIScheme) + + // Custom headers to set in the request. HTTP allows repeated headers. 
+ // +optional + httpHeaders?: [...#HTTPHeader] @go(HTTPHeaders,[]HTTPHeader) @protobuf(5,bytes,rep) +} + +// URIScheme identifies the scheme used for connection to a host for Get actions +// +enum +#URIScheme: string // #enumURIScheme + +#enumURIScheme: + #URISchemeHTTP | + #URISchemeHTTPS + +// URISchemeHTTP means that the scheme used will be http:// +#URISchemeHTTP: #URIScheme & "HTTP" + +// URISchemeHTTPS means that the scheme used will be https:// +#URISchemeHTTPS: #URIScheme & "HTTPS" + +// TCPSocketAction describes an action based on opening a socket +#TCPSocketAction: { + // Number or name of the port to access on the container. + // Number must be in the range 1 to 65535. + // Name must be an IANA_SVC_NAME. + port: intstr.#IntOrString @go(Port) @protobuf(1,bytes,opt) + + // Optional: Host name to connect to, defaults to the pod IP. + // +optional + host?: string @go(Host) @protobuf(2,bytes,opt) +} + +#GRPCAction: { + // Port number of the gRPC service. Number must be in the range 1 to 65535. + port: int32 @go(Port) @protobuf(1,bytes,opt) + + // Service is the name of the service to place in the gRPC HealthCheckRequest + // (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + // + // If this is not specified, the default behavior is defined by gRPC. + // +optional + // +default="" + service?: null | string @go(Service,*string) @protobuf(2,bytes,opt) +} + +// ExecAction describes a "run in container" action. +#ExecAction: { + // Command is the command line to execute inside the container, the working directory for the + // command is root ('/') in the container's filesystem. The command is simply exec'd, it is + // not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + // a shell, you need to explicitly call out to that shell. + // Exit status of 0 is treated as live/healthy and non-zero is unhealthy. 
+ // +optional + command?: [...string] @go(Command,[]string) @protobuf(1,bytes,rep) +} + +// Probe describes a health check to be performed against a container to determine whether it is +// alive or ready to receive traffic. +#Probe: { + #ProbeHandler + + // Number of seconds after the container has started before liveness probes are initiated. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + // +optional + initialDelaySeconds?: int32 @go(InitialDelaySeconds) @protobuf(2,varint,opt) + + // Number of seconds after which the probe times out. + // Defaults to 1 second. Minimum value is 1. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + // +optional + timeoutSeconds?: int32 @go(TimeoutSeconds) @protobuf(3,varint,opt) + + // How often (in seconds) to perform the probe. + // Default to 10 seconds. Minimum value is 1. + // +optional + periodSeconds?: int32 @go(PeriodSeconds) @protobuf(4,varint,opt) + + // Minimum consecutive successes for the probe to be considered successful after having failed. + // Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + // +optional + successThreshold?: int32 @go(SuccessThreshold) @protobuf(5,varint,opt) + + // Minimum consecutive failures for the probe to be considered failed after having succeeded. + // Defaults to 3. Minimum value is 1. + // +optional + failureThreshold?: int32 @go(FailureThreshold) @protobuf(6,varint,opt) + + // Optional duration in seconds the pod needs to terminate gracefully upon probe failure. + // The grace period is the duration in seconds after the processes running in the pod are sent + // a termination signal and the time when the processes are forcibly halted with a kill signal. + // Set this value longer than the expected cleanup time for your process. + // If this value is nil, the pod's terminationGracePeriodSeconds will be used. 
Otherwise, this + // value overrides the value provided by the pod spec. + // Value must be non-negative integer. The value zero indicates stop immediately via + // the kill signal (no opportunity to shut down). + // This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. + // Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. + // +optional + terminationGracePeriodSeconds?: null | int64 @go(TerminationGracePeriodSeconds,*int64) @protobuf(7,varint,opt) +} + +// PullPolicy describes a policy for if/when to pull a container image +// +enum +#PullPolicy: string // #enumPullPolicy + +#enumPullPolicy: + #PullAlways | + #PullNever | + #PullIfNotPresent + +// PullAlways means that kubelet always attempts to pull the latest image. Container will fail If the pull fails. +#PullAlways: #PullPolicy & "Always" + +// PullNever means that kubelet never pulls an image, but only uses a local image. Container will fail if the image isn't present +#PullNever: #PullPolicy & "Never" + +// PullIfNotPresent means that kubelet pulls if the image isn't present on disk. Container will fail if the image isn't present and the pull fails. +#PullIfNotPresent: #PullPolicy & "IfNotPresent" + +// ResourceResizeRestartPolicy specifies how to handle container resource resize. +#ResourceResizeRestartPolicy: string // #enumResourceResizeRestartPolicy + +#enumResourceResizeRestartPolicy: + #NotRequired | + #RestartContainer + +// 'NotRequired' means Kubernetes will try to resize the container +// without restarting it, if possible. Kubernetes may however choose to +// restart the container if it is unable to actuate resize without a +// restart. For e.g. the runtime doesn't support restart-free resizing. +#NotRequired: #ResourceResizeRestartPolicy & "NotRequired" + +// 'RestartContainer' means Kubernetes will resize the container in-place +// by stopping and starting the container when new resources are applied. 
+// This is needed for legacy applications. For e.g. java apps using the +// -xmxN flag which are unable to use resized memory without restarting. +#RestartContainer: #ResourceResizeRestartPolicy & "RestartContainer" + +// ContainerResizePolicy represents resource resize policy for the container. +#ContainerResizePolicy: { + // Name of the resource to which this resource resize policy applies. + // Supported values: cpu, memory. + resourceName: #ResourceName @go(ResourceName) @protobuf(1,bytes,opt,casttype=ResourceName) + + // Restart policy to apply when specified resource is resized. + // If not specified, it defaults to NotRequired. + restartPolicy: #ResourceResizeRestartPolicy @go(RestartPolicy) @protobuf(2,bytes,opt,casttype=ResourceResizeRestartPolicy) +} + +// PreemptionPolicy describes a policy for if/when to preempt a pod. +// +enum +#PreemptionPolicy: string // #enumPreemptionPolicy + +#enumPreemptionPolicy: + #PreemptLowerPriority | + #PreemptNever + +// PreemptLowerPriority means that pod can preempt other pods with lower priority. +#PreemptLowerPriority: #PreemptionPolicy & "PreemptLowerPriority" + +// PreemptNever means that pod never preempts other pods with lower priority. +#PreemptNever: #PreemptionPolicy & "Never" + +// TerminationMessagePolicy describes how termination messages are retrieved from a container. +// +enum +#TerminationMessagePolicy: string // #enumTerminationMessagePolicy + +#enumTerminationMessagePolicy: + #TerminationMessageReadFile | + #TerminationMessageFallbackToLogsOnError + +// TerminationMessageReadFile is the default behavior and will set the container status message to +// the contents of the container's terminationMessagePath when the container exits. 
+#TerminationMessageReadFile: #TerminationMessagePolicy & "File" + +// TerminationMessageFallbackToLogsOnError will read the most recent contents of the container logs +// for the container status message when the container exits with an error and the +// terminationMessagePath has no contents. +#TerminationMessageFallbackToLogsOnError: #TerminationMessagePolicy & "FallbackToLogsOnError" + +// Capability represent POSIX capabilities type +#Capability: string + +// Adds and removes POSIX capabilities from running containers. +#Capabilities: { + // Added capabilities + // +optional + add?: [...#Capability] @go(Add,[]Capability) @protobuf(1,bytes,rep,casttype=Capability) + + // Removed capabilities + // +optional + drop?: [...#Capability] @go(Drop,[]Capability) @protobuf(2,bytes,rep,casttype=Capability) +} + +// ResourceRequirements describes the compute resource requirements. +#ResourceRequirements: { + // Limits describes the maximum amount of compute resources allowed. + // More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + // +optional + limits?: #ResourceList @go(Limits) @protobuf(1,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // Requests describes the minimum amount of compute resources required. + // If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + // otherwise to an implementation-defined value. Requests cannot exceed Limits. + // More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + // +optional + requests?: #ResourceList @go(Requests) @protobuf(2,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // Claims lists the names of resources, defined in spec.resourceClaims, + // that are used by this container. + // + // This is an alpha field and requires enabling the + // DynamicResourceAllocation feature gate. + // + // This field is immutable. It can only be set for containers. 
+ // + // +listType=map + // +listMapKey=name + // +featureGate=DynamicResourceAllocation + // +optional + claims?: [...#ResourceClaim] @go(Claims,[]ResourceClaim) @protobuf(3,bytes,opt) +} + +// ResourceClaim references one entry in PodSpec.ResourceClaims. +#ResourceClaim: { + // Name must match the name of one entry in pod.spec.resourceClaims of + // the Pod where this field is used. It makes that resource available + // inside a container. + name: string @go(Name) @protobuf(1,bytes,opt) +} + +// TerminationMessagePathDefault means the default path to capture the application termination message running in a container +#TerminationMessagePathDefault: "/dev/termination-log" + +// A single application container that you want to run within a pod. +#Container: { + // Name of the container specified as a DNS_LABEL. + // Each container in a pod must have a unique name (DNS_LABEL). + // Cannot be updated. + name: string @go(Name) @protobuf(1,bytes,opt) + + // Container image name. + // More info: https://kubernetes.io/docs/concepts/containers/images + // This field is optional to allow higher level config management to default or override + // container images in workload controllers like Deployments and StatefulSets. + // +optional + image?: string @go(Image) @protobuf(2,bytes,opt) + + // Entrypoint array. Not executed within a shell. + // The container image's ENTRYPOINT is used if this is not provided. + // Variable references $(VAR_NAME) are expanded using the container's environment. If a variable + // cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + // to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + // produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + // of whether the variable exists or not. Cannot be updated. 
+ // More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + // +optional + command?: [...string] @go(Command,[]string) @protobuf(3,bytes,rep) + + // Arguments to the entrypoint. + // The container image's CMD is used if this is not provided. + // Variable references $(VAR_NAME) are expanded using the container's environment. If a variable + // cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + // to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + // produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + // of whether the variable exists or not. Cannot be updated. + // More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + // +optional + args?: [...string] @go(Args,[]string) @protobuf(4,bytes,rep) + + // Container's working directory. + // If not specified, the container runtime's default will be used, which + // might be configured in the container image. + // Cannot be updated. + // +optional + workingDir?: string @go(WorkingDir) @protobuf(5,bytes,opt) + + // List of ports to expose from the container. Not specifying a port here + // DOES NOT prevent that port from being exposed. Any port which is + // listening on the default "0.0.0.0" address inside a container will be + // accessible from the network. + // Modifying this array with strategic merge patch may corrupt the data. + // For more information See https://github.com/kubernetes/kubernetes/issues/108255. + // Cannot be updated. 
+ // +optional + // +patchMergeKey=containerPort + // +patchStrategy=merge + // +listType=map + // +listMapKey=containerPort + // +listMapKey=protocol + ports?: [...#ContainerPort] @go(Ports,[]ContainerPort) @protobuf(6,bytes,rep) + + // List of sources to populate environment variables in the container. + // The keys defined within a source must be a C_IDENTIFIER. All invalid keys + // will be reported as an event when the container is starting. When a key exists in multiple + // sources, the value associated with the last source will take precedence. + // Values defined by an Env with a duplicate key will take precedence. + // Cannot be updated. + // +optional + envFrom?: [...#EnvFromSource] @go(EnvFrom,[]EnvFromSource) @protobuf(19,bytes,rep) + + // List of environment variables to set in the container. + // Cannot be updated. + // +optional + // +patchMergeKey=name + // +patchStrategy=merge + env?: [...#EnvVar] @go(Env,[]EnvVar) @protobuf(7,bytes,rep) + + // Compute Resources required by this container. + // Cannot be updated. + // More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + // +optional + resources?: #ResourceRequirements @go(Resources) @protobuf(8,bytes,opt) + + // Resources resize policy for the container. + // +featureGate=InPlacePodVerticalScaling + // +optional + // +listType=atomic + resizePolicy?: [...#ContainerResizePolicy] @go(ResizePolicy,[]ContainerResizePolicy) @protobuf(23,bytes,rep) + + // RestartPolicy defines the restart behavior of individual containers in a pod. + // This field may only be set for init containers, and the only allowed value is "Always". + // For non-init containers or when this field is not specified, + // the restart behavior is defined by the Pod's restart policy and the container type. 
+ // Setting the RestartPolicy as "Always" for the init container will have the following effect: + // this init container will be continually restarted on + // exit until all regular containers have terminated. Once all regular + // containers have completed, all init containers with restartPolicy "Always" + // will be shut down. This lifecycle differs from normal init containers and + // is often referred to as a "sidecar" container. Although this init + // container still starts in the init container sequence, it does not wait + // for the container to complete before proceeding to the next init + // container. Instead, the next init container starts immediately after this + // init container is started, or after any startupProbe has successfully + // completed. + // +featureGate=SidecarContainers + // +optional + restartPolicy?: null | #ContainerRestartPolicy @go(RestartPolicy,*ContainerRestartPolicy) @protobuf(24,bytes,opt,casttype=ContainerRestartPolicy) + + // Pod volumes to mount into the container's filesystem. + // Cannot be updated. + // +optional + // +patchMergeKey=mountPath + // +patchStrategy=merge + volumeMounts?: [...#VolumeMount] @go(VolumeMounts,[]VolumeMount) @protobuf(9,bytes,rep) + + // volumeDevices is the list of block devices to be used by the container. + // +patchMergeKey=devicePath + // +patchStrategy=merge + // +optional + volumeDevices?: [...#VolumeDevice] @go(VolumeDevices,[]VolumeDevice) @protobuf(21,bytes,rep) + + // Periodic probe of container liveness. + // Container will be restarted if the probe fails. + // Cannot be updated. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + // +optional + livenessProbe?: null | #Probe @go(LivenessProbe,*Probe) @protobuf(10,bytes,opt) + + // Periodic probe of container service readiness. + // Container will be removed from service endpoints if the probe fails. + // Cannot be updated. 
+ // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + // +optional + readinessProbe?: null | #Probe @go(ReadinessProbe,*Probe) @protobuf(11,bytes,opt) + + // StartupProbe indicates that the Pod has successfully initialized. + // If specified, no other probes are executed until this completes successfully. + // If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. + // This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, + // when it might take a long time to load data or warm a cache, than during steady-state operation. + // This cannot be updated. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + // +optional + startupProbe?: null | #Probe @go(StartupProbe,*Probe) @protobuf(22,bytes,opt) + + // Actions that the management system should take in response to container lifecycle events. + // Cannot be updated. + // +optional + lifecycle?: null | #Lifecycle @go(Lifecycle,*Lifecycle) @protobuf(12,bytes,opt) + + // Optional: Path at which the file to which the container's termination message + // will be written is mounted into the container's filesystem. + // Message written is intended to be brief final status, such as an assertion failure message. + // Will be truncated by the node if greater than 4096 bytes. The total message length across + // all containers will be limited to 12kb. + // Defaults to /dev/termination-log. + // Cannot be updated. + // +optional + terminationMessagePath?: string @go(TerminationMessagePath) @protobuf(13,bytes,opt) + + // Indicate how the termination message should be populated. File will use the contents of + // terminationMessagePath to populate the container status message on both success and failure. + // FallbackToLogsOnError will use the last chunk of container log output if the termination + // message file is empty and the container exited with an error. 
+ // The log output is limited to 2048 bytes or 80 lines, whichever is smaller. + // Defaults to File. + // Cannot be updated. + // +optional + terminationMessagePolicy?: #TerminationMessagePolicy @go(TerminationMessagePolicy) @protobuf(20,bytes,opt,casttype=TerminationMessagePolicy) + + // Image pull policy. + // One of Always, Never, IfNotPresent. + // Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + // Cannot be updated. + // More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + // +optional + imagePullPolicy?: #PullPolicy @go(ImagePullPolicy) @protobuf(14,bytes,opt,casttype=PullPolicy) + + // SecurityContext defines the security options the container should be run with. + // If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. + // More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + // +optional + securityContext?: null | #SecurityContext @go(SecurityContext,*SecurityContext) @protobuf(15,bytes,opt) + + // Whether this container should allocate a buffer for stdin in the container runtime. If this + // is not set, reads from stdin in the container will always result in EOF. + // Default is false. + // +optional + stdin?: bool @go(Stdin) @protobuf(16,varint,opt) + + // Whether the container runtime should close the stdin channel after it has been opened by + // a single attach. When stdin is true the stdin stream will remain open across multiple attach + // sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the + // first client attaches to stdin, and then remains open and accepts data until the client disconnects, + // at which time stdin is closed and remains closed until the container is restarted. If this + // flag is false, a container processes that reads from stdin will never receive an EOF. 
+ // Default is false + // +optional + stdinOnce?: bool @go(StdinOnce) @protobuf(17,varint,opt) + + // Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. + // Default is false. + // +optional + tty?: bool @go(TTY) @protobuf(18,varint,opt) +} + +// ProbeHandler defines a specific action that should be taken in a probe. +// One and only one of the fields must be specified. +#ProbeHandler: { + // Exec specifies the action to take. + // +optional + exec?: null | #ExecAction @go(Exec,*ExecAction) @protobuf(1,bytes,opt) + + // HTTPGet specifies the http request to perform. + // +optional + httpGet?: null | #HTTPGetAction @go(HTTPGet,*HTTPGetAction) @protobuf(2,bytes,opt) + + // TCPSocket specifies an action involving a TCP port. + // +optional + tcpSocket?: null | #TCPSocketAction @go(TCPSocket,*TCPSocketAction) @protobuf(3,bytes,opt) + + // GRPC specifies an action involving a GRPC port. + // +optional + grpc?: null | #GRPCAction @go(GRPC,*GRPCAction) @protobuf(4,bytes,opt) +} + +// LifecycleHandler defines a specific action that should be taken in a lifecycle +// hook. One and only one of the fields, except TCPSocket must be specified. +#LifecycleHandler: { + // Exec specifies the action to take. + // +optional + exec?: null | #ExecAction @go(Exec,*ExecAction) @protobuf(1,bytes,opt) + + // HTTPGet specifies the http request to perform. + // +optional + httpGet?: null | #HTTPGetAction @go(HTTPGet,*HTTPGetAction) @protobuf(2,bytes,opt) + + // Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept + // for the backward compatibility. There are no validation of this field and + // lifecycle hooks will fail in runtime when tcp handler is specified. + // +optional + tcpSocket?: null | #TCPSocketAction @go(TCPSocket,*TCPSocketAction) @protobuf(3,bytes,opt) +} + +// Lifecycle describes actions that the management system should take in response to container lifecycle +// events. 
For the PostStart and PreStop lifecycle handlers, management of the container blocks +// until the action is complete, unless the container process fails, in which case the handler is aborted. +#Lifecycle: { + // PostStart is called immediately after a container is created. If the handler fails, + // the container is terminated and restarted according to its restart policy. + // Other management of the container blocks until the hook completes. + // More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + // +optional + postStart?: null | #LifecycleHandler @go(PostStart,*LifecycleHandler) @protobuf(1,bytes,opt) + + // PreStop is called immediately before a container is terminated due to an + // API request or management event such as liveness/startup probe failure, + // preemption, resource contention, etc. The handler is not called if the + // container crashes or exits. The Pod's termination grace period countdown begins before the + // PreStop hook is executed. Regardless of the outcome of the handler, the + // container will eventually terminate within the Pod's termination grace + // period (unless delayed by finalizers). Other management of the container blocks until the hook completes + // or until the termination grace period is reached. + // More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + // +optional + preStop?: null | #LifecycleHandler @go(PreStop,*LifecycleHandler) @protobuf(2,bytes,opt) +} + +#ConditionStatus: string // #enumConditionStatus + +#enumConditionStatus: + #ConditionTrue | + #ConditionFalse | + #ConditionUnknown + +#ConditionTrue: #ConditionStatus & "True" +#ConditionFalse: #ConditionStatus & "False" +#ConditionUnknown: #ConditionStatus & "Unknown" + +// ContainerStateWaiting is a waiting state of a container. +#ContainerStateWaiting: { + // (brief) reason the container is not yet running. 
+ // +optional + reason?: string @go(Reason) @protobuf(1,bytes,opt) + + // Message regarding why the container is not yet running. + // +optional + message?: string @go(Message) @protobuf(2,bytes,opt) +} + +// ContainerStateRunning is a running state of a container. +#ContainerStateRunning: { + // Time at which the container was last (re-)started + // +optional + startedAt?: metav1.#Time @go(StartedAt) @protobuf(1,bytes,opt) +} + +// ContainerStateTerminated is a terminated state of a container. +#ContainerStateTerminated: { + // Exit status from the last termination of the container + exitCode: int32 @go(ExitCode) @protobuf(1,varint,opt) + + // Signal from the last termination of the container + // +optional + signal?: int32 @go(Signal) @protobuf(2,varint,opt) + + // (brief) reason from the last termination of the container + // +optional + reason?: string @go(Reason) @protobuf(3,bytes,opt) + + // Message regarding the last termination of the container + // +optional + message?: string @go(Message) @protobuf(4,bytes,opt) + + // Time at which previous execution of the container started + // +optional + startedAt?: metav1.#Time @go(StartedAt) @protobuf(5,bytes,opt) + + // Time at which the container last terminated + // +optional + finishedAt?: metav1.#Time @go(FinishedAt) @protobuf(6,bytes,opt) + + // Container's ID in the format '://' + // +optional + containerID?: string @go(ContainerID) @protobuf(7,bytes,opt) +} + +// ContainerState holds a possible state of container. +// Only one of its members may be specified. +// If none of them is specified, the default one is ContainerStateWaiting. 
+#ContainerState: { + // Details about a waiting container + // +optional + waiting?: null | #ContainerStateWaiting @go(Waiting,*ContainerStateWaiting) @protobuf(1,bytes,opt) + + // Details about a running container + // +optional + running?: null | #ContainerStateRunning @go(Running,*ContainerStateRunning) @protobuf(2,bytes,opt) + + // Details about a terminated container + // +optional + terminated?: null | #ContainerStateTerminated @go(Terminated,*ContainerStateTerminated) @protobuf(3,bytes,opt) +} + +// ContainerStatus contains details for the current status of this container. +#ContainerStatus: { + // Name is a DNS_LABEL representing the unique name of the container. + // Each container in a pod must have a unique name across all container types. + // Cannot be updated. + name: string @go(Name) @protobuf(1,bytes,opt) + + // State holds details about the container's current condition. + // +optional + state?: #ContainerState @go(State) @protobuf(2,bytes,opt) + + // LastTerminationState holds the last termination state of the container to + // help debug container crashes and restarts. This field is not + // populated if the container is still running and RestartCount is 0. + // +optional + lastState?: #ContainerState @go(LastTerminationState) @protobuf(3,bytes,opt) + + // Ready specifies whether the container is currently passing its readiness check. + // The value will change as readiness probes keep executing. If no readiness + // probes are specified, this field defaults to true once the container is + // fully started (see Started field). + // + // The value is typically used to determine whether a container is ready to + // accept traffic. + ready: bool @go(Ready) @protobuf(4,varint,opt) + + // RestartCount holds the number of times the container has been restarted. + // Kubelet makes an effort to always increment the value, but there + // are cases when the state may be lost due to node restarts and then the value + // may be reset to 0. 
The value is never negative. + restartCount: int32 @go(RestartCount) @protobuf(5,varint,opt) + + // Image is the name of container image that the container is running. + // The container image may not match the image used in the PodSpec, + // as it may have been resolved by the runtime. + // More info: https://kubernetes.io/docs/concepts/containers/images. + image: string @go(Image) @protobuf(6,bytes,opt) + + // ImageID is the image ID of the container's image. The image ID may not + // match the image ID of the image used in the PodSpec, as it may have been + // resolved by the runtime. + imageID: string @go(ImageID) @protobuf(7,bytes,opt) + + // ContainerID is the ID of the container in the format '://'. + // Where type is a container runtime identifier, returned from Version call of CRI API + // (for example "containerd"). + // +optional + containerID?: string @go(ContainerID) @protobuf(8,bytes,opt) + + // Started indicates whether the container has finished its postStart lifecycle hook + // and passed its startup probe. + // Initialized as false, becomes true after startupProbe is considered + // successful. Resets to false when the container is restarted, or if kubelet + // loses state temporarily. In both cases, startup probes will run again. + // Is always true when no startupProbe is defined and container is running and + // has passed the postStart lifecycle hook. The null value must be treated the + // same as false. + // +optional + started?: null | bool @go(Started,*bool) @protobuf(9,varint,opt) + + // AllocatedResources represents the compute resources allocated for this container by the + // node. Kubelet sets this value to Container.Resources.Requests upon successful pod admission + // and after successfully admitting desired pod resize. 
+ // +featureGate=InPlacePodVerticalScaling + // +optional + allocatedResources?: #ResourceList @go(AllocatedResources) @protobuf(10,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // Resources represents the compute resource requests and limits that have been successfully + // enacted on the running container after it has been started or has been successfully resized. + // +featureGate=InPlacePodVerticalScaling + // +optional + resources?: null | #ResourceRequirements @go(Resources,*ResourceRequirements) @protobuf(11,bytes,opt) +} + +// PodPhase is a label for the condition of a pod at the current time. +// +enum +#PodPhase: string // #enumPodPhase + +#enumPodPhase: + #PodPending | + #PodRunning | + #PodSucceeded | + #PodFailed | + #PodUnknown + +// PodPending means the pod has been accepted by the system, but one or more of the containers +// has not been started. This includes time before being bound to a node, as well as time spent +// pulling images onto the host. +#PodPending: #PodPhase & "Pending" + +// PodRunning means the pod has been bound to a node and all of the containers have been started. +// At least one container is still running or is in the process of being restarted. +#PodRunning: #PodPhase & "Running" + +// PodSucceeded means that all containers in the pod have voluntarily terminated +// with a container exit code of 0, and the system is not going to restart any of these containers. +#PodSucceeded: #PodPhase & "Succeeded" + +// PodFailed means that all containers in the pod have terminated, and at least one container has +// terminated in a failure (exited with a non-zero exit code or was stopped by the system). +#PodFailed: #PodPhase & "Failed" + +// PodUnknown means that for some reason the state of the pod could not be obtained, typically due +// to an error in communicating with the host of the pod. 
+// Deprecated: It isn't being set since 2015 (74da3b14b0c0f658b3bb8d2def5094686d0e9095) +#PodUnknown: #PodPhase & "Unknown" + +// PodConditionType is a valid value for PodCondition.Type +#PodConditionType: string // #enumPodConditionType + +#enumPodConditionType: + #ContainersReady | + #PodInitialized | + #PodReady | + #PodScheduled | + #DisruptionTarget + +// ContainersReady indicates whether all containers in the pod are ready. +#ContainersReady: #PodConditionType & "ContainersReady" + +// PodInitialized means that all init containers in the pod have started successfully. +#PodInitialized: #PodConditionType & "Initialized" + +// PodReady means the pod is able to service requests and should be added to the +// load balancing pools of all matching services. +#PodReady: #PodConditionType & "Ready" + +// PodScheduled represents status of the scheduling process for this pod. +#PodScheduled: #PodConditionType & "PodScheduled" + +// DisruptionTarget indicates the pod is about to be terminated due to a +// disruption (such as preemption, eviction API or garbage-collection). +#DisruptionTarget: #PodConditionType & "DisruptionTarget" + +// PodReasonUnschedulable reason in PodScheduled PodCondition means that the scheduler +// can't schedule the pod right now, for example due to insufficient resources in the cluster. +#PodReasonUnschedulable: "Unschedulable" + +// PodReasonSchedulingGated reason in PodScheduled PodCondition means that the scheduler +// skips scheduling the pod because one or more scheduling gates are still present. +#PodReasonSchedulingGated: "SchedulingGated" + +// PodReasonSchedulerError reason in PodScheduled PodCondition means that some internal error happens +// during scheduling, for example due to nodeAffinity parsing errors. 
+#PodReasonSchedulerError: "SchedulerError" + +// TerminationByKubelet reason in DisruptionTarget pod condition indicates that the termination +// is initiated by kubelet +#PodReasonTerminationByKubelet: "TerminationByKubelet" + +// PodReasonPreemptionByScheduler reason in DisruptionTarget pod condition indicates that the +// disruption was initiated by scheduler's preemption. +#PodReasonPreemptionByScheduler: "PreemptionByScheduler" + +// PodCondition contains details for the current condition of this pod. +#PodCondition: { + // Type is the type of the condition. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions + type: #PodConditionType @go(Type) @protobuf(1,bytes,opt,casttype=PodConditionType) + + // Status is the status of the condition. + // Can be True, False, Unknown. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions + status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus) + + // Last time we probed the condition. + // +optional + lastProbeTime?: metav1.#Time @go(LastProbeTime) @protobuf(3,bytes,opt) + + // Last time the condition transitioned from one status to another. + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(4,bytes,opt) + + // Unique, one-word, CamelCase reason for the condition's last transition. + // +optional + reason?: string @go(Reason) @protobuf(5,bytes,opt) + + // Human-readable message indicating details about last transition. + // +optional + message?: string @go(Message) @protobuf(6,bytes,opt) +} + +// PodResizeStatus shows status of desired resize of a pod's containers. +#PodResizeStatus: string // #enumPodResizeStatus + +#enumPodResizeStatus: + #PodResizeStatusProposed | + #PodResizeStatusInProgress | + #PodResizeStatusDeferred | + #PodResizeStatusInfeasible + +// Pod resources resize has been requested and will be evaluated by node. 
+#PodResizeStatusProposed: #PodResizeStatus & "Proposed" + +// Pod resources resize has been accepted by node and is being actuated. +#PodResizeStatusInProgress: #PodResizeStatus & "InProgress" + +// Node cannot resize the pod at this time and will keep retrying. +#PodResizeStatusDeferred: #PodResizeStatus & "Deferred" + +// Requested pod resize is not feasible and will not be re-evaluated. +#PodResizeStatusInfeasible: #PodResizeStatus & "Infeasible" + +// RestartPolicy describes how the container should be restarted. +// Only one of the following restart policies may be specified. +// If none of the following policies is specified, the default one +// is RestartPolicyAlways. +// +enum +#RestartPolicy: string // #enumRestartPolicy + +#enumRestartPolicy: + #RestartPolicyAlways | + #RestartPolicyOnFailure | + #RestartPolicyNever + +#RestartPolicyAlways: #RestartPolicy & "Always" +#RestartPolicyOnFailure: #RestartPolicy & "OnFailure" +#RestartPolicyNever: #RestartPolicy & "Never" + +// ContainerRestartPolicy is the restart policy for a single container. +// This may only be set for init containers and only allowed value is "Always". +#ContainerRestartPolicy: string // #enumContainerRestartPolicy + +#enumContainerRestartPolicy: + #ContainerRestartPolicyAlways + +#ContainerRestartPolicyAlways: #ContainerRestartPolicy & "Always" + +// DNSPolicy defines how a pod's DNS will be configured. +// +enum +#DNSPolicy: string // #enumDNSPolicy + +#enumDNSPolicy: + #DNSClusterFirstWithHostNet | + #DNSClusterFirst | + #DNSDefault | + #DNSNone + +// DNSClusterFirstWithHostNet indicates that the pod should use cluster DNS +// first, if it is available, then fall back on the default +// (as determined by kubelet) DNS settings. 
+#DNSClusterFirstWithHostNet: #DNSPolicy & "ClusterFirstWithHostNet" + +// DNSClusterFirst indicates that the pod should use cluster DNS +// first unless hostNetwork is true, if it is available, then +// fall back on the default (as determined by kubelet) DNS settings. +#DNSClusterFirst: #DNSPolicy & "ClusterFirst" + +// DNSDefault indicates that the pod should use the default (as +// determined by kubelet) DNS settings. +#DNSDefault: #DNSPolicy & "Default" + +// DNSNone indicates that the pod should use empty DNS settings. DNS +// parameters such as nameservers and search paths should be defined via +// DNSConfig. +#DNSNone: #DNSPolicy & "None" + +// DefaultTerminationGracePeriodSeconds indicates the default duration in +// seconds a pod needs to terminate gracefully. +#DefaultTerminationGracePeriodSeconds: 30 + +// A node selector represents the union of the results of one or more label queries +// over a set of nodes; that is, it represents the OR of the selectors represented +// by the node selector terms. +// +structType=atomic +#NodeSelector: { + // Required. A list of node selector terms. The terms are ORed. + nodeSelectorTerms: [...#NodeSelectorTerm] @go(NodeSelectorTerms,[]NodeSelectorTerm) @protobuf(1,bytes,rep) +} + +// A null or empty node selector term matches no objects. The requirements of +// them are ANDed. +// The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. +// +structType=atomic +#NodeSelectorTerm: { + // A list of node selector requirements by node's labels. + // +optional + matchExpressions?: [...#NodeSelectorRequirement] @go(MatchExpressions,[]NodeSelectorRequirement) @protobuf(1,bytes,rep) + + // A list of node selector requirements by node's fields. + // +optional + matchFields?: [...#NodeSelectorRequirement] @go(MatchFields,[]NodeSelectorRequirement) @protobuf(2,bytes,rep) +} + +// A node selector requirement is a selector that contains values, a key, and an operator +// that relates the key and values. 
+#NodeSelectorRequirement: { + // The label key that the selector applies to. + key: string @go(Key) @protobuf(1,bytes,opt) + + // Represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + operator: #NodeSelectorOperator @go(Operator) @protobuf(2,bytes,opt,casttype=NodeSelectorOperator) + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists or DoesNotExist, + // the values array must be empty. If the operator is Gt or Lt, the values + // array must have a single element, which will be interpreted as an integer. + // This array is replaced during a strategic merge patch. + // +optional + values?: [...string] @go(Values,[]string) @protobuf(3,bytes,rep) +} + +// A node selector operator is the set of operators that can be used in +// a node selector requirement. +// +enum +#NodeSelectorOperator: string // #enumNodeSelectorOperator + +#enumNodeSelectorOperator: + #NodeSelectorOpIn | + #NodeSelectorOpNotIn | + #NodeSelectorOpExists | + #NodeSelectorOpDoesNotExist | + #NodeSelectorOpGt | + #NodeSelectorOpLt + +#NodeSelectorOpIn: #NodeSelectorOperator & "In" +#NodeSelectorOpNotIn: #NodeSelectorOperator & "NotIn" +#NodeSelectorOpExists: #NodeSelectorOperator & "Exists" +#NodeSelectorOpDoesNotExist: #NodeSelectorOperator & "DoesNotExist" +#NodeSelectorOpGt: #NodeSelectorOperator & "Gt" +#NodeSelectorOpLt: #NodeSelectorOperator & "Lt" + +// A topology selector term represents the result of label queries. +// A null or empty topology selector term matches no objects. +// The requirements of them are ANDed. +// It provides a subset of functionality as NodeSelectorTerm. +// This is an alpha feature and may change in the future. +// +structType=atomic +#TopologySelectorTerm: { + // A list of topology selector requirements by labels. 
+ // +optional + matchLabelExpressions?: [...#TopologySelectorLabelRequirement] @go(MatchLabelExpressions,[]TopologySelectorLabelRequirement) @protobuf(1,bytes,rep) +} + +// A topology selector requirement is a selector that matches given label. +// This is an alpha feature and may change in the future. +#TopologySelectorLabelRequirement: { + // The label key that the selector applies to. + key: string @go(Key) @protobuf(1,bytes,opt) + + // An array of string values. One value must match the label to be selected. + // Each entry in Values is ORed. + values: [...string] @go(Values,[]string) @protobuf(2,bytes,rep) +} + +// Affinity is a group of affinity scheduling rules. +#Affinity: { + // Describes node affinity scheduling rules for the pod. + // +optional + nodeAffinity?: null | #NodeAffinity @go(NodeAffinity,*NodeAffinity) @protobuf(1,bytes,opt) + + // Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). + // +optional + podAffinity?: null | #PodAffinity @go(PodAffinity,*PodAffinity) @protobuf(2,bytes,opt) + + // Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). + // +optional + podAntiAffinity?: null | #PodAntiAffinity @go(PodAntiAffinity,*PodAntiAffinity) @protobuf(3,bytes,opt) +} + +// Pod affinity is a group of inter pod affinity scheduling rules. +#PodAffinity: { + // If the affinity requirements specified by this field are not met at + // scheduling time, the pod will not be scheduled onto the node. + // If the affinity requirements specified by this field cease to be met + // at some point during pod execution (e.g. due to a pod label update), the + // system may or may not try to eventually evict the pod from its node. + // When there are multiple elements, the lists of nodes corresponding to each + // podAffinityTerm are intersected, i.e. all terms must be satisfied. 
+ // +optional + requiredDuringSchedulingIgnoredDuringExecution?: [...#PodAffinityTerm] @go(RequiredDuringSchedulingIgnoredDuringExecution,[]PodAffinityTerm) @protobuf(1,bytes,rep) + + // The scheduler will prefer to schedule pods to nodes that satisfy + // the affinity expressions specified by this field, but it may choose + // a node that violates one or more of the expressions. The node that is + // most preferred is the one with the greatest sum of weights, i.e. + // for each node that meets all of the scheduling requirements (resource + // request, requiredDuringScheduling affinity expressions, etc.), + // compute a sum by iterating through the elements of this field and adding + // "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + // node(s) with the highest sum are the most preferred. + // +optional + preferredDuringSchedulingIgnoredDuringExecution?: [...#WeightedPodAffinityTerm] @go(PreferredDuringSchedulingIgnoredDuringExecution,[]WeightedPodAffinityTerm) @protobuf(2,bytes,rep) +} + +// Pod anti affinity is a group of inter pod anti affinity scheduling rules. +#PodAntiAffinity: { + // If the anti-affinity requirements specified by this field are not met at + // scheduling time, the pod will not be scheduled onto the node. + // If the anti-affinity requirements specified by this field cease to be met + // at some point during pod execution (e.g. due to a pod label update), the + // system may or may not try to eventually evict the pod from its node. + // When there are multiple elements, the lists of nodes corresponding to each + // podAffinityTerm are intersected, i.e. all terms must be satisfied. 
+ // +optional + requiredDuringSchedulingIgnoredDuringExecution?: [...#PodAffinityTerm] @go(RequiredDuringSchedulingIgnoredDuringExecution,[]PodAffinityTerm) @protobuf(1,bytes,rep) + + // The scheduler will prefer to schedule pods to nodes that satisfy + // the anti-affinity expressions specified by this field, but it may choose + // a node that violates one or more of the expressions. The node that is + // most preferred is the one with the greatest sum of weights, i.e. + // for each node that meets all of the scheduling requirements (resource + // request, requiredDuringScheduling anti-affinity expressions, etc.), + // compute a sum by iterating through the elements of this field and adding + // "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + // node(s) with the highest sum are the most preferred. + // +optional + preferredDuringSchedulingIgnoredDuringExecution?: [...#WeightedPodAffinityTerm] @go(PreferredDuringSchedulingIgnoredDuringExecution,[]WeightedPodAffinityTerm) @protobuf(2,bytes,rep) +} + +// The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) +#WeightedPodAffinityTerm: { + // weight associated with matching the corresponding podAffinityTerm, + // in the range 1-100. + weight: int32 @go(Weight) @protobuf(1,varint,opt) + + // Required. A pod affinity term, associated with the corresponding weight. + podAffinityTerm: #PodAffinityTerm @go(PodAffinityTerm) @protobuf(2,bytes,opt) +} + +// Defines a set of pods (namely those matching the labelSelector +// relative to the given namespace(s)) that this pod should be +// co-located (affinity) or not co-located (anti-affinity) with, +// where co-located is defined as running on a node whose value of +// the label with key matches that of any node on which +// a pod of the set of pods is running +#PodAffinityTerm: { + // A label query over a set of resources, in this case pods. 
+ // +optional + labelSelector?: null | metav1.#LabelSelector @go(LabelSelector,*metav1.LabelSelector) @protobuf(1,bytes,opt) + + // namespaces specifies a static list of namespace names that the term applies to. + // The term is applied to the union of the namespaces listed in this field + // and the ones selected by namespaceSelector. + // null or empty namespaces list and null namespaceSelector means "this pod's namespace". + // +optional + namespaces?: [...string] @go(Namespaces,[]string) @protobuf(2,bytes,rep) + + // This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located is defined as running on a node + // whose value of the label with key topologyKey matches that of any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. + topologyKey: string @go(TopologyKey) @protobuf(3,bytes,opt) + + // A label query over the set of namespaces that the term applies to. + // The term is applied to the union of the namespaces selected by this field + // and the ones listed in the namespaces field. + // null selector and null or empty namespaces list means "this pod's namespace". + // An empty selector ({}) matches all namespaces. + // +optional + namespaceSelector?: null | metav1.#LabelSelector @go(NamespaceSelector,*metav1.LabelSelector) @protobuf(4,bytes,opt) +} + +// Node affinity is a group of node affinity scheduling rules. +#NodeAffinity: { + // If the affinity requirements specified by this field are not met at + // scheduling time, the pod will not be scheduled onto the node. + // If the affinity requirements specified by this field cease to be met + // at some point during pod execution (e.g. due to an update), the system + // may or may not try to eventually evict the pod from its node. 
+ // +optional + requiredDuringSchedulingIgnoredDuringExecution?: null | #NodeSelector @go(RequiredDuringSchedulingIgnoredDuringExecution,*NodeSelector) @protobuf(1,bytes,opt) + + // The scheduler will prefer to schedule pods to nodes that satisfy + // the affinity expressions specified by this field, but it may choose + // a node that violates one or more of the expressions. The node that is + // most preferred is the one with the greatest sum of weights, i.e. + // for each node that meets all of the scheduling requirements (resource + // request, requiredDuringScheduling affinity expressions, etc.), + // compute a sum by iterating through the elements of this field and adding + // "weight" to the sum if the node matches the corresponding matchExpressions; the + // node(s) with the highest sum are the most preferred. + // +optional + preferredDuringSchedulingIgnoredDuringExecution?: [...#PreferredSchedulingTerm] @go(PreferredDuringSchedulingIgnoredDuringExecution,[]PreferredSchedulingTerm) @protobuf(2,bytes,rep) +} + +// An empty preferred scheduling term matches all objects with implicit weight 0 +// (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). +#PreferredSchedulingTerm: { + // Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. + weight: int32 @go(Weight) @protobuf(1,varint,opt) + + // A node selector term, associated with the corresponding weight. + preference: #NodeSelectorTerm @go(Preference) @protobuf(2,bytes,opt) +} + +// The node this Taint is attached to has the "effect" on +// any pod that does not tolerate the Taint. +#Taint: { + // Required. The taint key to be applied to a node. + key: string @go(Key) @protobuf(1,bytes,opt) + + // The taint value corresponding to the taint key. + // +optional + value?: string @go(Value) @protobuf(2,bytes,opt) + + // Required. The effect of the taint on pods + // that do not tolerate the taint. 
+ // Valid effects are NoSchedule, PreferNoSchedule and NoExecute. + effect: #TaintEffect @go(Effect) @protobuf(3,bytes,opt,casttype=TaintEffect) + + // TimeAdded represents the time at which the taint was added. + // It is only written for NoExecute taints. + // +optional + timeAdded?: null | metav1.#Time @go(TimeAdded,*metav1.Time) @protobuf(4,bytes,opt) +} + +// +enum +#TaintEffect: string // #enumTaintEffect + +#enumTaintEffect: + #TaintEffectNoSchedule | + #TaintEffectPreferNoSchedule | + #TaintEffectNoExecute + +// Do not allow new pods to schedule onto the node unless they tolerate the taint, +// but allow all pods submitted to Kubelet without going through the scheduler +// to start, and allow all already-running pods to continue running. +// Enforced by the scheduler. +#TaintEffectNoSchedule: #TaintEffect & "NoSchedule" + +// Like TaintEffectNoSchedule, but the scheduler tries not to schedule +// new pods onto the node, rather than prohibiting new pods from scheduling +// onto the node entirely. Enforced by the scheduler. +#TaintEffectPreferNoSchedule: #TaintEffect & "PreferNoSchedule" + +// Evict any already-running pods that do not tolerate the taint. +// Currently enforced by NodeController. +#TaintEffectNoExecute: #TaintEffect & "NoExecute" + +// The pod this Toleration is attached to tolerates any taint that matches +// the triple using the matching operator . +#Toleration: { + // Key is the taint key that the toleration applies to. Empty means match all taint keys. + // If the key is empty, operator must be Exists; this combination means to match all values and all keys. + // +optional + key?: string @go(Key) @protobuf(1,bytes,opt) + + // Operator represents a key's relationship to the value. + // Valid operators are Exists and Equal. Defaults to Equal. + // Exists is equivalent to wildcard for value, so that a pod can + // tolerate all taints of a particular category. 
+ // +optional + operator?: #TolerationOperator @go(Operator) @protobuf(2,bytes,opt,casttype=TolerationOperator) + + // Value is the taint value the toleration matches to. + // If the operator is Exists, the value should be empty, otherwise just a regular string. + // +optional + value?: string @go(Value) @protobuf(3,bytes,opt) + + // Effect indicates the taint effect to match. Empty means match all taint effects. + // When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + // +optional + effect?: #TaintEffect @go(Effect) @protobuf(4,bytes,opt,casttype=TaintEffect) + + // TolerationSeconds represents the period of time the toleration (which must be + // of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + // it is not set, which means tolerate the taint forever (do not evict). Zero and + // negative values will be treated as 0 (evict immediately) by the system. + // +optional + tolerationSeconds?: null | int64 @go(TolerationSeconds,*int64) @protobuf(5,varint,opt) +} + +// A toleration operator is the set of operators that can be used in a toleration. +// +enum +#TolerationOperator: string // #enumTolerationOperator + +#enumTolerationOperator: + #TolerationOpExists | + #TolerationOpEqual + +#TolerationOpExists: #TolerationOperator & "Exists" +#TolerationOpEqual: #TolerationOperator & "Equal" + +// PodReadinessGate contains the reference to a pod condition +#PodReadinessGate: { + // ConditionType refers to a condition in the pod's condition list with matching type. + conditionType: #PodConditionType @go(ConditionType) @protobuf(1,bytes,opt,casttype=PodConditionType) +} + +// PodSpec is a description of a pod. +#PodSpec: { + // List of volumes that can be mounted by containers belonging to the pod. 
+ // More info: https://kubernetes.io/docs/concepts/storage/volumes + // +optional + // +patchMergeKey=name + // +patchStrategy=merge,retainKeys + volumes?: [...#Volume] @go(Volumes,[]Volume) @protobuf(1,bytes,rep) + + // List of initialization containers belonging to the pod. + // Init containers are executed in order prior to containers being started. If any + // init container fails, the pod is considered to have failed and is handled according + // to its restartPolicy. The name for an init container or normal container must be + // unique among all containers. + // Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. + // The resourceRequirements of an init container are taken into account during scheduling + // by finding the highest request/limit for each resource type, and then using the max of + // of that value or the sum of the normal containers. Limits are applied to init containers + // in a similar fashion. + // Init containers cannot currently be added or removed. + // Cannot be updated. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + // +patchMergeKey=name + // +patchStrategy=merge + initContainers?: [...#Container] @go(InitContainers,[]Container) @protobuf(20,bytes,rep) + + // List of containers belonging to the pod. + // Containers cannot currently be added or removed. + // There must be at least one container in a Pod. + // Cannot be updated. + // +patchMergeKey=name + // +patchStrategy=merge + containers: [...#Container] @go(Containers,[]Container) @protobuf(2,bytes,rep) + + // List of ephemeral containers run in this pod. Ephemeral containers may be run in an existing + // pod to perform user-initiated actions such as debugging. This list cannot be specified when + // creating a pod, and it cannot be modified by updating the pod spec. In order to add an + // ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource. 
+ // +optional + // +patchMergeKey=name + // +patchStrategy=merge + ephemeralContainers?: [...#EphemeralContainer] @go(EphemeralContainers,[]EphemeralContainer) @protobuf(34,bytes,rep) + + // Restart policy for all containers within the pod. + // One of Always, OnFailure, Never. In some contexts, only a subset of those values may be permitted. + // Default to Always. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy + // +optional + restartPolicy?: #RestartPolicy @go(RestartPolicy) @protobuf(3,bytes,opt,casttype=RestartPolicy) + + // Optional duration in seconds the pod needs to terminate gracefully. May be decreased in delete request. + // Value must be non-negative integer. The value zero indicates stop immediately via + // the kill signal (no opportunity to shut down). + // If this value is nil, the default grace period will be used instead. + // The grace period is the duration in seconds after the processes running in the pod are sent + // a termination signal and the time when the processes are forcibly halted with a kill signal. + // Set this value longer than the expected cleanup time for your process. + // Defaults to 30 seconds. + // +optional + terminationGracePeriodSeconds?: null | int64 @go(TerminationGracePeriodSeconds,*int64) @protobuf(4,varint,opt) + + // Optional duration in seconds the pod may be active on the node relative to + // StartTime before the system will actively try to mark it failed and kill associated containers. + // Value must be a positive integer. + // +optional + activeDeadlineSeconds?: null | int64 @go(ActiveDeadlineSeconds,*int64) @protobuf(5,varint,opt) + + // Set DNS policy for the pod. + // Defaults to "ClusterFirst". + // Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' or 'None'. + // DNS parameters given in DNSConfig will be merged with the policy selected with DNSPolicy. 
+ // To have DNS options set along with hostNetwork, you have to specify DNS policy + // explicitly to 'ClusterFirstWithHostNet'. + // +optional + dnsPolicy?: #DNSPolicy @go(DNSPolicy) @protobuf(6,bytes,opt,casttype=DNSPolicy) + + // NodeSelector is a selector which must be true for the pod to fit on a node. + // Selector which must match a node's labels for the pod to be scheduled on that node. + // More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + // +optional + // +mapType=atomic + nodeSelector?: {[string]: string} @go(NodeSelector,map[string]string) @protobuf(7,bytes,rep) + + // ServiceAccountName is the name of the ServiceAccount to use to run this pod. + // More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ + // +optional + serviceAccountName?: string @go(ServiceAccountName) @protobuf(8,bytes,opt) + + // DeprecatedServiceAccount is a depreciated alias for ServiceAccountName. + // Deprecated: Use serviceAccountName instead. + // +k8s:conversion-gen=false + // +optional + serviceAccount?: string @go(DeprecatedServiceAccount) @protobuf(9,bytes,opt) + + // AutomountServiceAccountToken indicates whether a service account token should be automatically mounted. + // +optional + automountServiceAccountToken?: null | bool @go(AutomountServiceAccountToken,*bool) @protobuf(21,varint,opt) + + // NodeName is a request to schedule this pod onto a specific node. If it is non-empty, + // the scheduler simply schedules this pod onto that node, assuming that it fits resource + // requirements. + // +optional + nodeName?: string @go(NodeName) @protobuf(10,bytes,opt) + + // Host networking requested for this pod. Use the host's network namespace. + // If this option is set, the ports that will be used must be specified. + // Default to false. + // +k8s:conversion-gen=false + // +optional + hostNetwork?: bool @go(HostNetwork) @protobuf(11,varint,opt) + + // Use the host's pid namespace. 
+ // Optional: Default to false. + // +k8s:conversion-gen=false + // +optional + hostPID?: bool @go(HostPID) @protobuf(12,varint,opt) + + // Use the host's ipc namespace. + // Optional: Default to false. + // +k8s:conversion-gen=false + // +optional + hostIPC?: bool @go(HostIPC) @protobuf(13,varint,opt) + + // Share a single process namespace between all of the containers in a pod. + // When this is set containers will be able to view and signal processes from other containers + // in the same pod, and the first process in each container will not be assigned PID 1. + // HostPID and ShareProcessNamespace cannot both be set. + // Optional: Default to false. + // +k8s:conversion-gen=false + // +optional + shareProcessNamespace?: null | bool @go(ShareProcessNamespace,*bool) @protobuf(27,varint,opt) + + // SecurityContext holds pod-level security attributes and common container settings. + // Optional: Defaults to empty. See type description for default values of each field. + // +optional + securityContext?: null | #PodSecurityContext @go(SecurityContext,*PodSecurityContext) @protobuf(14,bytes,opt) + + // ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. + // If specified, these secrets will be passed to individual puller implementations for them to use. + // More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod + // +optional + // +patchMergeKey=name + // +patchStrategy=merge + imagePullSecrets?: [...#LocalObjectReference] @go(ImagePullSecrets,[]LocalObjectReference) @protobuf(15,bytes,rep) + + // Specifies the hostname of the Pod + // If not specified, the pod's hostname will be set to a system-defined value. + // +optional + hostname?: string @go(Hostname) @protobuf(16,bytes,opt) + + // If specified, the fully qualified Pod hostname will be "...svc.". + // If not specified, the pod will not have a domainname at all. 
+ // +optional + subdomain?: string @go(Subdomain) @protobuf(17,bytes,opt) + + // If specified, the pod's scheduling constraints + // +optional + affinity?: null | #Affinity @go(Affinity,*Affinity) @protobuf(18,bytes,opt) + + // If specified, the pod will be dispatched by specified scheduler. + // If not specified, the pod will be dispatched by default scheduler. + // +optional + schedulerName?: string @go(SchedulerName) @protobuf(19,bytes,opt) + + // If specified, the pod's tolerations. + // +optional + tolerations?: [...#Toleration] @go(Tolerations,[]Toleration) @protobuf(22,bytes,opt) + + // HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts + // file if specified. This is only valid for non-hostNetwork pods. + // +optional + // +patchMergeKey=ip + // +patchStrategy=merge + hostAliases?: [...#HostAlias] @go(HostAliases,[]HostAlias) @protobuf(23,bytes,rep) + + // If specified, indicates the pod's priority. "system-node-critical" and + // "system-cluster-critical" are two special keywords which indicate the + // highest priorities with the former being the highest priority. Any other + // name must be defined by creating a PriorityClass object with that name. + // If not specified, the pod priority will be default or zero if there is no + // default. + // +optional + priorityClassName?: string @go(PriorityClassName) @protobuf(24,bytes,opt) + + // The priority value. Various system components use this field to find the + // priority of the pod. When Priority Admission Controller is enabled, it + // prevents users from setting this field. The admission controller populates + // this field from PriorityClassName. + // The higher the value, the higher the priority. + // +optional + priority?: null | int32 @go(Priority,*int32) @protobuf(25,bytes,opt) + + // Specifies the DNS parameters of a pod. + // Parameters specified here will be merged to the generated DNS + // configuration based on DNSPolicy. 
+ // +optional + dnsConfig?: null | #PodDNSConfig @go(DNSConfig,*PodDNSConfig) @protobuf(26,bytes,opt) + + // If specified, all readiness gates will be evaluated for pod readiness. + // A pod is ready when all its containers are ready AND + // all conditions specified in the readiness gates have status equal to "True" + // More info: https://git.k8s.io/enhancements/keps/sig-network/580-pod-readiness-gates + // +optional + readinessGates?: [...#PodReadinessGate] @go(ReadinessGates,[]PodReadinessGate) @protobuf(28,bytes,opt) + + // RuntimeClassName refers to a RuntimeClass object in the node.k8s.io group, which should be used + // to run this pod. If no RuntimeClass resource matches the named class, the pod will not be run. + // If unset or empty, the "legacy" RuntimeClass will be used, which is an implicit class with an + // empty definition that uses the default runtime handler. + // More info: https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class + // +optional + runtimeClassName?: null | string @go(RuntimeClassName,*string) @protobuf(29,bytes,opt) + + // EnableServiceLinks indicates whether information about services should be injected into pod's + // environment variables, matching the syntax of Docker links. + // Optional: Defaults to true. + // +optional + enableServiceLinks?: null | bool @go(EnableServiceLinks,*bool) @protobuf(30,varint,opt) + + // PreemptionPolicy is the Policy for preempting pods with lower priority. + // One of Never, PreemptLowerPriority. + // Defaults to PreemptLowerPriority if unset. + // +optional + preemptionPolicy?: null | #PreemptionPolicy @go(PreemptionPolicy,*PreemptionPolicy) @protobuf(31,bytes,opt) + + // Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. + // This field will be autopopulated at admission time by the RuntimeClass admission controller. If + // the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests. 
+ // The RuntimeClass admission controller will reject Pod create requests which have the overhead already + // set. If RuntimeClass is configured and selected in the PodSpec, Overhead will be set to the value + // defined in the corresponding RuntimeClass, otherwise it will remain unset and treated as zero. + // More info: https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md + // +optional + overhead?: #ResourceList @go(Overhead) @protobuf(32,bytes,opt) + + // TopologySpreadConstraints describes how a group of pods ought to spread across topology + // domains. Scheduler will schedule pods in a way which abides by the constraints. + // All topologySpreadConstraints are ANDed. + // +optional + // +patchMergeKey=topologyKey + // +patchStrategy=merge + // +listType=map + // +listMapKey=topologyKey + // +listMapKey=whenUnsatisfiable + topologySpreadConstraints?: [...#TopologySpreadConstraint] @go(TopologySpreadConstraints,[]TopologySpreadConstraint) @protobuf(33,bytes,opt) + + // If true the pod's hostname will be configured as the pod's FQDN, rather than the leaf name (the default). + // In Linux containers, this means setting the FQDN in the hostname field of the kernel (the nodename field of struct utsname). + // In Windows containers, this means setting the registry value of hostname for the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters to FQDN. + // If a pod does not have FQDN, this has no effect. + // Default to false. + // +optional + setHostnameAsFQDN?: null | bool @go(SetHostnameAsFQDN,*bool) @protobuf(35,varint,opt) + + // Specifies the OS of the containers in the pod. + // Some pod and container fields are restricted if this is set. 
+ // + // If the OS field is set to linux, the following fields must be unset: + // -securityContext.windowsOptions + // + // If the OS field is set to windows, following fields must be unset: + // - spec.hostPID + // - spec.hostIPC + // - spec.hostUsers + // - spec.securityContext.seLinuxOptions + // - spec.securityContext.seccompProfile + // - spec.securityContext.fsGroup + // - spec.securityContext.fsGroupChangePolicy + // - spec.securityContext.sysctls + // - spec.shareProcessNamespace + // - spec.securityContext.runAsUser + // - spec.securityContext.runAsGroup + // - spec.securityContext.supplementalGroups + // - spec.containers[*].securityContext.seLinuxOptions + // - spec.containers[*].securityContext.seccompProfile + // - spec.containers[*].securityContext.capabilities + // - spec.containers[*].securityContext.readOnlyRootFilesystem + // - spec.containers[*].securityContext.privileged + // - spec.containers[*].securityContext.allowPrivilegeEscalation + // - spec.containers[*].securityContext.procMount + // - spec.containers[*].securityContext.runAsUser + // - spec.containers[*].securityContext.runAsGroup + // +optional + os?: null | #PodOS @go(OS,*PodOS) @protobuf(36,bytes,opt) + + // Use the host's user namespace. + // Optional: Default to true. + // If set to true or not present, the pod will be run in the host user namespace, useful + // for when the pod needs a feature only available to the host user namespace, such as + // loading a kernel module with CAP_SYS_MODULE. + // When set to false, a new userns is created for the pod. Setting false is useful for + // mitigating container breakout vulnerabilities even allowing users to run their + // containers as root without actually having root privileges on the host. + // This field is alpha-level and is only honored by servers that enable the UserNamespacesSupport feature. 
+ // +k8s:conversion-gen=false + // +optional + hostUsers?: null | bool @go(HostUsers,*bool) @protobuf(37,bytes,opt) + + // SchedulingGates is an opaque list of values that if specified will block scheduling the pod. + // If schedulingGates is not empty, the pod will stay in the SchedulingGated state and the + // scheduler will not attempt to schedule the pod. + // + // SchedulingGates can only be set at pod creation time, and be removed only afterwards. + // + // This is a beta feature enabled by the PodSchedulingReadiness feature gate. + // + // +patchMergeKey=name + // +patchStrategy=merge + // +listType=map + // +listMapKey=name + // +featureGate=PodSchedulingReadiness + // +optional + schedulingGates?: [...#PodSchedulingGate] @go(SchedulingGates,[]PodSchedulingGate) @protobuf(38,bytes,opt) + + // ResourceClaims defines which ResourceClaims must be allocated + // and reserved before the Pod is allowed to start. The resources + // will be made available to those containers which consume them + // by name. + // + // This is an alpha field and requires enabling the + // DynamicResourceAllocation feature gate. + // + // This field is immutable. + // + // +patchMergeKey=name + // +patchStrategy=merge,retainKeys + // +listType=map + // +listMapKey=name + // +featureGate=DynamicResourceAllocation + // +optional + resourceClaims?: [...#PodResourceClaim] @go(ResourceClaims,[]PodResourceClaim) @protobuf(39,bytes,rep) +} + +// PodResourceClaim references exactly one ResourceClaim through a ClaimSource. +// It adds a name to it that uniquely identifies the ResourceClaim inside the Pod. +// Containers that need access to the ResourceClaim reference it with this name. +#PodResourceClaim: { + // Name uniquely identifies this resource claim inside the pod. + // This must be a DNS_LABEL. + name: string @go(Name) @protobuf(1,bytes) + + // Source describes where to find the ResourceClaim. 
+ source?: #ClaimSource @go(Source) @protobuf(2,bytes) +} + +// ClaimSource describes a reference to a ResourceClaim. +// +// Exactly one of these fields should be set. Consumers of this type must +// treat an empty object as if it has an unknown value. +#ClaimSource: { + // ResourceClaimName is the name of a ResourceClaim object in the same + // namespace as this pod. + resourceClaimName?: null | string @go(ResourceClaimName,*string) @protobuf(1,bytes,opt) + + // ResourceClaimTemplateName is the name of a ResourceClaimTemplate + // object in the same namespace as this pod. + // + // The template will be used to create a new ResourceClaim, which will + // be bound to this pod. When this pod is deleted, the ResourceClaim + // will also be deleted. The pod name and resource name, along with a + // generated component, will be used to form a unique name for the + // ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses. + // + // This field is immutable and no changes will be made to the + // corresponding ResourceClaim by the control plane after creating the + // ResourceClaim. + resourceClaimTemplateName?: null | string @go(ResourceClaimTemplateName,*string) @protobuf(2,bytes,opt) +} + +// PodResourceClaimStatus is stored in the PodStatus for each PodResourceClaim +// which references a ResourceClaimTemplate. It stores the generated name for +// the corresponding ResourceClaim. +#PodResourceClaimStatus: { + // Name uniquely identifies this resource claim inside the pod. + // This must match the name of an entry in pod.spec.resourceClaims, + // which implies that the string must be a DNS_LABEL. + name: string @go(Name) @protobuf(1,bytes) + + // ResourceClaimName is the name of the ResourceClaim that was + // generated for the Pod in the namespace of the Pod. It this is + // unset, then generating a ResourceClaim was not necessary. The + // pod.spec.resourceClaims entry can be ignored in this case. 
+ // + // +optional + resourceClaimName?: null | string @go(ResourceClaimName,*string) @protobuf(2,bytes,opt) +} + +// OSName is the set of OS'es that can be used in OS. +#OSName: string // #enumOSName + +#enumOSName: + #Linux | + #Windows + +#Linux: #OSName & "linux" +#Windows: #OSName & "windows" + +// PodOS defines the OS parameters of a pod. +#PodOS: { + // Name is the name of the operating system. The currently supported values are linux and windows. + // Additional value may be defined in future and can be one of: + // https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration + // Clients should expect to handle additional values and treat unrecognized values in this field as os: null + name: #OSName @go(Name) @protobuf(1,bytes,opt) +} + +// PodSchedulingGate is associated to a Pod to guard its scheduling. +#PodSchedulingGate: { + // Name of the scheduling gate. + // Each scheduling gate must have a unique name field. + name: string @go(Name) @protobuf(1,bytes,opt) +} + +// +enum +#UnsatisfiableConstraintAction: string // #enumUnsatisfiableConstraintAction + +#enumUnsatisfiableConstraintAction: + #DoNotSchedule | + #ScheduleAnyway + +// DoNotSchedule instructs the scheduler not to schedule the pod +// when constraints are not satisfied. +#DoNotSchedule: #UnsatisfiableConstraintAction & "DoNotSchedule" + +// ScheduleAnyway instructs the scheduler to schedule the pod +// even if constraints are not satisfied. +#ScheduleAnyway: #UnsatisfiableConstraintAction & "ScheduleAnyway" + +// NodeInclusionPolicy defines the type of node inclusion policy +// +enum +#NodeInclusionPolicy: string // #enumNodeInclusionPolicy + +#enumNodeInclusionPolicy: + #NodeInclusionPolicyIgnore | + #NodeInclusionPolicyHonor + +// NodeInclusionPolicyIgnore means ignore this scheduling directive when calculating pod topology spread skew. 
+#NodeInclusionPolicyIgnore: #NodeInclusionPolicy & "Ignore" + +// NodeInclusionPolicyHonor means use this scheduling directive when calculating pod topology spread skew. +#NodeInclusionPolicyHonor: #NodeInclusionPolicy & "Honor" + +// TopologySpreadConstraint specifies how to spread matching pods among the given topology. +#TopologySpreadConstraint: { + // MaxSkew describes the degree to which pods may be unevenly distributed. + // When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + // between the number of matching pods in the target topology and the global minimum. + // The global minimum is the minimum number of matching pods in an eligible domain + // or zero if the number of eligible domains is less than MinDomains. + // For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + // labelSelector spread as 2/2/1: + // In this case, the global minimum is 1. + // +-------+-------+-------+ + // | zone1 | zone2 | zone3 | + // +-------+-------+-------+ + // | P P | P P | P | + // +-------+-------+-------+ + // - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + // scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + // violate MaxSkew(1). + // - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + // When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + // to topologies that satisfy it. + // It's a required field. Default value is 1 and 0 is not allowed. + maxSkew: int32 @go(MaxSkew) @protobuf(1,varint,opt) + + // TopologyKey is the key of node labels. Nodes that have a label with this key + // and identical values are considered to be in the same topology. + // We consider each as a "bucket", and try to put balanced number + // of pods into each bucket. + // We define a domain as a particular instance of a topology. 
+ // Also, we define an eligible domain as a domain whose nodes meet the requirements of + // nodeAffinityPolicy and nodeTaintsPolicy. + // e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + // And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + // It's a required field. + topologyKey: string @go(TopologyKey) @protobuf(2,bytes,opt) + + // WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + // the spread constraint. + // - DoNotSchedule (default) tells the scheduler not to schedule it. + // - ScheduleAnyway tells the scheduler to schedule the pod in any location, + // but giving higher precedence to topologies that would help reduce the + // skew. + // A constraint is considered "Unsatisfiable" for an incoming pod + // if and only if every possible node assignment for that pod would violate + // "MaxSkew" on some topology. + // For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + // labelSelector spread as 3/1/1: + // +-------+-------+-------+ + // | zone1 | zone2 | zone3 | + // +-------+-------+-------+ + // | P P P | P | P | + // +-------+-------+-------+ + // If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + // to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + // MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler + // won't make it *more* imbalanced. + // It's a required field. + whenUnsatisfiable: #UnsatisfiableConstraintAction @go(WhenUnsatisfiable) @protobuf(3,bytes,opt,casttype=UnsatisfiableConstraintAction) + + // LabelSelector is used to find matching pods. + // Pods that match this label selector are counted to determine the number of pods + // in their corresponding topology domain. 
+ // +optional + labelSelector?: null | metav1.#LabelSelector @go(LabelSelector,*metav1.LabelSelector) @protobuf(4,bytes,opt) + + // MinDomains indicates a minimum number of eligible domains. + // When the number of eligible domains with matching topology keys is less than minDomains, + // Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + // And when the number of eligible domains with matching topology keys equals or greater than minDomains, + // this value has no effect on scheduling. + // As a result, when the number of eligible domains is less than minDomains, + // scheduler won't schedule more than maxSkew Pods to those domains. + // If value is nil, the constraint behaves as if MinDomains is equal to 1. + // Valid values are integers greater than 0. + // When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + // + // For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + // labelSelector spread as 2/2/2: + // +-------+-------+-------+ + // | zone1 | zone2 | zone3 | + // +-------+-------+-------+ + // | P P | P P | P P | + // +-------+-------+-------+ + // The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + // In this situation, new pod with the same labelSelector cannot be scheduled, + // because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + // it will violate MaxSkew. + // + // This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default). + // +optional + minDomains?: null | int32 @go(MinDomains,*int32) @protobuf(5,varint,opt) + + // NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + // when calculating pod topology spread skew. Options are: + // - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + // - Ignore: nodeAffinity/nodeSelector are ignored. 
All nodes are included in the calculations. + // + // If this value is nil, the behavior is equivalent to the Honor policy. + // This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + // +optional + nodeAffinityPolicy?: null | #NodeInclusionPolicy @go(NodeAffinityPolicy,*NodeInclusionPolicy) @protobuf(6,bytes,opt) + + // NodeTaintsPolicy indicates how we will treat node taints when calculating + // pod topology spread skew. Options are: + // - Honor: nodes without taints, along with tainted nodes for which the incoming pod + // has a toleration, are included. + // - Ignore: node taints are ignored. All nodes are included. + // + // If this value is nil, the behavior is equivalent to the Ignore policy. + // This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + // +optional + nodeTaintsPolicy?: null | #NodeInclusionPolicy @go(NodeTaintsPolicy,*NodeInclusionPolicy) @protobuf(7,bytes,opt) + + // MatchLabelKeys is a set of pod label keys to select the pods over which + // spreading will be calculated. The keys are used to lookup values from the + // incoming pod labels, those key-value labels are ANDed with labelSelector + // to select the group of existing pods over which spreading will be calculated + // for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + // MatchLabelKeys cannot be set when LabelSelector isn't set. + // Keys that don't exist in the incoming pod labels will + // be ignored. A null or empty list means only match against labelSelector. + // + // This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + // +listType=atomic + // +optional + matchLabelKeys?: [...string] @go(MatchLabelKeys,[]string) @protobuf(8,bytes,opt) +} + +// The default value for enableServiceLinks attribute. 
+#DefaultEnableServiceLinks: true + +// HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the +// pod's hosts file. +#HostAlias: { + // IP address of the host file entry. + ip?: string @go(IP) @protobuf(1,bytes,opt) + + // Hostnames for the above IP address. + hostnames?: [...string] @go(Hostnames,[]string) @protobuf(2,bytes,rep) +} + +// PodFSGroupChangePolicy holds policies that will be used for applying fsGroup to a volume +// when volume is mounted. +// +enum +#PodFSGroupChangePolicy: string // #enumPodFSGroupChangePolicy + +#enumPodFSGroupChangePolicy: + #FSGroupChangeOnRootMismatch | + #FSGroupChangeAlways + +// FSGroupChangeOnRootMismatch indicates that volume's ownership and permissions will be changed +// only when permission and ownership of root directory does not match with expected +// permissions on the volume. This can help shorten the time it takes to change +// ownership and permissions of a volume. +#FSGroupChangeOnRootMismatch: #PodFSGroupChangePolicy & "OnRootMismatch" + +// FSGroupChangeAlways indicates that volume's ownership and permissions +// should always be changed whenever volume is mounted inside a Pod. This the default +// behavior. +#FSGroupChangeAlways: #PodFSGroupChangePolicy & "Always" + +// PodSecurityContext holds pod-level security attributes and common container settings. +// Some fields are also present in container.securityContext. Field values of +// container.securityContext take precedence over field values of PodSecurityContext. +#PodSecurityContext: { + // The SELinux context to be applied to all containers. + // If unspecified, the container runtime will allocate a random SELinux context for each + // container. May also be set in SecurityContext. If set in + // both SecurityContext and PodSecurityContext, the value specified in SecurityContext + // takes precedence for that container. + // Note that this field cannot be set when spec.os.name is windows. 
+ // +optional + seLinuxOptions?: null | #SELinuxOptions @go(SELinuxOptions,*SELinuxOptions) @protobuf(1,bytes,opt) + + // The Windows specific settings applied to all containers. + // If unspecified, the options within a container's SecurityContext will be used. + // If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + // Note that this field cannot be set when spec.os.name is linux. + // +optional + windowsOptions?: null | #WindowsSecurityContextOptions @go(WindowsOptions,*WindowsSecurityContextOptions) @protobuf(8,bytes,opt) + + // The UID to run the entrypoint of the container process. + // Defaults to user specified in image metadata if unspecified. + // May also be set in SecurityContext. If set in both SecurityContext and + // PodSecurityContext, the value specified in SecurityContext takes precedence + // for that container. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + runAsUser?: null | int64 @go(RunAsUser,*int64) @protobuf(2,varint,opt) + + // The GID to run the entrypoint of the container process. + // Uses runtime default if unset. + // May also be set in SecurityContext. If set in both SecurityContext and + // PodSecurityContext, the value specified in SecurityContext takes precedence + // for that container. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + runAsGroup?: null | int64 @go(RunAsGroup,*int64) @protobuf(6,varint,opt) + + // Indicates that the container must run as a non-root user. + // If true, the Kubelet will validate the image at runtime to ensure that it + // does not run as UID 0 (root) and fail to start the container if it does. + // If unset or false, no such validation will be performed. + // May also be set in SecurityContext. If set in both SecurityContext and + // PodSecurityContext, the value specified in SecurityContext takes precedence. 
+ // +optional + runAsNonRoot?: null | bool @go(RunAsNonRoot,*bool) @protobuf(3,varint,opt) + + // A list of groups applied to the first process run in each container, in addition + // to the container's primary GID, the fsGroup (if specified), and group memberships + // defined in the container image for the uid of the container process. If unspecified, + // no additional groups are added to any container. Note that group memberships + // defined in the container image for the uid of the container process are still effective, + // even if they are not included in this list. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + supplementalGroups?: [...int64] @go(SupplementalGroups,[]int64) @protobuf(4,varint,rep) + + // A special supplemental group that applies to all containers in a pod. + // Some volume types allow the Kubelet to change the ownership of that volume + // to be owned by the pod: + // + // 1. The owning GID will be the FSGroup + // 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) + // 3. The permission bits are OR'd with rw-rw---- + // + // If unset, the Kubelet will not modify the ownership and permissions of any volume. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + fsGroup?: null | int64 @go(FSGroup,*int64) @protobuf(5,varint,opt) + + // Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported + // sysctls (by the container runtime) might fail to launch. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + sysctls?: [...#Sysctl] @go(Sysctls,[]Sysctl) @protobuf(7,bytes,rep) + + // fsGroupChangePolicy defines behavior of changing ownership and permission of the volume + // before being exposed inside Pod. This field will only apply to + // volume types which support fsGroup based ownership(and permissions). 
+ // It will have no effect on ephemeral volume types such as: secret, configmaps + // and emptydir. + // Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + fsGroupChangePolicy?: null | #PodFSGroupChangePolicy @go(FSGroupChangePolicy,*PodFSGroupChangePolicy) @protobuf(9,bytes,opt) + + // The seccomp options to use by the containers in this pod. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + seccompProfile?: null | #SeccompProfile @go(SeccompProfile,*SeccompProfile) @protobuf(10,bytes,opt) +} + +// SeccompProfile defines a pod/container's seccomp profile settings. +// Only one profile source may be set. +// +union +#SeccompProfile: { + // type indicates which kind of seccomp profile will be applied. + // Valid options are: + // + // Localhost - a profile defined in a file on the node should be used. + // RuntimeDefault - the container runtime default profile should be used. + // Unconfined - no profile should be applied. + // +unionDiscriminator + type: #SeccompProfileType @go(Type) @protobuf(1,bytes,opt,casttype=SeccompProfileType) + + // localhostProfile indicates a profile defined in a file on the node should be used. + // The profile must be preconfigured on the node to work. + // Must be a descending path, relative to the kubelet's configured seccomp profile location. + // Must be set if type is "Localhost". Must NOT be set for any other type. + // +optional + localhostProfile?: null | string @go(LocalhostProfile,*string) @protobuf(2,bytes,opt) +} + +// SeccompProfileType defines the supported seccomp profile types. +// +enum +#SeccompProfileType: string // #enumSeccompProfileType + +#enumSeccompProfileType: + #SeccompProfileTypeUnconfined | + #SeccompProfileTypeRuntimeDefault | + #SeccompProfileTypeLocalhost + +// SeccompProfileTypeUnconfined indicates no seccomp profile is applied (A.K.A. unconfined). 
+#SeccompProfileTypeUnconfined: #SeccompProfileType & "Unconfined" + +// SeccompProfileTypeRuntimeDefault represents the default container runtime seccomp profile. +#SeccompProfileTypeRuntimeDefault: #SeccompProfileType & "RuntimeDefault" + +// SeccompProfileTypeLocalhost indicates a profile defined in a file on the node should be used. +// The file's location relative to /seccomp. +#SeccompProfileTypeLocalhost: #SeccompProfileType & "Localhost" + +// PodQOSClass defines the supported qos classes of Pods. +// +enum +#PodQOSClass: string // #enumPodQOSClass + +#enumPodQOSClass: + #PodQOSGuaranteed | + #PodQOSBurstable | + #PodQOSBestEffort + +// PodQOSGuaranteed is the Guaranteed qos class. +#PodQOSGuaranteed: #PodQOSClass & "Guaranteed" + +// PodQOSBurstable is the Burstable qos class. +#PodQOSBurstable: #PodQOSClass & "Burstable" + +// PodQOSBestEffort is the BestEffort qos class. +#PodQOSBestEffort: #PodQOSClass & "BestEffort" + +// PodDNSConfig defines the DNS parameters of a pod in addition to +// those generated from DNSPolicy. +#PodDNSConfig: { + // A list of DNS name server IP addresses. + // This will be appended to the base nameservers generated from DNSPolicy. + // Duplicated nameservers will be removed. + // +optional + nameservers?: [...string] @go(Nameservers,[]string) @protobuf(1,bytes,rep) + + // A list of DNS search domains for host-name lookup. + // This will be appended to the base search paths generated from DNSPolicy. + // Duplicated search paths will be removed. + // +optional + searches?: [...string] @go(Searches,[]string) @protobuf(2,bytes,rep) + + // A list of DNS resolver options. + // This will be merged with the base options generated from DNSPolicy. + // Duplicated entries will be removed. Resolution options given in Options + // will override those that appear in the base DNSPolicy. 
+ // +optional + options?: [...#PodDNSConfigOption] @go(Options,[]PodDNSConfigOption) @protobuf(3,bytes,rep) +} + +// PodDNSConfigOption defines DNS resolver options of a pod. +#PodDNSConfigOption: { + // Required. + name?: string @go(Name) @protobuf(1,bytes,opt) + + // +optional + value?: null | string @go(Value,*string) @protobuf(2,bytes,opt) +} + +// PodIP represents a single IP address allocated to the pod. +#PodIP: { + // IP is the IP address assigned to the pod + ip?: string @go(IP) @protobuf(1,bytes,opt) +} + +// HostIP represents a single IP address allocated to the host. +#HostIP: { + // IP is the IP address assigned to the host + ip?: string @go(IP) @protobuf(1,bytes,opt) +} + +// EphemeralContainerCommon is a copy of all fields in Container to be inlined in +// EphemeralContainer. This separate type allows easy conversion from EphemeralContainer +// to Container and allows separate documentation for the fields of EphemeralContainer. +// When a new field is added to Container it must be added here as well. +#EphemeralContainerCommon: { + // Name of the ephemeral container specified as a DNS_LABEL. + // This name must be unique among all containers, init containers and ephemeral containers. + name: string @go(Name) @protobuf(1,bytes,opt) + + // Container image name. + // More info: https://kubernetes.io/docs/concepts/containers/images + image?: string @go(Image) @protobuf(2,bytes,opt) + + // Entrypoint array. Not executed within a shell. + // The image's ENTRYPOINT is used if this is not provided. + // Variable references $(VAR_NAME) are expanded using the container's environment. If a variable + // cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + // to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + // produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + // of whether the variable exists or not. Cannot be updated. 
+ // More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + // +optional + command?: [...string] @go(Command,[]string) @protobuf(3,bytes,rep) + + // Arguments to the entrypoint. + // The image's CMD is used if this is not provided. + // Variable references $(VAR_NAME) are expanded using the container's environment. If a variable + // cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + // to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + // produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + // of whether the variable exists or not. Cannot be updated. + // More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + // +optional + args?: [...string] @go(Args,[]string) @protobuf(4,bytes,rep) + + // Container's working directory. + // If not specified, the container runtime's default will be used, which + // might be configured in the container image. + // Cannot be updated. + // +optional + workingDir?: string @go(WorkingDir) @protobuf(5,bytes,opt) + + // Ports are not allowed for ephemeral containers. + // +optional + // +patchMergeKey=containerPort + // +patchStrategy=merge + // +listType=map + // +listMapKey=containerPort + // +listMapKey=protocol + ports?: [...#ContainerPort] @go(Ports,[]ContainerPort) @protobuf(6,bytes,rep) + + // List of sources to populate environment variables in the container. + // The keys defined within a source must be a C_IDENTIFIER. All invalid keys + // will be reported as an event when the container is starting. When a key exists in multiple + // sources, the value associated with the last source will take precedence. + // Values defined by an Env with a duplicate key will take precedence. + // Cannot be updated. 
+ // +optional + envFrom?: [...#EnvFromSource] @go(EnvFrom,[]EnvFromSource) @protobuf(19,bytes,rep) + + // List of environment variables to set in the container. + // Cannot be updated. + // +optional + // +patchMergeKey=name + // +patchStrategy=merge + env?: [...#EnvVar] @go(Env,[]EnvVar) @protobuf(7,bytes,rep) + + // Resources are not allowed for ephemeral containers. Ephemeral containers use spare resources + // already allocated to the pod. + // +optional + resources?: #ResourceRequirements @go(Resources) @protobuf(8,bytes,opt) + + // Resources resize policy for the container. + // +featureGate=InPlacePodVerticalScaling + // +optional + // +listType=atomic + resizePolicy?: [...#ContainerResizePolicy] @go(ResizePolicy,[]ContainerResizePolicy) @protobuf(23,bytes,rep) + + // Restart policy for the container to manage the restart behavior of each + // container within a pod. + // This may only be set for init containers. You cannot set this field on + // ephemeral containers. + // +featureGate=SidecarContainers + // +optional + restartPolicy?: null | #ContainerRestartPolicy @go(RestartPolicy,*ContainerRestartPolicy) @protobuf(24,bytes,opt,casttype=ContainerRestartPolicy) + + // Pod volumes to mount into the container's filesystem. Subpath mounts are not allowed for ephemeral containers. + // Cannot be updated. + // +optional + // +patchMergeKey=mountPath + // +patchStrategy=merge + volumeMounts?: [...#VolumeMount] @go(VolumeMounts,[]VolumeMount) @protobuf(9,bytes,rep) + + // volumeDevices is the list of block devices to be used by the container. + // +patchMergeKey=devicePath + // +patchStrategy=merge + // +optional + volumeDevices?: [...#VolumeDevice] @go(VolumeDevices,[]VolumeDevice) @protobuf(21,bytes,rep) + + // Probes are not allowed for ephemeral containers. + // +optional + livenessProbe?: null | #Probe @go(LivenessProbe,*Probe) @protobuf(10,bytes,opt) + + // Probes are not allowed for ephemeral containers. 
+ // +optional + readinessProbe?: null | #Probe @go(ReadinessProbe,*Probe) @protobuf(11,bytes,opt) + + // Probes are not allowed for ephemeral containers. + // +optional + startupProbe?: null | #Probe @go(StartupProbe,*Probe) @protobuf(22,bytes,opt) + + // Lifecycle is not allowed for ephemeral containers. + // +optional + lifecycle?: null | #Lifecycle @go(Lifecycle,*Lifecycle) @protobuf(12,bytes,opt) + + // Optional: Path at which the file to which the container's termination message + // will be written is mounted into the container's filesystem. + // Message written is intended to be brief final status, such as an assertion failure message. + // Will be truncated by the node if greater than 4096 bytes. The total message length across + // all containers will be limited to 12kb. + // Defaults to /dev/termination-log. + // Cannot be updated. + // +optional + terminationMessagePath?: string @go(TerminationMessagePath) @protobuf(13,bytes,opt) + + // Indicate how the termination message should be populated. File will use the contents of + // terminationMessagePath to populate the container status message on both success and failure. + // FallbackToLogsOnError will use the last chunk of container log output if the termination + // message file is empty and the container exited with an error. + // The log output is limited to 2048 bytes or 80 lines, whichever is smaller. + // Defaults to File. + // Cannot be updated. + // +optional + terminationMessagePolicy?: #TerminationMessagePolicy @go(TerminationMessagePolicy) @protobuf(20,bytes,opt,casttype=TerminationMessagePolicy) + + // Image pull policy. + // One of Always, Never, IfNotPresent. + // Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + // Cannot be updated. 
+ // More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + // +optional + imagePullPolicy?: #PullPolicy @go(ImagePullPolicy) @protobuf(14,bytes,opt,casttype=PullPolicy) + + // Optional: SecurityContext defines the security options the ephemeral container should be run with. + // If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. + // +optional + securityContext?: null | #SecurityContext @go(SecurityContext,*SecurityContext) @protobuf(15,bytes,opt) + + // Whether this container should allocate a buffer for stdin in the container runtime. If this + // is not set, reads from stdin in the container will always result in EOF. + // Default is false. + // +optional + stdin?: bool @go(Stdin) @protobuf(16,varint,opt) + + // Whether the container runtime should close the stdin channel after it has been opened by + // a single attach. When stdin is true the stdin stream will remain open across multiple attach + // sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the + // first client attaches to stdin, and then remains open and accepts data until the client disconnects, + // at which time stdin is closed and remains closed until the container is restarted. If this + // flag is false, a container processes that reads from stdin will never receive an EOF. + // Default is false + // +optional + stdinOnce?: bool @go(StdinOnce) @protobuf(17,varint,opt) + + // Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. + // Default is false. + // +optional + tty?: bool @go(TTY) @protobuf(18,varint,opt) +} + +// An EphemeralContainer is a temporary container that you may add to an existing Pod for +// user-initiated activities such as debugging. Ephemeral containers have no resource or +// scheduling guarantees, and they will not be restarted when they exit or when a Pod is +// removed or restarted. 
The kubelet may evict a Pod if an ephemeral container causes the +// Pod to exceed its resource allocation. +// +// To add an ephemeral container, use the ephemeralcontainers subresource of an existing +// Pod. Ephemeral containers may not be removed or restarted. +#EphemeralContainer: { + #EphemeralContainerCommon + + // If set, the name of the container from PodSpec that this ephemeral container targets. + // The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container. + // If not set then the ephemeral container uses the namespaces configured in the Pod spec. + // + // The container runtime must implement support for this feature. If the runtime does not + // support namespace targeting then the result of setting this field is undefined. + // +optional + targetContainerName?: string @go(TargetContainerName) @protobuf(2,bytes,opt) +} + +// PodStatus represents information about the status of a pod. Status may trail the actual +// state of a system, especially if the node that hosts the pod cannot contact the control +// plane. +#PodStatus: { + // The phase of a Pod is a simple, high-level summary of where the Pod is in its lifecycle. + // The conditions array, the reason and message fields, and the individual container status + // arrays contain more detail about the pod's status. + // There are five possible phase values: + // + // Pending: The pod has been accepted by the Kubernetes system, but one or more of the + // container images has not been created. This includes time before being scheduled as + // well as time spent downloading images over the network, which could take a while. + // Running: The pod has been bound to a node, and all of the containers have been created. + // At least one container is still running, or is in the process of starting or restarting. + // Succeeded: All containers in the pod have terminated in success, and will not be restarted. 
+ // Failed: All containers in the pod have terminated, and at least one container has + // terminated in failure. The container either exited with non-zero status or was terminated + // by the system. + // Unknown: For some reason the state of the pod could not be obtained, typically due to an + // error in communicating with the host of the pod. + // + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-phase + // +optional + phase?: #PodPhase @go(Phase) @protobuf(1,bytes,opt,casttype=PodPhase) + + // Current service state of pod. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#PodCondition] @go(Conditions,[]PodCondition) @protobuf(2,bytes,rep) + + // A human readable message indicating details about why the pod is in this condition. + // +optional + message?: string @go(Message) @protobuf(3,bytes,opt) + + // A brief CamelCase message indicating details about why the pod is in this state. + // e.g. 'Evicted' + // +optional + reason?: string @go(Reason) @protobuf(4,bytes,opt) + + // nominatedNodeName is set only when this pod preempts other pods on the node, but it cannot be + // scheduled right away as preemption victims receive their graceful termination periods. + // This field does not guarantee that the pod will be scheduled on this node. Scheduler may decide + // to place the pod elsewhere if other nodes become available sooner. Scheduler may also decide to + // give the resources on this node to a higher priority pod that is created after preemption. + // As a result, this field may be different than PodSpec.nodeName when the pod is + // scheduled. + // +optional + nominatedNodeName?: string @go(NominatedNodeName) @protobuf(11,bytes,opt) + + // hostIP holds the IP address of the host to which the pod is assigned. Empty if the pod has not started yet. 
+ // A pod can be assigned to a node that has a problem in kubelet which in turns mean that HostIP will + // not be updated even if there is a node is assigned to pod + // +optional + hostIP?: string @go(HostIP) @protobuf(5,bytes,opt) + + // hostIPs holds the IP addresses allocated to the host. If this field is specified, the first entry must + // match the hostIP field. This list is empty if the pod has not started yet. + // A pod can be assigned to a node that has a problem in kubelet which in turns means that HostIPs will + // not be updated even if there is a node is assigned to this pod. + // +optional + // +patchStrategy=merge + // +patchMergeKey=ip + // +listType=atomic + hostIPs?: [...#HostIP] @go(HostIPs,[]HostIP) @protobuf(16,bytes,rep) + + // podIP address allocated to the pod. Routable at least within the cluster. + // Empty if not yet allocated. + // +optional + podIP?: string @go(PodIP) @protobuf(6,bytes,opt) + + // podIPs holds the IP addresses allocated to the pod. If this field is specified, the 0th entry must + // match the podIP field. Pods may be allocated at most 1 value for each of IPv4 and IPv6. This list + // is empty if no IPs have been allocated yet. + // +optional + // +patchStrategy=merge + // +patchMergeKey=ip + podIPs?: [...#PodIP] @go(PodIPs,[]PodIP) @protobuf(12,bytes,rep) + + // RFC 3339 date and time at which the object was acknowledged by the Kubelet. + // This is before the Kubelet pulled the container image(s) for the pod. + // +optional + startTime?: null | metav1.#Time @go(StartTime,*metav1.Time) @protobuf(7,bytes,opt) + + // The list has one entry per init container in the manifest. The most recent successful + // init container will have ready = true, the most recently started container will have + // startTime set. 
+ // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status + initContainerStatuses?: [...#ContainerStatus] @go(InitContainerStatuses,[]ContainerStatus) @protobuf(10,bytes,rep) + + // The list has one entry per container in the manifest. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status + // +optional + containerStatuses?: [...#ContainerStatus] @go(ContainerStatuses,[]ContainerStatus) @protobuf(8,bytes,rep) + + // The Quality of Service (QOS) classification assigned to the pod based on resource requirements + // See PodQOSClass type for available QOS classes + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-qos/#quality-of-service-classes + // +optional + qosClass?: #PodQOSClass @go(QOSClass) @protobuf(9,bytes,rep) + + // Status for any ephemeral containers that have run in this pod. + // +optional + ephemeralContainerStatuses?: [...#ContainerStatus] @go(EphemeralContainerStatuses,[]ContainerStatus) @protobuf(13,bytes,rep) + + // Status of resources resize desired for pod's containers. + // It is empty if no resources resize is pending. + // Any changes to container resources will automatically set this to "Proposed" + // +featureGate=InPlacePodVerticalScaling + // +optional + resize?: #PodResizeStatus @go(Resize) @protobuf(14,bytes,opt,casttype=PodResizeStatus) + + // Status of resource claims. + // +patchMergeKey=name + // +patchStrategy=merge,retainKeys + // +listType=map + // +listMapKey=name + // +featureGate=DynamicResourceAllocation + // +optional + resourceClaimStatuses?: [...#PodResourceClaimStatus] @go(ResourceClaimStatuses,[]PodResourceClaimStatus) @protobuf(15,bytes,rep) +} + +// PodStatusResult is a wrapper for PodStatus returned by kubelet that can be encode/decoded +#PodStatusResult: { + metav1.#TypeMeta + + // Standard object's metadata. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Most recently observed status of the pod. + // This data may not be up to date. + // Populated by the system. + // Read-only. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #PodStatus @go(Status) @protobuf(2,bytes,opt) +} + +// Pod is a collection of containers that can run on a host. This resource is created +// by clients and scheduled onto hosts. +#Pod: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Specification of the desired behavior of the pod. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #PodSpec @go(Spec) @protobuf(2,bytes,opt) + + // Most recently observed status of the pod. + // This data may not be up to date. + // Populated by the system. + // Read-only. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #PodStatus @go(Status) @protobuf(3,bytes,opt) +} + +// PodList is a list of Pods. +#PodList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of pods. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md + items: [...#Pod] @go(Items,[]Pod) @protobuf(2,bytes,rep) +} + +// PodTemplateSpec describes the data a pod should have when created from a template +#PodTemplateSpec: { + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Specification of the desired behavior of the pod. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #PodSpec @go(Spec) @protobuf(2,bytes,opt) +} + +// PodTemplate describes a template for creating copies of a predefined pod. +#PodTemplate: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Template defines the pods that will be created from this pod template. + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + template?: #PodTemplateSpec @go(Template) @protobuf(2,bytes,opt) +} + +// PodTemplateList is a list of PodTemplates. +#PodTemplateList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of pod templates + items: [...#PodTemplate] @go(Items,[]PodTemplate) @protobuf(2,bytes,rep) +} + +// ReplicationControllerSpec is the specification of a replication controller. +#ReplicationControllerSpec: { + // Replicas is the number of desired replicas. 
+ // This is a pointer to distinguish between explicit zero and unspecified. + // Defaults to 1. + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#what-is-a-replicationcontroller + // +optional + replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt) + + // Minimum number of seconds for which a newly created pod should be ready + // without any of its container crashing, for it to be considered available. + // Defaults to 0 (pod will be considered available as soon as it is ready) + // +optional + minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(4,varint,opt) + + // Selector is a label query over pods that should match the Replicas count. + // If Selector is empty, it is defaulted to the labels present on the Pod template. + // Label keys and values that must match in order to be controlled by this replication + // controller, if empty defaulted to labels on Pod template. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors + // +optional + // +mapType=atomic + selector?: {[string]: string} @go(Selector,map[string]string) @protobuf(2,bytes,rep) + + // Template is the object that describes the pod that will be created if + // insufficient replicas are detected. This takes precedence over a TemplateRef. + // The only allowed template.spec.restartPolicy value is "Always". + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template + // +optional + template?: null | #PodTemplateSpec @go(Template,*PodTemplateSpec) @protobuf(3,bytes,opt) +} + +// ReplicationControllerStatus represents the current status of a replication +// controller. +#ReplicationControllerStatus: { + // Replicas is the most recently observed number of replicas. 
+ // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#what-is-a-replicationcontroller + replicas: int32 @go(Replicas) @protobuf(1,varint,opt) + + // The number of pods that have labels matching the labels of the pod template of the replication controller. + // +optional + fullyLabeledReplicas?: int32 @go(FullyLabeledReplicas) @protobuf(2,varint,opt) + + // The number of ready replicas for this replication controller. + // +optional + readyReplicas?: int32 @go(ReadyReplicas) @protobuf(4,varint,opt) + + // The number of available replicas (ready for at least minReadySeconds) for this replication controller. + // +optional + availableReplicas?: int32 @go(AvailableReplicas) @protobuf(5,varint,opt) + + // ObservedGeneration reflects the generation of the most recently observed replication controller. + // +optional + observedGeneration?: int64 @go(ObservedGeneration) @protobuf(3,varint,opt) + + // Represents the latest available observations of a replication controller's current state. + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#ReplicationControllerCondition] @go(Conditions,[]ReplicationControllerCondition) @protobuf(6,bytes,rep) +} + +#ReplicationControllerConditionType: string // #enumReplicationControllerConditionType + +#enumReplicationControllerConditionType: + #ReplicationControllerReplicaFailure + +// ReplicationControllerReplicaFailure is added in a replication controller when one of its pods +// fails to be created due to insufficient quota, limit ranges, pod security policy, node selectors, +// etc. or deleted due to kubelet being down or finalizers are failing. +#ReplicationControllerReplicaFailure: #ReplicationControllerConditionType & "ReplicaFailure" + +// ReplicationControllerCondition describes the state of a replication controller at a certain point. +#ReplicationControllerCondition: { + // Type of replication controller condition. 
+ type: #ReplicationControllerConditionType @go(Type) @protobuf(1,bytes,opt,casttype=ReplicationControllerConditionType) + + // Status of the condition, one of True, False, Unknown. + status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus) + + // The last time the condition transitioned from one status to another. + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt) + + // The reason for the condition's last transition. + // +optional + reason?: string @go(Reason) @protobuf(4,bytes,opt) + + // A human readable message indicating details about the transition. + // +optional + message?: string @go(Message) @protobuf(5,bytes,opt) +} + +// ReplicationController represents the configuration of a replication controller. +#ReplicationController: { + metav1.#TypeMeta + + // If the Labels of a ReplicationController are empty, they are defaulted to + // be the same as the Pod(s) that the replication controller manages. + // Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec defines the specification of the desired behavior of the replication controller. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #ReplicationControllerSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status is the most recently observed status of the replication controller. + // This data may be out of date by some window of time. + // Populated by the system. + // Read-only. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #ReplicationControllerStatus @go(Status) @protobuf(3,bytes,opt) +} + +// ReplicationControllerList is a collection of replication controllers. 
+#ReplicationControllerList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of replication controllers. + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller + items: [...#ReplicationController] @go(Items,[]ReplicationController) @protobuf(2,bytes,rep) +} + +// Session Affinity Type string +// +enum +#ServiceAffinity: string // #enumServiceAffinity + +#enumServiceAffinity: + #ServiceAffinityClientIP | + #ServiceAffinityNone + +// ServiceAffinityClientIP is the Client IP based. +#ServiceAffinityClientIP: #ServiceAffinity & "ClientIP" + +// ServiceAffinityNone - no session affinity. +#ServiceAffinityNone: #ServiceAffinity & "None" + +#DefaultClientIPServiceAffinitySeconds: int32 & 10800 + +// SessionAffinityConfig represents the configurations of session affinity. +#SessionAffinityConfig: { + // clientIP contains the configurations of Client IP based session affinity. + // +optional + clientIP?: null | #ClientIPConfig @go(ClientIP,*ClientIPConfig) @protobuf(1,bytes,opt) +} + +// ClientIPConfig represents the configurations of Client IP based session affinity. +#ClientIPConfig: { + // timeoutSeconds specifies the seconds of ClientIP type session sticky time. + // The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + // Default value is 10800(for 3 hours). 
+ // +optional + timeoutSeconds?: null | int32 @go(TimeoutSeconds,*int32) @protobuf(1,varint,opt) +} + +// Service Type string describes ingress methods for a service +// +enum +#ServiceType: string // #enumServiceType + +#enumServiceType: + #ServiceTypeClusterIP | + #ServiceTypeNodePort | + #ServiceTypeLoadBalancer | + #ServiceTypeExternalName + +// ServiceTypeClusterIP means a service will only be accessible inside the +// cluster, via the cluster IP. +#ServiceTypeClusterIP: #ServiceType & "ClusterIP" + +// ServiceTypeNodePort means a service will be exposed on one port of +// every node, in addition to 'ClusterIP' type. +#ServiceTypeNodePort: #ServiceType & "NodePort" + +// ServiceTypeLoadBalancer means a service will be exposed via an +// external load balancer (if the cloud provider supports it), in addition +// to 'NodePort' type. +#ServiceTypeLoadBalancer: #ServiceType & "LoadBalancer" + +// ServiceTypeExternalName means a service consists of only a reference to +// an external name that kubedns or equivalent will return as a CNAME +// record, with no exposing or proxying of any pods involved. +#ServiceTypeExternalName: #ServiceType & "ExternalName" + +// ServiceInternalTrafficPolicy describes how nodes distribute service traffic they +// receive on the ClusterIP. +// +enum +#ServiceInternalTrafficPolicy: string // #enumServiceInternalTrafficPolicy + +#enumServiceInternalTrafficPolicy: + #ServiceInternalTrafficPolicyCluster | + #ServiceInternalTrafficPolicyLocal + +// ServiceInternalTrafficPolicyCluster routes traffic to all endpoints. +#ServiceInternalTrafficPolicyCluster: #ServiceInternalTrafficPolicy & "Cluster" + +// ServiceInternalTrafficPolicyLocal routes traffic only to endpoints on the same +// node as the client pod (dropping the traffic if there are no local endpoints). 
+#ServiceInternalTrafficPolicyLocal: #ServiceInternalTrafficPolicy & "Local" + +// for backwards compat +// +enum +#ServiceInternalTrafficPolicyType: #ServiceInternalTrafficPolicy // #enumServiceInternalTrafficPolicyType + +#enumServiceInternalTrafficPolicyType: + #ServiceInternalTrafficPolicyCluster | + #ServiceInternalTrafficPolicyLocal + +// ServiceExternalTrafficPolicy describes how nodes distribute service traffic they +// receive on one of the Service's "externally-facing" addresses (NodePorts, ExternalIPs, +// and LoadBalancer IPs. +// +enum +#ServiceExternalTrafficPolicy: string // #enumServiceExternalTrafficPolicy + +#enumServiceExternalTrafficPolicy: + #ServiceExternalTrafficPolicyCluster | + #ServiceExternalTrafficPolicyLocal | + #ServiceExternalTrafficPolicyTypeLocal | + #ServiceExternalTrafficPolicyTypeCluster + +// ServiceExternalTrafficPolicyCluster routes traffic to all endpoints. +#ServiceExternalTrafficPolicyCluster: #ServiceExternalTrafficPolicy & "Cluster" + +// ServiceExternalTrafficPolicyLocal preserves the source IP of the traffic by +// routing only to endpoints on the same node as the traffic was received on +// (dropping the traffic if there are no local endpoints). +#ServiceExternalTrafficPolicyLocal: #ServiceExternalTrafficPolicy & "Local" + +// for backwards compat +// +enum +#ServiceExternalTrafficPolicyType: #ServiceExternalTrafficPolicy // #enumServiceExternalTrafficPolicyType + +#enumServiceExternalTrafficPolicyType: + #ServiceExternalTrafficPolicyCluster | + #ServiceExternalTrafficPolicyLocal | + #ServiceExternalTrafficPolicyTypeLocal | + #ServiceExternalTrafficPolicyTypeCluster + +#ServiceExternalTrafficPolicyTypeLocal: #ServiceExternalTrafficPolicy & "Local" +#ServiceExternalTrafficPolicyTypeCluster: #ServiceExternalTrafficPolicy & "Cluster" + +// LoadBalancerPortsError represents the condition of the requested ports +// on the cloud load balancer instance. 
+#LoadBalancerPortsError: "LoadBalancerPortsError" + +// LoadBalancerPortsErrorReason reason in ServiceStatus condition LoadBalancerPortsError +// means the LoadBalancer was not able to be configured correctly. +#LoadBalancerPortsErrorReason: "LoadBalancerMixedProtocolNotSupported" + +// ServiceStatus represents the current status of a service. +#ServiceStatus: { + // LoadBalancer contains the current status of the load-balancer, + // if one is present. + // +optional + loadBalancer?: #LoadBalancerStatus @go(LoadBalancer) @protobuf(1,bytes,opt) + + // Current service state + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + conditions?: [...metav1.#Condition] @go(Conditions,[]metav1.Condition) @protobuf(2,bytes,rep) +} + +// LoadBalancerStatus represents the status of a load-balancer. +#LoadBalancerStatus: { + // Ingress is a list containing ingress points for the load-balancer. + // Traffic intended for the service should be sent to these ingress points. + // +optional + ingress?: [...#LoadBalancerIngress] @go(Ingress,[]LoadBalancerIngress) @protobuf(1,bytes,rep) +} + +// LoadBalancerIngress represents the status of a load-balancer ingress point: +// traffic intended for the service should be sent to an ingress point. +#LoadBalancerIngress: { + // IP is set for load-balancer ingress points that are IP based + // (typically GCE or OpenStack load-balancers) + // +optional + ip?: string @go(IP) @protobuf(1,bytes,opt) + + // Hostname is set for load-balancer ingress points that are DNS based + // (typically AWS load-balancers) + // +optional + hostname?: string @go(Hostname) @protobuf(2,bytes,opt) + + // Ports is a list of records of service ports + // If used, every port defined in the service should have an entry in it + // +listType=atomic + // +optional + ports?: [...#PortStatus] @go(Ports,[]PortStatus) @protobuf(4,bytes,rep) +} + +// IPFamily represents the IP Family (IPv4 or IPv6). 
This type is used +// to express the family of an IP expressed by a type (e.g. service.spec.ipFamilies). +// +enum +#IPFamily: string // #enumIPFamily + +#enumIPFamily: + #IPv4Protocol | + #IPv6Protocol + +// IPv4Protocol indicates that this IP is IPv4 protocol +#IPv4Protocol: #IPFamily & "IPv4" + +// IPv6Protocol indicates that this IP is IPv6 protocol +#IPv6Protocol: #IPFamily & "IPv6" + +// IPFamilyPolicy represents the dual-stack-ness requested or required by a Service +// +enum +#IPFamilyPolicy: string // #enumIPFamilyPolicy + +#enumIPFamilyPolicy: + #IPFamilyPolicySingleStack | + #IPFamilyPolicyPreferDualStack | + #IPFamilyPolicyRequireDualStack + +// IPFamilyPolicySingleStack indicates that this service is required to have a single IPFamily. +// The IPFamily assigned is based on the default IPFamily used by the cluster +// or as identified by service.spec.ipFamilies field +#IPFamilyPolicySingleStack: #IPFamilyPolicy & "SingleStack" + +// IPFamilyPolicyPreferDualStack indicates that this service prefers dual-stack when +// the cluster is configured for dual-stack. If the cluster is not configured +// for dual-stack the service will be assigned a single IPFamily. If the IPFamily is not +// set in service.spec.ipFamilies then the service will be assigned the default IPFamily +// configured on the cluster +#IPFamilyPolicyPreferDualStack: #IPFamilyPolicy & "PreferDualStack" + +// IPFamilyPolicyRequireDualStack indicates that this service requires dual-stack. Using +// IPFamilyPolicyRequireDualStack on a single stack cluster will result in validation errors. The +// IPFamilies (and their order) assigned to this service is based on service.spec.ipFamilies. If +// service.spec.ipFamilies was not provided then it will be assigned according to how they are +// configured on the cluster. 
If service.spec.ipFamilies has only one entry then the alternative +// IPFamily will be added by apiserver +#IPFamilyPolicyRequireDualStack: #IPFamilyPolicy & "RequireDualStack" + +// for backwards compat +// +enum +#IPFamilyPolicyType: #IPFamilyPolicy // #enumIPFamilyPolicyType + +#enumIPFamilyPolicyType: + #IPFamilyPolicySingleStack | + #IPFamilyPolicyPreferDualStack | + #IPFamilyPolicyRequireDualStack + +// ServiceSpec describes the attributes that a user creates on a service. +#ServiceSpec: { + // The list of ports that are exposed by this service. + // More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + // +patchMergeKey=port + // +patchStrategy=merge + // +listType=map + // +listMapKey=port + // +listMapKey=protocol + ports?: [...#ServicePort] @go(Ports,[]ServicePort) @protobuf(1,bytes,rep) + + // Route service traffic to pods with label keys and values matching this + // selector. If empty or not present, the service is assumed to have an + // external process managing its endpoints, which Kubernetes will not + // modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. + // Ignored if type is ExternalName. + // More info: https://kubernetes.io/docs/concepts/services-networking/service/ + // +optional + // +mapType=atomic + selector?: {[string]: string} @go(Selector,map[string]string) @protobuf(2,bytes,rep) + + // clusterIP is the IP address of the service and is usually assigned + // randomly. If an address is specified manually, is in-range (as per + // system configuration), and is not in use, it will be allocated to the + // service; otherwise creation of the service will fail. This field may not + // be changed through updates unless the type field is also being changed + // to ExternalName (which requires this field to be blank) or the type + // field is being changed from ExternalName (in which case this field may + // optionally be specified, as describe above). 
Valid values are "None", + // empty string (""), or a valid IP address. Setting this to "None" makes a + // "headless service" (no virtual IP), which is useful when direct endpoint + // connections are preferred and proxying is not required. Only applies to + // types ClusterIP, NodePort, and LoadBalancer. If this field is specified + // when creating a Service of type ExternalName, creation will fail. This + // field will be wiped when updating a Service to type ExternalName. + // More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + // +optional + clusterIP?: string @go(ClusterIP) @protobuf(3,bytes,opt) + + // ClusterIPs is a list of IP addresses assigned to this service, and are + // usually assigned randomly. If an address is specified manually, is + // in-range (as per system configuration), and is not in use, it will be + // allocated to the service; otherwise creation of the service will fail. + // This field may not be changed through updates unless the type field is + // also being changed to ExternalName (which requires this field to be + // empty) or the type field is being changed from ExternalName (in which + // case this field may optionally be specified, as describe above). Valid + // values are "None", empty string (""), or a valid IP address. Setting + // this to "None" makes a "headless service" (no virtual IP), which is + // useful when direct endpoint connections are preferred and proxying is + // not required. Only applies to types ClusterIP, NodePort, and + // LoadBalancer. If this field is specified when creating a Service of type + // ExternalName, creation will fail. This field will be wiped when updating + // a Service to type ExternalName. If this field is not specified, it will + // be initialized from the clusterIP field. If this field is specified, + // clients must ensure that clusterIPs[0] and clusterIP have the same + // value. 
+ // + // This field may hold a maximum of two entries (dual-stack IPs, in either order). + // These IPs must correspond to the values of the ipFamilies field. Both + // clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. + // More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + // +listType=atomic + // +optional + clusterIPs?: [...string] @go(ClusterIPs,[]string) @protobuf(18,bytes,opt) + + // type determines how the Service is exposed. Defaults to ClusterIP. Valid + // options are ExternalName, ClusterIP, NodePort, and LoadBalancer. + // "ClusterIP" allocates a cluster-internal IP address for load-balancing + // to endpoints. Endpoints are determined by the selector or if that is not + // specified, by manual construction of an Endpoints object or + // EndpointSlice objects. If clusterIP is "None", no virtual IP is + // allocated and the endpoints are published as a set of endpoints rather + // than a virtual IP. + // "NodePort" builds on ClusterIP and allocates a port on every node which + // routes to the same endpoints as the clusterIP. + // "LoadBalancer" builds on NodePort and creates an external load-balancer + // (if supported in the current cloud) which routes to the same endpoints + // as the clusterIP. + // "ExternalName" aliases this service to the specified externalName. + // Several other fields do not apply to ExternalName services. + // More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types + // +optional + type?: #ServiceType @go(Type) @protobuf(4,bytes,opt,casttype=ServiceType) + + // externalIPs is a list of IP addresses for which nodes in the cluster + // will also accept traffic for this service. These IPs are not managed by + // Kubernetes. The user is responsible for ensuring that traffic arrives + // at a node with this IP. A common example is external load-balancers + // that are not part of the Kubernetes system. 
+ // +optional + externalIPs?: [...string] @go(ExternalIPs,[]string) @protobuf(5,bytes,rep) + + // Supports "ClientIP" and "None". Used to maintain session affinity. + // Enable client IP based session affinity. + // Must be ClientIP or None. + // Defaults to None. + // More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + // +optional + sessionAffinity?: #ServiceAffinity @go(SessionAffinity) @protobuf(7,bytes,opt,casttype=ServiceAffinity) + + // Only applies to Service Type: LoadBalancer. + // This feature depends on whether the underlying cloud-provider supports specifying + // the loadBalancerIP when a load balancer is created. + // This field will be ignored if the cloud-provider does not support the feature. + // Deprecated: This field was under-specified and its meaning varies across implementations. + // Using it is non-portable and it may not support dual-stack. + // Users are encouraged to use implementation-specific annotations when available. + // +optional + loadBalancerIP?: string @go(LoadBalancerIP) @protobuf(8,bytes,opt) + + // If specified and supported by the platform, this will restrict traffic through the cloud-provider + // load-balancer will be restricted to the specified client IPs. This field will be ignored if the + // cloud-provider does not support the feature." + // More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ + // +optional + loadBalancerSourceRanges?: [...string] @go(LoadBalancerSourceRanges,[]string) @protobuf(9,bytes,opt) + + // externalName is the external reference that discovery mechanisms will + // return as an alias for this service (e.g. a DNS CNAME record). No + // proxying will be involved. Must be a lowercase RFC-1123 hostname + // (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName". 
+ // +optional + externalName?: string @go(ExternalName) @protobuf(10,bytes,opt) + + // externalTrafficPolicy describes how nodes distribute service traffic they + // receive on one of the Service's "externally-facing" addresses (NodePorts, + // ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure + // the service in a way that assumes that external load balancers will take care + // of balancing the service traffic between nodes, and so each node will deliver + // traffic only to the node-local endpoints of the service, without masquerading + // the client source IP. (Traffic mistakenly sent to a node with no endpoints will + // be dropped.) The default value, "Cluster", uses the standard behavior of + // routing to all endpoints evenly (possibly modified by topology and other + // features). Note that traffic sent to an External IP or LoadBalancer IP from + // within the cluster will always get "Cluster" semantics, but clients sending to + // a NodePort from within the cluster may need to take traffic policy into account + // when picking a node. + // +optional + externalTrafficPolicy?: #ServiceExternalTrafficPolicy @go(ExternalTrafficPolicy) @protobuf(11,bytes,opt) + + // healthCheckNodePort specifies the healthcheck nodePort for the service. + // This only applies when type is set to LoadBalancer and + // externalTrafficPolicy is set to Local. If a value is specified, is + // in-range, and is not in use, it will be used. If not specified, a value + // will be automatically allocated. External systems (e.g. load-balancers) + // can use this port to determine if a given node holds endpoints for this + // service or not. If this field is specified when creating a Service + // which does not need it, creation will fail. This field will be wiped + // when updating a Service to no longer need it (e.g. changing type). + // This field cannot be updated once set. 
+ // +optional + healthCheckNodePort?: int32 @go(HealthCheckNodePort) @protobuf(12,bytes,opt) + + // publishNotReadyAddresses indicates that any agent which deals with endpoints for this + // Service should disregard any indications of ready/not-ready. + // The primary use case for setting this field is for a StatefulSet's Headless Service to + // propagate SRV DNS records for its Pods for the purpose of peer discovery. + // The Kubernetes controllers that generate Endpoints and EndpointSlice resources for + // Services interpret this to mean that all endpoints are considered "ready" even if the + // Pods themselves are not. Agents which consume only Kubernetes generated endpoints + // through the Endpoints or EndpointSlice resources can safely assume this behavior. + // +optional + publishNotReadyAddresses?: bool @go(PublishNotReadyAddresses) @protobuf(13,varint,opt) + + // sessionAffinityConfig contains the configurations of session affinity. + // +optional + sessionAffinityConfig?: null | #SessionAffinityConfig @go(SessionAffinityConfig,*SessionAffinityConfig) @protobuf(14,bytes,opt) + + // IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this + // service. This field is usually assigned automatically based on cluster + // configuration and the ipFamilyPolicy field. If this field is specified + // manually, the requested family is available in the cluster, + // and ipFamilyPolicy allows it, it will be used; otherwise creation of + // the service will fail. This field is conditionally mutable: it allows + // for adding or removing a secondary IP family, but it does not allow + // changing the primary IP family of the Service. Valid values are "IPv4" + // and "IPv6". This field only applies to Services of types ClusterIP, + // NodePort, and LoadBalancer, and does apply to "headless" services. + // This field will be wiped when updating a Service to type ExternalName. 
+ // + // This field may hold a maximum of two entries (dual-stack families, in + // either order). These families must correspond to the values of the + // clusterIPs field, if specified. Both clusterIPs and ipFamilies are + // governed by the ipFamilyPolicy field. + // +listType=atomic + // +optional + ipFamilies?: [...#IPFamily] @go(IPFamilies,[]IPFamily) @protobuf(19,bytes,opt,casttype=IPFamily) + + // IPFamilyPolicy represents the dual-stack-ness requested or required by + // this Service. If there is no value provided, then this field will be set + // to SingleStack. Services can be "SingleStack" (a single IP family), + // "PreferDualStack" (two IP families on dual-stack configured clusters or + // a single IP family on single-stack clusters), or "RequireDualStack" + // (two IP families on dual-stack configured clusters, otherwise fail). The + // ipFamilies and clusterIPs fields depend on the value of this field. This + // field will be wiped when updating a service to type ExternalName. + // +optional + ipFamilyPolicy?: null | #IPFamilyPolicy @go(IPFamilyPolicy,*IPFamilyPolicy) @protobuf(17,bytes,opt,casttype=IPFamilyPolicy) + + // allocateLoadBalancerNodePorts defines if NodePorts will be automatically + // allocated for services with type LoadBalancer. Default is "true". It + // may be set to "false" if the cluster load-balancer does not rely on + // NodePorts. If the caller requests specific NodePorts (by specifying a + // value), those requests will be respected, regardless of this field. + // This field may only be set for services with type LoadBalancer and will + // be cleared if the type is changed to any other type. + // +optional + allocateLoadBalancerNodePorts?: null | bool @go(AllocateLoadBalancerNodePorts,*bool) @protobuf(20,bytes,opt) + + // loadBalancerClass is the class of the load balancer implementation this Service belongs to. + // If specified, the value of this field must be a label-style identifier, with an optional prefix, + // e.g. 
"internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. + // This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load + // balancer implementation is used, today this is typically done through the cloud provider integration, + // but should apply for any default implementation. If set, it is assumed that a load balancer + // implementation is watching for Services with a matching class. Any default load balancer + // implementation (e.g. cloud providers) should ignore Services that set this field. + // This field can only be set when creating or updating a Service to type 'LoadBalancer'. + // Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. + // +optional + loadBalancerClass?: null | string @go(LoadBalancerClass,*string) @protobuf(21,bytes,opt) + + // InternalTrafficPolicy describes how nodes distribute service traffic they + // receive on the ClusterIP. If set to "Local", the proxy will assume that pods + // only want to talk to endpoints of the service on the same node as the pod, + // dropping the traffic if there are no local endpoints. The default value, + // "Cluster", uses the standard behavior of routing to all endpoints evenly + // (possibly modified by topology and other features). + // +optional + internalTrafficPolicy?: null | #ServiceInternalTrafficPolicy @go(InternalTrafficPolicy,*ServiceInternalTrafficPolicy) @protobuf(22,bytes,opt) +} + +// ServicePort contains information on service's port. +#ServicePort: { + // The name of this port within the service. This must be a DNS_LABEL. + // All ports within a ServiceSpec must have unique names. When considering + // the endpoints for a Service, this must match the 'name' field in the + // EndpointPort. + // Optional if only one ServicePort is defined on this service. + // +optional + name?: string @go(Name) @protobuf(1,bytes,opt) + + // The IP protocol for this port. 
Supports "TCP", "UDP", and "SCTP". + // Default is TCP. + // +default="TCP" + // +optional + protocol?: #Protocol @go(Protocol) @protobuf(2,bytes,opt,casttype=Protocol) + + // The application protocol for this port. + // This is used as a hint for implementations to offer richer behavior for protocols that they understand. + // This field follows standard Kubernetes label syntax. + // Valid values are either: + // + // * Un-prefixed protocol names - reserved for IANA standard service names (as per + // RFC-6335 and https://www.iana.org/assignments/service-names). + // + // * Kubernetes-defined prefixed names: + // * 'kubernetes.io/h2c' - HTTP/2 over cleartext as described in https://www.rfc-editor.org/rfc/rfc7540 + // * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + // * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + // + // * Other protocols should use implementation-defined prefixed names such as + // mycompany.com/my-custom-protocol. + // +optional + appProtocol?: null | string @go(AppProtocol,*string) @protobuf(6,bytes,opt) + + // The port that will be exposed by this service. + port: int32 @go(Port) @protobuf(3,varint,opt) + + // Number or name of the port to access on the pods targeted by the service. + // Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + // If this is a string, it will be looked up as a named port in the + // target Pod's container ports. If this is not specified, the value + // of the 'port' field is used (an identity map). + // This field is ignored for services with clusterIP=None, and should be + // omitted or set equal to the 'port' field. 
+ // More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + // +optional + targetPort?: intstr.#IntOrString @go(TargetPort) @protobuf(4,bytes,opt) + + // The port on each node on which this service is exposed when type is + // NodePort or LoadBalancer. Usually assigned by the system. If a value is + // specified, in-range, and not in use it will be used, otherwise the + // operation will fail. If not specified, a port will be allocated if this + // Service requires one. If this field is specified when creating a + // Service which does not need it, creation will fail. This field will be + // wiped when updating a Service to no longer need it (e.g. changing type + // from NodePort to ClusterIP). + // More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + // +optional + nodePort?: int32 @go(NodePort) @protobuf(5,varint,opt) +} + +// Service is a named abstraction of software service (for example, mysql) consisting of local port +// (for example 3306) that the proxy listens on, and the selector that determines which pods +// will answer requests sent through the proxy. +#Service: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec defines the behavior of a service. + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #ServiceSpec @go(Spec) @protobuf(2,bytes,opt) + + // Most recently observed status of the service. + // Populated by the system. + // Read-only. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #ServiceStatus @go(Status) @protobuf(3,bytes,opt) +} + +// ClusterIPNone - do not assign a cluster IP +// no proxying required and no environment variables should be created for pods +#ClusterIPNone: "None" + +// ServiceList holds a list of services. +#ServiceList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of services + items: [...#Service] @go(Items,[]Service) @protobuf(2,bytes,rep) +} + +// ServiceAccount binds together: +// * a name, understood by users, and perhaps by peripheral systems, for an identity +// * a principal that can be authenticated and authorized +// * a set of secrets +#ServiceAccount: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Secrets is a list of the secrets in the same namespace that pods running using this ServiceAccount are allowed to use. + // Pods are only limited to this list if this service account has a "kubernetes.io/enforce-mountable-secrets" annotation set to "true". + // This field should not be used to find auto-generated service account token secrets for use outside of pods. + // Instead, tokens can be requested directly using the TokenRequest API, or service account token secrets can be manually created. 
+ // More info: https://kubernetes.io/docs/concepts/configuration/secret + // +optional + // +patchMergeKey=name + // +patchStrategy=merge + secrets?: [...#ObjectReference] @go(Secrets,[]ObjectReference) @protobuf(2,bytes,rep) + + // ImagePullSecrets is a list of references to secrets in the same namespace to use for pulling any images + // in pods that reference this ServiceAccount. ImagePullSecrets are distinct from Secrets because Secrets + // can be mounted in the pod, but ImagePullSecrets are only accessed by the kubelet. + // More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod + // +optional + imagePullSecrets?: [...#LocalObjectReference] @go(ImagePullSecrets,[]LocalObjectReference) @protobuf(3,bytes,rep) + + // AutomountServiceAccountToken indicates whether pods running as this service account should have an API token automatically mounted. + // Can be overridden at the pod level. + // +optional + automountServiceAccountToken?: null | bool @go(AutomountServiceAccountToken,*bool) @protobuf(4,varint,opt) +} + +// ServiceAccountList is a list of ServiceAccount objects +#ServiceAccountList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of ServiceAccounts. + // More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ + items: [...#ServiceAccount] @go(Items,[]ServiceAccount) @protobuf(2,bytes,rep) +} + +// Endpoints is a collection of endpoints that implement the actual service. 
Example: +// +// Name: "mysvc", +// Subsets: [ +// { +// Addresses: [{"ip": "10.10.1.1"}, {"ip": "10.10.2.2"}], +// Ports: [{"name": "a", "port": 8675}, {"name": "b", "port": 309}] +// }, +// { +// Addresses: [{"ip": "10.10.3.3"}], +// Ports: [{"name": "a", "port": 93}, {"name": "b", "port": 76}] +// }, +// ] +#Endpoints: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // The set of all endpoints is the union of all subsets. Addresses are placed into + // subsets according to the IPs they share. A single address with multiple ports, + // some of which are ready and some of which are not (because they come from + // different containers) will result in the address being displayed in different + // subsets for the different ports. No address will appear in both Addresses and + // NotReadyAddresses in the same subset. + // Sets of addresses and ports that comprise a service. + // +optional + subsets?: [...#EndpointSubset] @go(Subsets,[]EndpointSubset) @protobuf(2,bytes,rep) +} + +// EndpointSubset is a group of addresses with a common set of ports. The +// expanded set of endpoints is the Cartesian product of Addresses x Ports. +// For example, given: +// +// { +// Addresses: [{"ip": "10.10.1.1"}, {"ip": "10.10.2.2"}], +// Ports: [{"name": "a", "port": 8675}, {"name": "b", "port": 309}] +// } +// +// The resulting set of endpoints can be viewed as: +// +// a: [ 10.10.1.1:8675, 10.10.2.2:8675 ], +// b: [ 10.10.1.1:309, 10.10.2.2:309 ] +#EndpointSubset: { + // IP addresses which offer the related ports that are marked as ready. These endpoints + // should be considered safe for load balancers and clients to utilize. 
+ // +optional + addresses?: [...#EndpointAddress] @go(Addresses,[]EndpointAddress) @protobuf(1,bytes,rep) + + // IP addresses which offer the related ports but are not currently marked as ready + // because they have not yet finished starting, have recently failed a readiness check, + // or have recently failed a liveness check. + // +optional + notReadyAddresses?: [...#EndpointAddress] @go(NotReadyAddresses,[]EndpointAddress) @protobuf(2,bytes,rep) + + // Port numbers available on the related IP addresses. + // +optional + ports?: [...#EndpointPort] @go(Ports,[]EndpointPort) @protobuf(3,bytes,rep) +} + +// EndpointAddress is a tuple that describes single IP address. +// +structType=atomic +#EndpointAddress: { + // The IP of this endpoint. + // May not be loopback (127.0.0.0/8 or ::1), link-local (169.254.0.0/16 or fe80::/10), + // or link-local multicast (224.0.0.0/24 or ff02::/16). + ip: string @go(IP) @protobuf(1,bytes,opt) + + // The Hostname of this endpoint + // +optional + hostname?: string @go(Hostname) @protobuf(3,bytes,opt) + + // Optional: Node hosting this endpoint. This can be used to determine endpoints local to a node. + // +optional + nodeName?: null | string @go(NodeName,*string) @protobuf(4,bytes,opt) + + // Reference to object providing the endpoint. + // +optional + targetRef?: null | #ObjectReference @go(TargetRef,*ObjectReference) @protobuf(2,bytes,opt) +} + +// EndpointPort is a tuple that describes a single port. +// +structType=atomic +#EndpointPort: { + // The name of this port. This must match the 'name' field in the + // corresponding ServicePort. + // Must be a DNS_LABEL. + // Optional only if one port is defined. + // +optional + name?: string @go(Name) @protobuf(1,bytes,opt) + + // The port number of the endpoint. + port: int32 @go(Port) @protobuf(2,varint,opt) + + // The IP protocol for this port. + // Must be UDP, TCP, or SCTP. + // Default is TCP. 
+ // +optional + protocol?: #Protocol @go(Protocol) @protobuf(3,bytes,opt,casttype=Protocol) + + // The application protocol for this port. + // This is used as a hint for implementations to offer richer behavior for protocols that they understand. + // This field follows standard Kubernetes label syntax. + // Valid values are either: + // + // * Un-prefixed protocol names - reserved for IANA standard service names (as per + // RFC-6335 and https://www.iana.org/assignments/service-names). + // + // * Kubernetes-defined prefixed names: + // * 'kubernetes.io/h2c' - HTTP/2 over cleartext as described in https://www.rfc-editor.org/rfc/rfc7540 + // * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + // * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + // + // * Other protocols should use implementation-defined prefixed names such as + // mycompany.com/my-custom-protocol. + // +optional + appProtocol?: null | string @go(AppProtocol,*string) @protobuf(4,bytes,opt) +} + +// EndpointsList is a list of endpoints. +#EndpointsList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of endpoints. + items: [...#Endpoints] @go(Items,[]Endpoints) @protobuf(2,bytes,rep) +} + +// NodeSpec describes the attributes that a node is created with. +#NodeSpec: { + // PodCIDR represents the pod IP range assigned to the node. + // +optional + podCIDR?: string @go(PodCIDR) @protobuf(1,bytes,opt) + + // podCIDRs represents the IP ranges assigned to the node for usage by Pods on that node. If this + // field is specified, the 0th entry must match the podCIDR field. It may contain at most 1 value for + // each of IPv4 and IPv6. 
+ // +optional + // +patchStrategy=merge + podCIDRs?: [...string] @go(PodCIDRs,[]string) @protobuf(7,bytes,opt) + + // ID of the node assigned by the cloud provider in the format: :// + // +optional + providerID?: string @go(ProviderID) @protobuf(3,bytes,opt) + + // Unschedulable controls node schedulability of new pods. By default, node is schedulable. + // More info: https://kubernetes.io/docs/concepts/nodes/node/#manual-node-administration + // +optional + unschedulable?: bool @go(Unschedulable) @protobuf(4,varint,opt) + + // If specified, the node's taints. + // +optional + taints?: [...#Taint] @go(Taints,[]Taint) @protobuf(5,bytes,opt) + + // Deprecated: Previously used to specify the source of the node's configuration for the DynamicKubeletConfig feature. This feature is removed. + // +optional + configSource?: null | #NodeConfigSource @go(ConfigSource,*NodeConfigSource) @protobuf(6,bytes,opt) + + // Deprecated. Not all kubelets will set this field. Remove field after 1.13. + // see: https://issues.k8s.io/61966 + // +optional + externalID?: string @go(DoNotUseExternalID) @protobuf(2,bytes,opt) +} + +// NodeConfigSource specifies a source of node configuration. Exactly one subfield (excluding metadata) must be non-nil. +// This API is deprecated since 1.22 +#NodeConfigSource: { + // ConfigMap is a reference to a Node's ConfigMap + configMap?: null | #ConfigMapNodeConfigSource @go(ConfigMap,*ConfigMapNodeConfigSource) @protobuf(2,bytes,opt) +} + +// ConfigMapNodeConfigSource contains the information to reference a ConfigMap as a config source for the Node. +// This API is deprecated since 1.22: https://git.k8s.io/enhancements/keps/sig-node/281-dynamic-kubelet-configuration +#ConfigMapNodeConfigSource: { + // Namespace is the metadata.namespace of the referenced ConfigMap. + // This field is required in all cases. + namespace: string @go(Namespace) @protobuf(1,bytes,opt) + + // Name is the metadata.name of the referenced ConfigMap. 
+ // This field is required in all cases. + name: string @go(Name) @protobuf(2,bytes,opt) + + // UID is the metadata.UID of the referenced ConfigMap. + // This field is forbidden in Node.Spec, and required in Node.Status. + // +optional + uid?: types.#UID @go(UID) @protobuf(3,bytes,opt) + + // ResourceVersion is the metadata.ResourceVersion of the referenced ConfigMap. + // This field is forbidden in Node.Spec, and required in Node.Status. + // +optional + resourceVersion?: string @go(ResourceVersion) @protobuf(4,bytes,opt) + + // KubeletConfigKey declares which key of the referenced ConfigMap corresponds to the KubeletConfiguration structure + // This field is required in all cases. + kubeletConfigKey: string @go(KubeletConfigKey) @protobuf(5,bytes,opt) +} + +// DaemonEndpoint contains information about a single Daemon endpoint. +#DaemonEndpoint: { + // Port number of the given endpoint. + Port: int32 @protobuf(1,varint,opt) +} + +// NodeDaemonEndpoints lists ports opened by daemons running on the Node. +#NodeDaemonEndpoints: { + // Endpoint on which Kubelet is listening. + // +optional + kubeletEndpoint?: #DaemonEndpoint @go(KubeletEndpoint) @protobuf(1,bytes,opt) +} + +// NodeSystemInfo is a set of ids/uuids to uniquely identify the node. +#NodeSystemInfo: { + // MachineID reported by the node. For unique machine identification + // in the cluster this field is preferred. Learn more from man(5) + // machine-id: http://man7.org/linux/man-pages/man5/machine-id.5.html + machineID: string @go(MachineID) @protobuf(1,bytes,opt) + + // SystemUUID reported by the node. For unique machine identification + // MachineID is preferred. This field is specific to Red Hat hosts + // https://access.redhat.com/documentation/en-us/red_hat_subscription_management/1/html/rhsm/uuid + systemUUID: string @go(SystemUUID) @protobuf(2,bytes,opt) + + // Boot ID reported by the node. 
+ bootID: string @go(BootID) @protobuf(3,bytes,opt) + + // Kernel Version reported by the node from 'uname -r' (e.g. 3.16.0-0.bpo.4-amd64). + kernelVersion: string @go(KernelVersion) @protobuf(4,bytes,opt) + + // OS Image reported by the node from /etc/os-release (e.g. Debian GNU/Linux 7 (wheezy)). + osImage: string @go(OSImage) @protobuf(5,bytes,opt) + + // ContainerRuntime Version reported by the node through runtime remote API (e.g. containerd://1.4.2). + containerRuntimeVersion: string @go(ContainerRuntimeVersion) @protobuf(6,bytes,opt) + + // Kubelet Version reported by the node. + kubeletVersion: string @go(KubeletVersion) @protobuf(7,bytes,opt) + + // KubeProxy Version reported by the node. + kubeProxyVersion: string @go(KubeProxyVersion) @protobuf(8,bytes,opt) + + // The Operating System reported by the node + operatingSystem: string @go(OperatingSystem) @protobuf(9,bytes,opt) + + // The Architecture reported by the node + architecture: string @go(Architecture) @protobuf(10,bytes,opt) +} + +// NodeConfigStatus describes the status of the config assigned by Node.Spec.ConfigSource. +#NodeConfigStatus: { + // Assigned reports the checkpointed config the node will try to use. + // When Node.Spec.ConfigSource is updated, the node checkpoints the associated + // config payload to local disk, along with a record indicating intended + // config. The node refers to this record to choose its config checkpoint, and + // reports this record in Assigned. Assigned only updates in the status after + // the record has been checkpointed to disk. When the Kubelet is restarted, + // it tries to make the Assigned config the Active config by loading and + // validating the checkpointed payload identified by Assigned. + // +optional + assigned?: null | #NodeConfigSource @go(Assigned,*NodeConfigSource) @protobuf(1,bytes,opt) + + // Active reports the checkpointed config the node is actively using. 
+ // Active will represent either the current version of the Assigned config, + // or the current LastKnownGood config, depending on whether attempting to use the + // Assigned config results in an error. + // +optional + active?: null | #NodeConfigSource @go(Active,*NodeConfigSource) @protobuf(2,bytes,opt) + + // LastKnownGood reports the checkpointed config the node will fall back to + // when it encounters an error attempting to use the Assigned config. + // The Assigned config becomes the LastKnownGood config when the node determines + // that the Assigned config is stable and correct. + // This is currently implemented as a 10-minute soak period starting when the local + // record of Assigned config is updated. If the Assigned config is Active at the end + // of this period, it becomes the LastKnownGood. Note that if Spec.ConfigSource is + // reset to nil (use local defaults), the LastKnownGood is also immediately reset to nil, + // because the local default config is always assumed good. + // You should not make assumptions about the node's method of determining config stability + // and correctness, as this may change or become configurable in the future. + // +optional + lastKnownGood?: null | #NodeConfigSource @go(LastKnownGood,*NodeConfigSource) @protobuf(3,bytes,opt) + + // Error describes any problems reconciling the Spec.ConfigSource to the Active config. + // Errors may occur, for example, attempting to checkpoint Spec.ConfigSource to the local Assigned + // record, attempting to checkpoint the payload associated with Spec.ConfigSource, attempting + // to load or validate the Assigned config, etc. + // Errors may occur at different points while syncing config. Earlier errors (e.g. download or + // checkpointing errors) will not result in a rollback to LastKnownGood, and may resolve across + // Kubelet retries. Later errors (e.g. loading or validating a checkpointed config) will result in + // a rollback to LastKnownGood. 
In the latter case, it is usually possible to resolve the error + // by fixing the config assigned in Spec.ConfigSource. + // You can find additional information for debugging by searching the error message in the Kubelet log. + // Error is a human-readable description of the error state; machines can check whether or not Error + // is empty, but should not rely on the stability of the Error text across Kubelet versions. + // +optional + error?: string @go(Error) @protobuf(4,bytes,opt) +} + +// NodeStatus is information about the current status of a node. +#NodeStatus: { + // Capacity represents the total resources of a node. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacity + // +optional + capacity?: #ResourceList @go(Capacity) @protobuf(1,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // Allocatable represents the resources of a node that are available for scheduling. + // Defaults to Capacity. + // +optional + allocatable?: #ResourceList @go(Allocatable) @protobuf(2,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // NodePhase is the recently observed lifecycle phase of the node. + // More info: https://kubernetes.io/docs/concepts/nodes/node/#phase + // The field is never populated, and now is deprecated. + // +optional + phase?: #NodePhase @go(Phase) @protobuf(3,bytes,opt,casttype=NodePhase) + + // Conditions is an array of current observed node conditions. + // More info: https://kubernetes.io/docs/concepts/nodes/node/#condition + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#NodeCondition] @go(Conditions,[]NodeCondition) @protobuf(4,bytes,rep) + + // List of addresses reachable to the node. + // Queried from cloud provider, if available. + // More info: https://kubernetes.io/docs/concepts/nodes/node/#addresses + // Note: This field is declared as mergeable, but the merge key is not sufficiently + // unique, which can cause data corruption when it is merged. 
Callers should instead + // use a full-replacement patch. See https://pr.k8s.io/79391 for an example. + // Consumers should assume that addresses can change during the + // lifetime of a Node. However, there are some exceptions where this may not + // be possible, such as Pods that inherit a Node's address in its own status or + // consumers of the downward API (status.hostIP). + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + addresses?: [...#NodeAddress] @go(Addresses,[]NodeAddress) @protobuf(5,bytes,rep) + + // Endpoints of daemons running on the Node. + // +optional + daemonEndpoints?: #NodeDaemonEndpoints @go(DaemonEndpoints) @protobuf(6,bytes,opt) + + // Set of ids/uuids to uniquely identify the node. + // More info: https://kubernetes.io/docs/concepts/nodes/node/#info + // +optional + nodeInfo?: #NodeSystemInfo @go(NodeInfo) @protobuf(7,bytes,opt) + + // List of container images on this node + // +optional + images?: [...#ContainerImage] @go(Images,[]ContainerImage) @protobuf(8,bytes,rep) + + // List of attachable volumes in use (mounted) by the node. + // +optional + volumesInUse?: [...#UniqueVolumeName] @go(VolumesInUse,[]UniqueVolumeName) @protobuf(9,bytes,rep) + + // List of volumes that are attached to the node. + // +optional + volumesAttached?: [...#AttachedVolume] @go(VolumesAttached,[]AttachedVolume) @protobuf(10,bytes,rep) + + // Status of the config assigned to the node via the dynamic Kubelet config feature. + // +optional + config?: null | #NodeConfigStatus @go(Config,*NodeConfigStatus) @protobuf(11,bytes,opt) +} + +#UniqueVolumeName: string + +// AttachedVolume describes a volume attached to a node +#AttachedVolume: { + // Name of the attached volume + name: #UniqueVolumeName @go(Name) @protobuf(1,bytes,rep) + + // DevicePath represents the device path where the volume should be available + devicePath: string @go(DevicePath) @protobuf(2,bytes,rep) +} + +// AvoidPods describes pods that should avoid this node. 
This is the value for a +// Node annotation with key scheduler.alpha.kubernetes.io/preferAvoidPods and +// will eventually become a field of NodeStatus. +#AvoidPods: { + // Bounded-sized list of signatures of pods that should avoid this node, sorted + // in timestamp order from oldest to newest. Size of the slice is unspecified. + // +optional + preferAvoidPods?: [...#PreferAvoidPodsEntry] @go(PreferAvoidPods,[]PreferAvoidPodsEntry) @protobuf(1,bytes,rep) +} + +// Describes a class of pods that should avoid this node. +#PreferAvoidPodsEntry: { + // The class of pods. + podSignature: #PodSignature @go(PodSignature) @protobuf(1,bytes,opt) + + // Time at which this entry was added to the list. + // +optional + evictionTime?: metav1.#Time @go(EvictionTime) @protobuf(2,bytes,opt) + + // (brief) reason why this entry was added to the list. + // +optional + reason?: string @go(Reason) @protobuf(3,bytes,opt) + + // Human readable message indicating why this entry was added to the list. + // +optional + message?: string @go(Message) @protobuf(4,bytes,opt) +} + +// Describes the class of pods that should avoid this node. +// Exactly one field should be set. +#PodSignature: { + // Reference to controller whose pods should avoid this node. + // +optional + podController?: null | metav1.#OwnerReference @go(PodController,*metav1.OwnerReference) @protobuf(1,bytes,opt) +} + +// Describe a container image +#ContainerImage: { + // Names by which this image is known. + // e.g. ["kubernetes.example/hyperkube:v1.0.7", "cloud-vendor.registry.example/cloud-vendor/hyperkube:v1.0.7"] + // +optional + names: [...string] @go(Names,[]string) @protobuf(1,bytes,rep) + + // The size of the image in bytes. + // +optional + sizeBytes?: int64 @go(SizeBytes) @protobuf(2,varint,opt) +} + +// +enum +#NodePhase: string // #enumNodePhase + +#enumNodePhase: + #NodePending | + #NodeRunning | + #NodeTerminated + +// NodePending means the node has been created/added by the system, but not configured. 
+#NodePending: #NodePhase & "Pending" + +// NodeRunning means the node has been configured and has Kubernetes components running. +#NodeRunning: #NodePhase & "Running" + +// NodeTerminated means the node has been removed from the cluster. +#NodeTerminated: #NodePhase & "Terminated" + +#NodeConditionType: string // #enumNodeConditionType + +#enumNodeConditionType: + #NodeReady | + #NodeMemoryPressure | + #NodeDiskPressure | + #NodePIDPressure | + #NodeNetworkUnavailable + +// NodeReady means kubelet is healthy and ready to accept pods. +#NodeReady: #NodeConditionType & "Ready" + +// NodeMemoryPressure means the kubelet is under pressure due to insufficient available memory. +#NodeMemoryPressure: #NodeConditionType & "MemoryPressure" + +// NodeDiskPressure means the kubelet is under pressure due to insufficient available disk. +#NodeDiskPressure: #NodeConditionType & "DiskPressure" + +// NodePIDPressure means the kubelet is under pressure due to insufficient available PID. +#NodePIDPressure: #NodeConditionType & "PIDPressure" + +// NodeNetworkUnavailable means that network for the node is not correctly configured. +#NodeNetworkUnavailable: #NodeConditionType & "NetworkUnavailable" + +// NodeCondition contains condition information for a node. +#NodeCondition: { + // Type of node condition. + type: #NodeConditionType @go(Type) @protobuf(1,bytes,opt,casttype=NodeConditionType) + + // Status of the condition, one of True, False, Unknown. + status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus) + + // Last time we got an update on a given condition. + // +optional + lastHeartbeatTime?: metav1.#Time @go(LastHeartbeatTime) @protobuf(3,bytes,opt) + + // Last time the condition transit from one status to another. + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(4,bytes,opt) + + // (brief) reason for the condition's last transition. 
+ // +optional + reason?: string @go(Reason) @protobuf(5,bytes,opt) + + // Human readable message indicating details about last transition. + // +optional + message?: string @go(Message) @protobuf(6,bytes,opt) +} + +#NodeAddressType: string // #enumNodeAddressType + +#enumNodeAddressType: + #NodeHostName | + #NodeInternalIP | + #NodeExternalIP | + #NodeInternalDNS | + #NodeExternalDNS + +// NodeHostName identifies a name of the node. Although every node can be assumed +// to have a NodeAddress of this type, its exact syntax and semantics are not +// defined, and are not consistent between different clusters. +#NodeHostName: #NodeAddressType & "Hostname" + +// NodeInternalIP identifies an IP address which is assigned to one of the node's +// network interfaces. Every node should have at least one address of this type. +// +// An internal IP is normally expected to be reachable from every other node, but +// may not be visible to hosts outside the cluster. By default it is assumed that +// kube-apiserver can reach node internal IPs, though it is possible to configure +// clusters where this is not the case. +// +// NodeInternalIP is the default type of node IP, and does not necessarily imply +// that the IP is ONLY reachable internally. If a node has multiple internal IPs, +// no specific semantics are assigned to the additional IPs. +#NodeInternalIP: #NodeAddressType & "InternalIP" + +// NodeExternalIP identifies an IP address which is, in some way, intended to be +// more usable from outside the cluster then an internal IP, though no specific +// semantics are defined. It may be a globally routable IP, though it is not +// required to be. +// +// External IPs may be assigned directly to an interface on the node, like a +// NodeInternalIP, or alternatively, packets sent to the external IP may be NAT'ed +// to an internal node IP rather than being delivered directly (making the IP less +// efficient for node-to-node traffic than a NodeInternalIP). 
+#NodeExternalIP: #NodeAddressType & "ExternalIP" + +// NodeInternalDNS identifies a DNS name which resolves to an IP address which has +// the characteristics of a NodeInternalIP. The IP it resolves to may or may not +// be a listed NodeInternalIP address. +#NodeInternalDNS: #NodeAddressType & "InternalDNS" + +// NodeExternalDNS identifies a DNS name which resolves to an IP address which has +// the characteristics of a NodeExternalIP. The IP it resolves to may or may not +// be a listed NodeExternalIP address. +#NodeExternalDNS: #NodeAddressType & "ExternalDNS" + +// NodeAddress contains information for the node's address. +#NodeAddress: { + // Node address type, one of Hostname, ExternalIP or InternalIP. + type: #NodeAddressType @go(Type) @protobuf(1,bytes,opt,casttype=NodeAddressType) + + // The node address. + address: string @go(Address) @protobuf(2,bytes,opt) +} + +// ResourceName is the name identifying various resources in a ResourceList. +#ResourceName: string // #enumResourceName + +#enumResourceName: + #ResourceCPU | + #ResourceMemory | + #ResourceStorage | + #ResourceEphemeralStorage | + #ResourcePods | + #ResourceServices | + #ResourceReplicationControllers | + #ResourceQuotas | + #ResourceSecrets | + #ResourceConfigMaps | + #ResourcePersistentVolumeClaims | + #ResourceServicesNodePorts | + #ResourceServicesLoadBalancers | + #ResourceRequestsCPU | + #ResourceRequestsMemory | + #ResourceRequestsStorage | + #ResourceRequestsEphemeralStorage | + #ResourceLimitsCPU | + #ResourceLimitsMemory | + #ResourceLimitsEphemeralStorage + +// CPU, in cores. (500m = .5 cores) +#ResourceCPU: #ResourceName & "cpu" + +// Memory, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) +#ResourceMemory: #ResourceName & "memory" + +// Volume size, in bytes (e,g. 5Gi = 5GiB = 5 * 1024 * 1024 * 1024) +#ResourceStorage: #ResourceName & "storage" + +// Local ephemeral storage, in bytes. 
(500Gi = 500GiB = 500 * 1024 * 1024 * 1024) +// The resource name for ResourceEphemeralStorage is alpha and it can change across releases. +#ResourceEphemeralStorage: #ResourceName & "ephemeral-storage" + +// Default namespace prefix. +#ResourceDefaultNamespacePrefix: "kubernetes.io/" + +// Name prefix for huge page resources (alpha). +#ResourceHugePagesPrefix: "hugepages-" + +// Name prefix for storage resource limits +#ResourceAttachableVolumesPrefix: "attachable-volumes-" + +// ResourceList is a set of (resource name, quantity) pairs. +#ResourceList: {[string]: resource.#Quantity} + +// Node is a worker node in Kubernetes. +// Each node will have a unique identifier in the cache (i.e. in etcd). +#Node: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec defines the behavior of a node. + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #NodeSpec @go(Spec) @protobuf(2,bytes,opt) + + // Most recently observed status of the node. + // Populated by the system. + // Read-only. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #NodeStatus @go(Status) @protobuf(3,bytes,opt) +} + +// NodeList is the whole list of all Nodes which have been registered with master. +#NodeList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of nodes + items: [...#Node] @go(Items,[]Node) @protobuf(2,bytes,rep) +} + +// FinalizerName is the name identifying a finalizer during namespace lifecycle. 
+#FinalizerName: string // #enumFinalizerName + +#enumFinalizerName: + #FinalizerKubernetes + +#FinalizerKubernetes: #FinalizerName & "kubernetes" + +// NamespaceSpec describes the attributes on a Namespace. +#NamespaceSpec: { + // Finalizers is an opaque list of values that must be empty to permanently remove object from storage. + // More info: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/ + // +optional + finalizers?: [...#FinalizerName] @go(Finalizers,[]FinalizerName) @protobuf(1,bytes,rep,casttype=FinalizerName) +} + +// NamespaceStatus is information about the current status of a Namespace. +#NamespaceStatus: { + // Phase is the current lifecycle phase of the namespace. + // More info: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/ + // +optional + phase?: #NamespacePhase @go(Phase) @protobuf(1,bytes,opt,casttype=NamespacePhase) + + // Represents the latest available observations of a namespace's current state. + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#NamespaceCondition] @go(Conditions,[]NamespaceCondition) @protobuf(2,bytes,rep) +} + +// +enum +#NamespacePhase: string // #enumNamespacePhase + +#enumNamespacePhase: + #NamespaceActive | + #NamespaceTerminating + +// NamespaceActive means the namespace is available for use in the system +#NamespaceActive: #NamespacePhase & "Active" + +// NamespaceTerminating means the namespace is undergoing graceful termination +#NamespaceTerminating: #NamespacePhase & "Terminating" + +// NamespaceTerminatingCause is returned as a defaults.cause item when a change is +// forbidden due to the namespace being terminated. 
+#NamespaceTerminatingCause: metav1.#CauseType & "NamespaceTerminating" + +#NamespaceConditionType: string // #enumNamespaceConditionType + +#enumNamespaceConditionType: + #NamespaceDeletionDiscoveryFailure | + #NamespaceDeletionContentFailure | + #NamespaceDeletionGVParsingFailure | + #NamespaceContentRemaining | + #NamespaceFinalizersRemaining + +// NamespaceDeletionDiscoveryFailure contains information about namespace deleter errors during resource discovery. +#NamespaceDeletionDiscoveryFailure: #NamespaceConditionType & "NamespaceDeletionDiscoveryFailure" + +// NamespaceDeletionContentFailure contains information about namespace deleter errors during deletion of resources. +#NamespaceDeletionContentFailure: #NamespaceConditionType & "NamespaceDeletionContentFailure" + +// NamespaceDeletionGVParsingFailure contains information about namespace deleter errors parsing GV for legacy types. +#NamespaceDeletionGVParsingFailure: #NamespaceConditionType & "NamespaceDeletionGroupVersionParsingFailure" + +// NamespaceContentRemaining contains information about resources remaining in a namespace. +#NamespaceContentRemaining: #NamespaceConditionType & "NamespaceContentRemaining" + +// NamespaceFinalizersRemaining contains information about which finalizers are on resources remaining in a namespace. +#NamespaceFinalizersRemaining: #NamespaceConditionType & "NamespaceFinalizersRemaining" + +// NamespaceCondition contains details about state of namespace. +#NamespaceCondition: { + // Type of namespace controller condition. + type: #NamespaceConditionType @go(Type) @protobuf(1,bytes,opt,casttype=NamespaceConditionType) + + // Status of the condition, one of True, False, Unknown. 
+ status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus) + + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(4,bytes,opt) + + // +optional + reason?: string @go(Reason) @protobuf(5,bytes,opt) + + // +optional + message?: string @go(Message) @protobuf(6,bytes,opt) +} + +// Namespace provides a scope for Names. +// Use of multiple namespaces is optional. +#Namespace: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec defines the behavior of the Namespace. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #NamespaceSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status describes the current status of a Namespace. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #NamespaceStatus @go(Status) @protobuf(3,bytes,opt) +} + +// NamespaceList is a list of Namespaces. +#NamespaceList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is the list of Namespace objects in the list. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + items: [...#Namespace] @go(Items,[]Namespace) @protobuf(2,bytes,rep) +} + +// Binding ties one object to another; for example, a pod is bound to a node by a scheduler. +// Deprecated in 1.7, please use the bindings subresource of pods instead. +#Binding: { + metav1.#TypeMeta + + // Standard object's metadata. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // The target object that you want to bind to the standard object. + target: #ObjectReference @go(Target) @protobuf(2,bytes,opt) +} + +// Preconditions must be fulfilled before an operation (update, delete, etc.) is carried out. +// +k8s:openapi-gen=false +#Preconditions: { + // Specifies the target UID. + // +optional + uid?: null | types.#UID @go(UID,*types.UID) @protobuf(1,bytes,opt,casttype=k8s.io/apimachinery/pkg/types.UID) +} + +// PodLogOptions is the query options for a Pod's logs REST call. +#PodLogOptions: { + metav1.#TypeMeta + + // The container for which to stream logs. Defaults to only container if there is one container in the pod. + // +optional + container?: string @go(Container) @protobuf(1,bytes,opt) + + // Follow the log stream of the pod. Defaults to false. + // +optional + follow?: bool @go(Follow) @protobuf(2,varint,opt) + + // Return previous terminated container logs. Defaults to false. + // +optional + previous?: bool @go(Previous) @protobuf(3,varint,opt) + + // A relative time in seconds before the current time from which to show logs. If this value + // precedes the time a pod was started, only logs since the pod start will be returned. + // If this value is in the future, no logs will be returned. + // Only one of sinceSeconds or sinceTime may be specified. + // +optional + sinceSeconds?: null | int64 @go(SinceSeconds,*int64) @protobuf(4,varint,opt) + + // An RFC3339 timestamp from which to show logs. If this value + // precedes the time a pod was started, only logs since the pod start will be returned. + // If this value is in the future, no logs will be returned. + // Only one of sinceSeconds or sinceTime may be specified. 
+ // +optional + sinceTime?: null | metav1.#Time @go(SinceTime,*metav1.Time) @protobuf(5,bytes,opt) + + // If true, add an RFC3339 or RFC3339Nano timestamp at the beginning of every line + // of log output. Defaults to false. + // +optional + timestamps?: bool @go(Timestamps) @protobuf(6,varint,opt) + + // If set, the number of lines from the end of the logs to show. If not specified, + // logs are shown from the creation of the container or sinceSeconds or sinceTime + // +optional + tailLines?: null | int64 @go(TailLines,*int64) @protobuf(7,varint,opt) + + // If set, the number of bytes to read from the server before terminating the + // log output. This may not display a complete final line of logging, and may return + // slightly more or slightly less than the specified limit. + // +optional + limitBytes?: null | int64 @go(LimitBytes,*int64) @protobuf(8,varint,opt) + + // insecureSkipTLSVerifyBackend indicates that the apiserver should not confirm the validity of the + // serving certificate of the backend it is connecting to. This will make the HTTPS connection between the apiserver + // and the backend insecure. This means the apiserver cannot verify the log data it is receiving came from the real + // kubelet. If the kubelet is configured to verify the apiserver's TLS credentials, it does not mean the + // connection to the real kubelet is vulnerable to a man in the middle attack (e.g. an attacker could not intercept + // the actual log data coming from the real kubelet). + // +optional + insecureSkipTLSVerifyBackend?: bool @go(InsecureSkipTLSVerifyBackend) @protobuf(9,varint,opt) +} + +// PodAttachOptions is the query options to a Pod's remote attach call. 
+// --- +// TODO: merge w/ PodExecOptions below for stdin, stdout, etc +// and also when we cut V2, we should export a "StreamOptions" or somesuch that contains Stdin, Stdout, Stder and TTY +#PodAttachOptions: { + metav1.#TypeMeta + + // Stdin if true, redirects the standard input stream of the pod for this call. + // Defaults to false. + // +optional + stdin?: bool @go(Stdin) @protobuf(1,varint,opt) + + // Stdout if true indicates that stdout is to be redirected for the attach call. + // Defaults to true. + // +optional + stdout?: bool @go(Stdout) @protobuf(2,varint,opt) + + // Stderr if true indicates that stderr is to be redirected for the attach call. + // Defaults to true. + // +optional + stderr?: bool @go(Stderr) @protobuf(3,varint,opt) + + // TTY if true indicates that a tty will be allocated for the attach call. + // This is passed through the container runtime so the tty + // is allocated on the worker node by the container runtime. + // Defaults to false. + // +optional + tty?: bool @go(TTY) @protobuf(4,varint,opt) + + // The container in which to execute the command. + // Defaults to only container if there is only one container in the pod. + // +optional + container?: string @go(Container) @protobuf(5,bytes,opt) +} + +// PodExecOptions is the query options to a Pod's remote exec call. +// --- +// TODO: This is largely identical to PodAttachOptions above, make sure they stay in sync and see about merging +// and also when we cut V2, we should export a "StreamOptions" or somesuch that contains Stdin, Stdout, Stder and TTY +#PodExecOptions: { + metav1.#TypeMeta + + // Redirect the standard input stream of the pod for this call. + // Defaults to false. + // +optional + stdin?: bool @go(Stdin) @protobuf(1,varint,opt) + + // Redirect the standard output stream of the pod for this call. + // +optional + stdout?: bool @go(Stdout) @protobuf(2,varint,opt) + + // Redirect the standard error stream of the pod for this call. 
+ // +optional + stderr?: bool @go(Stderr) @protobuf(3,varint,opt) + + // TTY if true indicates that a tty will be allocated for the exec call. + // Defaults to false. + // +optional + tty?: bool @go(TTY) @protobuf(4,varint,opt) + + // Container in which to execute the command. + // Defaults to only container if there is only one container in the pod. + // +optional + container?: string @go(Container) @protobuf(5,bytes,opt) + + // Command is the remote command to execute. argv array. Not executed within a shell. + command: [...string] @go(Command,[]string) @protobuf(6,bytes,rep) +} + +// PodPortForwardOptions is the query options to a Pod's port forward call +// when using WebSockets. +// The `port` query parameter must specify the port or +// ports (comma separated) to forward over. +// Port forwarding over SPDY does not use these options. It requires the port +// to be passed in the `port` header as part of request. +#PodPortForwardOptions: { + metav1.#TypeMeta + + // List of ports to forward + // Required when using WebSockets + // +optional + ports?: [...int32] @go(Ports,[]int32) @protobuf(1,varint,rep) +} + +// PodProxyOptions is the query options to a Pod's proxy call. +#PodProxyOptions: { + metav1.#TypeMeta + + // Path is the URL path to use for the current proxy request to pod. + // +optional + path?: string @go(Path) @protobuf(1,bytes,opt) +} + +// NodeProxyOptions is the query options to a Node's proxy call. +#NodeProxyOptions: { + metav1.#TypeMeta + + // Path is the URL path to use for the current proxy request to node. + // +optional + path?: string @go(Path) @protobuf(1,bytes,opt) +} + +// ServiceProxyOptions is the query options to a Service's proxy call. +#ServiceProxyOptions: { + metav1.#TypeMeta + + // Path is the part of URLs that include service endpoints, suffixes, + // and parameters to use for the current proxy request to service. 
+ // For example, the whole request URL is + // http://localhost/api/v1/namespaces/kube-system/services/elasticsearch-logging/_search?q=user:kimchy. + // Path is _search?q=user:kimchy. + // +optional + path?: string @go(Path) @protobuf(1,bytes,opt) +} + +// ObjectReference contains enough information to let you inspect or modify the referred object. +// --- +// New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. +// 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. +// 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular +// restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". +// Those cannot be well described when embedded. +// 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. +// 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity +// during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple +// and the version of the actual struct is irrelevant. +// 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type +// will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. +// +// Instead of using this type, create a locally provided and used type that is well-focused on your reference. +// For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . 
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +structType=atomic +#ObjectReference: { + // Kind of the referent. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + kind?: string @go(Kind) @protobuf(1,bytes,opt) + + // Namespace of the referent. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + // +optional + namespace?: string @go(Namespace) @protobuf(2,bytes,opt) + + // Name of the referent. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + // +optional + name?: string @go(Name) @protobuf(3,bytes,opt) + + // UID of the referent. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + // +optional + uid?: types.#UID @go(UID) @protobuf(4,bytes,opt,casttype=k8s.io/apimachinery/pkg/types.UID) + + // API version of the referent. + // +optional + apiVersion?: string @go(APIVersion) @protobuf(5,bytes,opt) + + // Specific resourceVersion to which this reference is made, if any. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + // +optional + resourceVersion?: string @go(ResourceVersion) @protobuf(6,bytes,opt) + + // If referring to a piece of an object instead of an entire object, this string + // should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + // For example, if the object reference is to a container within a pod, this would take on a value like: + // "spec.containers{name}" (where "name" refers to the name of the container that triggered + // the event) or if no container name is specified "spec.containers[2]" (container with + // index 2 in this pod). This syntax is chosen only to have some well-defined way of + // referencing a part of an object. 
+ // TODO: this design is not final and this field is subject to change in the future. + // +optional + fieldPath?: string @go(FieldPath) @protobuf(7,bytes,opt) +} + +// LocalObjectReference contains enough information to let you locate the +// referenced object inside the same namespace. +// +structType=atomic +#LocalObjectReference: { + // Name of the referent. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + // TODO: Add other useful fields. apiVersion, kind, uid? + // +optional + name?: string @go(Name) @protobuf(1,bytes,opt) +} + +// TypedLocalObjectReference contains enough information to let you locate the +// typed referenced object inside the same namespace. +// +structType=atomic +#TypedLocalObjectReference: { + // APIGroup is the group for the resource being referenced. + // If APIGroup is not specified, the specified Kind must be in the core API group. + // For any other third-party types, APIGroup is required. + // +optional + apiGroup?: null | string @go(APIGroup,*string) @protobuf(1,bytes,opt) + + // Kind is the type of resource being referenced + kind: string @go(Kind) @protobuf(2,bytes,opt) + + // Name is the name of resource being referenced + name: string @go(Name) @protobuf(3,bytes,opt) +} + +// SerializedReference is a reference to serialized object. +#SerializedReference: { + metav1.#TypeMeta + + // The reference to an object in the system. + // +optional + reference?: #ObjectReference @go(Reference) @protobuf(1,bytes,opt) +} + +// EventSource contains information for an event. +#EventSource: { + // Component from which the event is generated. + // +optional + component?: string @go(Component) @protobuf(1,bytes,opt) + + // Node name on which the event is generated. 
+ // +optional + host?: string @go(Host) @protobuf(2,bytes,opt) +} + +// Information only and will not cause any problems +#EventTypeNormal: "Normal" + +// These events are to warn that something might go wrong +#EventTypeWarning: "Warning" + +// Event is a report of an event somewhere in the cluster. Events +// have a limited retention time and triggers and messages may evolve +// with time. Event consumers should not rely on the timing of an event +// with a given Reason reflecting a consistent underlying trigger, or the +// continued existence of events with that Reason. Events should be +// treated as informative, best-effort, supplemental data. +#Event: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + metadata: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // The object that this event is about. + involvedObject: #ObjectReference @go(InvolvedObject) @protobuf(2,bytes,opt) + + // This should be a short, machine understandable string that gives the reason + // for the transition into the object's current status. + // TODO: provide exact specification for format. + // +optional + reason?: string @go(Reason) @protobuf(3,bytes,opt) + + // A human-readable description of the status of this operation. + // TODO: decide on maximum length. + // +optional + message?: string @go(Message) @protobuf(4,bytes,opt) + + // The component reporting this event. Should be a short machine understandable string. + // +optional + source?: #EventSource @go(Source) @protobuf(5,bytes,opt) + + // The time at which the event was first recorded. (Time of server receipt is in TypeMeta.) + // +optional + firstTimestamp?: metav1.#Time @go(FirstTimestamp) @protobuf(6,bytes,opt) + + // The time at which the most recent occurrence of this event was recorded. 
+ // +optional + lastTimestamp?: metav1.#Time @go(LastTimestamp) @protobuf(7,bytes,opt) + + // The number of times this event has occurred. + // +optional + count?: int32 @go(Count) @protobuf(8,varint,opt) + + // Type of this event (Normal, Warning), new types could be added in the future + // +optional + type?: string @go(Type) @protobuf(9,bytes,opt) + + // Time when this Event was first observed. + // +optional + eventTime?: metav1.#MicroTime @go(EventTime) @protobuf(10,bytes,opt) + + // Data about the Event series this event represents or nil if it's a singleton Event. + // +optional + series?: null | #EventSeries @go(Series,*EventSeries) @protobuf(11,bytes,opt) + + // What action was taken/failed regarding to the Regarding object. + // +optional + action?: string @go(Action) @protobuf(12,bytes,opt) + + // Optional secondary object for more complex actions. + // +optional + related?: null | #ObjectReference @go(Related,*ObjectReference) @protobuf(13,bytes,opt) + + // Name of the controller that emitted this Event, e.g. `kubernetes.io/kubelet`. + // +optional + reportingComponent: string @go(ReportingController) @protobuf(14,bytes,opt) + + // ID of the controller instance, e.g. `kubelet-xyzf`. + // +optional + reportingInstance: string @go(ReportingInstance) @protobuf(15,bytes,opt) +} + +// EventSeries contain information on series of events, i.e. thing that was/is happening +// continuously for some time. +#EventSeries: { + // Number of occurrences in this series up to the last heartbeat time + count?: int32 @go(Count) @protobuf(1,varint) + + // Time of the last occurrence observed + lastObservedTime?: metav1.#MicroTime @go(LastObservedTime) @protobuf(2,bytes) +} + +// EventList is a list of events. +#EventList: { + metav1.#TypeMeta + + // Standard list metadata. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of events + items: [...#Event] @go(Items,[]Event) @protobuf(2,bytes,rep) +} + +// List holds a list of objects, which may not be known by the server. +#List: metav1.#List + +// LimitType is a type of object that is limited. It can be Pod, Container, PersistentVolumeClaim or +// a fully qualified resource name. +#LimitType: string // #enumLimitType + +#enumLimitType: + #LimitTypePod | + #LimitTypeContainer | + #LimitTypePersistentVolumeClaim + +// Limit that applies to all pods in a namespace +#LimitTypePod: #LimitType & "Pod" + +// Limit that applies to all containers in a namespace +#LimitTypeContainer: #LimitType & "Container" + +// Limit that applies to all persistent volume claims in a namespace +#LimitTypePersistentVolumeClaim: #LimitType & "PersistentVolumeClaim" + +// LimitRangeItem defines a min/max usage limit for any resource that matches on kind. +#LimitRangeItem: { + // Type of resource that this limit applies to. + type: #LimitType @go(Type) @protobuf(1,bytes,opt,casttype=LimitType) + + // Max usage constraints on this kind by resource name. + // +optional + max?: #ResourceList @go(Max) @protobuf(2,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // Min usage constraints on this kind by resource name. + // +optional + min?: #ResourceList @go(Min) @protobuf(3,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // Default resource requirement limit value by resource name if resource limit is omitted. + // +optional + default?: #ResourceList @go(Default) @protobuf(4,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // DefaultRequest is the default resource requirement request value by resource name if resource request is omitted. 
+ // +optional + defaultRequest?: #ResourceList @go(DefaultRequest) @protobuf(5,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // MaxLimitRequestRatio if specified, the named resource must have a request and limit that are both non-zero where limit divided by request is less than or equal to the enumerated value; this represents the max burst for the named resource. + // +optional + maxLimitRequestRatio?: #ResourceList @go(MaxLimitRequestRatio) @protobuf(6,bytes,rep,casttype=ResourceList,castkey=ResourceName) +} + +// LimitRangeSpec defines a min/max usage limit for resources that match on kind. +#LimitRangeSpec: { + // Limits is the list of LimitRangeItem objects that are enforced. + limits: [...#LimitRangeItem] @go(Limits,[]LimitRangeItem) @protobuf(1,bytes,rep) +} + +// LimitRange sets resource usage limits for each kind of resource in a Namespace. +#LimitRange: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec defines the limits enforced. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #LimitRangeSpec @go(Spec) @protobuf(2,bytes,opt) +} + +// LimitRangeList is a list of LimitRange items. +#LimitRangeList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of LimitRange objects. 
+ // More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + items: [...#LimitRange] @go(Items,[]LimitRange) @protobuf(2,bytes,rep) +} + +// Pods, number +#ResourcePods: #ResourceName & "pods" + +// Services, number +#ResourceServices: #ResourceName & "services" + +// ReplicationControllers, number +#ResourceReplicationControllers: #ResourceName & "replicationcontrollers" + +// ResourceQuotas, number +#ResourceQuotas: #ResourceName & "resourcequotas" + +// ResourceSecrets, number +#ResourceSecrets: #ResourceName & "secrets" + +// ResourceConfigMaps, number +#ResourceConfigMaps: #ResourceName & "configmaps" + +// ResourcePersistentVolumeClaims, number +#ResourcePersistentVolumeClaims: #ResourceName & "persistentvolumeclaims" + +// ResourceServicesNodePorts, number +#ResourceServicesNodePorts: #ResourceName & "services.nodeports" + +// ResourceServicesLoadBalancers, number +#ResourceServicesLoadBalancers: #ResourceName & "services.loadbalancers" + +// CPU request, in cores. (500m = .5 cores) +#ResourceRequestsCPU: #ResourceName & "requests.cpu" + +// Memory request, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) +#ResourceRequestsMemory: #ResourceName & "requests.memory" + +// Storage request, in bytes +#ResourceRequestsStorage: #ResourceName & "requests.storage" + +// Local ephemeral storage request, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) +#ResourceRequestsEphemeralStorage: #ResourceName & "requests.ephemeral-storage" + +// CPU limit, in cores. (500m = .5 cores) +#ResourceLimitsCPU: #ResourceName & "limits.cpu" + +// Memory limit, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) +#ResourceLimitsMemory: #ResourceName & "limits.memory" + +// Local ephemeral storage limit, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) +#ResourceLimitsEphemeralStorage: #ResourceName & "limits.ephemeral-storage" + +// HugePages request, in bytes. 
(500Gi = 500GiB = 500 * 1024 * 1024 * 1024) +// As burst is not supported for HugePages, we would only quota its request, and ignore the limit. +#ResourceRequestsHugePagesPrefix: "requests.hugepages-" + +// Default resource requests prefix +#DefaultResourceRequestsPrefix: "requests." + +// A ResourceQuotaScope defines a filter that must match each object tracked by a quota +// +enum +#ResourceQuotaScope: string // #enumResourceQuotaScope + +#enumResourceQuotaScope: + #ResourceQuotaScopeTerminating | + #ResourceQuotaScopeNotTerminating | + #ResourceQuotaScopeBestEffort | + #ResourceQuotaScopeNotBestEffort | + #ResourceQuotaScopePriorityClass | + #ResourceQuotaScopeCrossNamespacePodAffinity + +// Match all pod objects where spec.activeDeadlineSeconds >=0 +#ResourceQuotaScopeTerminating: #ResourceQuotaScope & "Terminating" + +// Match all pod objects where spec.activeDeadlineSeconds is nil +#ResourceQuotaScopeNotTerminating: #ResourceQuotaScope & "NotTerminating" + +// Match all pod objects that have best effort quality of service +#ResourceQuotaScopeBestEffort: #ResourceQuotaScope & "BestEffort" + +// Match all pod objects that do not have best effort quality of service +#ResourceQuotaScopeNotBestEffort: #ResourceQuotaScope & "NotBestEffort" + +// Match all pod objects that have priority class mentioned +#ResourceQuotaScopePriorityClass: #ResourceQuotaScope & "PriorityClass" + +// Match all pod objects that have cross-namespace pod (anti)affinity mentioned. +#ResourceQuotaScopeCrossNamespacePodAffinity: #ResourceQuotaScope & "CrossNamespacePodAffinity" + +// ResourceQuotaSpec defines the desired hard limits to enforce for Quota. +#ResourceQuotaSpec: { + // hard is the set of desired hard limits for each named resource. 
+ // More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/ + // +optional + hard?: #ResourceList @go(Hard) @protobuf(1,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // A collection of filters that must match each object tracked by a quota. + // If not specified, the quota matches all objects. + // +optional + scopes?: [...#ResourceQuotaScope] @go(Scopes,[]ResourceQuotaScope) @protobuf(2,bytes,rep,casttype=ResourceQuotaScope) + + // scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota + // but expressed using ScopeSelectorOperator in combination with possible values. + // For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched. + // +optional + scopeSelector?: null | #ScopeSelector @go(ScopeSelector,*ScopeSelector) @protobuf(3,bytes,opt) +} + +// A scope selector represents the AND of the selectors represented +// by the scoped-resource selector requirements. +// +structType=atomic +#ScopeSelector: { + // A list of scope selector requirements by scope of the resources. + // +optional + matchExpressions?: [...#ScopedResourceSelectorRequirement] @go(MatchExpressions,[]ScopedResourceSelectorRequirement) @protobuf(1,bytes,rep) +} + +// A scoped-resource selector requirement is a selector that contains values, a scope name, and an operator +// that relates the scope name and values. +#ScopedResourceSelectorRequirement: { + // The name of the scope that the selector applies to. + scopeName: #ResourceQuotaScope @go(ScopeName) @protobuf(1,bytes,opt) + + // Represents a scope's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. + operator: #ScopeSelectorOperator @go(Operator) @protobuf(2,bytes,opt,casttype=ScopedResourceSelectorOperator) + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + // the values array must be empty. + // This array is replaced during a strategic merge patch. + // +optional + values?: [...string] @go(Values,[]string) @protobuf(3,bytes,rep) +} + +// A scope selector operator is the set of operators that can be used in +// a scope selector requirement. +// +enum +#ScopeSelectorOperator: string // #enumScopeSelectorOperator + +#enumScopeSelectorOperator: + #ScopeSelectorOpIn | + #ScopeSelectorOpNotIn | + #ScopeSelectorOpExists | + #ScopeSelectorOpDoesNotExist + +#ScopeSelectorOpIn: #ScopeSelectorOperator & "In" +#ScopeSelectorOpNotIn: #ScopeSelectorOperator & "NotIn" +#ScopeSelectorOpExists: #ScopeSelectorOperator & "Exists" +#ScopeSelectorOpDoesNotExist: #ScopeSelectorOperator & "DoesNotExist" + +// ResourceQuotaStatus defines the enforced hard limits and observed use. +#ResourceQuotaStatus: { + // Hard is the set of enforced hard limits for each named resource. + // More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/ + // +optional + hard?: #ResourceList @go(Hard) @protobuf(1,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // Used is the current observed total usage of the resource in the namespace. + // +optional + used?: #ResourceList @go(Used) @protobuf(2,bytes,rep,casttype=ResourceList,castkey=ResourceName) +} + +// ResourceQuota sets aggregate quota restrictions enforced per namespace +#ResourceQuota: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec defines the desired quota. + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #ResourceQuotaSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status defines the actual enforced quota and its current usage. 
+ // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #ResourceQuotaStatus @go(Status) @protobuf(3,bytes,opt) +} + +// ResourceQuotaList is a list of ResourceQuota items. +#ResourceQuotaList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of ResourceQuota objects. + // More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/ + items: [...#ResourceQuota] @go(Items,[]ResourceQuota) @protobuf(2,bytes,rep) +} + +// Secret holds secret data of a certain type. The total bytes of the values in +// the Data field must be less than MaxSecretSize bytes. +#Secret: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Immutable, if set to true, ensures that data stored in the Secret cannot + // be updated (only object metadata can be modified). + // If not set to true, the field can be modified at any time. + // Defaulted to nil. + // +optional + immutable?: null | bool @go(Immutable,*bool) @protobuf(5,varint,opt) + + // Data contains the secret data. Each key must consist of alphanumeric + // characters, '-', '_' or '.'. The serialized form of the secret data is a + // base64 encoded string, representing the arbitrary (possibly non-string) + // data value here. Described in https://tools.ietf.org/html/rfc4648#section-4 + // +optional + data?: {[string]: bytes} @go(Data,map[string][]byte) @protobuf(2,bytes,rep) + + // stringData allows specifying non-binary secret data in string form. + // It is provided as a write-only input field for convenience. 
+ // All keys and values are merged into the data field on write, overwriting any existing values. + // The stringData field is never output when reading from the API. + // +k8s:conversion-gen=false + // +optional + stringData?: {[string]: string} @go(StringData,map[string]string) @protobuf(4,bytes,rep) + + // Used to facilitate programmatic handling of secret data. + // More info: https://kubernetes.io/docs/concepts/configuration/secret/#secret-types + // +optional + type?: #SecretType @go(Type) @protobuf(3,bytes,opt,casttype=SecretType) +} + +#MaxSecretSize: 1048576 + +#SecretType: string // #enumSecretType + +#enumSecretType: + #SecretTypeOpaque | + #SecretTypeServiceAccountToken | + #SecretTypeDockercfg | + #SecretTypeDockerConfigJson | + #SecretTypeBasicAuth | + #SecretTypeSSHAuth | + #SecretTypeTLS | + #SecretTypeBootstrapToken + +// SecretTypeOpaque is the default. Arbitrary user-defined data +#SecretTypeOpaque: #SecretType & "Opaque" + +// SecretTypeServiceAccountToken contains a token that identifies a service account to the API +// +// Required fields: +// - Secret.Annotations["kubernetes.io/service-account.name"] - the name of the ServiceAccount the token identifies +// - Secret.Annotations["kubernetes.io/service-account.uid"] - the UID of the ServiceAccount the token identifies +// - Secret.Data["token"] - a token that identifies the service account to the API +#SecretTypeServiceAccountToken: #SecretType & "kubernetes.io/service-account-token" + +// ServiceAccountNameKey is the key of the required annotation for SecretTypeServiceAccountToken secrets +#ServiceAccountNameKey: "kubernetes.io/service-account.name" + +// ServiceAccountUIDKey is the key of the required annotation for SecretTypeServiceAccountToken secrets +#ServiceAccountUIDKey: "kubernetes.io/service-account.uid" + +// ServiceAccountTokenKey is the key of the required data for SecretTypeServiceAccountToken secrets +#ServiceAccountTokenKey: "token" + +// ServiceAccountKubeconfigKey is the key 
of the optional kubeconfig data for SecretTypeServiceAccountToken secrets +#ServiceAccountKubeconfigKey: "kubernetes.kubeconfig" + +// ServiceAccountRootCAKey is the key of the optional root certificate authority for SecretTypeServiceAccountToken secrets +#ServiceAccountRootCAKey: "ca.crt" + +// ServiceAccountNamespaceKey is the key of the optional namespace to use as the default for namespaced API calls +#ServiceAccountNamespaceKey: "namespace" + +// SecretTypeDockercfg contains a dockercfg file that follows the same format rules as ~/.dockercfg +// +// Required fields: +// - Secret.Data[".dockercfg"] - a serialized ~/.dockercfg file +#SecretTypeDockercfg: #SecretType & "kubernetes.io/dockercfg" + +// DockerConfigKey is the key of the required data for SecretTypeDockercfg secrets +#DockerConfigKey: ".dockercfg" + +// SecretTypeDockerConfigJson contains a dockercfg file that follows the same format rules as ~/.docker/config.json +// +// Required fields: +// - Secret.Data[".dockerconfigjson"] - a serialized ~/.docker/config.json file +#SecretTypeDockerConfigJson: #SecretType & "kubernetes.io/dockerconfigjson" + +// DockerConfigJsonKey is the key of the required data for SecretTypeDockerConfigJson secrets +#DockerConfigJsonKey: ".dockerconfigjson" + +// SecretTypeBasicAuth contains data needed for basic authentication. +// +// Required at least one of fields: +// - Secret.Data["username"] - username used for authentication +// - Secret.Data["password"] - password or token needed for authentication +#SecretTypeBasicAuth: #SecretType & "kubernetes.io/basic-auth" + +// BasicAuthUsernameKey is the key of the username for SecretTypeBasicAuth secrets +#BasicAuthUsernameKey: "username" + +// BasicAuthPasswordKey is the key of the password or token for SecretTypeBasicAuth secrets +#BasicAuthPasswordKey: "password" + +// SecretTypeSSHAuth contains data needed for SSH authetication. 
+// +// Required field: +// - Secret.Data["ssh-privatekey"] - private SSH key needed for authentication +#SecretTypeSSHAuth: #SecretType & "kubernetes.io/ssh-auth" + +// SSHAuthPrivateKey is the key of the required SSH private key for SecretTypeSSHAuth secrets +#SSHAuthPrivateKey: "ssh-privatekey" + +// SecretTypeTLS contains information about a TLS client or server secret. It +// is primarily used with TLS termination of the Ingress resource, but may be +// used in other types. +// +// Required fields: +// - Secret.Data["tls.key"] - TLS private key. +// Secret.Data["tls.crt"] - TLS certificate. +// TODO: Consider supporting different formats, specifying CA/destinationCA. +#SecretTypeTLS: #SecretType & "kubernetes.io/tls" + +// TLSCertKey is the key for tls certificates in a TLS secret. +#TLSCertKey: "tls.crt" + +// TLSPrivateKeyKey is the key for the private key field in a TLS secret. +#TLSPrivateKeyKey: "tls.key" + +// SecretTypeBootstrapToken is used during the automated bootstrap process (first +// implemented by kubeadm). It stores tokens that are used to sign well known +// ConfigMaps. They are used for authn. +#SecretTypeBootstrapToken: #SecretType & "bootstrap.kubernetes.io/token" + +// SecretList is a list of Secret. +#SecretList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of secret objects. + // More info: https://kubernetes.io/docs/concepts/configuration/secret + items: [...#Secret] @go(Items,[]Secret) @protobuf(2,bytes,rep) +} + +// ConfigMap holds configuration data for pods to consume. +#ConfigMap: { + metav1.#TypeMeta + + // Standard object's metadata. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Immutable, if set to true, ensures that data stored in the ConfigMap cannot + // be updated (only object metadata can be modified). + // If not set to true, the field can be modified at any time. + // Defaulted to nil. + // +optional + immutable?: null | bool @go(Immutable,*bool) @protobuf(4,varint,opt) + + // Data contains the configuration data. + // Each key must consist of alphanumeric characters, '-', '_' or '.'. + // Values with non-UTF-8 byte sequences must use the BinaryData field. + // The keys stored in Data must not overlap with the keys in + // the BinaryData field, this is enforced during validation process. + // +optional + data?: {[string]: string} @go(Data,map[string]string) @protobuf(2,bytes,rep) + + // BinaryData contains the binary data. + // Each key must consist of alphanumeric characters, '-', '_' or '.'. + // BinaryData can contain byte sequences that are not in the UTF-8 range. + // The keys stored in BinaryData must not overlap with the ones in + // the Data field, this is enforced during validation process. + // Using this field will require 1.10+ apiserver and + // kubelet. + // +optional + binaryData?: {[string]: bytes} @go(BinaryData,map[string][]byte) @protobuf(3,bytes,rep) +} + +// ConfigMapList is a resource containing a list of ConfigMap objects. +#ConfigMapList: { + metav1.#TypeMeta + + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is the list of ConfigMaps. + items: [...#ConfigMap] @go(Items,[]ConfigMap) @protobuf(2,bytes,rep) +} + +// Type and constants for component health validation. 
+#ComponentConditionType: string // #enumComponentConditionType + +#enumComponentConditionType: + #ComponentHealthy + +#ComponentHealthy: #ComponentConditionType & "Healthy" + +// Information about the condition of a component. +#ComponentCondition: { + // Type of condition for a component. + // Valid value: "Healthy" + type: #ComponentConditionType @go(Type) @protobuf(1,bytes,opt,casttype=ComponentConditionType) + + // Status of the condition for a component. + // Valid values for "Healthy": "True", "False", or "Unknown". + status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus) + + // Message about the condition for a component. + // For example, information about a health check. + // +optional + message?: string @go(Message) @protobuf(3,bytes,opt) + + // Condition error code for a component. + // For example, a health check error code. + // +optional + error?: string @go(Error) @protobuf(4,bytes,opt) +} + +// ComponentStatus (and ComponentStatusList) holds the cluster validation info. +// Deprecated: This API is deprecated in v1.19+ +#ComponentStatus: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // List of component conditions observed + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#ComponentCondition] @go(Conditions,[]ComponentCondition) @protobuf(2,bytes,rep) +} + +// Status of all the conditions for the component as a list of ComponentStatus objects. +// Deprecated: This API is deprecated in v1.19+ +#ComponentStatusList: { + metav1.#TypeMeta + + // Standard list metadata. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of ComponentStatus objects. + items: [...#ComponentStatus] @go(Items,[]ComponentStatus) @protobuf(2,bytes,rep) +} + +// DownwardAPIVolumeSource represents a volume containing downward API info. +// Downward API volumes support ownership management and SELinux relabeling. +#DownwardAPIVolumeSource: { + // Items is a list of downward API volume file + // +optional + items?: [...#DownwardAPIVolumeFile] @go(Items,[]DownwardAPIVolumeFile) @protobuf(1,bytes,rep) + + // Optional: mode bits to use on created files by default. Must be a + // Optional: mode bits used to set permissions on created files by default. + // Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + // Defaults to 0644. + // Directories within the path are not affected by this setting. + // This might be in conflict with other options that affect the file + // mode, like fsGroup, and the result can be other mode bits set. + // +optional + defaultMode?: null | int32 @go(DefaultMode,*int32) @protobuf(2,varint,opt) +} + +#DownwardAPIVolumeSourceDefaultMode: int32 & 0o644 + +// DownwardAPIVolumeFile represents information to create the file containing the pod field +#DownwardAPIVolumeFile: { + // Required: Path is the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..' + path: string @go(Path) @protobuf(1,bytes,opt) + + // Required: Selects a field of the pod: only annotations, labels, name and namespace are supported. 
+ // +optional + fieldRef?: null | #ObjectFieldSelector @go(FieldRef,*ObjectFieldSelector) @protobuf(2,bytes,opt) + + // Selects a resource of the container: only resources limits and requests + // (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + // +optional + resourceFieldRef?: null | #ResourceFieldSelector @go(ResourceFieldRef,*ResourceFieldSelector) @protobuf(3,bytes,opt) + + // Optional: mode bits used to set permissions on this file, must be an octal value + // between 0000 and 0777 or a decimal value between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + // If not specified, the volume defaultMode will be used. + // This might be in conflict with other options that affect the file + // mode, like fsGroup, and the result can be other mode bits set. + // +optional + mode?: null | int32 @go(Mode,*int32) @protobuf(4,varint,opt) +} + +// Represents downward API info for projecting into a projected volume. +// Note that this is identical to a downwardAPI volume source without the default +// mode. +#DownwardAPIProjection: { + // Items is a list of DownwardAPIVolume file + // +optional + items?: [...#DownwardAPIVolumeFile] @go(Items,[]DownwardAPIVolumeFile) @protobuf(1,bytes,rep) +} + +// SecurityContext holds security configuration that will be applied to a container. +// Some fields are present in both SecurityContext and PodSecurityContext. When both +// are set, the values in SecurityContext take precedence. +#SecurityContext: { + // The capabilities to add/drop when running containers. + // Defaults to the default set of capabilities granted by the container runtime. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + capabilities?: null | #Capabilities @go(Capabilities,*Capabilities) @protobuf(1,bytes,opt) + + // Run container in privileged mode. 
+ // Processes in privileged containers are essentially equivalent to root on the host. + // Defaults to false. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + privileged?: null | bool @go(Privileged,*bool) @protobuf(2,varint,opt) + + // The SELinux context to be applied to the container. + // If unspecified, the container runtime will allocate a random SELinux context for each + // container. May also be set in PodSecurityContext. If set in both SecurityContext and + // PodSecurityContext, the value specified in SecurityContext takes precedence. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + seLinuxOptions?: null | #SELinuxOptions @go(SELinuxOptions,*SELinuxOptions) @protobuf(3,bytes,opt) + + // The Windows specific settings applied to all containers. + // If unspecified, the options from the PodSecurityContext will be used. + // If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + // Note that this field cannot be set when spec.os.name is linux. + // +optional + windowsOptions?: null | #WindowsSecurityContextOptions @go(WindowsOptions,*WindowsSecurityContextOptions) @protobuf(10,bytes,opt) + + // The UID to run the entrypoint of the container process. + // Defaults to user specified in image metadata if unspecified. + // May also be set in PodSecurityContext. If set in both SecurityContext and + // PodSecurityContext, the value specified in SecurityContext takes precedence. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + runAsUser?: null | int64 @go(RunAsUser,*int64) @protobuf(4,varint,opt) + + // The GID to run the entrypoint of the container process. + // Uses runtime default if unset. + // May also be set in PodSecurityContext. If set in both SecurityContext and + // PodSecurityContext, the value specified in SecurityContext takes precedence. 
+ // Note that this field cannot be set when spec.os.name is windows. + // +optional + runAsGroup?: null | int64 @go(RunAsGroup,*int64) @protobuf(8,varint,opt) + + // Indicates that the container must run as a non-root user. + // If true, the Kubelet will validate the image at runtime to ensure that it + // does not run as UID 0 (root) and fail to start the container if it does. + // If unset or false, no such validation will be performed. + // May also be set in PodSecurityContext. If set in both SecurityContext and + // PodSecurityContext, the value specified in SecurityContext takes precedence. + // +optional + runAsNonRoot?: null | bool @go(RunAsNonRoot,*bool) @protobuf(5,varint,opt) + + // Whether this container has a read-only root filesystem. + // Default is false. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + readOnlyRootFilesystem?: null | bool @go(ReadOnlyRootFilesystem,*bool) @protobuf(6,varint,opt) + + // AllowPrivilegeEscalation controls whether a process can gain more + // privileges than its parent process. This bool directly controls if + // the no_new_privs flag will be set on the container process. + // AllowPrivilegeEscalation is true always when the container is: + // 1) run as Privileged + // 2) has CAP_SYS_ADMIN + // Note that this field cannot be set when spec.os.name is windows. + // +optional + allowPrivilegeEscalation?: null | bool @go(AllowPrivilegeEscalation,*bool) @protobuf(7,varint,opt) + + // procMount denotes the type of proc mount to use for the containers. + // The default is DefaultProcMount which uses the container runtime defaults for + // readonly paths and masked paths. + // This requires the ProcMountType feature flag to be enabled. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + procMount?: null | #ProcMountType @go(ProcMount,*ProcMountType) @protobuf(9,bytes,opt) + + // The seccomp options to use by this container. 
If seccomp options are + // provided at both the pod & container level, the container options + // override the pod options. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + seccompProfile?: null | #SeccompProfile @go(SeccompProfile,*SeccompProfile) @protobuf(11,bytes,opt) +} + +// +enum +#ProcMountType: string // #enumProcMountType + +#enumProcMountType: + #DefaultProcMount | + #UnmaskedProcMount + +// DefaultProcMount uses the container runtime defaults for readonly and masked +// paths for /proc. Most container runtimes mask certain paths in /proc to avoid +// accidental security exposure of special devices or information. +#DefaultProcMount: #ProcMountType & "Default" + +// UnmaskedProcMount bypasses the default masking behavior of the container +// runtime and ensures the newly created /proc the container stays in tact with +// no modifications. +#UnmaskedProcMount: #ProcMountType & "Unmasked" + +// SELinuxOptions are the labels to be applied to the container +#SELinuxOptions: { + // User is a SELinux user label that applies to the container. + // +optional + user?: string @go(User) @protobuf(1,bytes,opt) + + // Role is a SELinux role label that applies to the container. + // +optional + role?: string @go(Role) @protobuf(2,bytes,opt) + + // Type is a SELinux type label that applies to the container. + // +optional + type?: string @go(Type) @protobuf(3,bytes,opt) + + // Level is SELinux level label that applies to the container. + // +optional + level?: string @go(Level) @protobuf(4,bytes,opt) +} + +// WindowsSecurityContextOptions contain Windows-specific options and credentials. +#WindowsSecurityContextOptions: { + // GMSACredentialSpecName is the name of the GMSA credential spec to use. 
+ // +optional + gmsaCredentialSpecName?: null | string @go(GMSACredentialSpecName,*string) @protobuf(1,bytes,opt) + + // GMSACredentialSpec is where the GMSA admission webhook + // (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + // GMSA credential spec named by the GMSACredentialSpecName field. + // +optional + gmsaCredentialSpec?: null | string @go(GMSACredentialSpec,*string) @protobuf(2,bytes,opt) + + // The UserName in Windows to run the entrypoint of the container process. + // Defaults to the user specified in image metadata if unspecified. + // May also be set in PodSecurityContext. If set in both SecurityContext and + // PodSecurityContext, the value specified in SecurityContext takes precedence. + // +optional + runAsUserName?: null | string @go(RunAsUserName,*string) @protobuf(3,bytes,opt) + + // HostProcess determines if a container should be run as a 'Host Process' container. + // All of a Pod's containers must have the same effective HostProcess value + // (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + // In addition, if HostProcess is true then HostNetwork must also be set to true. + // +optional + hostProcess?: null | bool @go(HostProcess,*bool) @protobuf(4,bytes,opt) +} + +// RangeAllocation is not a public type. +#RangeAllocation: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Range is string that identifies the range represented by 'data'. + range: string @go(Range) @protobuf(2,bytes,opt) + + // Data is a bit array containing all allocated addresses in the previous segment. + data: bytes @go(Data,[]byte) @protobuf(3,bytes,opt) +} + +// DefaultSchedulerName defines the name of default scheduler. 
+#DefaultSchedulerName: "default-scheduler" + +// RequiredDuringScheduling affinity is not symmetric, but there is an implicit PreferredDuringScheduling affinity rule +// corresponding to every RequiredDuringScheduling affinity rule. +// When the --hard-pod-affinity-weight scheduler flag is not specified, +// DefaultHardPodAffinityWeight defines the weight of the implicit PreferredDuringScheduling affinity rule. +#DefaultHardPodAffinitySymmetricWeight: int32 & 1 + +// Sysctl defines a kernel parameter to be set +#Sysctl: { + // Name of a property to set + name: string @go(Name) @protobuf(1,bytes,opt) + + // Value of a property to set + value: string @go(Value) @protobuf(2,bytes,opt) +} + +// NodeResources is an object for conveying resource information about a node. +// see https://kubernetes.io/docs/concepts/architecture/nodes/#capacity for more details. +#NodeResources: { + // Capacity represents the available resources of a node + Capacity: #ResourceList @protobuf(1,bytes,rep,name=capacity,casttype=ResourceList,castkey=ResourceName) +} + +// Enable stdin for remote command execution +#ExecStdinParam: "input" + +// Enable stdout for remote command execution +#ExecStdoutParam: "output" + +// Enable stderr for remote command execution +#ExecStderrParam: "error" + +// Enable TTY for remote command execution +#ExecTTYParam: "tty" + +// Command to run for remote command execution +#ExecCommandParam: "command" + +// Name of header that specifies stream type +#StreamType: "streamType" + +// Value for streamType header for stdin stream +#StreamTypeStdin: "stdin" + +// Value for streamType header for stdout stream +#StreamTypeStdout: "stdout" + +// Value for streamType header for stderr stream +#StreamTypeStderr: "stderr" + +// Value for streamType header for data stream +#StreamTypeData: "data" + +// Value for streamType header for error stream +#StreamTypeError: "error" + +// Value for streamType header for terminal resize stream +#StreamTypeResize: "resize" + +// Name 
of header that specifies the port being forwarded +#PortHeader: "port" + +// Name of header that specifies a request ID used to associate the error +// and data streams for a single forwarded connection +#PortForwardRequestIDHeader: "requestID" + +// MixedProtocolNotSupported error in PortStatus means that the cloud provider +// can't publish the port on the load balancer because mixed values of protocols +// on the same LoadBalancer type of Service are not supported by the cloud provider. +#MixedProtocolNotSupported: "MixedProtocolNotSupported" + +#PortStatus: { + // Port is the port number of the service port of which status is recorded here + port: int32 @go(Port) @protobuf(1,varint,opt) + + // Protocol is the protocol of the service port of which status is recorded here + // The supported values are: "TCP", "UDP", "SCTP" + protocol: #Protocol @go(Protocol) @protobuf(2,bytes,opt,casttype=Protocol) + + // Error is to record the problem with the service port + // The format of the error shall comply with the following rules: + // - built-in error values shall be specified in this file and those shall use + // CamelCase names + // - cloud provider specific error values must have names that comply with the + // format foo.example.com/CamelCase. + // --- + // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + // +optional + // +kubebuilder:validation:Required + // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` + // +kubebuilder:validation:MaxLength=316 + error?: null | string @go(Error,*string) @protobuf(3,bytes,opt) +} diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/core/v1/well_known_labels_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/core/v1/well_known_labels_go_gen.cue new file mode 100644 index 000000000..2a1f060b6 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/core/v1/well_known_labels_go_gen.cue 
@@ -0,0 +1,59 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/core/v1 + +package v1 + +#LabelHostname: "kubernetes.io/hostname" + +// Label value is the network location of kube-apiserver stored as +// Stored in APIServer Identity lease objects to view what address is used for peer proxy +#AnnotationPeerAdvertiseAddress: "kubernetes.io/peer-advertise-address" +#LabelTopologyZone: "topology.kubernetes.io/zone" +#LabelTopologyRegion: "topology.kubernetes.io/region" + +// These label have been deprecated since 1.17, but will be supported for +// the foreseeable future, to accommodate things like long-lived PVs that +// use them. New users should prefer the "topology.kubernetes.io/*" +// equivalents. +#LabelFailureDomainBetaZone: "failure-domain.beta.kubernetes.io/zone" +#LabelFailureDomainBetaRegion: "failure-domain.beta.kubernetes.io/region" + +// Retained for compat when vendored. Do not use these consts in new code. +#LabelZoneFailureDomain: "failure-domain.beta.kubernetes.io/zone" +#LabelZoneRegion: "failure-domain.beta.kubernetes.io/region" +#LabelZoneFailureDomainStable: "topology.kubernetes.io/zone" +#LabelZoneRegionStable: "topology.kubernetes.io/region" +#LabelInstanceType: "beta.kubernetes.io/instance-type" +#LabelInstanceTypeStable: "node.kubernetes.io/instance-type" +#LabelOSStable: "kubernetes.io/os" +#LabelArchStable: "kubernetes.io/arch" + +// LabelWindowsBuild is used on Windows nodes to specify the Windows build number starting with v1.17.0. 
+// It's in the format MajorVersion.MinorVersion.BuildNumber (for ex: 10.0.17763) +#LabelWindowsBuild: "node.kubernetes.io/windows-build" + +// LabelNamespaceSuffixKubelet is an allowed label namespace suffix kubelets can self-set ([*.]kubelet.kubernetes.io/*) +#LabelNamespaceSuffixKubelet: "kubelet.kubernetes.io" + +// LabelNamespaceSuffixNode is an allowed label namespace suffix kubelets can self-set ([*.]node.kubernetes.io/*) +#LabelNamespaceSuffixNode: "node.kubernetes.io" + +// LabelNamespaceNodeRestriction is a forbidden label namespace that kubelets may not self-set when the NodeRestriction admission plugin is enabled +#LabelNamespaceNodeRestriction: "node-restriction.kubernetes.io" + +// IsHeadlessService is added by Controller to an Endpoint denoting if its parent +// Service is Headless. The existence of this label can be used further by other +// controllers and kube-proxy to check if the Endpoint objects should be replicated when +// using Headless Services +#IsHeadlessService: "service.kubernetes.io/headless" + +// LabelNodeExcludeBalancers specifies that the node should not be considered as a target +// for external load-balancers which use nodes as a second hop (e.g. many cloud LBs which only +// understand nodes). For services that use externalTrafficPolicy=Local, this may mean that +// any backends on excluded nodes are not reachable by those external load-balancers. +// Implementations of this exclusion may vary based on provider. +#LabelNodeExcludeBalancers: "node.kubernetes.io/exclude-from-external-load-balancers" + +// LabelMetadataName is the label name which, in-tree, is used to automatically label namespaces, so they can be selected easily by tools which require definitive labels +#LabelMetadataName: "kubernetes.io/metadata.name" 
diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/core/v1/well_known_taints_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/core/v1/well_known_taints_go_gen.cue new file mode 100644 index 000000000..b7c097336 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/core/v1/well_known_taints_go_gen.cue @@ -0,0 +1,38 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/core/v1 + +package v1 + +// TaintNodeNotReady will be added when node is not ready +// and removed when node becomes ready. +#TaintNodeNotReady: "node.kubernetes.io/not-ready" + +// TaintNodeUnreachable will be added when node becomes unreachable +// (corresponding to NodeReady status ConditionUnknown) +// and removed when node becomes reachable (NodeReady status ConditionTrue). +#TaintNodeUnreachable: "node.kubernetes.io/unreachable" + +// TaintNodeUnschedulable will be added when node becomes unschedulable +// and removed when node becomes schedulable. +#TaintNodeUnschedulable: "node.kubernetes.io/unschedulable" + +// TaintNodeMemoryPressure will be added when node has memory pressure +// and removed when node has enough memory. +#TaintNodeMemoryPressure: "node.kubernetes.io/memory-pressure" + +// TaintNodeDiskPressure will be added when node has disk pressure +// and removed when node has enough disk. +#TaintNodeDiskPressure: "node.kubernetes.io/disk-pressure" + +// TaintNodeNetworkUnavailable will be added when node's network is unavailable +// and removed when network becomes ready. +#TaintNodeNetworkUnavailable: "node.kubernetes.io/network-unavailable" + +// TaintNodePIDPressure will be added when node has pid pressure +// and removed when node has enough pid. +#TaintNodePIDPressure: "node.kubernetes.io/pid-pressure" + +// TaintNodeOutOfService can be added when node is out of service in case of +// a non-graceful shutdown +#TaintNodeOutOfService: "node.kubernetes.io/out-of-service" 
diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/discovery/v1/register_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/discovery/v1/register_go_gen.cue new file mode 100644 index 000000000..19a7d631a --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/discovery/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/discovery/v1 + +package v1 + +#GroupName: "discovery.k8s.io" diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/discovery/v1/types_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/discovery/v1/types_go_gen.cue new file mode 100644 index 000000000..144ef53e7 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/discovery/v1/types_go_gen.cue 
@@ -0,0 +1,206 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/discovery/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/api/core/v1" +) + +// EndpointSlice represents a subset of the endpoints that implement a service. +// For a given service there may be multiple EndpointSlice objects, selected by +// labels, which must be joined to produce the full set of endpoints. +#EndpointSlice: { + metav1.#TypeMeta + + // Standard object's metadata. + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // addressType specifies the type of address carried by this EndpointSlice. + // All addresses in this slice must be the same type. This field is + // immutable after creation. The following address types are currently + // supported: + // * IPv4: Represents an IPv4 Address. + // * IPv6: Represents an IPv6 Address. + // * FQDN: Represents a Fully Qualified Domain Name. + addressType: #AddressType @go(AddressType) @protobuf(4,bytes,rep) + + // endpoints is a list of unique endpoints in this slice. Each slice may + // include a maximum of 1000 endpoints. + // +listType=atomic + endpoints: [...#Endpoint] @go(Endpoints,[]Endpoint) @protobuf(2,bytes,rep) + + // ports specifies the list of network ports exposed by each endpoint in + // this slice. Each port must have a unique name. When ports is empty, it + // indicates that there are no defined ports. When a port is defined with a + // nil port value, it indicates "all ports". Each slice may include a + // maximum of 100 ports. + // +optional + // +listType=atomic + ports: [...#EndpointPort] @go(Ports,[]EndpointPort) @protobuf(3,bytes,rep) +} + +// AddressType represents the type of address referred to by an endpoint. +// +enum +#AddressType: string // #enumAddressType + +#enumAddressType: + #AddressTypeIPv4 | + #AddressTypeIPv6 | + #AddressTypeFQDN + +// AddressTypeIPv4 represents an IPv4 Address. 
+#AddressTypeIPv4: #AddressType & "IPv4" + +// AddressTypeIPv6 represents an IPv6 Address. +#AddressTypeIPv6: #AddressType & "IPv6" + +// AddressTypeFQDN represents a FQDN. +#AddressTypeFQDN: #AddressType & "FQDN" + +// Endpoint represents a single logical "backend" implementing a service. +#Endpoint: { + // addresses of this endpoint. The contents of this field are interpreted + // according to the corresponding EndpointSlice addressType field. Consumers + // must handle different types of addresses in the context of their own + // capabilities. This must contain at least one address but no more than + // 100. These are all assumed to be fungible and clients may choose to only + // use the first element. Refer to: https://issue.k8s.io/106267 + // +listType=set + addresses: [...string] @go(Addresses,[]string) @protobuf(1,bytes,rep) + + // conditions contains information about the current status of the endpoint. + conditions?: #EndpointConditions @go(Conditions) @protobuf(2,bytes,opt) + + // hostname of this endpoint. This field may be used by consumers of + // endpoints to distinguish endpoints from each other (e.g. in DNS names). + // Multiple endpoints which use the same hostname should be considered + // fungible (e.g. multiple A values in DNS). Must be lowercase and pass DNS + // Label (RFC 1123) validation. + // +optional + hostname?: null | string @go(Hostname,*string) @protobuf(3,bytes,opt) + + // targetRef is a reference to a Kubernetes object that represents this + // endpoint. + // +optional + targetRef?: null | v1.#ObjectReference @go(TargetRef,*v1.ObjectReference) @protobuf(4,bytes,opt) + + // deprecatedTopology contains topology information part of the v1beta1 + // API. This field is deprecated, and will be removed when the v1beta1 + // API is removed (no sooner than kubernetes v1.24). While this field can + // hold values, it is not writable through the v1 API, and any attempts to + // write to it will be silently ignored. 
Topology information can be found + // in the zone and nodeName fields instead. + // +optional + deprecatedTopology?: {[string]: string} @go(DeprecatedTopology,map[string]string) @protobuf(5,bytes,opt) + + // nodeName represents the name of the Node hosting this endpoint. This can + // be used to determine endpoints local to a Node. + // +optional + nodeName?: null | string @go(NodeName,*string) @protobuf(6,bytes,opt) + + // zone is the name of the Zone this endpoint exists in. + // +optional + zone?: null | string @go(Zone,*string) @protobuf(7,bytes,opt) + + // hints contains information associated with how an endpoint should be + // consumed. + // +optional + hints?: null | #EndpointHints @go(Hints,*EndpointHints) @protobuf(8,bytes,opt) +} + +// EndpointConditions represents the current condition of an endpoint. +#EndpointConditions: { + // ready indicates that this endpoint is prepared to receive traffic, + // according to whatever system is managing the endpoint. A nil value + // indicates an unknown state. In most cases consumers should interpret this + // unknown state as ready. For compatibility reasons, ready should never be + // "true" for terminating endpoints, except when the normal readiness + // behavior is being explicitly overridden, for example when the associated + // Service has set the publishNotReadyAddresses flag. + // +optional + ready?: null | bool @go(Ready,*bool) @protobuf(1,bytes) + + // serving is identical to ready except that it is set regardless of the + // terminating state of endpoints. This condition should be set to true for + // a ready endpoint that is terminating. If nil, consumers should defer to + // the ready condition. + // +optional + serving?: null | bool @go(Serving,*bool) @protobuf(2,bytes) + + // terminating indicates that this endpoint is terminating. A nil value + // indicates an unknown state. Consumers should interpret this unknown state + // to mean that the endpoint is not terminating. 
+ // +optional + terminating?: null | bool @go(Terminating,*bool) @protobuf(3,bytes) +} + +// EndpointHints provides hints describing how an endpoint should be consumed. +#EndpointHints: { + // forZones indicates the zone(s) this endpoint should be consumed by to + // enable topology aware routing. + // +listType=atomic + forZones?: [...#ForZone] @go(ForZones,[]ForZone) @protobuf(1,bytes) +} + +// ForZone provides information about which zones should consume this endpoint. +#ForZone: { + // name represents the name of the zone. + name: string @go(Name) @protobuf(1,bytes) +} + +// EndpointPort represents a Port used by an EndpointSlice +// +structType=atomic +#EndpointPort: { + // name represents the name of this port. All ports in an EndpointSlice must have a unique name. + // If the EndpointSlice is dervied from a Kubernetes service, this corresponds to the Service.ports[].name. + // Name must either be an empty string or pass DNS_LABEL validation: + // * must be no more than 63 characters long. + // * must consist of lower case alphanumeric characters or '-'. + // * must start and end with an alphanumeric character. + // Default is empty string. + name?: null | string @go(Name,*string) @protobuf(1,bytes) + + // protocol represents the IP protocol for this port. + // Must be UDP, TCP, or SCTP. + // Default is TCP. + protocol?: null | v1.#Protocol @go(Protocol,*v1.Protocol) @protobuf(2,bytes) + + // port represents the port number of the endpoint. + // If this is not specified, ports are not restricted and must be + // interpreted in the context of the specific consumer. + port?: null | int32 @go(Port,*int32) @protobuf(3,bytes,opt) + + // The application protocol for this port. + // This is used as a hint for implementations to offer richer behavior for protocols that they understand. + // This field follows standard Kubernetes label syntax. 
+ // Valid values are either: + // + // * Un-prefixed protocol names - reserved for IANA standard service names (as per + // RFC-6335 and https://www.iana.org/assignments/service-names). + // + // * Kubernetes-defined prefixed names: + // * 'kubernetes.io/h2c' - HTTP/2 over cleartext as described in https://www.rfc-editor.org/rfc/rfc7540 + // * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + // * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + // + // * Other protocols should use implementation-defined prefixed names such as + // mycompany.com/my-custom-protocol. + // +optional + appProtocol?: null | string @go(AppProtocol,*string) @protobuf(4,bytes) +} + +// EndpointSliceList represents a list of endpoint slices +#EndpointSliceList: { + metav1.#TypeMeta + + // Standard list metadata. + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of endpoint slices + items: [...#EndpointSlice] @go(Items,[]EndpointSlice) @protobuf(2,bytes,rep) +} diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/discovery/v1/well_known_labels_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/discovery/v1/well_known_labels_go_gen.cue new file mode 100644 index 000000000..9c40d30e9 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/discovery/v1/well_known_labels_go_gen.cue 
@@ -0,0 +1,20 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/discovery/v1 + +package v1 + +// LabelServiceName is used to indicate the name of a Kubernetes service. +#LabelServiceName: "kubernetes.io/service-name" + +// LabelManagedBy is used to indicate the controller or entity that manages +// an EndpointSlice. This label aims to enable different EndpointSlice +// objects to be managed by different controllers or entities within the +// same cluster. It is highly recommended to configure this label for all +// EndpointSlices. +#LabelManagedBy: "endpointslice.kubernetes.io/managed-by" + +// LabelSkipMirror can be set to true on an Endpoints resource to indicate +// that the EndpointSliceMirroring controller should not mirror this +// resource with EndpointSlices. +#LabelSkipMirror: "endpointslice.kubernetes.io/skip-mirror" diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/events/v1/register_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/events/v1/register_go_gen.cue new file mode 100644 index 000000000..c4138c1c7 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/events/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/events/v1 + +package v1 + +#GroupName: "events.k8s.io" diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/events/v1/types_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/events/v1/types_go_gen.cue new file mode 100644 index 000000000..47acc8fc0 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/events/v1/types_go_gen.cue 
@@ -0,0 +1,111 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/events/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + corev1 "k8s.io/api/core/v1" +) + +// Event is a report of an event somewhere in the cluster. It generally denotes some state change in the system. +// Events have a limited retention time and triggers and messages may evolve +// with time. Event consumers should not rely on the timing of an event +// with a given Reason reflecting a consistent underlying trigger, or the +// continued existence of events with that Reason. Events should be +// treated as informative, best-effort, supplemental data. +#Event: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // eventTime is the time when this Event was first observed. It is required. + eventTime: metav1.#MicroTime @go(EventTime) @protobuf(2,bytes,opt) + + // series is data about the Event series this event represents or nil if it's a singleton Event. + // +optional + series?: null | #EventSeries @go(Series,*EventSeries) @protobuf(3,bytes,opt) + + // reportingController is the name of the controller that emitted this Event, e.g. `kubernetes.io/kubelet`. + // This field cannot be empty for new Events. + reportingController?: string @go(ReportingController) @protobuf(4,bytes,opt) + + // reportingInstance is the ID of the controller instance, e.g. `kubelet-xyzf`. + // This field cannot be empty for new Events and it can have at most 128 characters. + reportingInstance?: string @go(ReportingInstance) @protobuf(5,bytes,opt) + + // action is what action was taken/failed regarding to the regarding object. It is machine-readable. + // This field cannot be empty for new Events and it can have at most 128 characters. 
+ action?: string @go(Action) @protobuf(6,bytes) + + // reason is why the action was taken. It is human-readable. + // This field cannot be empty for new Events and it can have at most 128 characters. + reason?: string @go(Reason) @protobuf(7,bytes) + + // regarding contains the object this Event is about. In most cases it's an Object reporting controller + // implements, e.g. ReplicaSetController implements ReplicaSets and this event is emitted because + // it acts on some changes in a ReplicaSet object. + // +optional + regarding?: corev1.#ObjectReference @go(Regarding) @protobuf(8,bytes,opt) + + // related is the optional secondary object for more complex actions. E.g. when regarding object triggers + // a creation or deletion of related object. + // +optional + related?: null | corev1.#ObjectReference @go(Related,*corev1.ObjectReference) @protobuf(9,bytes,opt) + + // note is a human-readable description of the status of this operation. + // Maximal length of the note is 1kB, but libraries should be prepared to + // handle values up to 64kB. + // +optional + note?: string @go(Note) @protobuf(10,bytes,opt) + + // type is the type of this event (Normal, Warning), new types could be added in the future. + // It is machine-readable. + // This field cannot be empty for new Events. + type?: string @go(Type) @protobuf(11,bytes,opt) + + // deprecatedSource is the deprecated field assuring backward compatibility with core.v1 Event type. + // +optional + deprecatedSource?: corev1.#EventSource @go(DeprecatedSource) @protobuf(12,bytes,opt) + + // deprecatedFirstTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type. + // +optional + deprecatedFirstTimestamp?: metav1.#Time @go(DeprecatedFirstTimestamp) @protobuf(13,bytes,opt) + + // deprecatedLastTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type. 
+ // +optional + deprecatedLastTimestamp?: metav1.#Time @go(DeprecatedLastTimestamp) @protobuf(14,bytes,opt) + + // deprecatedCount is the deprecated field assuring backward compatibility with core.v1 Event type. + // +optional + deprecatedCount?: int32 @go(DeprecatedCount) @protobuf(15,varint,opt) +} + +// EventSeries contain information on series of events, i.e. thing that was/is happening +// continuously for some time. How often to update the EventSeries is up to the event reporters. +// The default event reporter in "k8s.io/client-go/tools/events/event_broadcaster.go" shows +// how this struct is updated on heartbeats and can guide customized reporter implementations. +#EventSeries: { + // count is the number of occurrences in this series up to the last heartbeat time. + count: int32 @go(Count) @protobuf(1,varint,opt) + + // lastObservedTime is the time when last Event from the series was seen before last heartbeat. + lastObservedTime: metav1.#MicroTime @go(LastObservedTime) @protobuf(2,bytes,opt) +} + +// EventList is a list of Event objects. +#EventList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is a list of schema objects. + items: [...#Event] @go(Items,[]Event) @protobuf(2,bytes,rep) +} diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/networking/v1/register_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/networking/v1/register_go_gen.cue new file mode 100644 index 000000000..f10426220 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/networking/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/networking/v1 + +package v1 + +#GroupName: "networking.k8s.io" 
diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/networking/v1/types_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/networking/v1/types_go_gen.cue new file mode 100644 index 000000000..bbdc7f2b1 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/networking/v1/types_go_gen.cue 
@@ -0,0 +1,588 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/networking/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/util/intstr" +) + +// NetworkPolicy describes what network traffic is allowed for a set of Pods +#NetworkPolicy: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec represents the specification of the desired behavior for this NetworkPolicy. + // +optional + spec?: #NetworkPolicySpec @go(Spec) @protobuf(2,bytes,opt) +} + +// PolicyType string describes the NetworkPolicy type +// This type is beta-level in 1.8 +// +enum +#PolicyType: string // #enumPolicyType + +#enumPolicyType: + #PolicyTypeIngress | + #PolicyTypeEgress + +// PolicyTypeIngress is a NetworkPolicy that affects ingress traffic on selected pods +#PolicyTypeIngress: #PolicyType & "Ingress" + +// PolicyTypeEgress is a NetworkPolicy that affects egress traffic on selected pods +#PolicyTypeEgress: #PolicyType & "Egress" + +// NetworkPolicySpec provides the specification of a NetworkPolicy +#NetworkPolicySpec: { + // podSelector selects the pods to which this NetworkPolicy object applies. + // The array of ingress rules is applied to any pods selected by this field. + // Multiple network policies can select the same set of pods. In this case, + // the ingress rules for each are combined additively. + // This field is NOT optional and follows standard label selector semantics. + // An empty podSelector matches all pods in this namespace. + podSelector: metav1.#LabelSelector @go(PodSelector) @protobuf(1,bytes,opt) + + // ingress is a list of ingress rules to be applied to the selected pods. 
+ // Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod + // (and cluster policy otherwise allows the traffic), OR if the traffic source is + // the pod's local node, OR if the traffic matches at least one ingress rule + // across all of the NetworkPolicy objects whose podSelector matches the pod. If + // this field is empty then this NetworkPolicy does not allow any traffic (and serves + // solely to ensure that the pods it selects are isolated by default) + // +optional + ingress?: [...#NetworkPolicyIngressRule] @go(Ingress,[]NetworkPolicyIngressRule) @protobuf(2,bytes,rep) + + // egress is a list of egress rules to be applied to the selected pods. Outgoing traffic + // is allowed if there are no NetworkPolicies selecting the pod (and cluster policy + // otherwise allows the traffic), OR if the traffic matches at least one egress rule + // across all of the NetworkPolicy objects whose podSelector matches the pod. If + // this field is empty then this NetworkPolicy limits all outgoing traffic (and serves + // solely to ensure that the pods it selects are isolated by default). + // This field is beta-level in 1.8 + // +optional + egress?: [...#NetworkPolicyEgressRule] @go(Egress,[]NetworkPolicyEgressRule) @protobuf(3,bytes,rep) + + // policyTypes is a list of rule types that the NetworkPolicy relates to. + // Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"]. + // If this field is not specified, it will default based on the existence of ingress or egress rules; + // policies that contain an egress section are assumed to affect egress, and all policies + // (whether or not they contain an ingress section) are assumed to affect ingress. + // If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. 
+ // Likewise, if you want to write a policy that specifies that no egress is allowed, + // you must specify a policyTypes value that include "Egress" (since such a policy would not include + // an egress section and would otherwise default to just [ "Ingress" ]). + // This field is beta-level in 1.8 + // +optional + policyTypes?: [...#PolicyType] @go(PolicyTypes,[]PolicyType) @protobuf(4,bytes,rep,casttype=PolicyType) +} + +// NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods +// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from. +#NetworkPolicyIngressRule: { + // ports is a list of ports which should be made accessible on the pods selected for + // this rule. Each item in this list is combined using a logical OR. If this field is + // empty or missing, this rule matches all ports (traffic not restricted by port). + // If this field is present and contains at least one item, then this rule allows + // traffic only if the traffic matches at least one port in the list. + // +optional + ports?: [...#NetworkPolicyPort] @go(Ports,[]NetworkPolicyPort) @protobuf(1,bytes,rep) + + // from is a list of sources which should be able to access the pods selected for this rule. + // Items in this list are combined using a logical OR operation. If this field is + // empty or missing, this rule matches all sources (traffic not restricted by + // source). If this field is present and contains at least one item, this rule + // allows traffic only if the traffic matches at least one item in the from list. + // +optional + from?: [...#NetworkPolicyPeer] @go(From,[]NetworkPolicyPeer) @protobuf(2,bytes,rep) +} + +// NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods +// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. 
+// This type is beta-level in 1.8 +#NetworkPolicyEgressRule: { + // ports is a list of destination ports for outgoing traffic. + // Each item in this list is combined using a logical OR. If this field is + // empty or missing, this rule matches all ports (traffic not restricted by port). + // If this field is present and contains at least one item, then this rule allows + // traffic only if the traffic matches at least one port in the list. + // +optional + ports?: [...#NetworkPolicyPort] @go(Ports,[]NetworkPolicyPort) @protobuf(1,bytes,rep) + + // to is a list of destinations for outgoing traffic of pods selected for this rule. + // Items in this list are combined using a logical OR operation. If this field is + // empty or missing, this rule matches all destinations (traffic not restricted by + // destination). If this field is present and contains at least one item, this rule + // allows traffic only if the traffic matches at least one item in the to list. + // +optional + to?: [...#NetworkPolicyPeer] @go(To,[]NetworkPolicyPeer) @protobuf(2,bytes,rep) +} + +// NetworkPolicyPort describes a port to allow traffic on +#NetworkPolicyPort: { + // protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. + // If not specified, this field defaults to TCP. + // +optional + protocol?: null | v1.#Protocol @go(Protocol,*v1.Protocol) @protobuf(1,bytes,opt,casttype=k8s.io/api/core/v1.Protocol) + + // port represents the port on the given protocol. This can either be a numerical or named + // port on a pod. If this field is not provided, this matches all port names and + // numbers. + // If present, only traffic on the specified protocol AND port will be matched. + // +optional + port?: null | intstr.#IntOrString @go(Port,*intstr.IntOrString) @protobuf(2,bytes,opt) + + // endPort indicates that the range of ports from port to endPort if set, inclusive, + // should be allowed by the policy. 
This field cannot be defined if the port field + // is not defined or if the port field is defined as a named (string) port. + // The endPort must be equal or greater than port. + // +optional + endPort?: null | int32 @go(EndPort,*int32) @protobuf(3,bytes,opt) +} + +// IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") that is allowed +// to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs +// that should not be included within this rule. +#IPBlock: { + // cidr is a string representing the IPBlock + // Valid examples are "192.168.1.0/24" or "2001:db8::/64" + cidr: string @go(CIDR) @protobuf(1,bytes) + + // except is a slice of CIDRs that should not be included within an IPBlock + // Valid examples are "192.168.1.0/24" or "2001:db8::/64" + // Except values will be rejected if they are outside the cidr range + // +optional + except?: [...string] @go(Except,[]string) @protobuf(2,bytes,rep) +} + +// NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of +// fields are allowed +#NetworkPolicyPeer: { + // podSelector is a label selector which selects pods. This field follows standard label + // selector semantics; if present but empty, it selects all pods. + // + // If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects + // the pods matching podSelector in the Namespaces selected by NamespaceSelector. + // Otherwise it selects the pods matching podSelector in the policy's own namespace. + // +optional + podSelector?: null | metav1.#LabelSelector @go(PodSelector,*metav1.LabelSelector) @protobuf(1,bytes,opt) + + // namespaceSelector selects namespaces using cluster-scoped labels. This field follows + // standard label selector semantics; if present but empty, it selects all namespaces. + // + // If podSelector is also set, then the NetworkPolicyPeer as a whole selects + // the pods matching podSelector in the namespaces selected by namespaceSelector. 
+ // Otherwise it selects all pods in the namespaces selected by namespaceSelector. + // +optional + namespaceSelector?: null | metav1.#LabelSelector @go(NamespaceSelector,*metav1.LabelSelector) @protobuf(2,bytes,opt) + + // ipBlock defines policy on a particular IPBlock. If this field is set then + // neither of the other fields can be. + // +optional + ipBlock?: null | #IPBlock @go(IPBlock,*IPBlock) @protobuf(3,bytes,rep) +} + +// NetworkPolicyList is a list of NetworkPolicy objects. +#NetworkPolicyList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is a list of schema objects. + items: [...#NetworkPolicy] @go(Items,[]NetworkPolicy) @protobuf(2,bytes,rep) +} + +// Ingress is a collection of rules that allow inbound connections to reach the +// endpoints defined by a backend. An Ingress can be configured to give services +// externally-reachable urls, load balance traffic, terminate SSL, offer name +// based virtual hosting etc. +#Ingress: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec is the desired state of the Ingress. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #IngressSpec @go(Spec) @protobuf(2,bytes,opt) + + // status is the current state of the Ingress. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #IngressStatus @go(Status) @protobuf(3,bytes,opt) +} + +// IngressList is a collection of Ingress. 
+#IngressList: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of Ingress. + items: [...#Ingress] @go(Items,[]Ingress) @protobuf(2,bytes,rep) +} + +// IngressSpec describes the Ingress the user wishes to exist. +#IngressSpec: { + // ingressClassName is the name of an IngressClass cluster resource. Ingress + // controller implementations use this field to know whether they should be + // serving this Ingress resource, by a transitive connection + // (controller -> IngressClass -> Ingress resource). Although the + // `kubernetes.io/ingress.class` annotation (simple constant name) was never + // formally defined, it was widely supported by Ingress controllers to create + // a direct binding between Ingress controller and Ingress resources. Newly + // created Ingress resources should prefer using the field. However, even + // though the annotation is officially deprecated, for backwards compatibility + // reasons, ingress controllers should still honor that annotation if present. + // +optional + ingressClassName?: null | string @go(IngressClassName,*string) @protobuf(4,bytes,opt) + + // defaultBackend is the backend that should handle requests that don't + // match any rule. If Rules are not specified, DefaultBackend must be specified. + // If DefaultBackend is not set, the handling of requests that do not match any + // of the rules will be up to the Ingress controller. + // +optional + defaultBackend?: null | #IngressBackend @go(DefaultBackend,*IngressBackend) @protobuf(1,bytes,opt) + + // tls represents the TLS configuration. Currently the Ingress only supports a + // single TLS port, 443. 
If multiple members of this list specify different hosts, + // they will be multiplexed on the same port according to the hostname specified + // through the SNI TLS extension, if the ingress controller fulfilling the + // ingress supports SNI. + // +listType=atomic + // +optional + tls?: [...#IngressTLS] @go(TLS,[]IngressTLS) @protobuf(2,bytes,rep) + + // rules is a list of host rules used to configure the Ingress. If unspecified, + // or no rule matches, all traffic is sent to the default backend. + // +listType=atomic + // +optional + rules?: [...#IngressRule] @go(Rules,[]IngressRule) @protobuf(3,bytes,rep) +} + +// IngressTLS describes the transport layer security associated with an ingress. +#IngressTLS: { + // hosts is a list of hosts included in the TLS certificate. The values in + // this list must match the name/s used in the tlsSecret. Defaults to the + // wildcard host setting for the loadbalancer controller fulfilling this + // Ingress, if left unspecified. + // +listType=atomic + // +optional + hosts?: [...string] @go(Hosts,[]string) @protobuf(1,bytes,rep) + + // secretName is the name of the secret used to terminate TLS traffic on + // port 443. Field is left optional to allow TLS routing based on SNI + // hostname alone. If the SNI host in a listener conflicts with the "Host" + // header field used by an IngressRule, the SNI host is used for termination + // and value of the "Host" header is used for routing. + // +optional + secretName?: string @go(SecretName) @protobuf(2,bytes,opt) +} + +// IngressStatus describe the current state of the Ingress. +#IngressStatus: { + // loadBalancer contains the current status of the load-balancer. + // +optional + loadBalancer?: #IngressLoadBalancerStatus @go(LoadBalancer) @protobuf(1,bytes,opt) +} + +// IngressLoadBalancerStatus represents the status of a load-balancer. +#IngressLoadBalancerStatus: { + // ingress is a list containing ingress points for the load-balancer. 
+ // +optional + ingress?: [...#IngressLoadBalancerIngress] @go(Ingress,[]IngressLoadBalancerIngress) @protobuf(1,bytes,rep) +} + +// IngressLoadBalancerIngress represents the status of a load-balancer ingress point. +#IngressLoadBalancerIngress: { + // ip is set for load-balancer ingress points that are IP based. + // +optional + ip?: string @go(IP) @protobuf(1,bytes,opt) + + // hostname is set for load-balancer ingress points that are DNS based. + // +optional + hostname?: string @go(Hostname) @protobuf(2,bytes,opt) + + // ports provides information about the ports exposed by this LoadBalancer. + // +listType=atomic + // +optional + ports?: [...#IngressPortStatus] @go(Ports,[]IngressPortStatus) @protobuf(4,bytes,rep) +} + +// IngressPortStatus represents the error condition of a service port +#IngressPortStatus: { + // port is the port number of the ingress port. + port: int32 @go(Port) @protobuf(1,varint,opt) + + // protocol is the protocol of the ingress port. + // The supported values are: "TCP", "UDP", "SCTP" + protocol: v1.#Protocol @go(Protocol) @protobuf(2,bytes,opt,casttype=Protocol) + + // error is to record the problem with the service port + // The format of the error shall comply with the following rules: + // - built-in error values shall be specified in this file and those shall use + // CamelCase names + // - cloud provider specific error values must have names that comply with the + // format foo.example.com/CamelCase. + // --- + // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + // +optional + // +kubebuilder:validation:Required + // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` + // +kubebuilder:validation:MaxLength=316 + error?: null | string @go(Error,*string) @protobuf(3,bytes,opt) +} + +// IngressRule represents the rules mapping the paths under a specified host to +// the related backend services. 
Incoming requests are first evaluated for a host +// match, then routed to the backend associated with the matching IngressRuleValue. +#IngressRule: { + // host is the fully qualified domain name of a network host, as defined by RFC 3986. + // Note the following deviations from the "host" part of the + // URI as defined in RFC 3986: + // 1. IPs are not allowed. Currently an IngressRuleValue can only apply to + // the IP in the Spec of the parent Ingress. + // 2. The `:` delimiter is not respected because ports are not allowed. + // Currently the port of an Ingress is implicitly :80 for http and + // :443 for https. + // Both these may change in the future. + // Incoming requests are matched against the host before the + // IngressRuleValue. If the host is unspecified, the Ingress routes all + // traffic based on the specified IngressRuleValue. + // + // host can be "precise" which is a domain name without the terminating dot of + // a network host (e.g. "foo.bar.com") or "wildcard", which is a domain name + // prefixed with a single wildcard label (e.g. "*.foo.com"). + // The wildcard character '*' must appear by itself as the first DNS label and + // matches only a single label. You cannot have a wildcard label by itself (e.g. Host == "*"). + // Requests will be matched against the Host field in the following way: + // 1. If host is precise, the request matches this rule if the http host header is equal to Host. + // 2. If host is a wildcard, then the request matches this rule if the http host header + // is to equal to the suffix (removing the first label) of the wildcard rule. + // +optional + host?: string @go(Host) @protobuf(1,bytes,opt) + + #IngressRuleValue +} + +// IngressRuleValue represents a rule to apply against incoming requests. If the +// rule is satisfied, the request is routed to the specified backend. Currently +// mixing different types of rules in a single Ingress is disallowed, so exactly +// one of the following must be set. 
+#IngressRuleValue: { + // +optional + http?: null | #HTTPIngressRuleValue @go(HTTP,*HTTPIngressRuleValue) @protobuf(1,bytes,opt) +} + +// HTTPIngressRuleValue is a list of http selectors pointing to backends. +// In the example: http:///? -> backend where +// where parts of the url correspond to RFC 3986, this resource will be used +// to match against everything after the last '/' and before the first '?' +// or '#'. +#HTTPIngressRuleValue: { + // paths is a collection of paths that map requests to backends. + // +listType=atomic + paths: [...#HTTPIngressPath] @go(Paths,[]HTTPIngressPath) @protobuf(1,bytes,rep) +} + +// PathType represents the type of path referred to by a HTTPIngressPath. +// +enum +#PathType: string // #enumPathType + +#enumPathType: + #PathTypeExact | + #PathTypePrefix | + #PathTypeImplementationSpecific + +// PathTypeExact matches the URL path exactly and with case sensitivity. +#PathTypeExact: #PathType & "Exact" + +// PathTypePrefix matches based on a URL path prefix split by '/'. Matching +// is case sensitive and done on a path element by element basis. A path +// element refers to the list of labels in the path split by the '/' +// separator. A request is a match for path p if every p is an element-wise +// prefix of p of the request path. Note that if the last element of the +// path is a substring of the last element in request path, it is not a +// match (e.g. /foo/bar matches /foo/bar/baz, but does not match +// /foo/barbaz). If multiple matching paths exist in an Ingress spec, the +// longest matching path is given priority. +// Examples: +// - /foo/bar does not match requests to /foo/barbaz +// - /foo/bar matches request to /foo/bar and /foo/bar/baz +// - /foo and /foo/ both match requests to /foo and /foo/. If both paths are +// present in an Ingress spec, the longest matching path (/foo/) is given +// priority. +#PathTypePrefix: #PathType & "Prefix" + +// PathTypeImplementationSpecific matching is up to the IngressClass. 
+// Implementations can treat this as a separate PathType or treat it +// identically to Prefix or Exact path types. +#PathTypeImplementationSpecific: #PathType & "ImplementationSpecific" + +// HTTPIngressPath associates a path with a backend. Incoming urls matching the +// path are forwarded to the backend. +#HTTPIngressPath: { + // path is matched against the path of an incoming request. Currently it can + // contain characters disallowed from the conventional "path" part of a URL + // as defined by RFC 3986. Paths must begin with a '/' and must be present + // when using PathType with value "Exact" or "Prefix". + // +optional + path?: string @go(Path) @protobuf(1,bytes,opt) + + // pathType determines the interpretation of the path matching. PathType can + // be one of the following values: + // * Exact: Matches the URL path exactly. + // * Prefix: Matches based on a URL path prefix split by '/'. Matching is + // done on a path element by element basis. A path element refers is the + // list of labels in the path split by the '/' separator. A request is a + // match for path p if every p is an element-wise prefix of p of the + // request path. Note that if the last element of the path is a substring + // of the last element in request path, it is not a match (e.g. /foo/bar + // matches /foo/bar/baz, but does not match /foo/barbaz). + // * ImplementationSpecific: Interpretation of the Path matching is up to + // the IngressClass. Implementations can treat this as a separate PathType + // or treat it identically to Prefix or Exact path types. + // Implementations are required to support all path types. + pathType?: null | #PathType @go(PathType,*PathType) @protobuf(3,bytes,opt) + + // backend defines the referenced service endpoint to which the traffic + // will be forwarded to. + backend: #IngressBackend @go(Backend) @protobuf(2,bytes,opt) +} + +// IngressBackend describes all endpoints for a given service and port. 
+#IngressBackend: { + // service references a service as a backend. + // This is a mutually exclusive setting with "Resource". + // +optional + service?: null | #IngressServiceBackend @go(Service,*IngressServiceBackend) @protobuf(4,bytes,opt) + + // resource is an ObjectRef to another Kubernetes resource in the namespace + // of the Ingress object. If resource is specified, a service.Name and + // service.Port must not be specified. + // This is a mutually exclusive setting with "Service". + // +optional + resource?: null | v1.#TypedLocalObjectReference @go(Resource,*v1.TypedLocalObjectReference) @protobuf(3,bytes,opt) +} + +// IngressServiceBackend references a Kubernetes Service as a Backend. +#IngressServiceBackend: { + // name is the referenced service. The service must exist in + // the same namespace as the Ingress object. + name: string @go(Name) @protobuf(1,bytes,opt) + + // port of the referenced service. A port name or port number + // is required for a IngressServiceBackend. + port?: #ServiceBackendPort @go(Port) @protobuf(2,bytes,opt) +} + +// ServiceBackendPort is the service port being referenced. +#ServiceBackendPort: { + // name is the name of the port on the Service. + // This is a mutually exclusive setting with "Number". + // +optional + name?: string @go(Name) @protobuf(1,bytes,opt) + + // number is the numerical port number (e.g. 80) on the Service. + // This is a mutually exclusive setting with "Name". + // +optional + number?: int32 @go(Number) @protobuf(2,bytes,opt) +} + +// IngressClass represents the class of the Ingress, referenced by the Ingress +// Spec. The `ingressclass.kubernetes.io/is-default-class` annotation can be +// used to indicate that an IngressClass should be considered default. When a +// single IngressClass resource has this annotation set to true, new Ingress +// resources without a class specified will be assigned this default class. +#IngressClass: { + metav1.#TypeMeta + + // Standard object's metadata. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec is the desired state of the IngressClass. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #IngressClassSpec @go(Spec) @protobuf(2,bytes,opt) +} + +// IngressClassSpec provides information about the class of an Ingress. +#IngressClassSpec: { + // controller refers to the name of the controller that should handle this + // class. This allows for different "flavors" that are controlled by the + // same controller. For example, you may have different parameters for the + // same implementing controller. This should be specified as a + // domain-prefixed path no more than 250 characters in length, e.g. + // "acme.io/ingress-controller". This field is immutable. + controller?: string @go(Controller) @protobuf(1,bytes,opt) + + // parameters is a link to a custom resource containing additional + // configuration for the controller. This is optional if the controller does + // not require extra parameters. + // +optional + parameters?: null | #IngressClassParametersReference @go(Parameters,*IngressClassParametersReference) @protobuf(2,bytes,opt) +} + +// IngressClassParametersReferenceScopeNamespace indicates that the +// referenced Parameters resource is namespace-scoped. +#IngressClassParametersReferenceScopeNamespace: "Namespace" + +// IngressClassParametersReferenceScopeCluster indicates that the +// referenced Parameters resource is cluster-scoped. +#IngressClassParametersReferenceScopeCluster: "Cluster" + +// IngressClassParametersReference identifies an API object. This can be used +// to specify a cluster or namespace-scoped resource. +#IngressClassParametersReference: { + // apiGroup is the group for the resource being referenced. 
If APIGroup is + // not specified, the specified Kind must be in the core API group. For any + // other third-party types, APIGroup is required. + // +optional + apiGroup?: null | string @go(APIGroup,*string) @protobuf(1,bytes,opt,name=aPIGroup) + + // kind is the type of resource being referenced. + kind: string @go(Kind) @protobuf(2,bytes,opt) + + // name is the name of resource being referenced. + name: string @go(Name) @protobuf(3,bytes,opt) + + // scope represents if this refers to a cluster or namespace scoped resource. + // This may be set to "Cluster" (default) or "Namespace". + // +optional + scope?: null | string @go(Scope,*string) @protobuf(4,bytes,opt) + + // namespace is the namespace of the resource being referenced. This field is + // required when scope is set to "Namespace" and must be unset when scope is set to + // "Cluster". + // +optional + namespace?: null | string @go(Namespace,*string) @protobuf(5,bytes,opt) +} + +// IngressClassList is a collection of IngressClasses. +#IngressClassList: { + metav1.#TypeMeta + + // Standard list metadata. + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of IngressClasses. + items: [...#IngressClass] @go(Items,[]IngressClass) @protobuf(2,bytes,rep) +} diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/networking/v1/well_known_annotations_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/networking/v1/well_known_annotations_go_gen.cue new file mode 100644 index 000000000..bee74f4b6 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/networking/v1/well_known_annotations_go_gen.cue 
@@ -0,0 +1,11 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/networking/v1 + +package v1 + +// AnnotationIsDefaultIngressClass can be used to indicate that an +// IngressClass should be considered default. When a single IngressClass +// resource has this annotation set to true, new Ingress resources without a +// class specified will be assigned this default class. +#AnnotationIsDefaultIngressClass: "ingressclass.kubernetes.io/is-default-class" diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/node/v1/register_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/node/v1/register_go_gen.cue new file mode 100644 index 000000000..5969b44fa --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/node/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/node/v1 + +package v1 + +#GroupName: "node.k8s.io" diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/node/v1/types_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/node/v1/types_go_gen.cue new file mode 100644 index 000000000..3934557c9 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/node/v1/types_go_gen.cue 
@@ -0,0 +1,90 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/node/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + corev1 "k8s.io/api/core/v1" +) + +// RuntimeClass defines a class of container runtime supported in the cluster. +// The RuntimeClass is used to determine which container runtime is used to run +// all containers in a pod. RuntimeClasses are manually defined by a +// user or cluster provisioner, and referenced in the PodSpec. The Kubelet is +// responsible for resolving the RuntimeClassName reference before running the +// pod. For more details, see +// https://kubernetes.io/docs/concepts/containers/runtime-class/ +#RuntimeClass: { + metav1.#TypeMeta + + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // handler specifies the underlying runtime and configuration that the CRI + // implementation will use to handle pods of this class. The possible values + // are specific to the node & CRI configuration. It is assumed that all + // handlers are available on every node, and handlers of the same name are + // equivalent on every node. + // For example, a handler called "runc" might specify that the runc OCI + // runtime (using native Linux containers) will be used to run the containers + // in a pod. + // The Handler must be lowercase, conform to the DNS Label (RFC 1123) requirements, + // and is immutable. + handler: string @go(Handler) @protobuf(2,bytes,opt) + + // overhead represents the resource overhead associated with running a pod for a + // given RuntimeClass. 
For more details, see + // https://kubernetes.io/docs/concepts/scheduling-eviction/pod-overhead/ + // +optional + overhead?: null | #Overhead @go(Overhead,*Overhead) @protobuf(3,bytes,opt) + + // scheduling holds the scheduling constraints to ensure that pods running + // with this RuntimeClass are scheduled to nodes that support it. + // If scheduling is nil, this RuntimeClass is assumed to be supported by all + // nodes. + // +optional + scheduling?: null | #Scheduling @go(Scheduling,*Scheduling) @protobuf(4,bytes,opt) +} + +// Overhead structure represents the resource overhead associated with running a pod. +#Overhead: { + // podFixed represents the fixed resource overhead associated with running a pod. + // +optional + podFixed?: corev1.#ResourceList @go(PodFixed) @protobuf(1,bytes,opt,casttype=k8s.io/api/core/v1.ResourceList,castkey=k8s.io/api/core/v1.ResourceName,castvalue=k8s.io/apimachinery/pkg/api/resource.Quantity) +} + +// Scheduling specifies the scheduling constraints for nodes supporting a +// RuntimeClass. +#Scheduling: { + // nodeSelector lists labels that must be present on nodes that support this + // RuntimeClass. Pods using this RuntimeClass can only be scheduled to a + // node matched by this selector. The RuntimeClass nodeSelector is merged + // with a pod's existing nodeSelector. Any conflicts will cause the pod to + // be rejected in admission. + // +optional + // +mapType=atomic + nodeSelector?: {[string]: string} @go(NodeSelector,map[string]string) @protobuf(1,bytes,opt) + + // tolerations are appended (excluding duplicates) to pods running with this + // RuntimeClass during admission, effectively unioning the set of nodes + // tolerated by the pod and the RuntimeClass. + // +optional + // +listType=atomic + tolerations?: [...corev1.#Toleration] @go(Tolerations,[]corev1.Toleration) @protobuf(2,bytes,rep) +} + +// RuntimeClassList is a list of RuntimeClass objects. +#RuntimeClassList: { + metav1.#TypeMeta + + // Standard list metadata. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is a list of schema objects. + items: [...#RuntimeClass] @go(Items,[]RuntimeClass) @protobuf(2,bytes,rep) +} diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/policy/v1/doc_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/policy/v1/doc_go_gen.cue new file mode 100644 index 000000000..dedcdc34b --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/policy/v1/doc_go_gen.cue @@ -0,0 +1,8 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/policy/v1 + +// Package policy is for any kind of policy object. Suitable examples, even if +// they aren't all here, are PodDisruptionBudget, PodSecurityPolicy, +// NetworkPolicy, etc. +package v1 diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/policy/v1/register_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/policy/v1/register_go_gen.cue new file mode 100644 index 000000000..e38fa373b --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/policy/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/policy/v1 + +package v1 + +#GroupName: "policy" diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/policy/v1/types_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/policy/v1/types_go_gen.cue new file mode 100644 index 000000000..5901cc6db --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/policy/v1/types_go_gen.cue 
@@ -0,0 +1,204 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/policy/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/intstr" +) + +#DisruptionBudgetCause: metav1.#CauseType & "DisruptionBudget" + +// PodDisruptionBudgetSpec is a description of a PodDisruptionBudget. +#PodDisruptionBudgetSpec: { + // An eviction is allowed if at least "minAvailable" pods selected by + // "selector" will still be available after the eviction, i.e. even in the + // absence of the evicted pod. So for example you can prevent all voluntary + // evictions by specifying "100%". + // +optional + minAvailable?: null | intstr.#IntOrString @go(MinAvailable,*intstr.IntOrString) @protobuf(1,bytes,opt) + + // Label query over pods whose evictions are managed by the disruption + // budget. + // A null selector will match no pods, while an empty ({}) selector will select + // all pods within the namespace. + // +patchStrategy=replace + // +optional + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt) + + // An eviction is allowed if at most "maxUnavailable" pods selected by + // "selector" are unavailable after the eviction, i.e. even in absence of + // the evicted pod. For example, one can prevent all voluntary evictions + // by specifying 0. This is a mutually exclusive setting with "minAvailable". + // +optional + maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(3,bytes,opt) + + // UnhealthyPodEvictionPolicy defines the criteria for when unhealthy pods + // should be considered for eviction. Current implementation considers healthy pods, + // as pods that have status.conditions item with type="Ready",status="True". + // + // Valid policies are IfHealthyBudget and AlwaysAllow. + // If no policy is specified, the default behavior will be used, + // which corresponds to the IfHealthyBudget policy. 
+ // + // IfHealthyBudget policy means that running pods (status.phase="Running"), + // but not yet healthy can be evicted only if the guarded application is not + // disrupted (status.currentHealthy is at least equal to status.desiredHealthy). + // Healthy pods will be subject to the PDB for eviction. + // + // AlwaysAllow policy means that all running pods (status.phase="Running"), + // but not yet healthy are considered disrupted and can be evicted regardless + // of whether the criteria in a PDB is met. This means perspective running + // pods of a disrupted application might not get a chance to become healthy. + // Healthy pods will be subject to the PDB for eviction. + // + // Additional policies may be added in the future. + // Clients making eviction decisions should disallow eviction of unhealthy pods + // if they encounter an unrecognized policy in this field. + // + // This field is beta-level. The eviction API uses this field when + // the feature gate PDBUnhealthyPodEvictionPolicy is enabled (enabled by default). + // +optional + unhealthyPodEvictionPolicy?: null | #UnhealthyPodEvictionPolicyType @go(UnhealthyPodEvictionPolicy,*UnhealthyPodEvictionPolicyType) @protobuf(4,bytes,opt) +} + +// UnhealthyPodEvictionPolicyType defines the criteria for when unhealthy pods +// should be considered for eviction. +// +enum +#UnhealthyPodEvictionPolicyType: string // #enumUnhealthyPodEvictionPolicyType + +#enumUnhealthyPodEvictionPolicyType: + #IfHealthyBudget | + #AlwaysAllow + +// IfHealthyBudget policy means that running pods (status.phase="Running"), +// but not yet healthy can be evicted only if the guarded application is not +// disrupted (status.currentHealthy is at least equal to status.desiredHealthy). +// Healthy pods will be subject to the PDB for eviction. 
+#IfHealthyBudget: #UnhealthyPodEvictionPolicyType & "IfHealthyBudget" + +// AlwaysAllow policy means that all running pods (status.phase="Running"), +// but not yet healthy are considered disrupted and can be evicted regardless +// of whether the criteria in a PDB is met. This means perspective running +// pods of a disrupted application might not get a chance to become healthy. +// Healthy pods will be subject to the PDB for eviction. +#AlwaysAllow: #UnhealthyPodEvictionPolicyType & "AlwaysAllow" + +// PodDisruptionBudgetStatus represents information about the status of a +// PodDisruptionBudget. Status may trail the actual state of a system. +#PodDisruptionBudgetStatus: { + // Most recent generation observed when updating this PDB status. DisruptionsAllowed and other + // status information is valid only if observedGeneration equals to PDB's object generation. + // +optional + observedGeneration?: int64 @go(ObservedGeneration) @protobuf(1,varint,opt) + + // DisruptedPods contains information about pods whose eviction was + // processed by the API server eviction subresource handler but has not + // yet been observed by the PodDisruptionBudget controller. + // A pod will be in this map from the time when the API server processed the + // eviction request to the time when the pod is seen by PDB controller + // as having been marked for deletion (or after a timeout). The key in the map is the name of the pod + // and the value is the time when the API server processed the eviction request. If + // the deletion didn't occur and a pod is still there it will be removed from + // the list automatically by PodDisruptionBudget controller after some time. + // If everything goes smooth this map should be empty for the most of the time. + // Large number of entries in the map may indicate problems with pod deletions. 
+ // +optional + disruptedPods?: {[string]: metav1.#Time} @go(DisruptedPods,map[string]metav1.Time) @protobuf(2,bytes,rep) + + // Number of pod disruptions that are currently allowed. + disruptionsAllowed: int32 @go(DisruptionsAllowed) @protobuf(3,varint,opt) + + // current number of healthy pods + currentHealthy: int32 @go(CurrentHealthy) @protobuf(4,varint,opt) + + // minimum desired number of healthy pods + desiredHealthy: int32 @go(DesiredHealthy) @protobuf(5,varint,opt) + + // total number of pods counted by this disruption budget + expectedPods: int32 @go(ExpectedPods) @protobuf(6,varint,opt) + + // Conditions contain conditions for PDB. The disruption controller sets the + // DisruptionAllowed condition. The following are known values for the reason field + // (additional reasons could be added in the future): + // - SyncFailed: The controller encountered an error and wasn't able to compute + // the number of allowed disruptions. Therefore no disruptions are + // allowed and the status of the condition will be False. + // - InsufficientPods: The number of pods are either at or below the number + // required by the PodDisruptionBudget. No disruptions are + // allowed and the status of the condition will be False. + // - SufficientPods: There are more pods than required by the PodDisruptionBudget. + // The condition will be True, and the number of allowed + // disruptions are provided by the disruptionsAllowed property. + // + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + conditions?: [...metav1.#Condition] @go(Conditions,[]metav1.Condition) @protobuf(7,bytes,rep) +} + +// DisruptionAllowedCondition is a condition set by the disruption controller +// that signal whether any of the pods covered by the PDB can be disrupted. 
+#DisruptionAllowedCondition: "DisruptionAllowed" + +// SyncFailedReason is set on the DisruptionAllowed condition if reconcile +// of the PDB failed and therefore disruption of pods are not allowed. +#SyncFailedReason: "SyncFailed" + +// SufficientPodsReason is set on the DisruptionAllowed condition if there are +// more pods covered by the PDB than required and at least one can be disrupted. +#SufficientPodsReason: "SufficientPods" + +// InsufficientPodsReason is set on the DisruptionAllowed condition if the number +// of pods are equal to or fewer than required by the PDB. +#InsufficientPodsReason: "InsufficientPods" + +// PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods +#PodDisruptionBudget: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Specification of the desired behavior of the PodDisruptionBudget. + // +optional + spec?: #PodDisruptionBudgetSpec @go(Spec) @protobuf(2,bytes,opt) + + // Most recently observed status of the PodDisruptionBudget. + // +optional + status?: #PodDisruptionBudgetStatus @go(Status) @protobuf(3,bytes,opt) +} + +// PodDisruptionBudgetList is a collection of PodDisruptionBudgets. +#PodDisruptionBudgetList: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of PodDisruptionBudgets + items: [...#PodDisruptionBudget] @go(Items,[]PodDisruptionBudget) @protobuf(2,bytes,rep) +} + +// Eviction evicts a pod from its node subject to certain policies and safety constraints. +// This is a subresource of Pod. 
A request to cause such an eviction is +// created by POSTing to .../pods//evictions. +#Eviction: { + metav1.#TypeMeta + + // ObjectMeta describes the pod that is being evicted. + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // DeleteOptions may be provided + // +optional + deleteOptions?: null | metav1.#DeleteOptions @go(DeleteOptions,*metav1.DeleteOptions) @protobuf(2,bytes,opt) +} diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/rbac/v1/register_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/rbac/v1/register_go_gen.cue new file mode 100644 index 000000000..1c83e8b4f --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/rbac/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/rbac/v1 + +package v1 + +#GroupName: "rbac.authorization.k8s.io" diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/rbac/v1/types_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/rbac/v1/types_go_gen.cue new file mode 100644 index 000000000..521e355e9 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/rbac/v1/types_go_gen.cue 
@@ -0,0 +1,207 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/rbac/v1 + +package v1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +#APIGroupAll: "*" +#ResourceAll: "*" +#VerbAll: "*" +#NonResourceAll: "*" +#GroupKind: "Group" +#ServiceAccountKind: "ServiceAccount" +#UserKind: "User" + +// AutoUpdateAnnotationKey is the name of an annotation which prevents reconciliation if set to "false" +#AutoUpdateAnnotationKey: "rbac.authorization.kubernetes.io/autoupdate" + +// PolicyRule holds information that describes a policy rule, but does not contain information +// about who the rule applies to or which namespace the rule applies to. +#PolicyRule: { + // Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs. + verbs: [...string] @go(Verbs,[]string) @protobuf(1,bytes,rep) + + // APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of + // the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups. + // +optional + apiGroups?: [...string] @go(APIGroups,[]string) @protobuf(2,bytes,rep) + + // Resources is a list of resources this rule applies to. '*' represents all resources. + // +optional + resources?: [...string] @go(Resources,[]string) @protobuf(3,bytes,rep) + + // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. + // +optional + resourceNames?: [...string] @go(ResourceNames,[]string) @protobuf(4,bytes,rep) + + // NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path + // Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. 
+ // Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both. + // +optional + nonResourceURLs?: [...string] @go(NonResourceURLs,[]string) @protobuf(5,bytes,rep) +} + +// Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, +// or a value for non-objects such as user and group names. +// +structType=atomic +#Subject: { + // Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + // If the Authorizer does not recognized the kind value, the Authorizer should report an error. + kind: string @go(Kind) @protobuf(1,bytes,opt) + + // APIGroup holds the API group of the referenced subject. + // Defaults to "" for ServiceAccount subjects. + // Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + // +optional + apiGroup?: string @go(APIGroup) @protobuf(2,bytes,opt.name=apiGroup) + + // Name of the object being referenced. + name: string @go(Name) @protobuf(3,bytes,opt) + + // Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + // the Authorizer should report an error. + // +optional + namespace?: string @go(Namespace) @protobuf(4,bytes,opt) +} + +// RoleRef contains information that points to the role being used +// +structType=atomic +#RoleRef: { + // APIGroup is the group for the resource being referenced + apiGroup: string @go(APIGroup) @protobuf(1,bytes,opt) + + // Kind is the type of resource being referenced + kind: string @go(Kind) @protobuf(2,bytes,opt) + + // Name is the name of resource being referenced + name: string @go(Name) @protobuf(3,bytes,opt) +} + +// Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding. +#Role: { + metav1.#TypeMeta + + // Standard object's metadata. 
+ // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Rules holds all the PolicyRules for this Role + // +optional + rules: [...#PolicyRule] @go(Rules,[]PolicyRule) @protobuf(2,bytes,rep) +} + +// RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. +// It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given +// namespace only have effect in that namespace. +#RoleBinding: { + metav1.#TypeMeta + + // Standard object's metadata. + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Subjects holds references to the objects the role applies to. + // +optional + subjects?: [...#Subject] @go(Subjects,[]Subject) @protobuf(2,bytes,rep) + + // RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. + // If the RoleRef cannot be resolved, the Authorizer must return an error. + // This field is immutable. + roleRef: #RoleRef @go(RoleRef) @protobuf(3,bytes,opt) +} + +// RoleBindingList is a collection of RoleBindings +#RoleBindingList: { + metav1.#TypeMeta + + // Standard object's metadata. + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of RoleBindings + items: [...#RoleBinding] @go(Items,[]RoleBinding) @protobuf(2,bytes,rep) +} + +// RoleList is a collection of Roles +#RoleList: { + metav1.#TypeMeta + + // Standard object's metadata. + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of Roles + items: [...#Role] @go(Items,[]Role) @protobuf(2,bytes,rep) +} + +// ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding. +#ClusterRole: { + metav1.#TypeMeta + + // Standard object's metadata. 
+ // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Rules holds all the PolicyRules for this ClusterRole + // +optional + rules: [...#PolicyRule] @go(Rules,[]PolicyRule) @protobuf(2,bytes,rep) + + // AggregationRule is an optional field that describes how to build the Rules for this ClusterRole. + // If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be + // stomped by the controller. + // +optional + aggregationRule?: null | #AggregationRule @go(AggregationRule,*AggregationRule) @protobuf(3,bytes,opt) +} + +// AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole +#AggregationRule: { + // ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. + // If any of the selectors match, then the ClusterRole's permissions will be added + // +optional + clusterRoleSelectors?: [...metav1.#LabelSelector] @go(ClusterRoleSelectors,[]metav1.LabelSelector) @protobuf(1,bytes,rep) +} + +// ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, +// and adds who information via Subject. +#ClusterRoleBinding: { + metav1.#TypeMeta + + // Standard object's metadata. + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Subjects holds references to the objects the role applies to. + // +optional + subjects?: [...#Subject] @go(Subjects,[]Subject) @protobuf(2,bytes,rep) + + // RoleRef can only reference a ClusterRole in the global namespace. + // If the RoleRef cannot be resolved, the Authorizer must return an error. + // This field is immutable. + roleRef: #RoleRef @go(RoleRef) @protobuf(3,bytes,opt) +} + +// ClusterRoleBindingList is a collection of ClusterRoleBindings +#ClusterRoleBindingList: { + metav1.#TypeMeta + + // Standard object's metadata. 
+ // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of ClusterRoleBindings + items: [...#ClusterRoleBinding] @go(Items,[]ClusterRoleBinding) @protobuf(2,bytes,rep) +} + +// ClusterRoleList is a collection of ClusterRoles +#ClusterRoleList: { + metav1.#TypeMeta + + // Standard object's metadata. + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of ClusterRoles + items: [...#ClusterRole] @go(Items,[]ClusterRole) @protobuf(2,bytes,rep) +} diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/scheduling/v1/register_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/scheduling/v1/register_go_gen.cue new file mode 100644 index 000000000..8cc2b5f28 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/scheduling/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/scheduling/v1 + +package v1 + +#GroupName: "scheduling.k8s.io" diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/scheduling/v1/types_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/scheduling/v1/types_go_gen.cue new file mode 100644 index 000000000..1d8f95746 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/scheduling/v1/types_go_gen.cue 
@@ -0,0 +1,57 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/scheduling/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + apiv1 "k8s.io/api/core/v1" +) + +// PriorityClass defines mapping from a priority class name to the priority +// integer value. The value can be any valid integer. +#PriorityClass: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // value represents the integer value of this priority class. This is the actual priority that pods + // receive when they have the name of this class in their pod spec. + value: int32 @go(Value) @protobuf(2,bytes,opt) + + // globalDefault specifies whether this PriorityClass should be considered as + // the default priority for pods that do not have any priority class. + // Only one PriorityClass can be marked as `globalDefault`. However, if more than + // one PriorityClasses exists with their `globalDefault` field set to true, + // the smallest value of such global default PriorityClasses will be used as the default priority. + // +optional + globalDefault?: bool @go(GlobalDefault) @protobuf(3,bytes,opt) + + // description is an arbitrary string that usually provides guidelines on + // when this priority class should be used. + // +optional + description?: string @go(Description) @protobuf(4,bytes,opt) + + // preemptionPolicy is the Policy for preempting pods with lower priority. + // One of Never, PreemptLowerPriority. + // Defaults to PreemptLowerPriority if unset. + // +optional + preemptionPolicy?: null | apiv1.#PreemptionPolicy @go(PreemptionPolicy,*apiv1.PreemptionPolicy) @protobuf(5,bytes,opt) +} + +// PriorityClassList is a collection of priority classes. 
+#PriorityClassList: { + metav1.#TypeMeta + + // Standard list metadata + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of PriorityClasses + items: [...#PriorityClass] @go(Items,[]PriorityClass) @protobuf(2,bytes,rep) +} diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/storage/v1/register_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/storage/v1/register_go_gen.cue new file mode 100644 index 000000000..641ce60cc --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/storage/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/storage/v1 + +package v1 + +#GroupName: "storage.k8s.io" diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/storage/v1/types_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/storage/v1/types_go_gen.cue new file mode 100644 index 000000000..b5158650b --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/api/storage/v1/types_go_gen.cue 
@@ -0,0 +1,652 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/storage/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/resource" +) + +// StorageClass describes the parameters for a class of storage for +// which PersistentVolumes can be dynamically provisioned. +// +// StorageClasses are non-namespaced; the name of the storage class +// according to etcd is in ObjectMeta.Name. +#StorageClass: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // provisioner indicates the type of the provisioner. + provisioner: string @go(Provisioner) @protobuf(2,bytes,opt) + + // parameters holds the parameters for the provisioner that should + // create volumes of this storage class. + // +optional + parameters?: {[string]: string} @go(Parameters,map[string]string) @protobuf(3,bytes,rep) + + // reclaimPolicy controls the reclaimPolicy for dynamically provisioned PersistentVolumes of this storage class. + // Defaults to Delete. + // +optional + reclaimPolicy?: null | v1.#PersistentVolumeReclaimPolicy @go(ReclaimPolicy,*v1.PersistentVolumeReclaimPolicy) @protobuf(4,bytes,opt,casttype=k8s.io/api/core/v1.PersistentVolumeReclaimPolicy) + + // mountOptions controls the mountOptions for dynamically provisioned PersistentVolumes of this storage class. + // e.g. ["ro", "soft"]. Not validated - + // mount of the PVs will simply fail if one is invalid. + // +optional + mountOptions?: [...string] @go(MountOptions,[]string) @protobuf(5,bytes,opt) + + // allowVolumeExpansion shows whether the storage class allow volume expand. 
+ // +optional + allowVolumeExpansion?: null | bool @go(AllowVolumeExpansion,*bool) @protobuf(6,varint,opt) + + // volumeBindingMode indicates how PersistentVolumeClaims should be + // provisioned and bound. When unset, VolumeBindingImmediate is used. + // This field is only honored by servers that enable the VolumeScheduling feature. + // +optional + volumeBindingMode?: null | #VolumeBindingMode @go(VolumeBindingMode,*VolumeBindingMode) @protobuf(7,bytes,opt) + + // allowedTopologies restrict the node topologies where volumes can be dynamically provisioned. + // Each volume plugin defines its own supported topology specifications. + // An empty TopologySelectorTerm list means there is no topology restriction. + // This field is only honored by servers that enable the VolumeScheduling feature. + // +optional + // +listType=atomic + allowedTopologies?: [...v1.#TopologySelectorTerm] @go(AllowedTopologies,[]v1.TopologySelectorTerm) @protobuf(8,bytes,rep) +} + +// StorageClassList is a collection of storage classes. +#StorageClassList: { + metav1.#TypeMeta + + // Standard list metadata + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of StorageClasses + items: [...#StorageClass] @go(Items,[]StorageClass) @protobuf(2,bytes,rep) +} + +// VolumeBindingMode indicates how PersistentVolumeClaims should be bound. +// +enum +#VolumeBindingMode: string // #enumVolumeBindingMode + +#enumVolumeBindingMode: + #VolumeBindingImmediate | + #VolumeBindingWaitForFirstConsumer + +// VolumeBindingImmediate indicates that PersistentVolumeClaims should be +// immediately provisioned and bound. This is the default mode. 
+#VolumeBindingImmediate: #VolumeBindingMode & "Immediate" + +// VolumeBindingWaitForFirstConsumer indicates that PersistentVolumeClaims +// should not be provisioned and bound until the first Pod is created that +// references the PeristentVolumeClaim. The volume provisioning and +// binding will occur during Pod scheduing. +#VolumeBindingWaitForFirstConsumer: #VolumeBindingMode & "WaitForFirstConsumer" + +// VolumeAttachment captures the intent to attach or detach the specified volume +// to/from the specified node. +// +// VolumeAttachment objects are non-namespaced. +#VolumeAttachment: { + metav1.#TypeMeta + + // Standard object metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec represents specification of the desired attach/detach volume behavior. + // Populated by the Kubernetes system. + spec: #VolumeAttachmentSpec @go(Spec) @protobuf(2,bytes,opt) + + // status represents status of the VolumeAttachment request. + // Populated by the entity completing the attach or detach + // operation, i.e. the external-attacher. + // +optional + status?: #VolumeAttachmentStatus @go(Status) @protobuf(3,bytes,opt) +} + +// VolumeAttachmentList is a collection of VolumeAttachment objects. +#VolumeAttachmentList: { + metav1.#TypeMeta + + // Standard list metadata + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of VolumeAttachments + items: [...#VolumeAttachment] @go(Items,[]VolumeAttachment) @protobuf(2,bytes,rep) +} + +// VolumeAttachmentSpec is the specification of a VolumeAttachment request. +#VolumeAttachmentSpec: { + // attacher indicates the name of the volume driver that MUST handle this + // request. 
This is the name returned by GetPluginName(). + attacher: string @go(Attacher) @protobuf(1,bytes,opt) + + // source represents the volume that should be attached. + source: #VolumeAttachmentSource @go(Source) @protobuf(2,bytes,opt) + + // nodeName represents the node that the volume should be attached to. + nodeName: string @go(NodeName) @protobuf(3,bytes,opt) +} + +// VolumeAttachmentSource represents a volume that should be attached. +// Right now only PersistenVolumes can be attached via external attacher, +// in future we may allow also inline volumes in pods. +// Exactly one member can be set. +#VolumeAttachmentSource: { + // persistentVolumeName represents the name of the persistent volume to attach. + // +optional + persistentVolumeName?: null | string @go(PersistentVolumeName,*string) @protobuf(1,bytes,opt) + + // inlineVolumeSpec contains all the information necessary to attach + // a persistent volume defined by a pod's inline VolumeSource. This field + // is populated only for the CSIMigration feature. It contains + // translated fields from a pod's inline VolumeSource to a + // PersistentVolumeSpec. This field is beta-level and is only + // honored by servers that enabled the CSIMigration feature. + // +optional + inlineVolumeSpec?: null | v1.#PersistentVolumeSpec @go(InlineVolumeSpec,*v1.PersistentVolumeSpec) @protobuf(2,bytes,opt) +} + +// VolumeAttachmentStatus is the status of a VolumeAttachment request. +#VolumeAttachmentStatus: { + // attached indicates the volume is successfully attached. + // This field must only be set by the entity completing the attach + // operation, i.e. the external-attacher. + attached: bool @go(Attached) @protobuf(1,varint,opt) + + // attachmentMetadata is populated with any + // information returned by the attach operation, upon successful attach, that must be passed + // into subsequent WaitForAttach or Mount calls. + // This field must only be set by the entity completing the attach + // operation, i.e. 
the external-attacher. + // +optional + attachmentMetadata?: {[string]: string} @go(AttachmentMetadata,map[string]string) @protobuf(2,bytes,rep) + + // attachError represents the last error encountered during attach operation, if any. + // This field must only be set by the entity completing the attach + // operation, i.e. the external-attacher. + // +optional + attachError?: null | #VolumeError @go(AttachError,*VolumeError) @protobuf(3,bytes,opt,casttype=VolumeError) + + // detachError represents the last error encountered during detach operation, if any. + // This field must only be set by the entity completing the detach + // operation, i.e. the external-attacher. + // +optional + detachError?: null | #VolumeError @go(DetachError,*VolumeError) @protobuf(4,bytes,opt,casttype=VolumeError) +} + +// VolumeError captures an error encountered during a volume operation. +#VolumeError: { + // time represents the time the error was encountered. + // +optional + time?: metav1.#Time @go(Time) @protobuf(1,bytes,opt) + + // message represents the error encountered during Attach or Detach operation. + // This string may be logged, so it should not contain sensitive + // information. + // +optional + message?: string @go(Message) @protobuf(2,bytes,opt) +} + +// CSIDriver captures information about a Container Storage Interface (CSI) +// volume driver deployed on the cluster. +// Kubernetes attach detach controller uses this object to determine whether attach is required. +// Kubelet uses this object to determine whether pod information needs to be passed on mount. +// CSIDriver objects are non-namespaced. +#CSIDriver: { + metav1.#TypeMeta + + // Standard object metadata. + // metadata.Name indicates the name of the CSI driver that this object + // refers to; it MUST be the same name returned by the CSI GetPluginName() + // call for that driver. 
+ // The driver name must be 63 characters or less, beginning and ending with + // an alphanumeric character ([a-z0-9A-Z]) with dashes (-), dots (.), and + // alphanumerics between. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec represents the specification of the CSI Driver. + spec: #CSIDriverSpec @go(Spec) @protobuf(2,bytes,opt) +} + +// CSIDriverList is a collection of CSIDriver objects. +#CSIDriverList: { + metav1.#TypeMeta + + // Standard list metadata + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of CSIDriver + items: [...#CSIDriver] @go(Items,[]CSIDriver) @protobuf(2,bytes,rep) +} + +// CSIDriverSpec is the specification of a CSIDriver. +#CSIDriverSpec: { + // attachRequired indicates this CSI volume driver requires an attach + // operation (because it implements the CSI ControllerPublishVolume() + // method), and that the Kubernetes attach detach controller should call + // the attach volume interface which checks the volumeattachment status + // and waits until the volume is attached before proceeding to mounting. + // The CSI external-attacher coordinates with CSI volume driver and updates + // the volumeattachment status when the attach operation is complete. + // If the CSIDriverRegistry feature gate is enabled and the value is + // specified to false, the attach operation will be skipped. + // Otherwise the attach operation will be called. + // + // This field is immutable. + // + // +optional + attachRequired?: null | bool @go(AttachRequired,*bool) @protobuf(1,varint,opt) + + // podInfoOnMount indicates this CSI volume driver requires additional pod information (like podName, podUID, etc.) + // during mount operations, if set to true. 
+ // If set to false, pod information will not be passed on mount. + // Default is false. + // + // The CSI driver specifies podInfoOnMount as part of driver deployment. + // If true, Kubelet will pass pod information as VolumeContext in the CSI NodePublishVolume() calls. + // The CSI driver is responsible for parsing and validating the information passed in as VolumeContext. + // + // The following VolumeConext will be passed if podInfoOnMount is set to true. + // This list might grow, but the prefix will be used. + // "csi.storage.k8s.io/pod.name": pod.Name + // "csi.storage.k8s.io/pod.namespace": pod.Namespace + // "csi.storage.k8s.io/pod.uid": string(pod.UID) + // "csi.storage.k8s.io/ephemeral": "true" if the volume is an ephemeral inline volume + // defined by a CSIVolumeSource, otherwise "false" + // + // "csi.storage.k8s.io/ephemeral" is a new feature in Kubernetes 1.16. It is only + // required for drivers which support both the "Persistent" and "Ephemeral" VolumeLifecycleMode. + // Other drivers can leave pod info disabled and/or ignore this field. + // As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when + // deployed on such a cluster and the deployment determines which mode that is, for example + // via a command line parameter of the driver. + // + // This field is immutable. + // + // +optional + podInfoOnMount?: null | bool @go(PodInfoOnMount,*bool) @protobuf(2,bytes,opt) + + // volumeLifecycleModes defines what kind of volumes this CSI volume driver supports. + // The default if the list is empty is "Persistent", which is the usage defined by the + // CSI specification and implemented in Kubernetes via the usual PV/PVC mechanism. + // + // The other mode is "Ephemeral". In this mode, volumes are defined inline inside the pod spec + // with CSIVolumeSource and their lifecycle is tied to the lifecycle of that pod. 
+ // A driver has to be aware of this because it is only going to get a NodePublishVolume call for such a volume. + // + // For more information about implementing this mode, see + // https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html + // A driver can support one or more of these modes and more modes may be added in the future. + // + // This field is beta. + // This field is immutable. + // + // +optional + // +listType=set + volumeLifecycleModes?: [...#VolumeLifecycleMode] @go(VolumeLifecycleModes,[]VolumeLifecycleMode) @protobuf(3,bytes,opt) + + // storageCapacity indicates that the CSI volume driver wants pod scheduling to consider the storage + // capacity that the driver deployment will report by creating + // CSIStorageCapacity objects with capacity information, if set to true. + // + // The check can be enabled immediately when deploying a driver. + // In that case, provisioning new volumes with late binding + // will pause until the driver deployment has published + // some suitable CSIStorageCapacity object. + // + // Alternatively, the driver can be deployed with the field + // unset or false and it can be flipped later when storage + // capacity information has been published. + // + // This field was immutable in Kubernetes <= 1.22 and now is mutable. + // + // +optional + // +featureGate=CSIStorageCapacity + storageCapacity?: null | bool @go(StorageCapacity,*bool) @protobuf(4,bytes,opt) + + // fsGroupPolicy defines if the underlying volume supports changing ownership and + // permission of the volume before being mounted. + // Refer to the specific FSGroupPolicy values for additional details. + // + // This field is immutable. + // + // Defaults to ReadWriteOnceWithFSType, which will examine each volume + // to determine if Kubernetes should modify ownership and permissions of the volume. 
+ // With the default policy the defined fsGroup will only be applied + // if a fstype is defined and the volume's access mode contains ReadWriteOnce. + // + // +optional + fsGroupPolicy?: null | #FSGroupPolicy @go(FSGroupPolicy,*FSGroupPolicy) @protobuf(5,bytes,opt) + + // tokenRequests indicates the CSI driver needs pods' service account + // tokens it is mounting volume for to do necessary authentication. Kubelet + // will pass the tokens in VolumeContext in the CSI NodePublishVolume calls. + // The CSI driver should parse and validate the following VolumeContext: + // "csi.storage.k8s.io/serviceAccount.tokens": { + // "": { + // "token": , + // "expirationTimestamp": , + // }, + // ... + // } + // + // Note: Audience in each TokenRequest should be different and at + // most one token is empty string. To receive a new token after expiry, + // RequiresRepublish can be used to trigger NodePublishVolume periodically. + // + // +optional + // +listType=atomic + tokenRequests?: [...#TokenRequest] @go(TokenRequests,[]TokenRequest) @protobuf(6,bytes,opt) + + // requiresRepublish indicates the CSI driver wants `NodePublishVolume` + // being periodically called to reflect any possible change in the mounted + // volume. This field defaults to false. + // + // Note: After a successful initial NodePublishVolume call, subsequent calls + // to NodePublishVolume should only update the contents of the volume. New + // mount points will not be seen by a running container. + // + // +optional + requiresRepublish?: null | bool @go(RequiresRepublish,*bool) @protobuf(7,varint,opt) + + // seLinuxMount specifies if the CSI driver supports "-o context" + // mount option. + // + // When "true", the CSI driver must ensure that all volumes provided by this CSI + // driver can be mounted separately with different `-o context` options. This is + // typical for storage backends that provide volumes as filesystems on block + // devices or as independent shared volumes. 
+ // Kubernetes will call NodeStage / NodePublish with "-o context=xyz" mount + // option when mounting a ReadWriteOncePod volume used in Pod that has + // explicitly set SELinux context. In the future, it may be expanded to other + // volume AccessModes. In any case, Kubernetes will ensure that the volume is + // mounted only with a single SELinux context. + // + // When "false", Kubernetes won't pass any special SELinux mount options to the driver. + // This is typical for volumes that represent subdirectories of a bigger shared filesystem. + // + // Default is "false". + // + // +featureGate=SELinuxMountReadWriteOncePod + // +optional + seLinuxMount?: null | bool @go(SELinuxMount,*bool) @protobuf(8,varint,opt) +} + +// FSGroupPolicy specifies if a CSI Driver supports modifying +// volume ownership and permissions of the volume to be mounted. +// More modes may be added in the future. +#FSGroupPolicy: string // #enumFSGroupPolicy + +#enumFSGroupPolicy: + #ReadWriteOnceWithFSTypeFSGroupPolicy | + #FileFSGroupPolicy | + #NoneFSGroupPolicy + +// ReadWriteOnceWithFSTypeFSGroupPolicy indicates that each volume will be examined +// to determine if the volume ownership and permissions +// should be modified. If a fstype is defined and the volume's access mode +// contains ReadWriteOnce, then the defined fsGroup will be applied. +// This mode should be defined if it's expected that the +// fsGroup may need to be modified depending on the pod's SecurityPolicy. +// This is the default behavior if no other FSGroupPolicy is defined. +#ReadWriteOnceWithFSTypeFSGroupPolicy: #FSGroupPolicy & "ReadWriteOnceWithFSType" + +// FileFSGroupPolicy indicates that CSI driver supports volume ownership +// and permission change via fsGroup, and Kubernetes will change the permissions +// and ownership of every file in the volume to match the user requested fsGroup in +// the pod's SecurityPolicy regardless of fstype or access mode. 
+// Use this mode if Kubernetes should modify the permissions and ownership +// of the volume. +#FileFSGroupPolicy: #FSGroupPolicy & "File" + +// NoneFSGroupPolicy indicates that volumes will be mounted without performing +// any ownership or permission modifications, as the CSIDriver does not support +// these operations. +// This mode should be selected if the CSIDriver does not support fsGroup modifications, +// for example when Kubernetes cannot change ownership and permissions on a volume due +// to root-squash settings on a NFS volume. +#NoneFSGroupPolicy: #FSGroupPolicy & "None" + +// VolumeLifecycleMode is an enumeration of possible usage modes for a volume +// provided by a CSI driver. More modes may be added in the future. +#VolumeLifecycleMode: string // #enumVolumeLifecycleMode + +#enumVolumeLifecycleMode: + #VolumeLifecyclePersistent | + #VolumeLifecycleEphemeral + +// TokenRequest contains parameters of a service account token. +#TokenRequest: { + // audience is the intended audience of the token in "TokenRequestSpec". + // It will default to the audiences of kube apiserver. + audience: string @go(Audience) @protobuf(1,bytes,opt) + + // expirationSeconds is the duration of validity of the token in "TokenRequestSpec". + // It has the same default value of "ExpirationSeconds" in "TokenRequestSpec". + // + // +optional + expirationSeconds?: null | int64 @go(ExpirationSeconds,*int64) @protobuf(2,varint,opt) +} + +// VolumeLifecyclePersistent explicitly confirms that the driver implements +// the full CSI spec. It is the default when CSIDriverSpec.VolumeLifecycleModes is not +// set. Such volumes are managed in Kubernetes via the persistent volume +// claim mechanism and have a lifecycle that is independent of the pods which +// use them. +#VolumeLifecyclePersistent: #VolumeLifecycleMode & "Persistent" + +// VolumeLifecycleEphemeral indicates that the driver can be used for +// ephemeral inline volumes. 
Such volumes are specified inside the pod +// spec with a CSIVolumeSource and, as far as Kubernetes is concerned, have +// a lifecycle that is tied to the lifecycle of the pod. For example, such +// a volume might contain data that gets created specifically for that pod, +// like secrets. +// But how the volume actually gets created and managed is entirely up to +// the driver. It might also use reference counting to share the same volume +// instance among different pods if the CSIVolumeSource of those pods is +// identical. +#VolumeLifecycleEphemeral: #VolumeLifecycleMode & "Ephemeral" + +// CSINode holds information about all CSI drivers installed on a node. +// CSI drivers do not need to create the CSINode object directly. As long as +// they use the node-driver-registrar sidecar container, the kubelet will +// automatically populate the CSINode object for the CSI driver as part of +// kubelet plugin registration. +// CSINode has the same name as a node. If the object is missing, it means either +// there are no CSI Drivers available on the node, or the Kubelet version is low +// enough that it doesn't create this object. +// CSINode has an OwnerReference that points to the corresponding node object. +#CSINode: { + metav1.#TypeMeta + + // Standard object's metadata. + // metadata.name must be the Kubernetes node name. + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec is the specification of CSINode + spec: #CSINodeSpec @go(Spec) @protobuf(2,bytes,opt) +} + +// CSINodeSpec holds information about the specification of all CSI drivers installed on a node +#CSINodeSpec: { + // drivers is a list of information of all CSI Drivers existing on a node. + // If all drivers in the list are uninstalled, this can become empty. 
+ // +patchMergeKey=name + // +patchStrategy=merge + drivers: [...#CSINodeDriver] @go(Drivers,[]CSINodeDriver) @protobuf(1,bytes,rep) +} + +// CSINodeDriver holds information about the specification of one CSI driver installed on a node +#CSINodeDriver: { + // name represents the name of the CSI driver that this object refers to. + // This MUST be the same name returned by the CSI GetPluginName() call for + // that driver. + name: string @go(Name) @protobuf(1,bytes,opt) + + // nodeID of the node from the driver point of view. + // This field enables Kubernetes to communicate with storage systems that do + // not share the same nomenclature for nodes. For example, Kubernetes may + // refer to a given node as "node1", but the storage system may refer to + // the same node as "nodeA". When Kubernetes issues a command to the storage + // system to attach a volume to a specific node, it can use this field to + // refer to the node name using the ID that the storage system will + // understand, e.g. "nodeA" instead of "node1". This field is required. + nodeID: string @go(NodeID) @protobuf(2,bytes,opt) + + // topologyKeys is the list of keys supported by the driver. + // When a driver is initialized on a cluster, it provides a set of topology + // keys that it understands (e.g. "company.com/zone", "company.com/region"). + // When a driver is initialized on a node, it provides the same topology keys + // along with values. Kubelet will expose these topology keys as labels + // on its own node object. + // When Kubernetes does topology aware provisioning, it can use this list to + // determine which labels it should retrieve from the node object and pass + // back to the driver. + // It is possible for different nodes to use different topology keys. + // This can be empty if driver does not support topology. 
+ // +optional + topologyKeys: [...string] @go(TopologyKeys,[]string) @protobuf(3,bytes,rep) + + // allocatable represents the volume resources of a node that are available for scheduling. + // This field is beta. + // +optional + allocatable?: null | #VolumeNodeResources @go(Allocatable,*VolumeNodeResources) @protobuf(4,bytes,opt) +} + +// VolumeNodeResources is a set of resource limits for scheduling of volumes. +#VolumeNodeResources: { + // count indicates the maximum number of unique volumes managed by the CSI driver that can be used on a node. + // A volume that is both attached and mounted on a node is considered to be used once, not twice. + // The same rule applies for a unique volume that is shared among multiple pods on the same node. + // If this field is not specified, then the supported number of volumes on this node is unbounded. + // +optional + count?: null | int32 @go(Count,*int32) @protobuf(1,varint,opt) +} + +// CSINodeList is a collection of CSINode objects. +#CSINodeList: { + metav1.#TypeMeta + + // Standard list metadata + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of CSINode + items: [...#CSINode] @go(Items,[]CSINode) @protobuf(2,bytes,rep) +} + +// CSIStorageCapacity stores the result of one CSI GetCapacity call. +// For a given StorageClass, this describes the available capacity in a +// particular topology segment. This can be used when considering where to +// instantiate new PersistentVolumes. 
+// +// For example this can express things like: +// - StorageClass "standard" has "1234 GiB" available in "topology.kubernetes.io/zone=us-east1" +// - StorageClass "localssd" has "10 GiB" available in "kubernetes.io/hostname=knode-abc123" +// +// The following three cases all imply that no capacity is available for +// a certain combination: +// - no object exists with suitable topology and storage class name +// - such an object exists, but the capacity is unset +// - such an object exists, but the capacity is zero +// +// The producer of these objects can decide which approach is more suitable. +// +// They are consumed by the kube-scheduler when a CSI driver opts into +// capacity-aware scheduling with CSIDriverSpec.StorageCapacity. The scheduler +// compares the MaximumVolumeSize against the requested size of pending volumes +// to filter out unsuitable nodes. If MaximumVolumeSize is unset, it falls back +// to a comparison against the less precise Capacity. If that is also unset, +// the scheduler assumes that capacity is insufficient and tries some other +// node. +#CSIStorageCapacity: { + metav1.#TypeMeta + + // Standard object's metadata. + // The name has no particular meaning. It must be a DNS subdomain (dots allowed, 253 characters). + // To ensure that there are no conflicts with other CSI drivers on the cluster, + // the recommendation is to use csisc-, a generated name, or a reverse-domain name + // which ends with the unique CSI driver name. + // + // Objects are namespaced. + // + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // nodeTopology defines which nodes have access to the storage + // for which capacity was reported. If not set, the storage is + // not accessible from any node in the cluster. If empty, the + // storage is accessible from all nodes. This field is + // immutable. 
+ // + // +optional + nodeTopology?: null | metav1.#LabelSelector @go(NodeTopology,*metav1.LabelSelector) @protobuf(2,bytes,opt) + + // storageClassName represents the name of the StorageClass that the reported capacity applies to. + // It must meet the same requirements as the name of a StorageClass + // object (non-empty, DNS subdomain). If that object no longer exists, + // the CSIStorageCapacity object is obsolete and should be removed by its + // creator. + // This field is immutable. + storageClassName: string @go(StorageClassName) @protobuf(3,bytes) + + // capacity is the value reported by the CSI driver in its GetCapacityResponse + // for a GetCapacityRequest with topology and parameters that match the + // previous fields. + // + // The semantic is currently (CSI spec 1.2) defined as: + // The available capacity, in bytes, of the storage that can be used + // to provision volumes. If not set, that information is currently + // unavailable. + // + // +optional + capacity?: null | resource.#Quantity @go(Capacity,*resource.Quantity) @protobuf(4,bytes,opt) + + // maximumVolumeSize is the value reported by the CSI driver in its GetCapacityResponse + // for a GetCapacityRequest with topology and parameters that match the + // previous fields. + // + // This is defined since CSI spec 1.4.0 as the largest size + // that may be used in a + // CreateVolumeRequest.capacity_range.required_bytes field to + // create a volume with the same parameters as those in + // GetCapacityRequest. The corresponding value in the Kubernetes + // API is ResourceRequirements.Requests in a volume claim. + // + // +optional + maximumVolumeSize?: null | resource.#Quantity @go(MaximumVolumeSize,*resource.Quantity) @protobuf(5,bytes,opt) +} + +// CSIStorageCapacityList is a collection of CSIStorageCapacity objects. 
+#CSIStorageCapacityList: { + metav1.#TypeMeta + + // Standard list metadata + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of CSIStorageCapacity objects. + // +listType=map + // +listMapKey=name + items: [...#CSIStorageCapacity] @go(Items,[]CSIStorageCapacity) @protobuf(2,bytes,rep) +} diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/doc_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/doc_go_gen.cue new file mode 100644 index 000000000..083aa825b --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/doc_go_gen.cue @@ -0,0 +1,6 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1 + +// Package v1 is the v1 version of the API. +package v1 diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/register_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/register_go_gen.cue new file mode 100644 index 000000000..c4ce800f4 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1 + +package v1 + +#GroupName: "apiextensions.k8s.io" diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_go_gen.cue new file mode 100644 index 000000000..b938c8ba0 --- /dev/null 
+++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_go_gen.cue 
@@ -0,0 +1,513 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + "k8s.io/apimachinery/pkg/runtime" +) + +// ConversionStrategyType describes different conversion types. +#ConversionStrategyType: string // #enumConversionStrategyType + +#enumConversionStrategyType: + #NoneConverter | + #WebhookConverter + +// KubeAPIApprovedAnnotation is an annotation that must be set to create a CRD for the k8s.io, *.k8s.io, kubernetes.io, or *.kubernetes.io namespaces. +// The value should be a link to a URL where the current spec was approved, so updates to the spec should also update the URL. +// If the API is unapproved, you may set the annotation to a string starting with `"unapproved"`. For instance, `"unapproved, temporarily squatting"` or `"unapproved, experimental-only"`. This is discouraged. +#KubeAPIApprovedAnnotation: "api-approved.kubernetes.io" + +// NoneConverter is a converter that only sets apiversion of the CR and leave everything else unchanged. +#NoneConverter: #ConversionStrategyType & "None" + +// WebhookConverter is a converter that calls to an external webhook to convert the CR. +#WebhookConverter: #ConversionStrategyType & "Webhook" + +// CustomResourceDefinitionSpec describes how a user wants their resource to appear +#CustomResourceDefinitionSpec: { + // group is the API group of the defined custom resource. + // The custom resources are served under `/apis//...`. + // Must match the name of the CustomResourceDefinition (in the form `.`). + group: string @go(Group) @protobuf(1,bytes,opt) + + // names specify the resource and kind names for the custom resource. + names: #CustomResourceDefinitionNames @go(Names) @protobuf(3,bytes,opt) + + // scope indicates whether the defined custom resource is cluster- or namespace-scoped. 
+ // Allowed values are `Cluster` and `Namespaced`. + scope: #ResourceScope @go(Scope) @protobuf(4,bytes,opt,casttype=ResourceScope) + + // versions is the list of all API versions of the defined custom resource. + // Version names are used to compute the order in which served versions are listed in API discovery. + // If the version string is "kube-like", it will sort above non "kube-like" version strings, which are ordered + // lexicographically. "Kube-like" versions start with a "v", then are followed by a number (the major version), + // then optionally the string "alpha" or "beta" and another number (the minor version). These are sorted first + // by GA > beta > alpha (where GA is a version with no suffix such as beta or alpha), and then by comparing + // major version, then minor version. An example sorted list of versions: + // v10, v2, v1, v11beta2, v10beta3, v3beta1, v12alpha1, v11alpha2, foo1, foo10. + versions: [...#CustomResourceDefinitionVersion] @go(Versions,[]CustomResourceDefinitionVersion) @protobuf(7,bytes,rep) + + // conversion defines conversion settings for the CRD. + // +optional + conversion?: null | #CustomResourceConversion @go(Conversion,*CustomResourceConversion) @protobuf(9,bytes,opt) + + // preserveUnknownFields indicates that object fields which are not specified + // in the OpenAPI schema should be preserved when persisting to storage. + // apiVersion, kind, metadata and known fields inside metadata are always preserved. + // This field is deprecated in favor of setting `x-preserve-unknown-fields` to true in `spec.versions[*].schema.openAPIV3Schema`. + // See https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#field-pruning for details. + // +optional + preserveUnknownFields?: bool @go(PreserveUnknownFields) @protobuf(10,varint,opt) +} + +// CustomResourceConversion describes how to convert different versions of a CR. 
+#CustomResourceConversion: { + // strategy specifies how custom resources are converted between versions. Allowed values are: + // - `"None"`: The converter only change the apiVersion and would not touch any other field in the custom resource. + // - `"Webhook"`: API Server will call to an external webhook to do the conversion. Additional information + // is needed for this option. This requires spec.preserveUnknownFields to be false, and spec.conversion.webhook to be set. + strategy: #ConversionStrategyType @go(Strategy) @protobuf(1,bytes) + + // webhook describes how to call the conversion webhook. Required when `strategy` is set to `"Webhook"`. + // +optional + webhook?: null | #WebhookConversion @go(Webhook,*WebhookConversion) @protobuf(2,bytes,opt) +} + +// WebhookConversion describes how to call a conversion webhook +#WebhookConversion: { + // clientConfig is the instructions for how to call the webhook if strategy is `Webhook`. + // +optional + clientConfig?: null | #WebhookClientConfig @go(ClientConfig,*WebhookClientConfig) @protobuf(2,bytes) + + // conversionReviewVersions is an ordered list of preferred `ConversionReview` + // versions the Webhook expects. The API server will use the first version in + // the list which it supports. If none of the versions specified in this list + // are supported by API server, conversion will fail for the custom resource. + // If a persisted Webhook configuration specifies allowed versions and does not + // include any versions known to the API Server, calls to the webhook will fail. + conversionReviewVersions: [...string] @go(ConversionReviewVersions,[]string) @protobuf(3,bytes,rep) +} + +// WebhookClientConfig contains the information to make a TLS connection with the webhook. +#WebhookClientConfig: { + // url gives the location of the webhook, in standard URL form + // (`scheme://host:port/path`). Exactly one of `url` or `service` + // must be specified. 
+ // + // The `host` should not refer to a service running in the cluster; use + // the `service` field instead. The host might be resolved via external + // DNS in some apiservers (e.g., `kube-apiserver` cannot resolve + // in-cluster DNS as that would be a layering violation). `host` may + // also be an IP address. + // + // Please note that using `localhost` or `127.0.0.1` as a `host` is + // risky unless you take great care to run this webhook on all hosts + // which run an apiserver which might need to make calls to this + // webhook. Such installs are likely to be non-portable, i.e., not easy + // to turn up in a new cluster. + // + // The scheme must be "https"; the URL must begin with "https://". + // + // A path is optional, and if present may be any string permissible in + // a URL. You may use the path to pass an arbitrary string to the + // webhook, for example, a cluster identifier. + // + // Attempting to use a user or basic auth e.g. "user:password@" is not + // allowed. Fragments ("#...") and query parameters ("?...") are not + // allowed, either. + // + // +optional + url?: null | string @go(URL,*string) @protobuf(3,bytes,opt) + + // service is a reference to the service for this webhook. Either + // service or url must be specified. + // + // If the webhook is running within the cluster, then you should use `service`. + // + // +optional + service?: null | #ServiceReference @go(Service,*ServiceReference) @protobuf(1,bytes,opt) + + // caBundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. + // If unspecified, system trust roots on the apiserver are used. + // +optional + caBundle?: bytes @go(CABundle,[]byte) @protobuf(2,bytes,opt) +} + +// ServiceReference holds a reference to Service.legacy.k8s.io +#ServiceReference: { + // namespace is the namespace of the service. + // Required + namespace: string @go(Namespace) @protobuf(1,bytes,opt) + + // name is the name of the service. 
+ // Required + name: string @go(Name) @protobuf(2,bytes,opt) + + // path is an optional URL path at which the webhook will be contacted. + // +optional + path?: null | string @go(Path,*string) @protobuf(3,bytes,opt) + + // port is an optional service port at which the webhook will be contacted. + // `port` should be a valid port number (1-65535, inclusive). + // Defaults to 443 for backward compatibility. + // +optional + port?: null | int32 @go(Port,*int32) @protobuf(4,varint,opt) +} + +// CustomResourceDefinitionVersion describes a version for CRD. +#CustomResourceDefinitionVersion: { + // name is the version name, e.g. “v1”, “v2beta1”, etc. + // The custom resources are served under this version at `/apis///...` if `served` is true. + name: string @go(Name) @protobuf(1,bytes,opt) + + // served is a flag enabling/disabling this version from being served via REST APIs + served: bool @go(Served) @protobuf(2,varint,opt) + + // storage indicates this version should be used when persisting custom resources to storage. + // There must be exactly one version with storage=true. + storage: bool @go(Storage) @protobuf(3,varint,opt) + + // deprecated indicates this version of the custom resource API is deprecated. + // When set to true, API requests to this version receive a warning header in the server response. + // Defaults to false. + // +optional + deprecated?: bool @go(Deprecated) @protobuf(7,varint,opt) + + // deprecationWarning overrides the default warning returned to API clients. + // May only be set when `deprecated` is true. + // The default warning indicates this version is deprecated and recommends use + // of the newest served version of equal or greater stability, if one exists. + // +optional + deprecationWarning?: null | string @go(DeprecationWarning,*string) @protobuf(8,bytes,opt) + + // schema describes the schema used for validation, pruning, and defaulting of this version of the custom resource. 
+ // +optional + schema?: null | #CustomResourceValidation @go(Schema,*CustomResourceValidation) @protobuf(4,bytes,opt) + + // subresources specify what subresources this version of the defined custom resource have. + // +optional + subresources?: null | #CustomResourceSubresources @go(Subresources,*CustomResourceSubresources) @protobuf(5,bytes,opt) + + // additionalPrinterColumns specifies additional columns returned in Table output. + // See https://kubernetes.io/docs/reference/using-api/api-concepts/#receiving-resources-as-tables for details. + // If no columns are specified, a single column displaying the age of the custom resource is used. + // +optional + additionalPrinterColumns?: [...#CustomResourceColumnDefinition] @go(AdditionalPrinterColumns,[]CustomResourceColumnDefinition) @protobuf(6,bytes,rep) +} + +// CustomResourceColumnDefinition specifies a column for server side printing. +#CustomResourceColumnDefinition: { + // name is a human readable name for the column. + name: string @go(Name) @protobuf(1,bytes,opt) + + // type is an OpenAPI type definition for this column. + // See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details. + type: string @go(Type) @protobuf(2,bytes,opt) + + // format is an optional OpenAPI type definition for this column. The 'name' format is applied + // to the primary identifier column to assist in clients identifying column is the resource name. + // See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details. + // +optional + format?: string @go(Format) @protobuf(3,bytes,opt) + + // description is a human readable description of this column. + // +optional + description?: string @go(Description) @protobuf(4,bytes,opt) + + // priority is an integer defining the relative importance of this column compared to others. Lower + // numbers are considered higher priority. 
Columns that may be omitted in limited space scenarios + // should be given a priority greater than 0. + // +optional + priority?: int32 @go(Priority) @protobuf(5,bytes,opt) + + // jsonPath is a simple JSON path (i.e. with array notation) which is evaluated against + // each custom resource to produce the value for this column. + jsonPath: string @go(JSONPath) @protobuf(6,bytes,opt) +} + +// CustomResourceDefinitionNames indicates the names to serve this CustomResourceDefinition +#CustomResourceDefinitionNames: { + // plural is the plural name of the resource to serve. + // The custom resources are served under `/apis///.../`. + // Must match the name of the CustomResourceDefinition (in the form `.`). + // Must be all lowercase. + plural: string @go(Plural) @protobuf(1,bytes,opt) + + // singular is the singular name of the resource. It must be all lowercase. Defaults to lowercased `kind`. + // +optional + singular?: string @go(Singular) @protobuf(2,bytes,opt) + + // shortNames are short names for the resource, exposed in API discovery documents, + // and used by clients to support invocations like `kubectl get `. + // It must be all lowercase. + // +optional + shortNames?: [...string] @go(ShortNames,[]string) @protobuf(3,bytes,opt) + + // kind is the serialized kind of the resource. It is normally CamelCase and singular. + // Custom resource instances will use this value as the `kind` attribute in API calls. + kind: string @go(Kind) @protobuf(4,bytes,opt) + + // listKind is the serialized kind of the list for this resource. Defaults to "`kind`List". + // +optional + listKind?: string @go(ListKind) @protobuf(5,bytes,opt) + + // categories is a list of grouped resources this custom resource belongs to (e.g. 'all'). + // This is published in API discovery documents, and used by clients to support invocations like + // `kubectl get all`. 
+ // +optional + categories?: [...string] @go(Categories,[]string) @protobuf(6,bytes,rep) +} + +// ResourceScope is an enum defining the different scopes available to a custom resource +#ResourceScope: string // #enumResourceScope + +#enumResourceScope: + #ClusterScoped | + #NamespaceScoped + +#ClusterScoped: #ResourceScope & "Cluster" +#NamespaceScoped: #ResourceScope & "Namespaced" + +#ConditionStatus: string // #enumConditionStatus + +#enumConditionStatus: + #ConditionTrue | + #ConditionFalse | + #ConditionUnknown + +#ConditionTrue: #ConditionStatus & "True" +#ConditionFalse: #ConditionStatus & "False" +#ConditionUnknown: #ConditionStatus & "Unknown" + +// CustomResourceDefinitionConditionType is a valid value for CustomResourceDefinitionCondition.Type +#CustomResourceDefinitionConditionType: string // #enumCustomResourceDefinitionConditionType + +#enumCustomResourceDefinitionConditionType: + #Established | + #NamesAccepted | + #NonStructuralSchema | + #Terminating | + #KubernetesAPIApprovalPolicyConformant + +// Established means that the resource has become active. A resource is established when all names are +// accepted without a conflict for the first time. A resource stays established until deleted, even during +// a later NamesAccepted due to changed names. Note that not all names can be changed. +#Established: #CustomResourceDefinitionConditionType & "Established" + +// NamesAccepted means the names chosen for this CustomResourceDefinition do not conflict with others in +// the group and are therefore accepted. +#NamesAccepted: #CustomResourceDefinitionConditionType & "NamesAccepted" + +// NonStructuralSchema means that one or more OpenAPI schema is not structural. 
+// +// A schema is structural if it specifies types for all values, with the only exceptions of those with +// - x-kubernetes-int-or-string: true — for fields which can be integer or string +// - x-kubernetes-preserve-unknown-fields: true — for raw, unspecified JSON values +// and there is no type, additionalProperties, default, nullable or x-kubernetes-* vendor extenions +// specified under allOf, anyOf, oneOf or not. +// +// Non-structural schemas will not be allowed anymore in v1 API groups. Moreover, new features will not be +// available for non-structural CRDs: +// - pruning +// - defaulting +// - read-only +// - OpenAPI publishing +// - webhook conversion +#NonStructuralSchema: #CustomResourceDefinitionConditionType & "NonStructuralSchema" + +// Terminating means that the CustomResourceDefinition has been deleted and is cleaning up. +#Terminating: #CustomResourceDefinitionConditionType & "Terminating" + +// KubernetesAPIApprovalPolicyConformant indicates that an API in *.k8s.io or *.kubernetes.io is or is not approved. For CRDs +// outside those groups, this condition will not be set. For CRDs inside those groups, the condition will +// be true if .metadata.annotations["api-approved.kubernetes.io"] is set to a URL, otherwise it will be false. +// See https://github.com/kubernetes/enhancements/pull/1111 for more details. +#KubernetesAPIApprovalPolicyConformant: #CustomResourceDefinitionConditionType & "KubernetesAPIApprovalPolicyConformant" + +// CustomResourceDefinitionCondition contains details for the current condition of this pod. +#CustomResourceDefinitionCondition: { + // type is the type of the condition. Types include Established, NamesAccepted and Terminating. + type: #CustomResourceDefinitionConditionType @go(Type) @protobuf(1,bytes,opt,casttype=CustomResourceDefinitionConditionType) + + // status is the status of the condition. + // Can be True, False, Unknown. 
+ status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus) + + // lastTransitionTime last time the condition transitioned from one status to another. + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt) + + // reason is a unique, one-word, CamelCase reason for the condition's last transition. + // +optional + reason?: string @go(Reason) @protobuf(4,bytes,opt) + + // message is a human-readable message indicating details about last transition. + // +optional + message?: string @go(Message) @protobuf(5,bytes,opt) +} + +// CustomResourceDefinitionStatus indicates the state of the CustomResourceDefinition +#CustomResourceDefinitionStatus: { + // conditions indicate state for particular aspects of a CustomResourceDefinition + // +optional + // +listType=map + // +listMapKey=type + conditions: [...#CustomResourceDefinitionCondition] @go(Conditions,[]CustomResourceDefinitionCondition) @protobuf(1,bytes,opt) + + // acceptedNames are the names that are actually being used to serve discovery. + // They may be different than the names in spec. + // +optional + acceptedNames: #CustomResourceDefinitionNames @go(AcceptedNames) @protobuf(2,bytes,opt) + + // storedVersions lists all versions of CustomResources that were ever persisted. Tracking these + // versions allows a migration path for stored versions in etcd. The field is mutable + // so a migration controller can finish a migration to another version (ensuring + // no old objects are left in storage), and then remove the rest of the + // versions from this list. + // Versions may not be removed from `spec.versions` while they exist in this list. + // +optional + storedVersions: [...string] @go(StoredVersions,[]string) @protobuf(3,bytes,rep) +} + +#CustomResourceCleanupFinalizer: "customresourcecleanup.apiextensions.k8s.io" + +// CustomResourceDefinition represents a resource that should be exposed on the API server. 
Its name MUST be in the format +// <.spec.name>.<.spec.group>. +#CustomResourceDefinition: { + metav1.#TypeMeta + + // Standard object's metadata + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec describes how the user wants the resources to appear + spec: #CustomResourceDefinitionSpec @go(Spec) @protobuf(2,bytes,opt) + + // status indicates the actual state of the CustomResourceDefinition + // +optional + status?: #CustomResourceDefinitionStatus @go(Status) @protobuf(3,bytes,opt) +} + +// CustomResourceDefinitionList is a list of CustomResourceDefinition objects. +#CustomResourceDefinitionList: { + metav1.#TypeMeta + + // Standard object's metadata + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items list individual CustomResourceDefinition objects + items: [...#CustomResourceDefinition] @go(Items,[]CustomResourceDefinition) @protobuf(2,bytes,rep) +} + +// CustomResourceValidation is a list of validation methods for CustomResources. +#CustomResourceValidation: { + // openAPIV3Schema is the OpenAPI v3 schema to use for validation and pruning. + // +optional + openAPIV3Schema?: null | #JSONSchemaProps @go(OpenAPIV3Schema,*JSONSchemaProps) @protobuf(1,bytes,opt) +} + +// CustomResourceSubresources defines the status and scale subresources for CustomResources. +#CustomResourceSubresources: { + // status indicates the custom resource should serve a `/status` subresource. + // When enabled: + // 1. requests to the custom resource primary endpoint ignore changes to the `status` stanza of the object. + // 2. requests to the custom resource `/status` subresource ignore changes to anything other than the `status` stanza of the object. 
+ // +optional + status?: null | #CustomResourceSubresourceStatus @go(Status,*CustomResourceSubresourceStatus) @protobuf(1,bytes,opt) + + // scale indicates the custom resource should serve a `/scale` subresource that returns an `autoscaling/v1` Scale object. + // +optional + scale?: null | #CustomResourceSubresourceScale @go(Scale,*CustomResourceSubresourceScale) @protobuf(2,bytes,opt) +} + +// CustomResourceSubresourceStatus defines how to serve the status subresource for CustomResources. +// Status is represented by the `.status` JSON path inside of a CustomResource. When set, +// * exposes a /status subresource for the custom resource +// * PUT requests to the /status subresource take a custom resource object, and ignore changes to anything except the status stanza +// * PUT/POST/PATCH requests to the custom resource ignore changes to the status stanza +#CustomResourceSubresourceStatus: { +} + +// CustomResourceSubresourceScale defines how to serve the scale subresource for CustomResources. +#CustomResourceSubresourceScale: { + // specReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `spec.replicas`. + // Only JSON paths without the array notation are allowed. + // Must be a JSON Path under `.spec`. + // If there is no value under the given path in the custom resource, the `/scale` subresource will return an error on GET. + specReplicasPath: string @go(SpecReplicasPath) @protobuf(1,bytes) + + // statusReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `status.replicas`. + // Only JSON paths without the array notation are allowed. + // Must be a JSON Path under `.status`. + // If there is no value under the given path in the custom resource, the `status.replicas` value in the `/scale` subresource + // will default to 0. 
+ statusReplicasPath: string @go(StatusReplicasPath) @protobuf(2,bytes,opt) + + // labelSelectorPath defines the JSON path inside of a custom resource that corresponds to Scale `status.selector`. + // Only JSON paths without the array notation are allowed. + // Must be a JSON Path under `.status` or `.spec`. + // Must be set to work with HorizontalPodAutoscaler. + // The field pointed by this JSON path must be a string field (not a complex selector struct) + // which contains a serialized label selector in string form. + // More info: https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions#scale-subresource + // If there is no value under the given path in the custom resource, the `status.selector` value in the `/scale` + // subresource will default to the empty string. + // +optional + labelSelectorPath?: null | string @go(LabelSelectorPath,*string) @protobuf(3,bytes,opt) +} + +// ConversionReview describes a conversion request/response. +#ConversionReview: { + metav1.#TypeMeta + + // request describes the attributes for the conversion request. + // +optional + request?: null | #ConversionRequest @go(Request,*ConversionRequest) @protobuf(1,bytes,opt) + + // response describes the attributes for the conversion response. + // +optional + response?: null | #ConversionResponse @go(Response,*ConversionResponse) @protobuf(2,bytes,opt) +} + +// ConversionRequest describes the conversion request parameters. +#ConversionRequest: { + // uid is an identifier for the individual request/response. It allows distinguishing instances of requests which are + // otherwise identical (parallel requests, etc). + // The UID is meant to track the round trip (request/response) between the Kubernetes API server and the webhook, not the user request. + // It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging. 
+ uid: types.#UID @go(UID) @protobuf(1,bytes) + + // desiredAPIVersion is the version to convert given objects to. e.g. "myapi.example.com/v1" + desiredAPIVersion: string @go(DesiredAPIVersion) @protobuf(2,bytes) + + // objects is the list of custom resource objects to be converted. + objects: [...runtime.#RawExtension] @go(Objects,[]runtime.RawExtension) @protobuf(3,bytes,rep) +} + +// ConversionResponse describes a conversion response. +#ConversionResponse: { + // uid is an identifier for the individual request/response. + // This should be copied over from the corresponding `request.uid`. + uid: types.#UID @go(UID) @protobuf(1,bytes) + + // convertedObjects is the list of converted version of `request.objects` if the `result` is successful, otherwise empty. + // The webhook is expected to set `apiVersion` of these objects to the `request.desiredAPIVersion`. The list + // must also have the same size as the input list with the same objects in the same order (equal kind, metadata.uid, metadata.name and metadata.namespace). + // The webhook is allowed to mutate labels and annotations. Any other change to the metadata is silently ignored. + convertedObjects: [...runtime.#RawExtension] @go(ConvertedObjects,[]runtime.RawExtension) @protobuf(2,bytes,rep) + + // result contains the result of conversion with extra details if the conversion failed. `result.status` determines if + // the conversion failed or succeeded. The `result.status` field is required and represents the success or failure of the + // conversion. A successful conversion must set `result.status` to `Success`. A failed conversion must set + // `result.status` to `Failure` and provide more details in `result.message` and return http status 200. The `result.message` + // will be used to construct an error message for the end user. + result: metav1.#Status @go(Result) @protobuf(3,bytes) +} 
diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_jsonschema_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_jsonschema_go_gen.cue new file mode 100644 index 000000000..19f42c1ff --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_jsonschema_go_gen.cue 
@@ -0,0 +1,317 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1 + +package v1 + +// FieldValueErrorReason is a machine-readable value providing more detail about why a field failed the validation. +// +enum +#FieldValueErrorReason: string // #enumFieldValueErrorReason + +#enumFieldValueErrorReason: + #FieldValueRequired | + #FieldValueDuplicate | + #FieldValueInvalid | + #FieldValueForbidden + +// FieldValueRequired is used to report required values that are not +// provided (e.g. empty strings, null values, or empty arrays). +#FieldValueRequired: #FieldValueErrorReason & "FieldValueRequired" + +// FieldValueDuplicate is used to report collisions of values that must be +// unique (e.g. unique IDs). +#FieldValueDuplicate: #FieldValueErrorReason & "FieldValueDuplicate" + +// FieldValueInvalid is used to report malformed values (e.g. failed regex +// match, too long, out of bounds). +#FieldValueInvalid: #FieldValueErrorReason & "FieldValueInvalid" + +// FieldValueForbidden is used to report valid (as per formatting rules) +// values which would be accepted under some conditions, but which are not +// permitted by the current conditions (such as security policy). +#FieldValueForbidden: #FieldValueErrorReason & "FieldValueForbidden" + +// JSONSchemaProps is a JSON-Schema following Specification Draft 4 (http://json-schema.org/). +#JSONSchemaProps: { + id?: string @go(ID) @protobuf(1,bytes,opt) + $schema?: #JSONSchemaURL @go(Schema) @protobuf(2,bytes,opt,name=schema) + $ref?: null | string @go(Ref,*string) @protobuf(3,bytes,opt,name=ref) + description?: string @go(Description) @protobuf(4,bytes,opt) + type?: string @go(Type) @protobuf(5,bytes,opt) + + // format is an OpenAPI v3 format string. Unknown formats are ignored. The following formats are validated: + // + // - bsonobjectid: a bson object ID, i.e. 
a 24 characters hex string + // - uri: an URI as parsed by Golang net/url.ParseRequestURI + // - email: an email address as parsed by Golang net/mail.ParseAddress + // - hostname: a valid representation for an Internet host name, as defined by RFC 1034, section 3.1 [RFC1034]. + // - ipv4: an IPv4 IP as parsed by Golang net.ParseIP + // - ipv6: an IPv6 IP as parsed by Golang net.ParseIP + // - cidr: a CIDR as parsed by Golang net.ParseCIDR + // - mac: a MAC address as parsed by Golang net.ParseMAC + // - uuid: an UUID that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12}$ + // - uuid3: an UUID3 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?3[0-9a-f]{3}-?[0-9a-f]{4}-?[0-9a-f]{12}$ + // - uuid4: an UUID4 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?4[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$ + // - uuid5: an UUID5 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?5[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$ + // - isbn: an ISBN10 or ISBN13 number string like "0321751043" or "978-0321751041" + // - isbn10: an ISBN10 number string like "0321751043" + // - isbn13: an ISBN13 number string like "978-0321751041" + // - creditcard: a credit card number defined by the regex ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\\d{3})\\d{11})$ with any non digit characters mixed in + // - ssn: a U.S. 
social security number following the regex ^\\d{3}[- ]?\\d{2}[- ]?\\d{4}$ + // - hexcolor: an hexadecimal color code like "#FFFFFF: following the regex ^#?([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$ + // - rgbcolor: an RGB color code like rgb like "rgb(255,255,2559" + // - byte: base64 encoded binary data + // - password: any kind of string + // - date: a date string like "2006-01-02" as defined by full-date in RFC3339 + // - duration: a duration string like "22 ns" as parsed by Golang time.ParseDuration or compatible with Scala duration format + // - datetime: a date time string like "2014-12-15T19:30:20.000Z" as defined by date-time in RFC3339. + format?: string @go(Format) @protobuf(6,bytes,opt) + title?: string @go(Title) @protobuf(7,bytes,opt) + + // default is a default value for undefined object fields. + // Defaulting is a beta feature under the CustomResourceDefaulting feature gate. + // Defaulting requires spec.preserveUnknownFields to be false. + default?: null | #JSON @go(Default,*JSON) @protobuf(8,bytes,opt) + maximum?: null | float64 @go(Maximum,*float64) @protobuf(9,bytes,opt) + exclusiveMaximum?: bool @go(ExclusiveMaximum) @protobuf(10,bytes,opt) + minimum?: null | float64 @go(Minimum,*float64) @protobuf(11,bytes,opt) + exclusiveMinimum?: bool @go(ExclusiveMinimum) @protobuf(12,bytes,opt) + maxLength?: null | int64 @go(MaxLength,*int64) @protobuf(13,bytes,opt) + minLength?: null | int64 @go(MinLength,*int64) @protobuf(14,bytes,opt) + pattern?: string @go(Pattern) @protobuf(15,bytes,opt) + maxItems?: null | int64 @go(MaxItems,*int64) @protobuf(16,bytes,opt) + minItems?: null | int64 @go(MinItems,*int64) @protobuf(17,bytes,opt) + uniqueItems?: bool @go(UniqueItems) @protobuf(18,bytes,opt) + multipleOf?: null | float64 @go(MultipleOf,*float64) @protobuf(19,bytes,opt) + enum?: [...#JSON] @go(Enum,[]JSON) @protobuf(20,bytes,rep) + maxProperties?: null | int64 @go(MaxProperties,*int64) @protobuf(21,bytes,opt) + minProperties?: null | int64 @go(MinProperties,*int64) 
@protobuf(22,bytes,opt) + required?: [...string] @go(Required,[]string) @protobuf(23,bytes,rep) + items?: null | #JSONSchemaPropsOrArray @go(Items,*JSONSchemaPropsOrArray) @protobuf(24,bytes,opt) + allOf?: [...#JSONSchemaProps] @go(AllOf,[]JSONSchemaProps) @protobuf(25,bytes,rep) + oneOf?: [...#JSONSchemaProps] @go(OneOf,[]JSONSchemaProps) @protobuf(26,bytes,rep) + anyOf?: [...#JSONSchemaProps] @go(AnyOf,[]JSONSchemaProps) @protobuf(27,bytes,rep) + not?: null | #JSONSchemaProps @go(Not,*JSONSchemaProps) @protobuf(28,bytes,opt) + properties?: {[string]: #JSONSchemaProps} @go(Properties,map[string]JSONSchemaProps) @protobuf(29,bytes,rep) + additionalProperties?: null | #JSONSchemaPropsOrBool @go(AdditionalProperties,*JSONSchemaPropsOrBool) @protobuf(30,bytes,opt) + patternProperties?: {[string]: #JSONSchemaProps} @go(PatternProperties,map[string]JSONSchemaProps) @protobuf(31,bytes,rep) + dependencies?: #JSONSchemaDependencies @go(Dependencies) @protobuf(32,bytes,opt) + additionalItems?: null | #JSONSchemaPropsOrBool @go(AdditionalItems,*JSONSchemaPropsOrBool) @protobuf(33,bytes,opt) + definitions?: #JSONSchemaDefinitions @go(Definitions) @protobuf(34,bytes,opt) + externalDocs?: null | #ExternalDocumentation @go(ExternalDocs,*ExternalDocumentation) @protobuf(35,bytes,opt) + example?: null | #JSON @go(Example,*JSON) @protobuf(36,bytes,opt) + nullable?: bool @go(Nullable) @protobuf(37,bytes,opt) + + // x-kubernetes-preserve-unknown-fields stops the API server + // decoding step from pruning fields which are not specified + // in the validation schema. This affects fields recursively, + // but switches back to normal pruning behaviour if nested + // properties or additionalProperties are specified in the schema. + // This can either be true or undefined. False is forbidden. 
+ "x-kubernetes-preserve-unknown-fields"?: null | bool @go(XPreserveUnknownFields,*bool) @protobuf(38,bytes,opt,name=xKubernetesPreserveUnknownFields) + + // x-kubernetes-embedded-resource defines that the value is an + // embedded Kubernetes runtime.Object, with TypeMeta and + // ObjectMeta. The type must be object. It is allowed to further + // restrict the embedded object. kind, apiVersion and metadata + // are validated automatically. x-kubernetes-preserve-unknown-fields + // is allowed to be true, but does not have to be if the object + // is fully specified (up to kind, apiVersion, metadata). + "x-kubernetes-embedded-resource"?: bool @go(XEmbeddedResource) @protobuf(39,bytes,opt,name=xKubernetesEmbeddedResource) + + // x-kubernetes-int-or-string specifies that this value is + // either an integer or a string. If this is true, an empty + // type is allowed and type as child of anyOf is permitted + // if following one of the following patterns: + // + // 1) anyOf: + // - type: integer + // - type: string + // 2) allOf: + // - anyOf: + // - type: integer + // - type: string + // - ... zero or more + "x-kubernetes-int-or-string"?: bool @go(XIntOrString) @protobuf(40,bytes,opt,name=xKubernetesIntOrString) + + // x-kubernetes-list-map-keys annotates an array with the x-kubernetes-list-type `map` by specifying the keys used + // as the index of the map. + // + // This tag MUST only be used on lists that have the "x-kubernetes-list-type" + // extension set to "map". Also, the values specified for this attribute must + // be a scalar typed field of the child structure (no nesting is supported). + // + // The properties specified must either be required or have a default value, + // to ensure those properties are present for all list items. + // + // +optional + "x-kubernetes-list-map-keys"?: [...string] @go(XListMapKeys,[]string) @protobuf(41,bytes,rep,name=xKubernetesListMapKeys) + + // x-kubernetes-list-type annotates an array to further describe its topology. 
+ // This extension must only be used on lists and may have 3 possible values: + // + // 1) `atomic`: the list is treated as a single entity, like a scalar. + // Atomic lists will be entirely replaced when updated. This extension + // may be used on any type of list (struct, scalar, ...). + // 2) `set`: + // Sets are lists that must not have multiple items with the same value. Each + // value must be a scalar, an object with x-kubernetes-map-type `atomic` or an + // array with x-kubernetes-list-type `atomic`. + // 3) `map`: + // These lists are like maps in that their elements have a non-index key + // used to identify them. Order is preserved upon merge. The map tag + // must only be used on a list with elements of type object. + // Defaults to atomic for arrays. + // +optional + "x-kubernetes-list-type"?: null | string @go(XListType,*string) @protobuf(42,bytes,opt,name=xKubernetesListType) + + // x-kubernetes-map-type annotates an object to further describe its topology. + // This extension must only be used when type is object and may have 2 possible values: + // + // 1) `granular`: + // These maps are actual maps (key-value pairs) and each fields are independent + // from each other (they can each be manipulated by separate actors). This is + // the default behaviour for all maps. + // 2) `atomic`: the list is treated as a single entity, like a scalar. + // Atomic maps will be entirely replaced when updated. + // +optional + "x-kubernetes-map-type"?: null | string @go(XMapType,*string) @protobuf(43,bytes,opt,name=xKubernetesMapType) + + // x-kubernetes-validations describes a list of validation rules written in the CEL expression language. + // This field is an alpha-level. Using this field requires the feature gate `CustomResourceValidationExpressions` to be enabled. 
+ // +patchMergeKey=rule + // +patchStrategy=merge + // +listType=map + // +listMapKey=rule + "x-kubernetes-validations"?: #ValidationRules @go(XValidations) @protobuf(44,bytes,rep,name=xKubernetesValidations) +} + +// ValidationRules describes a list of validation rules written in the CEL expression language. +#ValidationRules: [...#ValidationRule] + +// ValidationRule describes a validation rule written in the CEL expression language. +#ValidationRule: { + // Rule represents the expression which will be evaluated by CEL. + // ref: https://github.com/google/cel-spec + // The Rule is scoped to the location of the x-kubernetes-validations extension in the schema. + // The `self` variable in the CEL expression is bound to the scoped value. + // Example: + // - Rule scoped to the root of a resource with a status subresource: {"rule": "self.status.actual <= self.spec.maxDesired"} + // + // If the Rule is scoped to an object with properties, the accessible properties of the object are field selectable + // via `self.field` and field presence can be checked via `has(self.field)`. Null valued fields are treated as + // absent fields in CEL expressions. + // If the Rule is scoped to an object with additionalProperties (i.e. a map) the value of the map + // are accessible via `self[mapKey]`, map containment can be checked via `mapKey in self` and all entries of the map + // are accessible via CEL macros and functions such as `self.all(...)`. + // If the Rule is scoped to an array, the elements of the array are accessible via `self[i]` and also by macros and + // functions. + // If the Rule is scoped to a scalar, `self` is bound to the scalar value. 
+ // Examples: + // - Rule scoped to a map of objects: {"rule": "self.components['Widget'].priority < 10"} + // - Rule scoped to a list of integers: {"rule": "self.values.all(value, value >= 0 && value < 100)"} + // - Rule scoped to a string value: {"rule": "self.startsWith('kube')"} + // + // The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the + // object and from any x-kubernetes-embedded-resource annotated objects. No other metadata properties are accessible. + // + // Unknown data preserved in custom resources via x-kubernetes-preserve-unknown-fields is not accessible in CEL + // expressions. This includes: + // - Unknown field values that are preserved by object schemas with x-kubernetes-preserve-unknown-fields. + // - Object properties where the property schema is of an "unknown type". An "unknown type" is recursively defined as: + // - A schema with no type and x-kubernetes-preserve-unknown-fields set to true + // - An array where the items schema is of an "unknown type" + // - An object where the additionalProperties schema is of an "unknown type" + // + // Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. + // Accessible property names are escaped according to the following rules when accessed in the expression: + // - '__' escapes to '__underscores__' + // - '.' escapes to '__dot__' + // - '-' escapes to '__dash__' + // - '/' escapes to '__slash__' + // - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are: + // "true", "false", "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if", + // "import", "let", "loop", "package", "namespace", "return". 
+ // Examples: + // - Rule accessing a property named "namespace": {"rule": "self.__namespace__ > 0"} + // - Rule accessing a property named "x-prop": {"rule": "self.x__dash__prop > 0"} + // - Rule accessing a property named "redact__d": {"rule": "self.redact__underscores__d > 0"} + // + // Equality on arrays with x-kubernetes-list-type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. + // Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type: + // - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and + // non-intersecting elements in `Y` are appended, retaining their partial order. + // - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values + // are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with + // non-intersecting keys are appended, retaining their partial order. + rule: string @go(Rule) @protobuf(1,bytes,opt) + + // Message represents the message displayed when validation fails. The message is required if the Rule contains + // line breaks. The message must not contain line breaks. + // If unset, the message is "failed rule: {Rule}". + // e.g. "must be a URL with the host matching spec.host" + message?: string @go(Message) @protobuf(2,bytes,opt) + + // MessageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + // Since messageExpression is used as a failure message, it must evaluate to a string. + // If both message and messageExpression are present on a rule, then messageExpression will be used if validation + // fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + // as if the messageExpression field were unset. 
If messageExpression evaluates to an empty string, a string with only spaces, or a string + // that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + // the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + // messageExpression has access to all the same variables as the rule; the only difference is the return type. + // Example: + // "x must be less than max ("+string(self.max)+")" + // +optional + messageExpression?: string @go(MessageExpression) @protobuf(3,bytes,opt) + + // reason provides a machine-readable validation failure reason that is returned to the caller when a request fails this validation rule. + // The HTTP status code returned to the caller will match the reason of the reason of the first failed validation rule. + // The currently supported reasons are: "FieldValueInvalid", "FieldValueForbidden", "FieldValueRequired", "FieldValueDuplicate". + // If not set, default to use "FieldValueInvalid". + // All future added reasons must be accepted by clients when reading this value and unknown reasons should be treated as FieldValueInvalid. + // +optional + reason?: null | #FieldValueErrorReason @go(Reason,*FieldValueErrorReason) @protobuf(4,bytes,opt) + + // fieldPath represents the field path returned when the validation fails. + // It must be a relative JSON path (i.e. with array notation) scoped to the location of this x-kubernetes-validations extension in the schema and refer to an existing field. + // e.g. when validation checks if a specific attribute `foo` under a map `testMap`, the fieldPath could be set to `.testMap.foo` + // If the validation checks two lists must have unique attributes, the fieldPath could be set to either of the list: e.g. `.testList` + // It does not support list numeric index. + // It supports child operation to refer to an existing field currently. 
Refer to [JSONPath support in Kubernetes](https://kubernetes.io/docs/reference/kubectl/jsonpath/) for more info. + // Numeric index of array is not supported. + // For field name which contains special characters, use `['specialName']` to refer the field name. + // e.g. for attribute `foo.34$` appears in a list `testList`, the fieldPath could be set to `.testList['foo.34$']` + // +optional + fieldPath?: string @go(FieldPath) @protobuf(5,bytes,opt) +} + +// JSON represents any valid JSON value. +// These types are supported: bool, int64, float64, string, []interface{}, map[string]interface{} and nil. +#JSON: _ + +// JSONSchemaURL represents a schema url. +#JSONSchemaURL: string + +// JSONSchemaPropsOrArray represents a value that can either be a JSONSchemaProps +// or an array of JSONSchemaProps. Mainly here for serialization purposes. +#JSONSchemaPropsOrArray: _ + +// JSONSchemaPropsOrBool represents JSONSchemaProps or a boolean value. +// Defaults to true for the boolean property. +#JSONSchemaPropsOrBool: _ + +// JSONSchemaDependencies represent a dependencies property. +#JSONSchemaDependencies: {[string]: #JSONSchemaPropsOrStringArray} + +// JSONSchemaPropsOrStringArray represents a JSONSchemaProps or a string array. +#JSONSchemaPropsOrStringArray: _ + +// JSONSchemaDefinitions contains the models explicitly defined in this spec. +#JSONSchemaDefinitions: {[string]: #JSONSchemaProps} + +// ExternalDocumentation allows referencing an external resource for extended documentation. +#ExternalDocumentation: { + description?: string @go(Description) @protobuf(1,bytes,opt) + url?: string @go(URL) @protobuf(2,bytes,opt) +} diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/amount_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/amount_go_gen.cue new file mode 100644 index 000000000..cef44ba5c --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/amount_go_gen.cue 
@@ -0,0 +1,47 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource + +package resource + +// Scale is used for getting and setting the base-10 scaled value. +// Base-2 scales are omitted for mathematical simplicity. +// See Quantity.ScaledValue for more details. +#Scale: int32 // #enumScale + +#enumScale: + #Nano | + #Micro | + #Milli | + #Kilo | + #Mega | + #Giga | + #Tera | + #Peta | + #Exa + +#values_Scale: { + Nano: #Nano + Micro: #Micro + Milli: #Milli + Kilo: #Kilo + Mega: #Mega + Giga: #Giga + Tera: #Tera + Peta: #Peta + Exa: #Exa +} + +#Nano: #Scale & -9 +#Micro: #Scale & -6 +#Milli: #Scale & -3 +#Kilo: #Scale & 3 +#Mega: #Scale & 6 +#Giga: #Scale & 9 +#Tera: #Scale & 12 +#Peta: #Scale & 15 +#Exa: #Scale & 18 + +// infDecAmount implements common operations over an inf.Dec that are specific to the quantity +// representation. +_#infDecAmount: string diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/math_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/math_go_gen.cue new file mode 100644 index 000000000..711f2096f --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/math_go_gen.cue @@ -0,0 +1,13 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource + +package resource + +// maxInt64Factors is the highest value that will be checked when removing factors of 10 from an int64. +// It is also the maximum decimal digits that can be represented with an int64. +_#maxInt64Factors: 18 + +_#mostNegative: -9223372036854775808 + +_#mostPositive: 9223372036854775807 diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/quantity_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/quantity_go_gen.cue new file mode 100644 index 000000000..9d9713a1b --- /dev/null 
+++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/quantity_go_gen.cue 
@@ -0,0 +1,107 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource + +package resource + +// Quantity is a fixed-point representation of a number. +// It provides convenient marshaling/unmarshaling in JSON and YAML, +// in addition to String() and AsInt64() accessors. +// +// The serialization format is: +// +// ``` +// ::= +// +// (Note that may be empty, from the "" case in .) +// +// ::= 0 | 1 | ... | 9 +// ::= | +// ::= | . | . | . +// ::= "+" | "-" +// ::= | +// ::= | | +// ::= Ki | Mi | Gi | Ti | Pi | Ei +// +// (International System of units; See: http://physics.nist.gov/cuu/Units/binary.html) +// +// ::= m | "" | k | M | G | T | P | E +// +// (Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.) +// +// ::= "e" | "E" +// ``` +// +// No matter which of the three exponent forms is used, no quantity may represent +// a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal +// places. Numbers larger or more precise will be capped or rounded up. +// (E.g.: 0.1m will rounded up to 1m.) +// This may be extended in the future if we require larger or smaller quantities. +// +// When a Quantity is parsed from a string, it will remember the type of suffix +// it had, and will use the same type again when it is serialized. +// +// Before serializing, Quantity will be put in "canonical form". +// This means that Exponent/suffix will be adjusted up or down (with a +// corresponding increase or decrease in Mantissa) such that: +// +// - No precision is lost +// - No fractional digits will be emitted +// - The exponent (or suffix) is as large as possible. +// +// The sign will be omitted unless the number is negative. +// +// Examples: +// +// - 1.5 will be serialized as "1500m" +// - 1.5Gi will be serialized as "1536Mi" +// +// Note that the quantity will NEVER be internally represented by a +// floating point number. That is the whole point of this exercise. 
+// +// Non-canonical values will still parse as long as they are well formed, +// but will be re-emitted in their canonical form. (So always use canonical +// form, or don't diff.) +// +// This format is intended to make it difficult to use these numbers without +// writing some sort of special handling code in the hopes that that will +// cause implementors to also use a fixed point implementation. +// +// +protobuf=true +// +protobuf.embed=string +// +protobuf.options.marshal=false +// +protobuf.options.(gogoproto.goproto_stringer)=false +// +k8s:deepcopy-gen=true +// +k8s:openapi-gen=true +#Quantity: _ + +// CanonicalValue allows a quantity amount to be converted to a string. +#CanonicalValue: _ + +// Format lists the three possible formattings of a quantity. +#Format: string // #enumFormat + +#enumFormat: + #DecimalExponent | + #BinarySI | + #DecimalSI + +#DecimalExponent: #Format & "DecimalExponent" +#BinarySI: #Format & "BinarySI" +#DecimalSI: #Format & "DecimalSI" + +// splitREString is used to separate a number from its suffix; as such, +// this is overly permissive, but that's OK-- it will be checked later. +_#splitREString: "^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$" + +_#int64QuantityExpectedBytes: 18 + +// QuantityValue makes it possible to use a Quantity as value for a command +// line parameter. +// +// +protobuf=true +// +protobuf.embed=string +// +protobuf.options.marshal=false +// +protobuf.options.(gogoproto.goproto_stringer)=false +// +k8s:deepcopy-gen=true +#QuantityValue: _ diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/suffix_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/suffix_go_gen.cue new file mode 100644 index 000000000..b40d68ec1 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/suffix_go_gen.cue 
@@ -0,0 +1,10 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource + +package resource + +_#suffix: string + +// suffixer can interpret and construct suffixes. +_#suffixer: _ diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/duration_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/duration_go_gen.cue new file mode 100644 index 000000000..25ea8ecf1 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/duration_go_gen.cue @@ -0,0 +1,10 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +package v1 + +// Duration is a wrapper around time.Duration which supports correct +// marshaling to YAML and JSON. In particular, it marshals into strings, which +// can be used as map keys in json. +#Duration: _ diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/group_version_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/group_version_go_gen.cue new file mode 100644 index 000000000..7ff538603 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/group_version_go_gen.cue 
@@ -0,0 +1,48 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +package v1 + +// GroupResource specifies a Group and a Resource, but does not force a version. This is useful for identifying +// concepts during lookup stages without having partially valid types +// +// +protobuf.options.(gogoproto.goproto_stringer)=false +#GroupResource: { + group: string @go(Group) @protobuf(1,bytes,opt) + resource: string @go(Resource) @protobuf(2,bytes,opt) +} + +// GroupVersionResource unambiguously identifies a resource. It doesn't anonymously include GroupVersion +// to avoid automatic coercion. It doesn't use a GroupVersion to avoid custom marshalling +// +// +protobuf.options.(gogoproto.goproto_stringer)=false +#GroupVersionResource: { + group: string @go(Group) @protobuf(1,bytes,opt) + version: string @go(Version) @protobuf(2,bytes,opt) + resource: string @go(Resource) @protobuf(3,bytes,opt) +} + +// GroupKind specifies a Group and a Kind, but does not force a version. This is useful for identifying +// concepts during lookup stages without having partially valid types +// +// +protobuf.options.(gogoproto.goproto_stringer)=false +#GroupKind: { + group: string @go(Group) @protobuf(1,bytes,opt) + kind: string @go(Kind) @protobuf(2,bytes,opt) +} + +// GroupVersionKind unambiguously identifies a kind. It doesn't anonymously include GroupVersion +// to avoid automatic coercion. It doesn't use a GroupVersion to avoid custom marshalling +// +// +protobuf.options.(gogoproto.goproto_stringer)=false +#GroupVersionKind: { + group: string @go(Group) @protobuf(1,bytes,opt) + version: string @go(Version) @protobuf(2,bytes,opt) + kind: string @go(Kind) @protobuf(3,bytes,opt) +} + +// GroupVersion contains the "group" and the "version", which uniquely identifies the API. +// +// +protobuf.options.(gogoproto.goproto_stringer)=false +#GroupVersion: _ 
diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/meta_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/meta_go_gen.cue new file mode 100644 index 000000000..f3c39a466 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/meta_go_gen.cue @@ -0,0 +1,33 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +package v1 + +// TODO: move this, Object, List, and Type to a different package +#ObjectMetaAccessor: _ + +// Object lets you work with object metadata from any of the versioned or +// internal API objects. Attempting to set or retrieve a field on an object that does +// not support that field (Name, UID, Namespace on lists) will be a no-op and return +// a default value. +#Object: _ + +// ListMetaAccessor retrieves the list interface from an object +#ListMetaAccessor: _ + +// Common lets you work with core metadata from any of the versioned or +// internal API objects. Attempting to set or retrieve a field on an object that does +// not support that field will be a no-op and return a default value. +// TODO: move this, and TypeMeta and ListMeta, to a different package +#Common: _ + +// ListInterface lets you work with list metadata from any of the versioned or +// internal API objects. Attempting to set or retrieve a field on an object that does +// not support that field will be a no-op and return a default value. +// TODO: move this, and TypeMeta and ListMeta, to a different package +#ListInterface: _ + +// Type exposes the type and APIVersion of versioned or internal API objects. +// TODO: move this, and TypeMeta and ListMeta, to a different package +#Type: _ 
diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/micro_time_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/micro_time_go_gen.cue new file mode 100644 index 000000000..3c067bae3 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/micro_time_go_gen.cue @@ -0,0 +1,14 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +package v1 + +#RFC3339Micro: "2006-01-02T15:04:05.000000Z07:00" + +// MicroTime is version of Time with microsecond level precision. +// +// +protobuf.options.marshal=false +// +protobuf.as=Timestamp +// +protobuf.options.(gogoproto.goproto_stringer)=false +#MicroTime: _ diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/register_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/register_go_gen.cue new file mode 100644 index 000000000..39d23b288 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/register_go_gen.cue @@ -0,0 +1,9 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +package v1 + +#GroupName: "meta.k8s.io" + +#WatchEventKind: "WatchEvent" diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/time_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/time_go_gen.cue new file mode 100644 index 000000000..b3c8ec266 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/time_go_gen.cue 
@@ -0,0 +1,14 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +package v1 + +// Time is a wrapper around time.Time which supports correct +// marshaling to YAML and JSON. Wrappers are provided for many +// of the factory methods that the time package offers. +// +// +protobuf.options.marshal=false +// +protobuf.as=Timestamp +// +protobuf.options.(gogoproto.goproto_stringer)=false +#Time: _ diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/time_proto_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/time_proto_go_gen.cue new file mode 100644 index 000000000..835392730 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/time_proto_go_gen.cue @@ -0,0 +1,21 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +package v1 + +// Timestamp is a struct that is equivalent to Time, but intended for +// protobuf marshalling/unmarshalling. It is generated into a serialization +// that matches Time. Do not use in Go structs. +#Timestamp: { + // Represents seconds of UTC time since Unix epoch + // 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + // 9999-12-31T23:59:59Z inclusive. + seconds: int64 @go(Seconds) @protobuf(1,varint,opt) + + // Non-negative fractions of a second at nanosecond resolution. Negative + // second values with fractions must still have non-negative nanos values + // that count forward in time. Must be from 0 to 999,999,999 + // inclusive. This field may be limited in precision depending on context. + nanos: int32 @go(Nanos) @protobuf(2,varint,opt) +} diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/types_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/types_go_gen.cue new file mode 100644 index 000000000..a0deb7c90 --- /dev/null 
+++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/types_go_gen.cue 
@@ -0,0 +1,1561 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +// Package v1 contains API types that are common to all versions. +// +// The package contains two categories of types: +// - external (serialized) types that lack their own version (e.g TypeMeta) +// - internal (never-serialized) types that are needed by several different +// api groups, and so live here, to avoid duplication and/or import loops +// (e.g. LabelSelector). +// +// In the future, we will probably move these categories of objects into +// separate packages. +package v1 + +import ( + "k8s.io/apimachinery/pkg/types" + "k8s.io/apimachinery/pkg/runtime" +) + +// TypeMeta describes an individual object in an API response or request +// with strings representing the type of the object and its API schema version. +// Structures that are versioned or persisted should inline TypeMeta. +// +// +k8s:deepcopy-gen=false +#TypeMeta: { + // Kind is a string value representing the REST resource this object represents. + // Servers may infer this from the endpoint the client submits requests to. + // Cannot be updated. + // In CamelCase. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + kind?: string @go(Kind) @protobuf(1,bytes,opt) + + // APIVersion defines the versioned schema of this representation of an object. + // Servers should convert recognized schemas to the latest internal value, and + // may reject unrecognized values. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + // +optional + apiVersion?: string @go(APIVersion) @protobuf(2,bytes,opt) +} + +// ListMeta describes metadata that synthetic resources must have, including lists and +// various status objects. A resource may have only one of {ObjectMeta, ListMeta}. 
+#ListMeta: { + // Deprecated: selfLink is a legacy read-only field that is no longer populated by the system. + // +optional + selfLink?: string @go(SelfLink) @protobuf(1,bytes,opt) + + // String that identifies the server's internal version of this object that + // can be used by clients to determine when objects have changed. + // Value must be treated as opaque by clients and passed unmodified back to the server. + // Populated by the system. + // Read-only. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + // +optional + resourceVersion?: string @go(ResourceVersion) @protobuf(2,bytes,opt) + + // continue may be set if the user set a limit on the number of items returned, and indicates that + // the server has more data available. The value is opaque and may be used to issue another request + // to the endpoint that served this list to retrieve the next set of available objects. Continuing a + // consistent list may not be possible if the server configuration has changed or more than a few + // minutes have passed. The resourceVersion field returned when using this continue value will be + // identical to the value in the first response, unless you have received this token from an error + // message. + continue?: string @go(Continue) @protobuf(3,bytes,opt) + + // remainingItemCount is the number of subsequent items in the list which are not included in this + // list response. If the list request contained label or field selectors, then the number of + // remaining items is unknown and the field will be left unset and omitted during serialization. + // If the list is complete (either because it is not chunking or because this is the last chunk), + // then there are no more remaining items and this field will be left unset and omitted during + // serialization. + // Servers older than v1.15 do not set this field. 
+ // The intended use of the remainingItemCount is *estimating* the size of a collection. Clients + // should not rely on the remainingItemCount to be set or to be exact. + // +optional + remainingItemCount?: null | int64 @go(RemainingItemCount,*int64) @protobuf(4,bytes,opt) +} + +#ObjectNameField: "metadata.name" + +#FinalizerOrphanDependents: "orphan" +#FinalizerDeleteDependents: "foregroundDeletion" + +// ObjectMeta is metadata that all persisted resources must have, which includes all objects +// users must create. +#ObjectMeta: { + // Name must be unique within a namespace. Is required when creating resources, although + // some resources may allow a client to request the generation of an appropriate name + // automatically. Name is primarily intended for creation idempotence and configuration + // definition. + // Cannot be updated. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names + // +optional + name?: string @go(Name) @protobuf(1,bytes,opt) + + // GenerateName is an optional prefix, used by the server, to generate a unique + // name ONLY IF the Name field has not been provided. + // If this field is used, the name returned to the client will be different + // than the name passed. This value will also be combined with a unique suffix. + // The provided value has the same validation rules as the Name field, + // and may be truncated by the length of the suffix required to make the value + // unique on the server. + // + // If this field is specified and the generated name exists, the server will return a 409. + // + // Applied only if Name is not specified. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency + // +optional + generateName?: string @go(GenerateName) @protobuf(2,bytes,opt) + + // Namespace defines the space within which each name must be unique. 
An empty namespace is + // equivalent to the "default" namespace, but "default" is the canonical representation. + // Not all objects are required to be scoped to a namespace - the value of this field for + // those objects will be empty. + // + // Must be a DNS_LABEL. + // Cannot be updated. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces + // +optional + namespace?: string @go(Namespace) @protobuf(3,bytes,opt) + + // Deprecated: selfLink is a legacy read-only field that is no longer populated by the system. + // +optional + selfLink?: string @go(SelfLink) @protobuf(4,bytes,opt) + + // UID is the unique in time and space value for this object. It is typically generated by + // the server on successful creation of a resource and is not allowed to change on PUT + // operations. + // + // Populated by the system. + // Read-only. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids + // +optional + uid?: types.#UID @go(UID) @protobuf(5,bytes,opt,casttype=k8s.io/kubernetes/pkg/types.UID) + + // An opaque value that represents the internal version of this object that can + // be used by clients to determine when objects have changed. May be used for optimistic + // concurrency, change detection, and the watch operation on a resource or set of resources. + // Clients must treat these values as opaque and passed unmodified back to the server. + // They may only be valid for a particular resource or set of resources. + // + // Populated by the system. + // Read-only. + // Value must be treated as opaque by clients and . + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + // +optional + resourceVersion?: string @go(ResourceVersion) @protobuf(6,bytes,opt) + + // A sequence number representing a specific generation of the desired state. + // Populated by the system. Read-only. 
+ // +optional + generation?: int64 @go(Generation) @protobuf(7,varint,opt) + + // CreationTimestamp is a timestamp representing the server time when this object was + // created. It is not guaranteed to be set in happens-before order across separate operations. + // Clients may not set this value. It is represented in RFC3339 form and is in UTC. + // + // Populated by the system. + // Read-only. + // Null for lists. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + creationTimestamp?: #Time @go(CreationTimestamp) @protobuf(8,bytes,opt) + + // DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This + // field is set by the server when a graceful deletion is requested by the user, and is not + // directly settable by a client. The resource is expected to be deleted (no longer visible + // from resource lists, and not reachable by name) after the time in this field, once the + // finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. + // Once the deletionTimestamp is set, this value may not be unset or be set further into the + // future, although it may be shortened or the resource may be deleted prior to this time. + // For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react + // by sending a graceful termination signal to the containers in the pod. After that 30 seconds, + // the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, + // remove the pod from the API. In the presence of network partitions, this object may still + // exist after this timestamp, until an administrator or automated process can determine the + // resource is fully terminated. + // If not set, graceful deletion of the object has not been requested. + // + // Populated by the system when a graceful deletion is requested. + // Read-only. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + deletionTimestamp?: null | #Time @go(DeletionTimestamp,*Time) @protobuf(9,bytes,opt) + + // Number of seconds allowed for this object to gracefully terminate before + // it will be removed from the system. Only set when deletionTimestamp is also set. + // May only be shortened. + // Read-only. + // +optional + deletionGracePeriodSeconds?: null | int64 @go(DeletionGracePeriodSeconds,*int64) @protobuf(10,varint,opt) + + // Map of string keys and values that can be used to organize and categorize + // (scope and select) objects. May match selectors of replication controllers + // and services. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels + // +optional + labels?: {[string]: string} @go(Labels,map[string]string) @protobuf(11,bytes,rep) + + // Annotations is an unstructured key value map stored with a resource that may be + // set by external tools to store and retrieve arbitrary metadata. They are not + // queryable and should be preserved when modifying objects. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations + // +optional + annotations?: {[string]: string} @go(Annotations,map[string]string) @protobuf(12,bytes,rep) + + // List of objects depended by this object. If ALL objects in the list have + // been deleted, this object will be garbage collected. If this object is managed by a controller, + // then an entry in this list will point to this controller, with the controller field set to true. + // There cannot be more than one managing controller. + // +optional + // +patchMergeKey=uid + // +patchStrategy=merge + ownerReferences?: [...#OwnerReference] @go(OwnerReferences,[]OwnerReference) @protobuf(13,bytes,rep) + + // Must be empty before the object is deleted from the registry. 
Each entry + // is an identifier for the responsible component that will remove the entry + // from the list. If the deletionTimestamp of the object is non-nil, entries + // in this list can only be removed. + // Finalizers may be processed and removed in any order. Order is NOT enforced + // because it introduces significant risk of stuck finalizers. + // finalizers is a shared field, any actor with permission can reorder it. + // If the finalizer list is processed in order, then this can lead to a situation + // in which the component responsible for the first finalizer in the list is + // waiting for a signal (field value, external system, or other) produced by a + // component responsible for a finalizer later in the list, resulting in a deadlock. + // Without enforced ordering finalizers are free to order amongst themselves and + // are not vulnerable to ordering changes in the list. + // +optional + // +patchStrategy=merge + finalizers?: [...string] @go(Finalizers,[]string) @protobuf(14,bytes,rep) + + // ManagedFields maps workflow-id and version to the set of fields + // that are managed by that workflow. This is mostly for internal + // housekeeping, and users typically shouldn't need to set or + // understand this field. A workflow can be the user's name, a + // controller's name, or the name of a specific apply path like + // "ci-cd". The set of fields is always in the version that the + // workflow used when modifying the object. + // + // +optional + managedFields?: [...#ManagedFieldsEntry] @go(ManagedFields,[]ManagedFieldsEntry) @protobuf(17,bytes,rep) +} + +// NamespaceDefault means the object is in the default namespace which is applied when not specified by clients +#NamespaceDefault: "default" + +// NamespaceAll is the default argument to specify on a context when you want to list or filter resources across all namespaces +#NamespaceAll: "" + +// NamespaceNone is the argument for a context when there is no namespace. 
+#NamespaceNone: "" + +// NamespaceSystem is the system namespace where we place system components. +#NamespaceSystem: "kube-system" + +// NamespacePublic is the namespace where we place public info (ConfigMaps) +#NamespacePublic: "kube-public" + +// OwnerReference contains enough information to let you identify an owning +// object. An owning object must be in the same namespace as the dependent, or +// be cluster-scoped, so there is no namespace field. +// +structType=atomic +#OwnerReference: { + // API version of the referent. + apiVersion: string @go(APIVersion) @protobuf(5,bytes,opt) + + // Kind of the referent. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: string @go(Kind) @protobuf(1,bytes,opt) + + // Name of the referent. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names + name: string @go(Name) @protobuf(3,bytes,opt) + + // UID of the referent. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids + uid: types.#UID @go(UID) @protobuf(4,bytes,opt,casttype=k8s.io/apimachinery/pkg/types.UID) + + // If true, this reference points to the managing controller. + // +optional + controller?: null | bool @go(Controller,*bool) @protobuf(6,varint,opt) + + // If true, AND if the owner has the "foregroundDeletion" finalizer, then + // the owner cannot be deleted from the key-value store until this + // reference is removed. + // See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion + // for how the garbage collector interacts with this field and enforces the foreground deletion. + // Defaults to false. + // To set this field, a user needs "delete" permission of the owner, + // otherwise 422 (Unprocessable Entity) will be returned. 
+ // +optional + blockOwnerDeletion?: null | bool @go(BlockOwnerDeletion,*bool) @protobuf(7,varint,opt) +} + +// ListOptions is the query options to a standard REST list call. +#ListOptions: { + #TypeMeta + + // A selector to restrict the list of returned objects by their labels. + // Defaults to everything. + // +optional + labelSelector?: string @go(LabelSelector) @protobuf(1,bytes,opt) + + // A selector to restrict the list of returned objects by their fields. + // Defaults to everything. + // +optional + fieldSelector?: string @go(FieldSelector) @protobuf(2,bytes,opt) + + // Watch for changes to the described resources and return them as a stream of + // add, update, and remove notifications. Specify resourceVersion. + // +optional + watch?: bool @go(Watch) @protobuf(3,varint,opt) + + // allowWatchBookmarks requests watch events with type "BOOKMARK". + // Servers that do not implement bookmarks may ignore this flag and + // bookmarks are sent at the server's discretion. Clients should not + // assume bookmarks are returned at any specific interval, nor may they + // assume the server will send any BOOKMARK event during a session. + // If this is not a watch, this field is ignored. + // +optional + allowWatchBookmarks?: bool @go(AllowWatchBookmarks) @protobuf(9,varint,opt) + + // resourceVersion sets a constraint on what resource versions a request may be served from. + // See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for + // details. + // + // Defaults to unset + // +optional + resourceVersion?: string @go(ResourceVersion) @protobuf(4,bytes,opt) + + // resourceVersionMatch determines how resourceVersion is applied to list calls. + // It is highly recommended that resourceVersionMatch be set for list calls where + // resourceVersion is set + // See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for + // details. 
+ // + // Defaults to unset + // +optional + resourceVersionMatch?: #ResourceVersionMatch @go(ResourceVersionMatch) @protobuf(10,bytes,opt,casttype=ResourceVersionMatch) + + // Timeout for the list/watch call. + // This limits the duration of the call, regardless of any activity or inactivity. + // +optional + timeoutSeconds?: null | int64 @go(TimeoutSeconds,*int64) @protobuf(5,varint,opt) + + // limit is a maximum number of responses to return for a list call. If more items exist, the + // server will set the `continue` field on the list metadata to a value that can be used with the + // same initial query to retrieve the next set of results. Setting a limit may return fewer than + // the requested amount of items (up to zero items) in the event all requested objects are + // filtered out and clients should only use the presence of the continue field to determine whether + // more results are available. Servers may choose not to support the limit argument and will return + // all of the available results. If limit is specified and the continue field is empty, clients may + // assume that no more results are available. This field is not supported if watch is true. + // + // The server guarantees that the objects returned when using continue will be identical to issuing + // a single list call without a limit - that is, no objects created, modified, or deleted after the + // first request is issued will be included in any subsequent continued requests. This is sometimes + // referred to as a consistent snapshot, and ensures that a client that is using limit to receive + // smaller chunks of a very large result can ensure they see all possible objects. If objects are + // updated during a chunked list the version of the object that was present at the time the first list + // result was calculated is returned. + limit?: int64 @go(Limit) @protobuf(7,varint,opt) + + // The continue option should be set when retrieving more results from the server. 
Since this value is + // server defined, clients may only use the continue value from a previous query result with identical + // query parameters (except for the value of continue) and the server may reject a continue value it + // does not recognize. If the specified continue value is no longer valid whether due to expiration + // (generally five to fifteen minutes) or a configuration change on the server, the server will + // respond with a 410 ResourceExpired error together with a continue token. If the client needs a + // consistent list, it must restart their list without the continue field. Otherwise, the client may + // send another list request with the token received with the 410 error, the server will respond with + // a list starting from the next key, but from the latest snapshot, which is inconsistent from the + // previous list results - objects that are created, modified, or deleted after the first list request + // will be included in the response, as long as their keys are after the "next key". + // + // This field is not supported when watch is true. Clients may start a watch from the last + // resourceVersion value returned by the server and not miss any modifications. + continue?: string @go(Continue) @protobuf(8,bytes,opt) + + // `sendInitialEvents=true` may be set together with `watch=true`. + // In that case, the watch stream will begin with synthetic events to + // produce the current state of objects in the collection. Once all such + // events have been sent, a synthetic "Bookmark" event will be sent. + // The bookmark will report the ResourceVersion (RV) corresponding to the + // set of objects, and be marked with `"k8s.io/initial-events-end": "true"` annotation. + // Afterwards, the watch stream will proceed as usual, sending watch events + // corresponding to changes (subsequent to the RV) to objects watched. + // + // When `sendInitialEvents` option is set, we require `resourceVersionMatch` + // option to also be set. 
The semantic of the watch request is as following: + // - `resourceVersionMatch` = NotOlderThan + // is interpreted as "data at least as new as the provided `resourceVersion`" + // and the bookmark event is send when the state is synced + // to a `resourceVersion` at least as fresh as the one provided by the ListOptions. + // If `resourceVersion` is unset, this is interpreted as "consistent read" and the + // bookmark event is send when the state is synced at least to the moment + // when request started being processed. + // - `resourceVersionMatch` set to any other value or unset + // Invalid error is returned. + // + // Defaults to true if `resourceVersion=""` or `resourceVersion="0"` (for backward + // compatibility reasons) and to false otherwise. + // +optional + sendInitialEvents?: null | bool @go(SendInitialEvents,*bool) @protobuf(11,varint,opt) +} + +// resourceVersionMatch specifies how the resourceVersion parameter is applied. resourceVersionMatch +// may only be set if resourceVersion is also set. +// +// "NotOlderThan" matches data at least as new as the provided resourceVersion. +// "Exact" matches data at the exact resourceVersion provided. +// +// See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for +// details. +#ResourceVersionMatch: string // #enumResourceVersionMatch + +#enumResourceVersionMatch: + #ResourceVersionMatchNotOlderThan | + #ResourceVersionMatchExact + +// ResourceVersionMatchNotOlderThan matches data at least as new as the provided +// resourceVersion. +#ResourceVersionMatchNotOlderThan: #ResourceVersionMatch & "NotOlderThan" + +// ResourceVersionMatchExact matches data at the exact resourceVersion +// provided. +#ResourceVersionMatchExact: #ResourceVersionMatch & "Exact" + +// GetOptions is the standard query options to the standard REST get call. +#GetOptions: { + #TypeMeta + + // resourceVersion sets a constraint on what resource versions a request may be served from. 
+ // See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for + // details. + // + // Defaults to unset + // +optional + resourceVersion?: string @go(ResourceVersion) @protobuf(1,bytes,opt) +} + +// DeletionPropagation decides if a deletion will propagate to the dependents of +// the object, and how the garbage collector will handle the propagation. +#DeletionPropagation: string // #enumDeletionPropagation + +#enumDeletionPropagation: + #DeletePropagationOrphan | + #DeletePropagationBackground | + #DeletePropagationForeground + +// Orphans the dependents. +#DeletePropagationOrphan: #DeletionPropagation & "Orphan" + +// Deletes the object from the key-value store, the garbage collector will +// delete the dependents in the background. +#DeletePropagationBackground: #DeletionPropagation & "Background" + +// The object exists in the key-value store until the garbage collector +// deletes all the dependents whose ownerReference.blockOwnerDeletion=true +// from the key-value store. API sever will put the "foregroundDeletion" +// finalizer on the object, and sets its deletionTimestamp. This policy is +// cascading, i.e., the dependents will be deleted with Foreground. +#DeletePropagationForeground: #DeletionPropagation & "Foreground" + +// DryRunAll means to complete all processing stages, but don't +// persist changes to storage. +#DryRunAll: "All" + +// DeleteOptions may be provided when deleting an API object. +#DeleteOptions: { + #TypeMeta + + // The duration in seconds before the object should be deleted. Value must be non-negative integer. + // The value zero indicates delete immediately. If this value is nil, the default grace period for the + // specified type will be used. + // Defaults to a per object value if not specified. zero means delete immediately. + // +optional + gracePeriodSeconds?: null | int64 @go(GracePeriodSeconds,*int64) @protobuf(1,varint,opt) + + // Must be fulfilled before a deletion is carried out. 
If not possible, a 409 Conflict status will be + // returned. + // +k8s:conversion-gen=false + // +optional + preconditions?: null | #Preconditions @go(Preconditions,*Preconditions) @protobuf(2,bytes,opt) + + // Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. + // Should the dependent objects be orphaned. If true/false, the "orphan" + // finalizer will be added to/removed from the object's finalizers list. + // Either this field or PropagationPolicy may be set, but not both. + // +optional + orphanDependents?: null | bool @go(OrphanDependents,*bool) @protobuf(3,varint,opt) + + // Whether and how garbage collection will be performed. + // Either this field or OrphanDependents may be set, but not both. + // The default policy is decided by the existing finalizer set in the + // metadata.finalizers and the resource-specific default policy. + // Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - + // allow the garbage collector to delete the dependents in the background; + // 'Foreground' - a cascading policy that deletes all dependents in the + // foreground. + // +optional + propagationPolicy?: null | #DeletionPropagation @go(PropagationPolicy,*DeletionPropagation) @protobuf(4,varint,opt) + + // When present, indicates that modifications should not be + // persisted. An invalid or unrecognized dryRun directive will + // result in an error response and no further processing of the + // request. 
Valid values are: + // - All: all dry run stages will be processed + // +optional + dryRun?: [...string] @go(DryRun,[]string) @protobuf(5,bytes,rep) +} + +// FieldValidationIgnore ignores unknown/duplicate fields +#FieldValidationIgnore: "Ignore" + +// FieldValidationWarn responds with a warning, but successfully serve the request +#FieldValidationWarn: "Warn" + +// FieldValidationStrict fails the request on unknown/duplicate fields +#FieldValidationStrict: "Strict" + +// CreateOptions may be provided when creating an API object. +#CreateOptions: { + #TypeMeta + + // When present, indicates that modifications should not be + // persisted. An invalid or unrecognized dryRun directive will + // result in an error response and no further processing of the + // request. Valid values are: + // - All: all dry run stages will be processed + // +optional + dryRun?: [...string] @go(DryRun,[]string) @protobuf(1,bytes,rep) + + // fieldManager is a name associated with the actor or entity + // that is making these changes. The value must be less than or + // 128 characters long, and only contain printable characters, + // as defined by https://golang.org/pkg/unicode/#IsPrint. + // +optional + fieldManager?: string @go(FieldManager) @protobuf(3,bytes) + + // fieldValidation instructs the server on how to handle + // objects in the request (POST/PUT/PATCH) containing unknown + // or duplicate fields. Valid values are: + // - Ignore: This will ignore any unknown fields that are silently + // dropped from the object, and will ignore all but the last duplicate + // field that the decoder encounters. This is the default behavior + // prior to v1.23. + // - Warn: This will send a warning via the standard warning response + // header for each unknown field that is dropped from the object, and + // for each duplicate field that is encountered. The request will + // still succeed if there are no other errors, and will only persist + // the last of any duplicate fields. 
This is the default in v1.23+ + // - Strict: This will fail the request with a BadRequest error if + // any unknown fields would be dropped from the object, or if any + // duplicate fields are present. The error returned from the server + // will contain all unknown and duplicate fields encountered. + // +optional + fieldValidation?: string @go(FieldValidation) @protobuf(4,bytes) +} + +// PatchOptions may be provided when patching an API object. +// PatchOptions is meant to be a superset of UpdateOptions. +#PatchOptions: { + #TypeMeta + + // When present, indicates that modifications should not be + // persisted. An invalid or unrecognized dryRun directive will + // result in an error response and no further processing of the + // request. Valid values are: + // - All: all dry run stages will be processed + // +optional + dryRun?: [...string] @go(DryRun,[]string) @protobuf(1,bytes,rep) + + // Force is going to "force" Apply requests. It means user will + // re-acquire conflicting fields owned by other people. Force + // flag must be unset for non-apply patch requests. + // +optional + force?: null | bool @go(Force,*bool) @protobuf(2,varint,opt) + + // fieldManager is a name associated with the actor or entity + // that is making these changes. The value must be less than or + // 128 characters long, and only contain printable characters, + // as defined by https://golang.org/pkg/unicode/#IsPrint. This + // field is required for apply requests + // (application/apply-patch) but optional for non-apply patch + // types (JsonPatch, MergePatch, StrategicMergePatch). + // +optional + fieldManager?: string @go(FieldManager) @protobuf(3,bytes) + + // fieldValidation instructs the server on how to handle + // objects in the request (POST/PUT/PATCH) containing unknown + // or duplicate fields. 
Valid values are: + // - Ignore: This will ignore any unknown fields that are silently + // dropped from the object, and will ignore all but the last duplicate + // field that the decoder encounters. This is the default behavior + // prior to v1.23. + // - Warn: This will send a warning via the standard warning response + // header for each unknown field that is dropped from the object, and + // for each duplicate field that is encountered. The request will + // still succeed if there are no other errors, and will only persist + // the last of any duplicate fields. This is the default in v1.23+ + // - Strict: This will fail the request with a BadRequest error if + // any unknown fields would be dropped from the object, or if any + // duplicate fields are present. The error returned from the server + // will contain all unknown and duplicate fields encountered. + // +optional + fieldValidation?: string @go(FieldValidation) @protobuf(4,bytes) +} + +// ApplyOptions may be provided when applying an API object. +// FieldManager is required for apply requests. +// ApplyOptions is equivalent to PatchOptions. It is provided as a convenience with documentation +// that speaks specifically to how the options fields relate to apply. +#ApplyOptions: { + #TypeMeta + + // When present, indicates that modifications should not be + // persisted. An invalid or unrecognized dryRun directive will + // result in an error response and no further processing of the + // request. Valid values are: + // - All: all dry run stages will be processed + // +optional + dryRun?: [...string] @go(DryRun,[]string) @protobuf(1,bytes,rep) + + // Force is going to "force" Apply requests. It means user will + // re-acquire conflicting fields owned by other people. + force: bool @go(Force) @protobuf(2,varint,opt) + + // fieldManager is a name associated with the actor or entity + // that is making these changes. 
The value must be less than or + // 128 characters long, and only contain printable characters, + // as defined by https://golang.org/pkg/unicode/#IsPrint. This + // field is required. + fieldManager: string @go(FieldManager) @protobuf(3,bytes) +} + +// UpdateOptions may be provided when updating an API object. +// All fields in UpdateOptions should also be present in PatchOptions. +#UpdateOptions: { + #TypeMeta + + // When present, indicates that modifications should not be + // persisted. An invalid or unrecognized dryRun directive will + // result in an error response and no further processing of the + // request. Valid values are: + // - All: all dry run stages will be processed + // +optional + dryRun?: [...string] @go(DryRun,[]string) @protobuf(1,bytes,rep) + + // fieldManager is a name associated with the actor or entity + // that is making these changes. The value must be less than or + // 128 characters long, and only contain printable characters, + // as defined by https://golang.org/pkg/unicode/#IsPrint. + // +optional + fieldManager?: string @go(FieldManager) @protobuf(2,bytes) + + // fieldValidation instructs the server on how to handle + // objects in the request (POST/PUT/PATCH) containing unknown + // or duplicate fields. Valid values are: + // - Ignore: This will ignore any unknown fields that are silently + // dropped from the object, and will ignore all but the last duplicate + // field that the decoder encounters. This is the default behavior + // prior to v1.23. + // - Warn: This will send a warning via the standard warning response + // header for each unknown field that is dropped from the object, and + // for each duplicate field that is encountered. The request will + // still succeed if there are no other errors, and will only persist + // the last of any duplicate fields. 
This is the default in v1.23+ + // - Strict: This will fail the request with a BadRequest error if + // any unknown fields would be dropped from the object, or if any + // duplicate fields are present. The error returned from the server + // will contain all unknown and duplicate fields encountered. + // +optional + fieldValidation?: string @go(FieldValidation) @protobuf(3,bytes) +} + +// Preconditions must be fulfilled before an operation (update, delete, etc.) is carried out. +#Preconditions: { + // Specifies the target UID. + // +optional + uid?: null | types.#UID @go(UID,*types.UID) @protobuf(1,bytes,opt,casttype=k8s.io/apimachinery/pkg/types.UID) + + // Specifies the target ResourceVersion + // +optional + resourceVersion?: null | string @go(ResourceVersion,*string) @protobuf(2,bytes,opt) +} + +// Status is a return value for calls that don't return other objects. +#Status: { + #TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: #ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Status of the operation. + // One of: "Success" or "Failure". + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: string @go(Status) @protobuf(2,bytes,opt) + + // A human-readable description of the status of this operation. + // +optional + message?: string @go(Message) @protobuf(3,bytes,opt) + + // A machine-readable description of why this operation is in the + // "Failure" status. If this value is empty there + // is no information available. A Reason clarifies an HTTP status + // code but does not override it. + // +optional + reason?: #StatusReason @go(Reason) @protobuf(4,bytes,opt,casttype=StatusReason) + + // Extended data associated with the reason. Each reason may define its + // own extended details. 
This field is optional and the data returned + // is not guaranteed to conform to any schema except that defined by + // the reason type. + // +optional + details?: null | #StatusDetails @go(Details,*StatusDetails) @protobuf(5,bytes,opt) + + // Suggested HTTP return code for this status, 0 if not set. + // +optional + code?: int32 @go(Code) @protobuf(6,varint,opt) +} + +// StatusDetails is a set of additional properties that MAY be set by the +// server to provide additional information about a response. The Reason +// field of a Status object defines what attributes will be set. Clients +// must ignore fields that do not match the defined type of each attribute, +// and should assume that any attribute may be empty, invalid, or under +// defined. +#StatusDetails: { + // The name attribute of the resource associated with the status StatusReason + // (when there is a single name which can be described). + // +optional + name?: string @go(Name) @protobuf(1,bytes,opt) + + // The group attribute of the resource associated with the status StatusReason. + // +optional + group?: string @go(Group) @protobuf(2,bytes,opt) + + // The kind attribute of the resource associated with the status StatusReason. + // On some operations may differ from the requested resource Kind. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + kind?: string @go(Kind) @protobuf(3,bytes,opt) + + // UID of the resource. + // (when there is a single resource which can be described). + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids + // +optional + uid?: types.#UID @go(UID) @protobuf(6,bytes,opt,casttype=k8s.io/apimachinery/pkg/types.UID) + + // The Causes array includes more details associated with the StatusReason + // failure. Not all StatusReasons may provide detailed causes. 
+ // +optional + causes?: [...#StatusCause] @go(Causes,[]StatusCause) @protobuf(4,bytes,rep) + + // If specified, the time in seconds before the operation should be retried. Some errors may indicate + // the client must take an alternate action - for those errors this field may indicate how long to wait + // before taking the alternate action. + // +optional + retryAfterSeconds?: int32 @go(RetryAfterSeconds) @protobuf(5,varint,opt) +} + +#StatusSuccess: "Success" +#StatusFailure: "Failure" + +// StatusReason is an enumeration of possible failure causes. Each StatusReason +// must map to a single HTTP status code, but multiple reasons may map +// to the same HTTP status code. +// TODO: move to apiserver +#StatusReason: string // #enumStatusReason + +#enumStatusReason: + #StatusReasonUnknown | + #StatusReasonUnauthorized | + #StatusReasonForbidden | + #StatusReasonNotFound | + #StatusReasonAlreadyExists | + #StatusReasonConflict | + #StatusReasonGone | + #StatusReasonInvalid | + #StatusReasonServerTimeout | + #StatusReasonTimeout | + #StatusReasonTooManyRequests | + #StatusReasonBadRequest | + #StatusReasonMethodNotAllowed | + #StatusReasonNotAcceptable | + #StatusReasonRequestEntityTooLarge | + #StatusReasonUnsupportedMediaType | + #StatusReasonInternalError | + #StatusReasonExpired | + #StatusReasonServiceUnavailable + +// StatusReasonUnknown means the server has declined to indicate a specific reason. +// The details field may contain other information about this error. +// Status code 500. +#StatusReasonUnknown: #StatusReason & "" + +// StatusReasonUnauthorized means the server can be reached and understood the request, but requires +// the user to present appropriate authorization credentials (identified by the WWW-Authenticate header) +// in order for the action to be completed. If the user has specified credentials on the request, the +// server considers them insufficient. 
+// Status code 401 +#StatusReasonUnauthorized: #StatusReason & "Unauthorized" + +// StatusReasonForbidden means the server can be reached and understood the request, but refuses +// to take any further action. It is the result of the server being configured to deny access for some reason +// to the requested resource by the client. +// Details (optional): +// "kind" string - the kind attribute of the forbidden resource +// on some operations may differ from the requested +// resource. +// "id" string - the identifier of the forbidden resource +// Status code 403 +#StatusReasonForbidden: #StatusReason & "Forbidden" + +// StatusReasonNotFound means one or more resources required for this operation +// could not be found. +// Details (optional): +// "kind" string - the kind attribute of the missing resource +// on some operations may differ from the requested +// resource. +// "id" string - the identifier of the missing resource +// Status code 404 +#StatusReasonNotFound: #StatusReason & "NotFound" + +// StatusReasonAlreadyExists means the resource you are creating already exists. +// Details (optional): +// "kind" string - the kind attribute of the conflicting resource +// "id" string - the identifier of the conflicting resource +// Status code 409 +#StatusReasonAlreadyExists: #StatusReason & "AlreadyExists" + +// StatusReasonConflict means the requested operation cannot be completed +// due to a conflict in the operation. The client may need to alter the +// request. Each resource may define custom details that indicate the +// nature of the conflict. +// Status code 409 +#StatusReasonConflict: #StatusReason & "Conflict" + +// StatusReasonGone means the item is no longer available at the server and no +// forwarding address is known. +// Status code 410 +#StatusReasonGone: #StatusReason & "Gone" + +// StatusReasonInvalid means the requested create or update operation cannot be +// completed due to invalid data provided as part of the request. 
The client may +// need to alter the request. When set, the client may use the StatusDetails +// message field as a summary of the issues encountered. +// Details (optional): +// "kind" string - the kind attribute of the invalid resource +// "id" string - the identifier of the invalid resource +// "causes" - one or more StatusCause entries indicating the data in the +// provided resource that was invalid. The code, message, and +// field attributes will be set. +// Status code 422 +#StatusReasonInvalid: #StatusReason & "Invalid" + +// StatusReasonServerTimeout means the server can be reached and understood the request, +// but cannot complete the action in a reasonable time. The client should retry the request. +// This is may be due to temporary server load or a transient communication issue with +// another server. Status code 500 is used because the HTTP spec provides no suitable +// server-requested client retry and the 5xx class represents actionable errors. +// Details (optional): +// "kind" string - the kind attribute of the resource being acted on. +// "id" string - the operation that is being attempted. +// "retryAfterSeconds" int32 - the number of seconds before the operation should be retried +// Status code 500 +#StatusReasonServerTimeout: #StatusReason & "ServerTimeout" + +// StatusReasonTimeout means that the request could not be completed within the given time. +// Clients can get this response only when they specified a timeout param in the request, +// or if the server cannot complete the operation within a reasonable amount of time. +// The request might succeed with an increased value of timeout param. The client *should* +// wait at least the number of seconds specified by the retryAfterSeconds field. 
+// Details (optional): +// "retryAfterSeconds" int32 - the number of seconds before the operation should be retried +// Status code 504 +#StatusReasonTimeout: #StatusReason & "Timeout" + +// StatusReasonTooManyRequests means the server experienced too many requests within a +// given window and that the client must wait to perform the action again. A client may +// always retry the request that led to this error, although the client should wait at least +// the number of seconds specified by the retryAfterSeconds field. +// Details (optional): +// "retryAfterSeconds" int32 - the number of seconds before the operation should be retried +// Status code 429 +#StatusReasonTooManyRequests: #StatusReason & "TooManyRequests" + +// StatusReasonBadRequest means that the request itself was invalid, because the request +// doesn't make any sense, for example deleting a read-only object. This is different than +// StatusReasonInvalid above which indicates that the API call could possibly succeed, but the +// data was invalid. API calls that return BadRequest can never succeed. +// Status code 400 +#StatusReasonBadRequest: #StatusReason & "BadRequest" + +// StatusReasonMethodNotAllowed means that the action the client attempted to perform on the +// resource was not supported by the code - for instance, attempting to delete a resource that +// can only be created. API calls that return MethodNotAllowed can never succeed. +// Status code 405 +#StatusReasonMethodNotAllowed: #StatusReason & "MethodNotAllowed" + +// StatusReasonNotAcceptable means that the accept types indicated by the client were not acceptable +// to the server - for instance, attempting to receive protobuf for a resource that supports only json and yaml. +// API calls that return NotAcceptable can never succeed. +// Status code 406 +#StatusReasonNotAcceptable: #StatusReason & "NotAcceptable" + +// StatusReasonRequestEntityTooLarge means that the request entity is too large. 
+// Status code 413 +#StatusReasonRequestEntityTooLarge: #StatusReason & "RequestEntityTooLarge" + +// StatusReasonUnsupportedMediaType means that the content type sent by the client is not acceptable +// to the server - for instance, attempting to send protobuf for a resource that supports only json and yaml. +// API calls that return UnsupportedMediaType can never succeed. +// Status code 415 +#StatusReasonUnsupportedMediaType: #StatusReason & "UnsupportedMediaType" + +// StatusReasonInternalError indicates that an internal error occurred, it is unexpected +// and the outcome of the call is unknown. +// Details (optional): +// "causes" - The original error +// Status code 500 +#StatusReasonInternalError: #StatusReason & "InternalError" + +// StatusReasonExpired indicates that the request is invalid because the content you are requesting +// has expired and is no longer available. It is typically associated with watches that can't be +// serviced. +// Status code 410 (gone) +#StatusReasonExpired: #StatusReason & "Expired" + +// StatusReasonServiceUnavailable means that the request itself was valid, +// but the requested service is unavailable at this time. +// Retrying the request after some time might succeed. +// Status code 503 +#StatusReasonServiceUnavailable: #StatusReason & "ServiceUnavailable" + +// StatusCause provides more information about an api.Status failure, including +// cases when multiple errors are encountered. +#StatusCause: { + // A machine-readable description of the cause of the error. If this value is + // empty there is no information available. + // +optional + reason?: #CauseType @go(Type) @protobuf(1,bytes,opt,casttype=CauseType) + + // A human-readable description of the cause of the error. This field may be + // presented as-is to a reader. + // +optional + message?: string @go(Message) @protobuf(2,bytes,opt) + + // The field of the resource that has caused this error, as named by its JSON + // serialization. 
May include dot and postfix notation for nested attributes. + // Arrays are zero-indexed. Fields may appear more than once in an array of + // causes due to fields having multiple errors. + // Optional. + // + // Examples: + // "name" - the field "name" on the current resource + // "items[0].name" - the field "name" on the first array entry in "items" + // +optional + field?: string @go(Field) @protobuf(3,bytes,opt) +} + +// CauseType is a machine readable value providing more detail about what +// occurred in a status response. An operation may have multiple causes for a +// status (whether Failure or Success). +#CauseType: string // #enumCauseType + +#enumCauseType: + #CauseTypeFieldValueNotFound | + #CauseTypeFieldValueRequired | + #CauseTypeFieldValueDuplicate | + #CauseTypeFieldValueInvalid | + #CauseTypeFieldValueNotSupported | + #CauseTypeForbidden | + #CauseTypeTooLong | + #CauseTypeTooMany | + #CauseTypeInternal | + #CauseTypeTypeInvalid | + #CauseTypeUnexpectedServerResponse | + #CauseTypeFieldManagerConflict | + #CauseTypeResourceVersionTooLarge + +// CauseTypeFieldValueNotFound is used to report failure to find a requested value +// (e.g. looking up an ID). +#CauseTypeFieldValueNotFound: #CauseType & "FieldValueNotFound" + +// CauseTypeFieldValueRequired is used to report required values that are not +// provided (e.g. empty strings, null values, or empty arrays). +#CauseTypeFieldValueRequired: #CauseType & "FieldValueRequired" + +// CauseTypeFieldValueDuplicate is used to report collisions of values that must be +// unique (e.g. unique IDs). +#CauseTypeFieldValueDuplicate: #CauseType & "FieldValueDuplicate" + +// CauseTypeFieldValueInvalid is used to report malformed values (e.g. failed regex +// match). +#CauseTypeFieldValueInvalid: #CauseType & "FieldValueInvalid" + +// CauseTypeFieldValueNotSupported is used to report valid (as per formatting rules) +// values that can not be handled (e.g. an enumerated string). 
+#CauseTypeFieldValueNotSupported: #CauseType & "FieldValueNotSupported" + +// CauseTypeForbidden is used to report valid (as per formatting rules) +// values which would be accepted under some conditions, but which are not +// permitted by the current conditions (such as security policy). See +// Forbidden(). +#CauseTypeForbidden: #CauseType & "FieldValueForbidden" + +// CauseTypeTooLong is used to report that the given value is too long. +// This is similar to ErrorTypeInvalid, but the error will not include the +// too-long value. See TooLong(). +#CauseTypeTooLong: #CauseType & "FieldValueTooLong" + +// CauseTypeTooMany is used to report "too many". This is used to +// report that a given list has too many items. This is similar to FieldValueTooLong, +// but the error indicates quantity instead of length. +#CauseTypeTooMany: #CauseType & "FieldValueTooMany" + +// CauseTypeInternal is used to report other errors that are not related +// to user input. See InternalError(). +#CauseTypeInternal: #CauseType & "InternalError" + +// CauseTypeTypeInvalid is for the value did not match the schema type for that field +#CauseTypeTypeInvalid: #CauseType & "FieldValueTypeInvalid" + +// CauseTypeUnexpectedServerResponse is used to report when the server responded to the client +// without the expected return type. The presence of this cause indicates the error may be +// due to an intervening proxy or the server software malfunctioning. +#CauseTypeUnexpectedServerResponse: #CauseType & "UnexpectedServerResponse" + +// FieldManagerConflict is used to report when another client claims to manage this field, +// It should only be returned for a request using server-side apply. +#CauseTypeFieldManagerConflict: #CauseType & "FieldManagerConflict" + +// CauseTypeResourceVersionTooLarge is used to report that the requested resource version +// is newer than the data observed by the API server, so the request cannot be served. 
+#CauseTypeResourceVersionTooLarge: #CauseType & "ResourceVersionTooLarge" + +// List holds a list of objects, which may not be known by the server. +#List: { + #TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: #ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of objects + items: [...runtime.#RawExtension] @go(Items,[]runtime.RawExtension) @protobuf(2,bytes,rep) +} + +// APIVersions lists the versions that are available, to allow clients to +// discover the API at /api, which is the root path of the legacy v1 API. +// +// +protobuf.options.(gogoproto.goproto_stringer)=false +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +#APIVersions: { + #TypeMeta + + // versions are the api versions that are available. + versions: [...string] @go(Versions,[]string) @protobuf(1,bytes,rep) + + // a map of client CIDR to server address that is serving this group. + // This is to help clients reach servers in the most network-efficient way possible. + // Clients can use the appropriate server address as per the CIDR that they match. + // In case of multiple matches, clients should use the longest matching CIDR. + // The server returns only those CIDRs that it thinks that the client can match. + // For example: the master will return an internal IP CIDR only, if the client reaches the server using an internal IP. + // Server looks at X-Forwarded-For header or X-Real-Ip header or request.RemoteAddr (in that order) to get the client IP. + serverAddressByClientCIDRs: [...#ServerAddressByClientCIDR] @go(ServerAddressByClientCIDRs,[]ServerAddressByClientCIDR) @protobuf(2,bytes,rep) +} + +// APIGroupList is a list of APIGroup, to allow clients to discover the API at +// /apis. +#APIGroupList: { + #TypeMeta + + // groups is a list of APIGroup. 
+ groups: [...#APIGroup] @go(Groups,[]APIGroup) @protobuf(1,bytes,rep) +} + +// APIGroup contains the name, the supported versions, and the preferred version +// of a group. +#APIGroup: { + #TypeMeta + + // name is the name of the group. + name: string @go(Name) @protobuf(1,bytes,opt) + + // versions are the versions supported in this group. + versions: [...#GroupVersionForDiscovery] @go(Versions,[]GroupVersionForDiscovery) @protobuf(2,bytes,rep) + + // preferredVersion is the version preferred by the API server, which + // probably is the storage version. + // +optional + preferredVersion?: #GroupVersionForDiscovery @go(PreferredVersion) @protobuf(3,bytes,opt) + + // a map of client CIDR to server address that is serving this group. + // This is to help clients reach servers in the most network-efficient way possible. + // Clients can use the appropriate server address as per the CIDR that they match. + // In case of multiple matches, clients should use the longest matching CIDR. + // The server returns only those CIDRs that it thinks that the client can match. + // For example: the master will return an internal IP CIDR only, if the client reaches the server using an internal IP. + // Server looks at X-Forwarded-For header or X-Real-Ip header or request.RemoteAddr (in that order) to get the client IP. + // +optional + serverAddressByClientCIDRs?: [...#ServerAddressByClientCIDR] @go(ServerAddressByClientCIDRs,[]ServerAddressByClientCIDR) @protobuf(4,bytes,rep) +} + +// ServerAddressByClientCIDR helps the client to determine the server address that they should use, depending on the clientCIDR that they match. +#ServerAddressByClientCIDR: { + // The CIDR with which clients can match their IP to figure out the server address that they should use. + clientCIDR: string @go(ClientCIDR) @protobuf(1,bytes,opt) + + // Address of this server, suitable for a client that matches the above CIDR. + // This can be a hostname, hostname:port, IP or IP:port. 
+ serverAddress: string @go(ServerAddress) @protobuf(2,bytes,opt) +} + +// GroupVersion contains the "group/version" and "version" string of a version. +// It is made a struct to keep extensibility. +#GroupVersionForDiscovery: { + // groupVersion specifies the API group and version in the form "group/version" + groupVersion: string @go(GroupVersion) @protobuf(1,bytes,opt) + + // version specifies the version in the form of "version". This is to save + // the clients the trouble of splitting the GroupVersion. + version: string @go(Version) @protobuf(2,bytes,opt) +} + +// APIResource specifies the name of a resource and whether it is namespaced. +#APIResource: { + // name is the plural name of the resource. + name: string @go(Name) @protobuf(1,bytes,opt) + + // singularName is the singular name of the resource. This allows clients to handle plural and singular opaquely. + // The singularName is more correct for reporting status on a single item and both singular and plural are allowed + // from the kubectl CLI interface. + singularName: string @go(SingularName) @protobuf(6,bytes,opt) + + // namespaced indicates if a resource is namespaced or not. + namespaced: bool @go(Namespaced) @protobuf(2,varint,opt) + + // group is the preferred group of the resource. Empty implies the group of the containing resource list. + // For subresources, this may have a different value, for example: Scale". + group?: string @go(Group) @protobuf(8,bytes,opt) + + // version is the preferred version of the resource. Empty implies the version of the containing resource list + // For subresources, this may have a different value, for example: v1 (while inside a v1beta1 version of the core resource's group)". + version?: string @go(Version) @protobuf(9,bytes,opt) + + // kind is the kind for the resource (e.g. 
'Foo' is the kind for a resource 'foo') + kind: string @go(Kind) @protobuf(3,bytes,opt) + + // verbs is a list of supported kube verbs (this includes get, list, watch, create, + // update, patch, delete, deletecollection, and proxy) + verbs: #Verbs @go(Verbs) @protobuf(4,bytes,opt) + + // shortNames is a list of suggested short names of the resource. + shortNames?: [...string] @go(ShortNames,[]string) @protobuf(5,bytes,rep) + + // categories is a list of the grouped resources this resource belongs to (e.g. 'all') + categories?: [...string] @go(Categories,[]string) @protobuf(7,bytes,rep) + + // The hash value of the storage version, the version this resource is + // converted to when written to the data store. Value must be treated + // as opaque by clients. Only equality comparison on the value is valid. + // This is an alpha feature and may change or be removed in the future. + // The field is populated by the apiserver only if the + // StorageVersionHash feature gate is enabled. + // This field will remain optional even if it graduates. + // +optional + storageVersionHash?: string @go(StorageVersionHash) @protobuf(10,bytes,opt) +} + +// Verbs masks the value so protobuf can generate +// +// +protobuf.nullable=true +// +protobuf.options.(gogoproto.goproto_stringer)=false +#Verbs: [...string] + +// APIResourceList is a list of APIResource, it is used to expose the name of the +// resources supported in a specific group and version, and if the resource +// is namespaced. +#APIResourceList: { + #TypeMeta + + // groupVersion is the group and version this APIResourceList is for. + groupVersion: string @go(GroupVersion) @protobuf(1,bytes,opt) + + // resources contains the name of the resources and if they are namespaced. + resources: [...#APIResource] @go(APIResources,[]APIResource) @protobuf(2,bytes,rep) +} + +// RootPaths lists the paths available at root. +// For example: "/healthz", "/apis". +#RootPaths: { + // paths are the paths available at root. 
+ paths: [...string] @go(Paths,[]string) @protobuf(1,bytes,rep) +} + +// Patch is provided to give a concrete name and type to the Kubernetes PATCH request body. +#Patch: { +} + +// A label selector is a label query over a set of resources. The result of matchLabels and +// matchExpressions are ANDed. An empty label selector matches all objects. A null +// label selector matches no objects. +// +structType=atomic +#LabelSelector: { + // matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + // map is equivalent to an element of matchExpressions, whose key field is "key", the + // operator is "In", and the values array contains only "value". The requirements are ANDed. + // +optional + matchLabels?: {[string]: string} @go(MatchLabels,map[string]string) @protobuf(1,bytes,rep) + + // matchExpressions is a list of label selector requirements. The requirements are ANDed. + // +optional + matchExpressions?: [...#LabelSelectorRequirement] @go(MatchExpressions,[]LabelSelectorRequirement) @protobuf(2,bytes,rep) +} + +// A label selector requirement is a selector that contains values, a key, and an operator that +// relates the key and values. +#LabelSelectorRequirement: { + // key is the label key that the selector applies to. + key: string @go(Key) @protobuf(1,bytes,opt) + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator: #LabelSelectorOperator @go(Operator) @protobuf(2,bytes,opt,casttype=LabelSelectorOperator) + + // values is an array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists or DoesNotExist, + // the values array must be empty. This array is replaced during a strategic + // merge patch. + // +optional + values?: [...string] @go(Values,[]string) @protobuf(3,bytes,rep) +} + +// A label selector operator is the set of operators that can be used in a selector requirement. 
+#LabelSelectorOperator: string // #enumLabelSelectorOperator + +#enumLabelSelectorOperator: + #LabelSelectorOpIn | + #LabelSelectorOpNotIn | + #LabelSelectorOpExists | + #LabelSelectorOpDoesNotExist + +#LabelSelectorOpIn: #LabelSelectorOperator & "In" +#LabelSelectorOpNotIn: #LabelSelectorOperator & "NotIn" +#LabelSelectorOpExists: #LabelSelectorOperator & "Exists" +#LabelSelectorOpDoesNotExist: #LabelSelectorOperator & "DoesNotExist" + +// ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource +// that the fieldset applies to. +#ManagedFieldsEntry: { + // Manager is an identifier of the workflow managing these fields. + manager?: string @go(Manager) @protobuf(1,bytes,opt) + + // Operation is the type of operation which lead to this ManagedFieldsEntry being created. + // The only valid values for this field are 'Apply' and 'Update'. + operation?: #ManagedFieldsOperationType @go(Operation) @protobuf(2,bytes,opt,casttype=ManagedFieldsOperationType) + + // APIVersion defines the version of this resource that this field set + // applies to. The format is "group/version" just like the top-level + // APIVersion field. It is necessary to track the version of a field + // set because it cannot be automatically converted. + apiVersion?: string @go(APIVersion) @protobuf(3,bytes,opt) + + // Time is the timestamp of when the ManagedFields entry was added. The + // timestamp will also be updated if a field is added, the manager + // changes any of the owned fields value or removes a field. The + // timestamp does not update when a field is removed from the entry + // because another manager took it over. + // +optional + time?: null | #Time @go(Time,*Time) @protobuf(4,bytes,opt) + + // FieldsType is the discriminator for the different fields format and version. 
+ // There is currently only one possible value: "FieldsV1" + fieldsType?: string @go(FieldsType) @protobuf(6,bytes,opt) + + // FieldsV1 holds the first JSON version format as described in the "FieldsV1" type. + // +optional + fieldsV1?: null | #FieldsV1 @go(FieldsV1,*FieldsV1) @protobuf(7,bytes,opt) + + // Subresource is the name of the subresource used to update that object, or + // empty string if the object was updated through the main resource. The + // value of this field is used to distinguish between managers, even if they + // share the same name. For example, a status update will be distinct from a + // regular update using the same manager name. + // Note that the APIVersion field is not related to the Subresource field and + // it always corresponds to the version of the main resource. + subresource?: string @go(Subresource) @protobuf(8,bytes,opt) +} + +// ManagedFieldsOperationType is the type of operation which lead to a ManagedFieldsEntry being created. +#ManagedFieldsOperationType: string // #enumManagedFieldsOperationType + +#enumManagedFieldsOperationType: + #ManagedFieldsOperationApply | + #ManagedFieldsOperationUpdate + +#ManagedFieldsOperationApply: #ManagedFieldsOperationType & "Apply" +#ManagedFieldsOperationUpdate: #ManagedFieldsOperationType & "Update" + +// FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format. +// +// Each key is either a '.' representing the field itself, and will always map to an empty set, +// or a string representing a sub-field or item. The string will follow one of these four formats: +// 'f:', where is the name of a field in a struct, or key in a map +// 'v:', where is the exact json formatted value of a list item +// 'i:', where is position of a item in a list +// 'k:', where is a map of a list item's key fields to their unique values +// If a key maps to an empty Fields value, the field that key represents is part of the set. 
+// +// The exact format is defined in sigs.k8s.io/structured-merge-diff +// +protobuf.options.(gogoproto.goproto_stringer)=false +#FieldsV1: _ + +// Table is a tabular representation of a set of API resources. The server transforms the +// object into a set of preferred columns for quickly reviewing the objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +protobuf=false +#Table: { + #TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: #ListMeta @go(ListMeta) + + // columnDefinitions describes each column in the returned items array. The number of cells per row + // will always match the number of column definitions. + columnDefinitions: [...#TableColumnDefinition] @go(ColumnDefinitions,[]TableColumnDefinition) + + // rows is the list of items in the table. + rows: [...#TableRow] @go(Rows,[]TableRow) +} + +// TableColumnDefinition contains information about a column returned in the Table. +// +protobuf=false +#TableColumnDefinition: { + // name is a human readable name for the column. + name: string @go(Name) + + // type is an OpenAPI type definition for this column, such as number, integer, string, or + // array. + // See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for more. + type: string @go(Type) + + // format is an optional OpenAPI type modifier for this column. A format modifies the type and + // imposes additional rules, like date or time formatting for a string. The 'name' format is applied + // to the primary identifier column which has type 'string' to assist in clients identifying column + // is the resource name. + // See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for more. + format: string @go(Format) + + // description is a human readable description of this column. 
+ description: string @go(Description) + + // priority is an integer defining the relative importance of this column compared to others. Lower + // numbers are considered higher priority. Columns that may be omitted in limited space scenarios + // should be given a higher priority. + priority: int32 @go(Priority) +} + +// TableRow is an individual row in a table. +// +protobuf=false +#TableRow: { + // cells will be as wide as the column definitions array and may contain strings, numbers (float64 or + // int64), booleans, simple maps, lists, or null. See the type field of the column definition for a + // more detailed description. + cells: [...] @go(Cells,[]interface{}) + + // conditions describe additional status of a row that are relevant for a human user. These conditions + // apply to the row, not to the object, and will be specific to table output. The only defined + // condition type is 'Completed', for a row that indicates a resource that has run to completion and + // can be given less visual priority. + // +optional + conditions?: [...#TableRowCondition] @go(Conditions,[]TableRowCondition) + + // This field contains the requested additional information about each object based on the includeObject + // policy when requesting the Table. If "None", this field is empty, if "Object" this will be the + // default serialization of the object for the current API version, and if "Metadata" (the default) will + // contain the object metadata. Check the returned kind and apiVersion of the object before parsing. + // The media type of the object will always match the enclosing list - if this as a JSON table, these + // will be JSON encoded objects. + // +optional + object?: runtime.#RawExtension @go(Object) +} + +// TableRowCondition allows a row to be marked with additional information. +// +protobuf=false +#TableRowCondition: { + // Type of row condition. 
The only defined value is 'Completed' indicating that the + // object this row represents has reached a completed state and may be given less visual + // priority than other rows. Clients are not required to honor any conditions but should + // be consistent where possible about handling the conditions. + type: #RowConditionType @go(Type) + + // Status of the condition, one of True, False, Unknown. + status: #ConditionStatus @go(Status) + + // (brief) machine readable reason for the condition's last transition. + // +optional + reason?: string @go(Reason) + + // Human readable message indicating details about last transition. + // +optional + message?: string @go(Message) +} + +#RowConditionType: string // #enumRowConditionType + +#enumRowConditionType: + #RowCompleted + +// RowCompleted means the underlying resource has reached completion and may be given less +// visual priority than other resources. +#RowCompleted: #RowConditionType & "Completed" + +#ConditionStatus: string // #enumConditionStatus + +#enumConditionStatus: + #ConditionTrue | + #ConditionFalse | + #ConditionUnknown + +#ConditionTrue: #ConditionStatus & "True" +#ConditionFalse: #ConditionStatus & "False" +#ConditionUnknown: #ConditionStatus & "Unknown" + +// IncludeObjectPolicy controls which portion of the object is returned with a Table. +#IncludeObjectPolicy: string // #enumIncludeObjectPolicy + +#enumIncludeObjectPolicy: + #IncludeNone | + #IncludeMetadata | + #IncludeObject + +// IncludeNone returns no object. +#IncludeNone: #IncludeObjectPolicy & "None" + +// IncludeMetadata serializes the object containing only its metadata field. +#IncludeMetadata: #IncludeObjectPolicy & "Metadata" + +// IncludeObject contains the full object. +#IncludeObject: #IncludeObjectPolicy & "Object" + +// TableOptions are used when a Table is requested by the caller. 
+// +k8s:conversion-gen:explicit-from=net/url.Values +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +#TableOptions: { + #TypeMeta + + // includeObject decides whether to include each object along with its columnar information. + // Specifying "None" will return no object, specifying "Object" will return the full object contents, and + // specifying "Metadata" (the default) will return the object's metadata in the PartialObjectMetadata kind + // in version v1beta1 of the meta.k8s.io API group. + includeObject?: #IncludeObjectPolicy @go(IncludeObject) @protobuf(1,bytes,opt,casttype=IncludeObjectPolicy) +} + +// PartialObjectMetadata is a generic representation of any object with ObjectMeta. It allows clients +// to get access to a particular ObjectMeta schema without knowing the details of the version. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +#PartialObjectMetadata: { + #TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: #ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) +} + +// PartialObjectMetadataList contains a list of objects containing only their metadata +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +#PartialObjectMetadataList: { + #TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: #ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items contains each of the included items. + items: [...#PartialObjectMetadata] @go(Items,[]PartialObjectMetadata) @protobuf(2,bytes,rep) +} + +// Condition contains details for one aspect of the current state of this API Resource. +// --- +// This struct is intended for direct use as an array at the field path .status.conditions. 
For example, +// +// type FooStatus struct{ +// // Represents the observations of a foo's current state. +// // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" +// // +patchMergeKey=type +// // +patchStrategy=merge +// // +listType=map +// // +listMapKey=type +// Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` +// +// // other fields +// } +#Condition: { + // type of condition in CamelCase or in foo.example.com/CamelCase. + // --- + // Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + // useful (see .node.status.conditions), the ability to deconflict is important. + // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` + // +kubebuilder:validation:MaxLength=316 + type: string @go(Type) @protobuf(1,bytes,opt) + + // status of the condition, one of True, False, Unknown. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Enum=True;False;Unknown + status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt) + + // observedGeneration represents the .metadata.generation that the condition was set based upon. + // For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + // with respect to the current state of the instance. + // +optional + // +kubebuilder:validation:Minimum=0 + observedGeneration?: int64 @go(ObservedGeneration) @protobuf(3,varint,opt) + + // lastTransitionTime is the last time the condition transitioned from one status to another. + // This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Type=string + // +kubebuilder:validation:Format=date-time + lastTransitionTime: #Time @go(LastTransitionTime) @protobuf(4,bytes,opt) + + // reason contains a programmatic identifier indicating the reason for the condition's last transition. + // Producers of specific condition types may define expected values and meanings for this field, + // and whether the values are considered a guaranteed API. + // The value should be a CamelCase string. + // This field may not be empty. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=1024 + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$` + reason: string @go(Reason) @protobuf(5,bytes,opt) + + // message is a human readable message indicating details about the transition. + // This may be an empty string. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=32768 + message: string @go(Message) @protobuf(6,bytes,opt) +} diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/watch_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/watch_go_gen.cue new file mode 100644 index 000000000..12f5f1b63 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/watch_go_gen.cue 
@@ -0,0 +1,30 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +package v1 + +import ( + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/watch" +) + +// Event represents a single event to a watched resource. +// +// +protobuf=true +// +k8s:deepcopy-gen=true +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +#WatchEvent: { + type: string @go(Type) @protobuf(1,bytes,opt) + + // Object is: + // * If Type is Added or Modified: the new state of the object. + // * If Type is Deleted: the state of the object immediately before deletion. + // * If Type is Error: *Status is recommended; other types may make sense + // depending on context. + object: runtime.#RawExtension @go(Object) @protobuf(2,bytes,opt) +} + +// InternalEvent makes watch.Event versioned +// +protobuf=false +#InternalEvent: watch.#Event diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/allocator_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/allocator_go_gen.cue new file mode 100644 index 000000000..43474c392 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/allocator_go_gen.cue @@ -0,0 +1,10 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// SimpleAllocator a wrapper around make([]byte) +// conforms to the MemoryAllocator interface +#SimpleAllocator: { +} diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/codec_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/codec_go_gen.cue new file mode 100644 index 000000000..a05de5d58 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/codec_go_gen.cue 
@@ -0,0 +1,37 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// codec binds an encoder and decoder. +_#codec: { + Encoder: #Encoder + Decoder: #Decoder +} + +// NoopEncoder converts an Decoder to a Serializer or Codec for code that expects them but only uses decoding. +#NoopEncoder: { + Decoder: #Decoder +} + +_#noopEncoderIdentifier: #Identifier & "noop" + +// NoopDecoder converts an Encoder to a Serializer or Codec for code that expects them but only uses encoding. +#NoopDecoder: { + Encoder: #Encoder +} + +_#base64Serializer: { + Encoder: #Encoder + Decoder: #Decoder +} + +_#internalGroupVersionerIdentifier: "internal" +_#disabledGroupVersionerIdentifier: "disabled" + +_#internalGroupVersioner: { +} + +_#disabledGroupVersioner: { +} diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/conversion_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/conversion_go_gen.cue new file mode 100644 index 000000000..ce6d644cb --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/conversion_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +// Package runtime defines conversions between generic types and structs to map query strings +// to struct objects. +package runtime diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/converter_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/converter_go_gen.cue new file mode 100644 index 000000000..f49ad1e36 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/converter_go_gen.cue 
@@ -0,0 +1,9 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// UnstructuredConverter is an interface for converting between interface{} +// and map[string]interface representation. +#UnstructuredConverter: _ diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/doc_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/doc_go_gen.cue new file mode 100644 index 000000000..89c5c51b3 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/doc_go_gen.cue 
@@ -0,0 +1,39 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +// Package runtime includes helper functions for working with API objects +// that follow the kubernetes API object conventions, which are: +// +// 0. Your API objects have a common metadata struct member, TypeMeta. +// +// 1. Your code refers to an internal set of API objects. +// +// 2. In a separate package, you have an external set of API objects. +// +// 3. The external set is considered to be versioned, and no breaking +// changes are ever made to it (fields may be added but not changed +// or removed). +// +// 4. As your api evolves, you'll make an additional versioned package +// with every major change. +// +// 5. Versioned packages have conversion functions which convert to +// and from the internal version. +// +// 6. You'll continue to support older versions according to your +// deprecation policy, and you can easily provide a program/library +// to update old versions into new versions because of 5. +// +// 7. All of your serializations and deserializations are handled in a +// centralized place. +// +// Package runtime provides a conversion helper to make 5 easy, and the +// Encode/Decode/DecodeInto trio to accomplish 7. You can also register +// additional "codecs" which use a version of your choice. It's +// recommended that you register your types with runtime in your +// package's init function. +// +// As a bonus, a few common types useful from all api objects and versions +// are provided in types.go. +package runtime diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/embedded_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/embedded_go_gen.cue new file mode 100644 index 000000000..d43f15f25 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/embedded_go_gen.cue 
@@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +_#encodable: _ diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/helper_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/helper_go_gen.cue new file mode 100644 index 000000000..ec8f1f070 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/helper_go_gen.cue @@ -0,0 +1,23 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// MultiObjectTyper returns the types of objects across multiple schemes in order. +#MultiObjectTyper: [...#ObjectTyper] + +_#defaultFramer: { +} + +// WithVersionEncoder serializes an object and ensures the GVK is set. +#WithVersionEncoder: { + Version: #GroupVersioner + Encoder: #Encoder + ObjectTyper: #ObjectTyper +} + +// WithoutVersionDecoder clears the group version kind of a deserialized object. +#WithoutVersionDecoder: { + Decoder: #Decoder +} diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/interfaces_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/interfaces_go_gen.cue new file mode 100644 index 000000000..22abcb620 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/interfaces_go_gen.cue 
@@ -0,0 +1,165 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// APIVersionInternal may be used if you are registering a type that should not +// be considered stable or serialized - it is a convention only and has no +// special behavior in this package. +#APIVersionInternal: "__internal" + +// GroupVersioner refines a set of possible conversion targets into a single option. +#GroupVersioner: _ + +// Identifier represents an identifier. +// Identitier of two different objects should be equal if and only if for every +// input the output they produce is exactly the same. +#Identifier: string // #enumIdentifier + +#enumIdentifier: + _#noopEncoderIdentifier + +// Encoder writes objects to a serialized form +#Encoder: _ + +// MemoryAllocator is responsible for allocating memory. +// By encapsulating memory allocation into its own interface, we can reuse the memory +// across many operations in places we know it can significantly improve the performance. +#MemoryAllocator: _ + +// EncoderWithAllocator serializes objects in a way that allows callers to manage any additional memory allocations. +#EncoderWithAllocator: _ + +// Decoder attempts to load an object from data. +#Decoder: _ + +// Serializer is the core interface for transforming objects into a serialized format and back. +// Implementations may choose to perform conversion of the object, but no assumptions should be made. +#Serializer: _ + +// Codec is a Serializer that deals with the details of versioning objects. It offers the same +// interface as Serializer, so this is a marker to consumers that care about the version of the objects +// they receive. +#Codec: #Serializer + +// ParameterCodec defines methods for serializing and deserializing API objects to url.Values and +// performing any necessary conversion. Unlike the normal Codec, query parameters are not self describing +// and the desired version must be specified. 
+#ParameterCodec: _ + +// Framer is a factory for creating readers and writers that obey a particular framing pattern. +#Framer: _ + +// SerializerInfo contains information about a specific serialization format +#SerializerInfo: { + // MediaType is the value that represents this serializer over the wire. + MediaType: string + + // MediaTypeType is the first part of the MediaType ("application" in "application/json"). + MediaTypeType: string + + // MediaTypeSubType is the second part of the MediaType ("json" in "application/json"). + MediaTypeSubType: string + + // EncodesAsText indicates this serializer can be encoded to UTF-8 safely. + EncodesAsText: bool + + // Serializer is the individual object serializer for this media type. + Serializer: #Serializer + + // PrettySerializer, if set, can serialize this object in a form biased towards + // readability. + PrettySerializer: #Serializer + + // StrictSerializer, if set, deserializes this object strictly, + // erring on unknown fields. + StrictSerializer: #Serializer + + // StreamSerializer, if set, describes the streaming serialization format + // for this media type. + StreamSerializer?: null | #StreamSerializerInfo @go(,*StreamSerializerInfo) +} + +// StreamSerializerInfo contains information about a specific stream serialization format +#StreamSerializerInfo: { + // EncodesAsText indicates this serializer can be encoded to UTF-8 safely. + EncodesAsText: bool + + // Serializer is the top level object serializer for this type when streaming + Serializer: #Serializer + + // Framer is the factory for retrieving streams that separate objects on the wire + Framer: #Framer +} + +// NegotiatedSerializer is an interface used for obtaining encoders, decoders, and serializers +// for multiple supported media types. This would commonly be accepted by a server component +// that performs HTTP content negotiation to accept multiple formats. 
+#NegotiatedSerializer: _ + +// ClientNegotiator handles turning an HTTP content type into the appropriate encoder. +// Use NewClientNegotiator or NewVersionedClientNegotiator to create this interface from +// a NegotiatedSerializer. +#ClientNegotiator: _ + +// StorageSerializer is an interface used for obtaining encoders, decoders, and serializers +// that can read and write data at rest. This would commonly be used by client tools that must +// read files, or server side storage interfaces that persist restful objects. +#StorageSerializer: _ + +// NestedObjectEncoder is an optional interface that objects may implement to be given +// an opportunity to encode any nested Objects / RawExtensions during serialization. +#NestedObjectEncoder: _ + +// NestedObjectDecoder is an optional interface that objects may implement to be given +// an opportunity to decode any nested Objects / RawExtensions during serialization. +// It is possible for DecodeNestedObjects to return a non-nil error but for the decoding +// to have succeeded in the case of strict decoding errors (e.g. unknown/duplicate fields). +// As such it is important for callers of DecodeNestedObjects to check to confirm whether +// an error is a runtime.StrictDecodingError before short circuiting. +// Similarly, implementations of DecodeNestedObjects should ensure that a runtime.StrictDecodingError +// is only returned when the rest of decoding has succeeded. +#NestedObjectDecoder: _ + +#ObjectDefaulter: _ + +#ObjectVersioner: _ + +// ObjectConvertor converts an object to a different version. +#ObjectConvertor: _ + +// ObjectTyper contains methods for extracting the APIVersion and Kind +// of objects. +#ObjectTyper: _ + +// ObjectCreater contains methods for instantiating an object by kind and version. 
+#ObjectCreater: _ + +// EquivalentResourceMapper provides information about resources that address the same underlying data as a specified resource +#EquivalentResourceMapper: _ + +// EquivalentResourceRegistry provides an EquivalentResourceMapper interface, +// and allows registering known resource[/subresource] -> kind +#EquivalentResourceRegistry: _ + +// ResourceVersioner provides methods for setting and retrieving +// the resource version from an API object. +#ResourceVersioner: _ + +// Namer provides methods for retrieving name and namespace of an API object. +#Namer: _ + +// Object interface must be supported by all API types registered with Scheme. Since objects in a scheme are +// expected to be serialized to the wire, the interface an Object must provide to the Scheme allows +// serializers to set the kind, version, and group the object is represented as. An Object may choose +// to return a no-op ObjectKindAccessor in cases where it is not expected to be serialized. +#Object: _ + +// CacheableObject allows an object to cache its different serializations +// to avoid performing the same serialization multiple times. +#CacheableObject: _ + +// Unstructured objects store values as map[string]interface{}, with only values that can be serialized +// to JSON allowed. +#Unstructured: _ diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/negotiate_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/negotiate_go_gen.cue new file mode 100644 index 000000000..7580f4676 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/negotiate_go_gen.cue @@ -0,0 +1,12 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// NegotiateError is returned when a ClientNegotiator is unable to locate +// a serializer for the requested operation. +#NegotiateError: { + ContentType: string + Stream: bool +} 
diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/splice_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/splice_go_gen.cue new file mode 100644 index 000000000..bd9c409a7 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/splice_go_gen.cue @@ -0,0 +1,12 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// Splice is the interface that wraps the Splice method. +// +// Splice moves data from given slice without copying the underlying data for +// efficiency purpose. Therefore, the caller should make sure the underlying +// data is not changed later. +#Splice: _ diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/swagger_doc_generator_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/swagger_doc_generator_go_gen.cue new file mode 100644 index 000000000..9dfc078b4 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/swagger_doc_generator_go_gen.cue @@ -0,0 +1,14 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// Pair of strings. We keed the name of fields and the doc +#Pair: { + Name: string + Doc: string +} + +// KubeTypes is an array to represent all available types in a parsed file. [0] is for the type itself +#KubeTypes: [...#Pair] diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/types_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/types_go_gen.cue new file mode 100644 index 000000000..d1ee609a2 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/types_go_gen.cue 
@@ -0,0 +1,97 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// TypeMeta is shared by all top level objects. The proper way to use it is to inline it in your type, +// like this: +// +// type MyAwesomeAPIObject struct { +// runtime.TypeMeta `json:",inline"` +// ... // other fields +// } +// +// func (obj *MyAwesomeAPIObject) SetGroupVersionKind(gvk *metav1.GroupVersionKind) { metav1.UpdateTypeMeta(obj,gvk) }; GroupVersionKind() *GroupVersionKind +// +// TypeMeta is provided here for convenience. You may use it directly from this package or define +// your own with the same fields. +// +// +k8s:deepcopy-gen=false +// +protobuf=true +// +k8s:openapi-gen=true +#TypeMeta: { + // +optional + apiVersion?: string @go(APIVersion) @protobuf(1,bytes,opt) + + // +optional + kind?: string @go(Kind) @protobuf(2,bytes,opt) +} + +#ContentTypeJSON: "application/json" +#ContentTypeYAML: "application/yaml" +#ContentTypeProtobuf: "application/vnd.kubernetes.protobuf" + +// RawExtension is used to hold extensions in external versions. +// +// To use this, make a field which has RawExtension as its type in your external, versioned +// struct, and Object in your internal struct. You also need to register your +// various plugin types. +// +// // Internal package: +// +// type MyAPIObject struct { +// runtime.TypeMeta `json:",inline"` +// MyPlugin runtime.Object `json:"myPlugin"` +// } +// +// type PluginA struct { +// AOption string `json:"aOption"` +// } +// +// // External package: +// +// type MyAPIObject struct { +// runtime.TypeMeta `json:",inline"` +// MyPlugin runtime.RawExtension `json:"myPlugin"` +// } +// +// type PluginA struct { +// AOption string `json:"aOption"` +// } +// +// // On the wire, the JSON will look something like this: +// +// { +// "kind":"MyAPIObject", +// "apiVersion":"v1", +// "myPlugin": { +// "kind":"PluginA", +// "aOption":"foo", +// }, +// } +// +// So what happens? 
Decode first uses json or yaml to unmarshal the serialized data into +// your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. +// The next step is to copy (using pkg/conversion) into the internal struct. The runtime +// package's DefaultScheme has conversion functions installed which will unpack the +// JSON stored in RawExtension, turning it into the correct object type, and storing it +// in the Object. (TODO: In the case where the object is of an unknown type, a +// runtime.Unknown object will be created and stored.) +// +// +k8s:deepcopy-gen=true +// +protobuf=true +// +k8s:openapi-gen=true +#RawExtension: _ + +// Unknown allows api objects with unknown types to be passed-through. This can be used +// to deal with the API objects from a plug-in. Unknown objects still have functioning +// TypeMeta features-- kind, version, etc. +// TODO: Make this object have easy access to field based accessors and settors for +// metadata and field mutatation. +// +// +k8s:deepcopy-gen=true +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +protobuf=true +// +k8s:openapi-gen=true +#Unknown: _ diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/types_proto_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/types_proto_go_gen.cue new file mode 100644 index 000000000..8b8ddf891 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/types_proto_go_gen.cue @@ -0,0 +1,9 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +#ProtobufMarshaller: _ + +#ProtobufReverseMarshaller: _ diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/types/doc_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/types/doc_go_gen.cue new file mode 100644 index 000000000..bfb4bcda3 --- /dev/null 
+++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/types/doc_go_gen.cue @@ -0,0 +1,6 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/types + +// Package types implements various generic types used throughout kubernetes. +package types diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/types/namespacedname_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/types/namespacedname_go_gen.cue new file mode 100644 index 000000000..7cb2745aa --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/types/namespacedname_go_gen.cue @@ -0,0 +1,12 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/types + +package types + +#NamespacedName: { + Namespace: string + Name: string +} + +#Separator: 47 // '/' diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/types/nodename_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/types/nodename_go_gen.cue new file mode 100644 index 000000000..8b264b80c --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/types/nodename_go_gen.cue 
@@ -0,0 +1,31 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/types + +package types + +// NodeName is a type that holds a api.Node's Name identifier. +// Being a type captures intent and helps make sure that the node name +// is not confused with similar concepts (the hostname, the cloud provider id, +// the cloud provider name etc) +// +// To clarify the various types: +// +// - Node.Name is the Name field of the Node in the API. This should be stored in a NodeName. +// Unfortunately, because Name is part of ObjectMeta, we can't store it as a NodeName at the API level. +// +// - Hostname is the hostname of the local machine (from uname -n). +// However, some components allow the user to pass in a --hostname-override flag, +// which will override this in most places. In the absence of anything more meaningful, +// kubelet will use Hostname as the Node.Name when it creates the Node. +// +// * The cloudproviders have the own names: GCE has InstanceName, AWS has InstanceId. +// +// For GCE, InstanceName is the Name of an Instance object in the GCE API. On GCE, Instance.Name becomes the +// Hostname, and thus it makes sense also to use it as the Node.Name. But that is GCE specific, and it is up +// to the cloudprovider how to do this mapping. +// +// For AWS, the InstanceID is not yet suitable for use as a Node.Name, so we actually use the +// PrivateDnsName for the Node.Name. And this is _not_ always the same as the hostname: if +// we are using a custom DHCP domain it won't be. +#NodeName: string diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/types/patch_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/types/patch_go_gen.cue new file mode 100644 index 000000000..3de5d80f9 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/types/patch_go_gen.cue 
@@ -0,0 +1,21 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/types + +package types + +// Similarly to above, these are constants to support HTTP PATCH utilized by +// both the client and server that didn't make sense for a whole package to be +// dedicated to. +#PatchType: string // #enumPatchType + +#enumPatchType: + #JSONPatchType | + #MergePatchType | + #StrategicMergePatchType | + #ApplyPatchType + +#JSONPatchType: #PatchType & "application/json-patch+json" +#MergePatchType: #PatchType & "application/merge-patch+json" +#StrategicMergePatchType: #PatchType & "application/strategic-merge-patch+json" +#ApplyPatchType: #PatchType & "application/apply-patch+yaml" diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/types/uid_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/types/uid_go_gen.cue new file mode 100644 index 000000000..40bdd8285 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/types/uid_go_gen.cue @@ -0,0 +1,10 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/types + +package types + +// UID is a type that holds unique ID values, including UUIDs. Because we +// don't ONLY use UUIDs, this is an alias to string. Being a type captures +// intent and helps make sure that UIDs and names do not get conflated. +#UID: string diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/util/intstr/intstr_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/util/intstr/intstr_go_gen.cue new file mode 100644 index 000000000..2c8cc3651 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/util/intstr/intstr_go_gen.cue 
@@ -0,0 +1,31 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/util/intstr + +package intstr + +// IntOrString is a type that can hold an int32 or a string. When used in +// JSON or YAML marshalling and unmarshalling, it produces or consumes the +// inner type. This allows you to have, for example, a JSON field that can +// accept a name or number. +// TODO: Rename to Int32OrString +// +// +protobuf=true +// +protobuf.options.(gogoproto.goproto_stringer)=false +// +k8s:openapi-gen=true +#IntOrString: _ + +// Type represents the stored type of IntOrString. +#Type: int64 // #enumType + +#enumType: + #Int | + #String + +#values_Type: { + Int: #Int + String: #String +} + +#Int: #Type & 0 +#String: #Type & 1 diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/watch/doc_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/watch/doc_go_gen.cue new file mode 100644 index 000000000..bc1b91894 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/watch/doc_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/watch + +// Package watch contains a generic watchable interface, and a fake for +// testing code that uses the watch interface. +package watch diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/watch/filter_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/watch/filter_go_gen.cue new file mode 100644 index 000000000..045e8ec85 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/watch/filter_go_gen.cue @@ -0,0 +1,10 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/watch + +package watch + +// Recorder records all events that are sent from the watch until it is closed. +#Recorder: { + Interface: #Interface +} 
diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/watch/mux_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/watch/mux_go_gen.cue new file mode 100644 index 000000000..dcf72d5b0 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/watch/mux_go_gen.cue @@ -0,0 +1,25 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/watch + +package watch + +// FullChannelBehavior controls how the Broadcaster reacts if a watcher's watch +// channel is full. +#FullChannelBehavior: int // #enumFullChannelBehavior + +#enumFullChannelBehavior: + #WaitIfChannelFull | + #DropIfChannelFull + +#values_FullChannelBehavior: { + WaitIfChannelFull: #WaitIfChannelFull + DropIfChannelFull: #DropIfChannelFull +} + +#WaitIfChannelFull: #FullChannelBehavior & 0 +#DropIfChannelFull: #FullChannelBehavior & 1 + +_#incomingQueueLength: 25 + +_#internalRunFunctionMarker: "internal-do-function" diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/watch/streamwatcher_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/watch/streamwatcher_go_gen.cue new file mode 100644 index 000000000..f0805cfb2 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/watch/streamwatcher_go_gen.cue @@ -0,0 +1,12 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/watch + +package watch + +// Decoder allows StreamWatcher to watch any stream for which a Decoder can be written. +#Decoder: _ + +// Reporter hides the details of how an error is turned into a runtime.Object for +// reporting on a watch stream since this package may not import a higher level report. +#Reporter: _ diff --git a/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/watch/watch_go_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/watch/watch_go_gen.cue new file mode 100644 index 000000000..0db2e6be1 
--- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/k8s.io/apimachinery/pkg/watch/watch_go_gen.cue @@ -0,0 +1,48 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/watch + +package watch + +import "k8s.io/apimachinery/pkg/runtime" + +// Interface can be implemented by anything that knows how to watch and report changes. +#Interface: _ + +// EventType defines the possible types of events. +#EventType: string // #enumEventType + +#enumEventType: + #Added | + #Modified | + #Deleted | + #Bookmark | + #Error + +#Added: #EventType & "ADDED" +#Modified: #EventType & "MODIFIED" +#Deleted: #EventType & "DELETED" +#Bookmark: #EventType & "BOOKMARK" +#Error: #EventType & "ERROR" + +// Event represents a single event to a watched resource. +// +k8s:deepcopy-gen=true +#Event: { + Type: #EventType + + // Object is: + // * If Type is Added or Modified: the new state of the object. + // * If Type is Deleted: the state of the object immediately before deletion. + // * If Type is Bookmark: the object (instance of a type being watched) where + // only ResourceVersion field is set. On successful restart of watch from a + // bookmark resourceVersion, client is guaranteed to not get repeat event + // nor miss any events. + // * If Type is Error: *api.Status is recommended; other types may make sense + // depending on context. + Object: runtime.#Object +} + +// RaceFreeFakeWatcher lets you test anything that consumes a watch.Interface; threadsafe. +#RaceFreeFakeWatcher: { + Stopped: bool +} diff --git a/k8s/timoni/codebattle/cue.mod/module.cue b/k8s/timoni/codebattle/cue.mod/module.cue new file mode 100644 index 000000000..4f3d2dfda --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/module.cue @@ -0,0 +1,2 @@ +module: "timoni.sh/codebattle" +language: version: "v0.9.0" 
diff --git a/k8s/timoni/codebattle/cue.mod/pkg/timoni.sh/core/v1alpha1/action.cue b/k8s/timoni/codebattle/cue.mod/pkg/timoni.sh/core/v1alpha1/action.cue
new file mode 100644
index 000000000..2c579e99d
--- /dev/null
+++ b/k8s/timoni/codebattle/cue.mod/pkg/timoni.sh/core/v1alpha1/action.cue
@@ -0,0 +1,26 @@
+// Copyright 2023 Stefan Prodan
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+// Action holds the list of annotations for controlling
+// Timoni's apply behaviour of Kubernetes resources.
+Action: {
+ // Force annotation for recreating immutable resources such as Kubernetes Jobs.
+ Force: {
+ "action.timoni.sh/force": ActionStatus.Enabled
+ }
+ // One-off annotation for appling resources only if they don't exist on the cluster.
+ Oneoff: {
+ "action.timoni.sh/one-off": ActionStatus.Enabled
+ }
+ // Keep annotation for preventing Timoni's garbage collector from deleting resources.
+ Keep: {
+ "action.timoni.sh/prune": ActionStatus.Disabled
+ }
+}
+
+ActionStatus: {
+ Enabled: "enabled"
+ Disabled: "disabled"
+}
diff --git a/k8s/timoni/codebattle/cue.mod/pkg/timoni.sh/core/v1alpha1/image.cue b/k8s/timoni/codebattle/cue.mod/pkg/timoni.sh/core/v1alpha1/image.cue
new file mode 100644
index 000000000..1535ea43f
--- /dev/null
+++ b/k8s/timoni/codebattle/cue.mod/pkg/timoni.sh/core/v1alpha1/image.cue
@@ -0,0 +1,50 @@
+// Copyright 2023 Stefan Prodan
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ "strings"
+)
+
+// Image defines the schema for OCI image reference used in Kubernetes PodSpec container image.
+#Image: {
+
+ // Repository is the address of a container registry repository.
+ // An image repository is made up of slash-separated name components, optionally
+ // prefixed by a registry hostname and port in the format [HOST[:PORT_NUMBER]/]PATH.
+ repository!: string
+
+ // Tag identifies an image in the repository.
+ // A tag name may contain lowercase and uppercase characters, digits, underscores, periods and dashes.
+ // A tag name may not start with a period or a dash and may contain a maximum of 128 characters.
+ tag!: string & strings.MaxRunes(128)
+
+ // Digest uniquely and immutably identifies an image in the repository.
+ // Spec: https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests.
+ digest!: string
+
+ // PullPolicy defines the pull policy for the image.
+ // By default, it is set to IfNotPresent.
+ pullPolicy: *"IfNotPresent" | "Always" | "Never"
+
+ // Reference is the image address computed from repository, tag and digest
+ // in the format [REPOSITORY]:[TAG]@[DIGEST].
+ reference: string
+
+ if digest != "" && tag != "" {
+ reference: "\(repository):\(tag)@\(digest)"
+ }
+
+ if digest != "" && tag == "" {
+ reference: "\(repository)@\(digest)"
+ }
+
+ if digest == "" && tag != "" {
+ reference: "\(repository):\(tag)"
+ }
+
+ if digest == "" && tag == "" {
+ reference: "\(repository):latest"
+ }
+}
diff --git a/k8s/timoni/codebattle/cue.mod/pkg/timoni.sh/core/v1alpha1/imagepullsecret.cue b/k8s/timoni/codebattle/cue.mod/pkg/timoni.sh/core/v1alpha1/imagepullsecret.cue
new file mode 100644
index 000000000..19f098967
--- /dev/null
+++ b/k8s/timoni/codebattle/cue.mod/pkg/timoni.sh/core/v1alpha1/imagepullsecret.cue
@@ -0,0 +1,47 @@ +// Copyright 2024 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + "encoding/base64" + "strings" +) + +// ImagePullSecret is a generator for Kubernetes Secrets of type kubernetes.io/dockerconfigjson. +// Spec: https://kubernetes.io/docs/concepts/configuration/secret/#docker-config-secrets. +#ImagePullSecret: { + // Metadata is the Kubernetes object's metadata generated by Timoni. + #Meta!: #Metadata + + // Registry is the hostname of the container registry in the format [HOST[:PORT_NUMBER]]. + #Registry!: string + + // Username is the username used to authenticate to the container registry. + #Username!: string + + // Password is the password used to authenticate to the container registry. + #Password!: string + + // Optional suffix used to generate the Secret name. + #Suffix: *"" | string & strings.MaxRunes(30) + + let auth = base64.Encode(null, #Username+":"+#Password) + + apiVersion: "v1" + kind: "Secret" + type: "kubernetes.io/dockerconfigjson" + metadata: { + name: #Meta.name + #Suffix + namespace: #Meta.namespace + labels: #Meta.labels + if #Meta.annotations != _|_ { + annotations: #Meta.annotations + } + } + stringData: { + ".dockerconfigjson": """ + {"auths": {"\(#Registry)": {"username": "\(#Username)","password": "\(#Password)","auth": "\(auth)"}}} + """ + } +} diff --git a/k8s/timoni/codebattle/cue.mod/pkg/timoni.sh/core/v1alpha1/immutable.cue b/k8s/timoni/codebattle/cue.mod/pkg/timoni.sh/core/v1alpha1/immutable.cue new file mode 100644 index 000000000..7b31c23e4 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/pkg/timoni.sh/core/v1alpha1/immutable.cue 
@@ -0,0 +1,49 @@ +// Copyright 2024 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + "encoding/json" + "strings" + "uuid" +) + +#ConfigMapKind: "ConfigMap" +#SecretKind: "Secret" + +// ImmutableConfig is a generator for immutable Kubernetes ConfigMaps and Secrets. +// The metadata.name of the generated object is suffixed with the hash of the input data. +#ImmutableConfig: { + // Kind of the generated object. + #Kind: *#ConfigMapKind | #SecretKind + + // Metadata of the generated object. + #Meta: #Metadata + + // Optional suffix appended to the generate name. + #Suffix: *"" | string + + // Data of the generated object. + #Data: {[string]: string} + + let hash = strings.Split(uuid.SHA1(uuid.ns.DNS, json.Marshal(#Data)), "-")[0] + + apiVersion: "v1" + kind: #Kind + metadata: { + name: #Meta.name + #Suffix + "-" + hash + namespace: #Meta.namespace + labels: #Meta.labels + if #Meta.annotations != _|_ { + annotations: #Meta.annotations + } + } + immutable: true + if kind == #ConfigMapKind { + data: #Data + } + if kind == #SecretKind { + stringData: #Data + } +} diff --git a/k8s/timoni/codebattle/cue.mod/pkg/timoni.sh/core/v1alpha1/instance.cue b/k8s/timoni/codebattle/cue.mod/pkg/timoni.sh/core/v1alpha1/instance.cue new file mode 100644 index 000000000..ad96b0621 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/pkg/timoni.sh/core/v1alpha1/instance.cue 
@@ -0,0 +1,27 @@
+// Copyright 2023 Stefan Prodan
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import "strings"
+
+// InstanceName defines the schema for the name of a Timoni instance.
+// The instance name is used as a Kubernetes label value and must be 63 characters or less.
+#InstanceName: string & =~"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" & strings.MinRunes(1) & strings.MaxRunes(63)
+
+// InstanceNamespace defines the schema for the namespace of a Timoni instance.
+// The instance namespace is used as a Kubernetes label value and must be 63 characters or less.
+#InstanceNamespace: string & =~"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" & strings.MinRunes(1) & strings.MaxRunes(63)
+
+// InstanceOwnerReference defines the schema for Kubernetes labels used to denote ownership.
+#InstanceOwnerReference: {
+ #Name: "instance.timoni.sh/name"
+ #Namespace: "instance.timoni.sh/namespace"
+}
+
+// InstanceModule defines the schema for the Module of a Timoni instance.
+#InstanceModule: {
+ url: string & =~"^((oci|file)://.*)$"
+ version: *"latest" | string
+ digest?: string
+}
diff --git a/k8s/timoni/codebattle/cue.mod/pkg/timoni.sh/core/v1alpha1/metadata.cue b/k8s/timoni/codebattle/cue.mod/pkg/timoni.sh/core/v1alpha1/metadata.cue
new file mode 100644
index 000000000..188ff505d
--- /dev/null
+++ b/k8s/timoni/codebattle/cue.mod/pkg/timoni.sh/core/v1alpha1/metadata.cue
@@ -0,0 +1,120 @@ +// Copyright 2023 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import "strings" + +// Annotations defines the schema for Kubernetes object metadata annotations. +#Annotations: {[string & strings.MaxRunes(253)]: string} + +// Labels defines the schema for Kubernetes object metadata labels. +#Labels: {[string & strings.MaxRunes(253)]: string & =~"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" & strings.MaxRunes(63)} + +#StdLabelName: "app.kubernetes.io/name" +#StdLabelVersion: "app.kubernetes.io/version" +#StdLabelPartOf: "app.kubernetes.io/part-of" +#StdLabelManagedBy: "app.kubernetes.io/managed-by" +#StdLabelComponent: "app.kubernetes.io/component" +#StdLabelInstance: "app.kubernetes.io/instance" + +// Metadata defines the schema for Kubernetes object metadata. +#Metadata: { + // Version should be in the strict semver format. Is required when creating resources. + #Version!: string & strings.MaxRunes(63) + + // Name must be unique within a namespace. Is required when creating resources. + // Name is primarily intended for creation idempotence and configuration definition. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names + name!: #InstanceName + + // Namespace defines the space within which each name must be unique. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces + namespace!: #InstanceNamespace + + // Annotations is an unstructured key value map stored with a resource that may be + // set to store and retrieve arbitrary metadata. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations + annotations?: #Annotations + + // Map of string keys and values that can be used to organize and categorize (scope and select) objects. 
+ // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels + labels: #Labels + + // Standard Kubernetes labels: app name, version and managed-by. + labels: { + (#StdLabelName): name + (#StdLabelVersion): #Version + (#StdLabelManagedBy): "timoni" + } + + // LabelSelector selects Pods based on the app.kubernetes.io/name label. + #LabelSelector: #Labels & { + (#StdLabelName): name + } + + // Finalizers are namespaced keys that tell Kubernetes to wait until specific conditions + // are met before it fully deletes resources marked for deletion. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/finalizers/ + finalizers?: [...string] +} + +// MetaComponent generates the Kubernetes object metadata for a module namespaced component. +// The metadata.name is composed of the instance name and the component name. +// The metadata.labels contain the app.kubernetes.io/component label. +#MetaComponent: { + // Meta is the Kubernetes object's metadata generated by Timoni. + #Meta!: #Metadata + + // Component is the name of the component used + // as a suffix for the generate object name. + #Component!: string & strings.MaxRunes(30) + + name: #Meta.name + "-" + #Component + namespace: #Meta.namespace + + labels: #Meta.labels + labels: (#StdLabelComponent): #Component + + annotations?: #Annotations + if #Meta.annotations != _|_ { + annotations: #Meta.annotations + } + + // LabelSelector selects Pods based on the app.kubernetes.io/name + // and app.kubernetes.io/component labels. + #LabelSelector: #Labels & { + (#StdLabelComponent): #Component + (#StdLabelName): #Meta.name + } +} + +// MetaClusterComponent generates the Kubernetes object metadata for a module non-namespaced component. +// The metadata.name is composed of the instance name and the component name. +// The metadata.namespace is unset. +// The metadata.labels contain the app.kubernetes.io/component label. 
+#MetaClusterComponent: { + // Meta is the Kubernetes object's metadata generated by Timoni. + #Meta!: #Metadata + + // Component is the name of the component used + // as a suffix for the generate object name. + #Component!: string & strings.MaxRunes(30) + + name: #Meta.name + "-" + #Component + + labels: #Meta.labels + labels: (#StdLabelComponent): #Component + + annotations?: #Annotations + if #Meta.annotations != _|_ { + annotations: #Meta.annotations + } + + // LabelSelector selects Pods based on the app.kubernetes.io/name + // and app.kubernetes.io/component labels. + #LabelSelector: #Labels & { + (#StdLabelComponent): #Component + (#StdLabelName): #Meta.name + } +} diff --git a/k8s/timoni/codebattle/cue.mod/pkg/timoni.sh/core/v1alpha1/object.cue b/k8s/timoni/codebattle/cue.mod/pkg/timoni.sh/core/v1alpha1/object.cue new file mode 100644 index 000000000..1dcdb699e --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/pkg/timoni.sh/core/v1alpha1/object.cue @@ -0,0 +1,21 @@ +// Copyright 2023 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import "strings" + +// ObjectReference is a reference to a Kubernetes object. +#ObjectReference: { + // Name of the referent. + name!: string & strings.MaxRunes(256) + + // Namespace of the referent. + namespace?: string & strings.MaxRunes(256) + + // API version of the referent. + apiVersion?: string & strings.MaxRunes(256) + + // Kind of the referent. + kind?: string & strings.MaxRunes(256) +} diff --git a/k8s/timoni/codebattle/cue.mod/pkg/timoni.sh/core/v1alpha1/requirements.cue b/k8s/timoni/codebattle/cue.mod/pkg/timoni.sh/core/v1alpha1/requirements.cue new file mode 100644 index 000000000..d3b5573ae --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/pkg/timoni.sh/core/v1alpha1/requirements.cue 
@@ -0,0 +1,40 @@ +// Copyright 2023 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + "strconv" + "strings" +) + +// CPUQuantity is a string that is validated as a quantity of CPU, such as 100m or 2000m. +#CPUQuantity: string & =~"^[1-9]\\d*m$" + +// MemoryQuantity is a string that is validated as a quantity of memory, such as 128Mi or 2Gi. +#MemoryQuantity: string & =~"^[1-9]\\d*(Mi|Gi)$" + +// ResourceRequirement defines the schema for the CPU and Memory resource requirements. +#ResourceRequirement: { + cpu?: #CPUQuantity + memory?: #MemoryQuantity +} + +// ResourceRequirements defines the schema for the compute resource requirements of a container. +// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/. +#ResourceRequirements: { + // Limits describes the maximum amount of compute resources allowed. + limits?: #ResourceRequirement + + // Requests describes the minimum amount of compute resources required. + // Requests cannot exceed Limits. + requests?: #ResourceRequirement & { + if limits != _|_ { + if limits.cpu != _|_ { + _lc: strconv.Atoi(strings.Split(limits.cpu, "m")[0]) + _rc: strconv.Atoi(strings.Split(requests.cpu, "m")[0]) + #cpu: int & >=_rc & _lc + } + } + } +} diff --git a/k8s/timoni/codebattle/cue.mod/pkg/timoni.sh/core/v1alpha1/selector.cue b/k8s/timoni/codebattle/cue.mod/pkg/timoni.sh/core/v1alpha1/selector.cue new file mode 100644 index 000000000..9c4f2384b --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/pkg/timoni.sh/core/v1alpha1/selector.cue 
@@ -0,0 +1,19 @@ +// Copyright 2023 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +// Selector defines the schema for Kubernetes Pod label selector used in Deployments, Services, Jobs, etc. +#Selector: { + // Name must be unique within a namespace. Is required when creating resources. + // Name is primarily intended for creation idempotence and configuration definition. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names + #Name!: #InstanceName + + // Map of string keys and values that can be used to organize and categorize (scope and select) objects. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels + labels: #Labels + + // Standard Kubernetes label: app name. + labels: (#StdLabelName): #Name +} diff --git a/k8s/timoni/codebattle/cue.mod/pkg/timoni.sh/core/v1alpha1/semver.cue b/k8s/timoni/codebattle/cue.mod/pkg/timoni.sh/core/v1alpha1/semver.cue new file mode 100644 index 000000000..ecd1e397f --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/pkg/timoni.sh/core/v1alpha1/semver.cue 
@@ -0,0 +1,29 @@ +// Copyright 2023 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + "strconv" + "strings" +) + +// SemVer validates the input version string and extracts the major and minor version numbers. +// When Minimum is set, the major and minor parts must be greater or equal to the minimum +// or a validation error is returned. +#SemVer: { + // Input version string in strict semver format. + #Version!: string & =~"^\\d+\\.\\d+\\.\\d+(-[0-9A-Za-z-]+(\\.[0-9A-Za-z-]+)*)?(\\+[0-9A-Za-z-]+(\\.[0-9A-Za-z-]+)*)?$" + + // Minimum is the minimum allowed MAJOR.MINOR version. + #Minimum: *"0.0.0" | string & =~"^\\d+\\.\\d+\\.\\d+(-[0-9A-Za-z-]+(\\.[0-9A-Za-z-]+)*)?(\\+[0-9A-Za-z-]+(\\.[0-9A-Za-z-]+)*)?$" + + let minMajor = strconv.Atoi(strings.Split(#Minimum, ".")[0]) + let minMinor = strconv.Atoi(strings.Split(#Minimum, ".")[1]) + + major: int & >=minMajor + major: strconv.Atoi(strings.Split(#Version, ".")[0]) + + minor: int & >=minMinor + minor: strconv.Atoi(strings.Split(#Version, ".")[1]) +} diff --git a/k8s/timoni/codebattle/templates/config.cue b/k8s/timoni/codebattle/templates/config.cue new file mode 100644 index 000000000..d008249c1 --- /dev/null +++ b/k8s/timoni/codebattle/templates/config.cue 
@@ -0,0 +1,89 @@
+package templates
+
+import (
+ corev1 "k8s.io/api/core/v1"
+ networkingv1 "k8s.io/api/networking/v1"
+ timoniv1 "timoni.sh/core/v1alpha1"
+)
+
+#Config: {
+ kubeVersion!: string
+ moduleVersion!: string
+
+ metadata: timoniv1.#Metadata & {#Version: moduleVersion}
+ metadata: labels: timoniv1.#Labels
+ metadata: annotations?: timoniv1.#Annotations
+
+ selector: timoniv1.#Selector & {
+ #Name: metadata.name
+ labels: app: "codebattle"
+ }
+
+ registry: string
+ image!: {
+ codebattle: timoniv1.#Image
+ nginx: timoniv1.#Image
+ }
+
+ resources: timoniv1.#ResourceRequirements & {
+ requests: {
+ cpu: *"10m" | timoniv1.#CPUQuantity
+ memory: *"32Mi" | timoniv1.#MemoryQuantity
+ }
+ }
+
+ replicas: *1 | int & >0
+
+ securityContext: corev1.#SecurityContext & {
+ allowPrivilegeEscalation: *false | true
+ privileged: *false | true
+ capabilities:
+ {
+ drop: *["ALL"] | [string]
+ add: *["CHOWN", "NET_BIND_SERVICE", "SETGID", "SETUID"] | [string]
+ }
+ }
+
+ service: {
+ annotations?: timoniv1.#Annotations
+ port: *4000 | int & >0 & <=65535
+ type: corev1.#ServiceType
+ }
+
+ env: [string]: string | int | bool
+
+ podSecurityContext?: corev1.#PodSecurityContext
+ imagePullSecrets?: [...timoniv1.#ObjectReference]
+ tolerations?: [...corev1.#Toleration]
+ affinity?: corev1.#Affinity
+ topologySpreadConstraints?: [...corev1.#TopologySpreadConstraint]
+
+ ingress: {
+ enable: *false | bool
+ class?: string
+ tls: [...networkingv1.#IngressTLS]
+ host?: string
+ }
+
+ gateway: {
+ enable: *false | bool
+ gatewayName: string
+ host: *"codebattle.hexlet.io" | string
+ }
+}
+
+// Instance takes the config values and outputs the Kubernetes objects.
+#Instance: {
+ config: #Config
+
+ objects: {
+ deploy: #Deployment & {#config: config}
+ svc: #Service & {#config: config}
+ if config.ingress.enable {
+ ingress: #Ingress & {#config: config}
+ }
+ if config.gateway.enable {
+ gateway: #HTTPRoute & {#config: config}
+ }
+ }
+}
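Review bot: In templates/config.cue the capability lists under `securityContext.capabilities` are typed `[string]`, which in CUE is a closed list of exactly one element. Any override other than a single capability fails validation, including an empty `add` list that would remove the four default capabilities. Use the open-list form instead: `drop: *["ALL"] | [...string]` and `add: *["CHOWN", "NET_BIND_SERVICE", "SETGID", "SETUID"] | [...string]`. A short comment on `add` stating why each of the four capabilities is needed would also make the default easier to tighten later.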
diff --git a/k8s/timoni/codebattle/templates/deployment.cue b/k8s/timoni/codebattle/templates/deployment.cue
new file mode 100644
index 000000000..0df7c9c9f
--- /dev/null
+++ b/k8s/timoni/codebattle/templates/deployment.cue
@@ -0,0 +1,80 @@
+package templates
+
+import (
+ appsv1 "k8s.io/api/apps/v1"
+ corev1 "k8s.io/api/core/v1"
+)
+
+#Deployment: appsv1.#Deployment & {
+ #config: #Config
+ apiVersion: "apps/v1"
+ kind: "Deployment"
+ metadata: #config.metadata
+ spec: appsv1.#DeploymentSpec & {
+ replicas: #config.replicas
+ selector: matchLabels: #config.selector.labels
+ template: {
+ metadata: labels: #config.selector.labels
+ spec: corev1.#PodSpec & {
+ containers: [{
+ name: "codebattle"
+ image: #config.image.codebattle.reference
+ imagePullPolicy: #config.image.codebattle.pullPolicy
+ ports: [{
+ name: "codebattle"
+ containerPort: #config.service.port
+ protocol: "TCP"
+ }]
+ readinessProbe: {
+ httpGet: {
+ path: "/health"
+ port: "codebattle"
+ }
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ successThreshold: 1
+ }
+ command: ["make", "start"]
+ envFrom: [{
+ secretRef: name: "\(#config.metadata.name)-secrets"
+ }]
+ env: [for k, v in #config.env {
+ name: k
+ value: "\(v)"
+ }, {
+ name: "CODEBATTLE_PORT"
+ value: "\(#config.service.port)"
+ }, {
+ name: "CODEBATTLE_VERSION"
+ value: #config.image.codebattle.tag
+ }]
+ }, {
+ name: "nginx"
+ image: #config.image.nginx.reference
+ imagePullPolicy: #config.image.nginx.pullPolicy
+ ports: [{
+ name: "http"
+ containerPort: 80
+ protocol: "TCP"
+ }]
+ readinessProbe: {
+ httpGet: {
+ path: "/health"
+ port: "http"
+ }
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ successThreshold: 1
+ }
+ env: [{
+ name: "NGINX_SERVER_ADDRESS"
+ value: "127.0.0.1"
+ }]
+ }]
+ if #config.affinity != _|_ {
+ affinity: #config.affinity
+ }
+ }
+ }
+ }
+}
diff --git a/k8s/timoni/codebattle/templates/httproute.cue b/k8s/timoni/codebattle/templates/httproute.cue
new file mode 100644
index 000000000..b59a2b6b5
--- /dev/null
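Review bot: Neither container in templates/deployment.cue sets `securityContext` or `resources`, so the hardened defaults declared in `#Config` (no privilege escalation, non-privileged, `drop: ["ALL"]`) and the resource requests are never rendered. Both containers therefore run with the runtime's default capability set and without requests or limits. Add `securityContext: #config.securityContext` and `resources: #config.resources` to the `codebattle` and `nginx` container entries. `podSecurityContext`, `imagePullSecrets`, `tolerations` and `topologySpreadConstraints` are also accepted by `#Config`, but only `affinity` is copied into the pod spec; each needs the same `if #config.<field> != _|_ { ... }` guard. The `envFrom` secret `"\(#config.metadata.name)-secrets"` is not among the objects `#Instance` emits, so it presumably has to exist before rollout, and a comment next to `envFrom` should say so.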
+++ b/k8s/timoni/codebattle/templates/httproute.cue
@@ -0,0 +1,41 @@
+package templates
+
+import (
+ gatewayv1 "gateway.networking.k8s.io/httproute/v1"
+)
+
+#HTTPRoute: gatewayv1.#HTTPRoute & {
+ #config: #Config
+ apiVersion: "gateway.networking.k8s.io/v1"
+ kind: "HTTPRoute"
+ metadata: #config.metadata
+ spec: {
+ parentRefs: [{
+ name: #config.gateway.gatewayName
+ }]
+ hostnames: [#config.gateway.host]
+ rules: [{
+ matches: [{
+ path: {
+ type: "PathPrefix"
+ value: "/"
+ }
+ }]
+ backendRefs: [{
+ name: metadata.name
+ port: #config.service.port
+ }]
+ }, {
+ matches: [{
+ path: {
+ type: "PathPrefix"
+ value: "/assets"
+ }
+ }]
+ backendRefs: [{
+ name: metadata.name
+ port: 80
+ }]
+ }]
+ }
+}
diff --git a/k8s/timoni/codebattle/templates/ingress.cue b/k8s/timoni/codebattle/templates/ingress.cue
new file mode 100644
index 000000000..ea6eb98d0
--- /dev/null
+++ b/k8s/timoni/codebattle/templates/ingress.cue
@@ -0,0 +1,34 @@
+package templates
+
+import (
+ networkingv1 "k8s.io/api/networking/v1"
+)
+
+#Ingress: networkingv1.#Ingress & {
+ #config: #Config
+ apiVersion: "networking.k8s.io/v1"
+ kind: "Ingress"
+ metadata: #config.metadata
+ spec: networkingv1.#IngressSpec & {
+ ingressClassName: #config.ingress.class
+ tls: #config.ingress.tls
+ rules: [{
+ host: #config.ingress.host
+ http: paths: [{
+ path: "/assets"
+ pathType: "Prefix"
+ backend: service: {
+ name: #config.metadata.name
+ port: name: "nginx"
+ }
+ }, {
+ path: "/"
+ pathType: "Prefix"
+ backend: service: {
+ name: #config.metadata.name
+ port: name: "codebattle"
+ }
+ }]
+ }]
+ }
+}
diff --git a/k8s/timoni/codebattle/templates/service.cue b/k8s/timoni/codebattle/templates/service.cue
new file mode 100644
index 000000000..19b8509ff
--- /dev/null
+++ b/k8s/timoni/codebattle/templates/service.cue
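Review bot: In templates/ingress.cue the `/assets` backend uses `port: name: "nginx"`, but the Service in templates/service.cue names its ports `codebattle` and `http`. That path references a port the Service does not define, so asset requests through the Ingress would have no backend to resolve to; change it to `port: name: "http"`. `ingressClassName` and the rule `host` also read `#config.ingress.class` and `#config.ingress.host`, both optional in `#Config`. With `ingress.enable: true` and either one unset, evaluation will likely fail, so wrap them in `if #config.ingress.class != _|_ { ... }` style guards or require them when ingress is enabled.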
@@ -0,0 +1,30 @@
+package templates
+
+import (
+ corev1 "k8s.io/api/core/v1"
+)
+
+#Service: corev1.#Service & {
+ #config: #Config
+ apiVersion: "v1"
+ kind: "Service"
+ metadata: #config.metadata
+ if #config.service.annotations != _|_ {
+ metadata: annotations: #config.service.annotations
+ }
+ spec: corev1.#ServiceSpec & {
+ type: #config.service.type
+ selector: #config.selector.labels
+ ports: [{
+ port: #config.service.port
+ protocol: "TCP"
+ name: "codebattle"
+ targetPort: name
+ }, {
+ port: 80
+ protocol: "TCP"
+ name: "http"
+ targetPort: name
+ }]
+ }
+}
diff --git a/k8s/timoni/codebattle/timoni.cue b/k8s/timoni/codebattle/timoni.cue
new file mode 100644
index 000000000..b2618dcb2
--- /dev/null
+++ b/k8s/timoni/codebattle/timoni.cue
@@ -0,0 +1,25 @@
+package main
+
+import (
+ templates "timoni.sh/codebattle/templates"
+)
+
+values: templates.#Config
+
+timoni: {
+ apiVersion: "v1alpha1"
+
+ instance: templates.#Instance & {
+ config: values
+ config: {
+ metadata: {
+ name: string @tag(name)
+ namespace: string @tag(namespace)
+ }
+ moduleVersion: string @tag(mv, var=moduleVersion)
+ kubeVersion: string @tag(kv, var=kubeVersion)
+ }
+ }
+
+ apply: app: [for obj in instance.objects {obj}]
+}
diff --git a/k8s/timoni/codebattle/timoni.ignore b/k8s/timoni/codebattle/timoni.ignore
new file mode 100644
index 000000000..0722c3486
--- /dev/null
+++ b/k8s/timoni/codebattle/timoni.ignore
@@ -0,0 +1,14 @@
+# VCS
+.git/
+.gitignore
+.gitmodules
+.gitattributes
+
+# Go
+vendor/
+go.mod
+go.sum
+
+# CUE
+*_tool.cue
+debug_values.cue
diff --git a/k8s/timoni/codebattle/values.cue b/k8s/timoni/codebattle/values.cue
new file mode 100644
index 000000000..2ed9cdf27
--- /dev/null
+++ b/k8s/timoni/codebattle/values.cue
@@ -0,0 +1,30 @@
+package main
+
+values: {
+ registry: "docker.io"
+ service: {
+ port: 4000
+ type: "ClusterIP"
+ }
+ image: {
+ codebattle: {
+ repository: "\(registry)/codebattle/codebattle"
+ tag: "latest"
+ digest: ""
+ }
+ nginx: {
+ repository: "\(registry)/codebattle/nginx-assets"
+ tag: "latest"
+ digest: ""
+ }
+ }
+ env: {
+ "CODEBATTLE_SHOW_EXTENSION_POPUP": true
+ "CODEBATTLE_USE_EXTERNAL_JS": true
+ "CODEBATTLE_CREATE_BOT_GAMES": true
+ "CODEBATTLE_IMPORT_GITHUB_TASKS": true
+ "CODEBATTLE_ALLOW_GUESTS": true
+ "CODEBATTLE_USE_PRESENCE": true
+ "CODEBATTLE_RECORD_GAMES": true
+ }
+}
diff --git a/k8s/timoni/gateway/cue.mod/gen/gateway.envoyproxy.io/backend/v1alpha1/types_gen.cue b/k8s/timoni/gateway/cue.mod/gen/gateway.envoyproxy.io/backend/v1alpha1/types_gen.cue
new file mode 100644
index 000000000..0c4ff93a7
--- /dev/null
+++ b/k8s/timoni/gateway/cue.mod/gen/gateway.envoyproxy.io/backend/v1alpha1/types_gen.cue
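Review bot: Both images in codebattle/values.cue default to `tag: "latest"` with `digest: ""`, so what gets deployed depends on whatever the registry serves at pull time. A re-tagged or replaced image is picked up with no change to the manifests. Pin the defaults to a release tag and a digest, e.g. `tag: "<release-tag>"` and `digest: "sha256:<image-digest>"` (placeholders), and let CI override them per build. templates/deployment.cue also exports the tag as `CODEBATTLE_VERSION`, which only carries information when the tag is an actual version.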
@@ -0,0 +1,102 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/envoyproxy/gateway/releases/download/v1.3.0/install.yaml + +package v1alpha1 + +import ( + "strings" + "list" +) + +// Backend allows the user to configure the endpoints of a backend +// and +// the behavior of the connection from Envoy Proxy to the backend. +#Backend: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "gateway.envoyproxy.io/v1alpha1" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "Backend" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Spec defines the desired state of Backend. + spec!: #BackendSpec +} + +// Spec defines the desired state of Backend. +#BackendSpec: { + // AppProtocols defines the application protocols to be supported + // when connecting to the backend. + appProtocols?: [..."gateway.envoyproxy.io/h2c" | "gateway.envoyproxy.io/ws" | "gateway.envoyproxy.io/wss"] + + // Endpoints defines the endpoints to be used when connecting to + // the backend. + endpoints?: list.MaxItems(64) & [...{ + // FQDN defines a FQDN endpoint + fqdn?: { + // Hostname defines the FQDN hostname of the backend endpoint. 
+ hostname!: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Port defines the port of the backend endpoint. + port!: uint16 + } + + // IP defines an IP endpoint. Supports both IPv4 and IPv6 + // addresses. + ip?: { + // Address defines the IP address of the backend endpoint. + // Supports both IPv4 and IPv6 addresses. + address!: strings.MaxRunes(45) & strings.MinRunes(3) & { + =~"^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$|^(([0-9a-fA-F]{1,4}:){1,7}[0-9a-fA-F]{1,4}|::|(([0-9a-fA-F]{1,4}:){0,5})?(:[0-9a-fA-F]{1,4}){1,2})$" + } + + // Port defines the port of the backend endpoint. + port!: uint16 + } + unix?: { + // Path defines the unix domain socket path of the backend + // endpoint. + path!: string + } + }] & [_, ...] + + // Fallback indicates whether the backend is designated as a + // fallback. + // It is highly recommended to configure active or passive health + // checks to ensure that failover can be detected + // when the active backends become unhealthy and to automatically + // readjust once the primary backends are healthy again. + // The overprovisioning factor is set to 1.4, meaning the fallback + // backends will only start receiving traffic when + // the health of the active backends falls below 72%. + fallback?: bool +} diff --git a/k8s/timoni/gateway/cue.mod/gen/gateway.envoyproxy.io/backendtrafficpolicy/v1alpha1/types_gen.cue b/k8s/timoni/gateway/cue.mod/gen/gateway.envoyproxy.io/backendtrafficpolicy/v1alpha1/types_gen.cue new file mode 100644 index 000000000..33c6fc1cd --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/gateway.envoyproxy.io/backendtrafficpolicy/v1alpha1/types_gen.cue 
@@ -0,0 +1,1019 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/envoyproxy/gateway/releases/download/v1.3.0/install.yaml + +package v1alpha1 + +import ( + "strings" + "list" +) + +// BackendTrafficPolicy allows the user to configure the behavior +// of the connection +// between the Envoy Proxy listener and the backend service. +#BackendTrafficPolicy: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "gateway.envoyproxy.io/v1alpha1" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "BackendTrafficPolicy" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // spec defines the desired state of BackendTrafficPolicy. + spec!: #BackendTrafficPolicySpec +} + +// spec defines the desired state of BackendTrafficPolicy. +#BackendTrafficPolicySpec: { + // Circuit Breaker settings for the upstream connections and + // requests. + // If not set, circuit breakers will be enabled with the default + // thresholds + circuitBreaker?: { + // The maximum number of connections that Envoy will establish to + // the referenced backend defined within a xRoute rule. 
+ maxConnections?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of parallel requests that Envoy will make to + // the referenced backend defined within a xRoute rule. + maxParallelRequests?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of parallel retries that Envoy will make to + // the referenced backend defined within a xRoute rule. + maxParallelRetries?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of pending requests that Envoy will queue to + // the referenced backend defined within a xRoute rule. + maxPendingRequests?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of requests that Envoy will make over a + // single connection to the referenced backend defined within a + // xRoute rule. + // Default: unlimited. + maxRequestsPerConnection?: uint32 + } + + // The compression config for the http streams. + compression?: [...{ + // The configuration for Brotli compressor. + brotli?: {} + + // The configuration for GZIP compressor. + gzip?: {} + + // CompressorType defines the compressor type to use for + // compression. + type!: "Gzip" | "Brotli" + }] + + // Connection includes backend connection settings. + connection?: { + // BufferLimit Soft limit on size of the cluster’s connections + // read and write buffers. + // BufferLimit applies to connection streaming (maybe + // non-streaming) channel between processes, it's in user space. + // If unspecified, an implementation defined default is applied + // (32768 bytes). + // For example, 20Mi, 1Gi, 256Ki etc. + // Note: that when the suffix is not provided, the value is + // interpreted as bytes. + bufferLimit?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] 
| {}]) & matchN(>=1, [int, string]) + + // SocketBufferLimit provides configuration for the maximum buffer + // size in bytes for each socket + // to backend. + // SocketBufferLimit applies to socket streaming channel between + // TCP/IP stacks, it's in kernel space. + // For example, 20Mi, 1Gi, 256Ki etc. + // Note that when the suffix is not provided, the value is + // interpreted as bytes. + socketBufferLimit?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + } + + // DNS includes dns resolution settings. + dns?: { + // DNSRefreshRate specifies the rate at which DNS records should + // be refreshed. + // Defaults to 30 seconds. + dnsRefreshRate?: string + + // RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) + // should be respected. + // If the value is set to true, the DNS refresh rate will be set + // to the resource record’s TTL. + // Defaults to true. + respectDnsTtl?: bool + } + + // FaultInjection defines the fault injection policy to be + // applied. This configuration can be used to + // inject delays and abort requests to mimic failure scenarios + // such as service failures and overloads + faultInjection?: { + // If specified, the request will be aborted if it meets the + // configuration criteria. + abort?: { + // GrpcStatus specifies the GRPC status code to be returned + grpcStatus?: int32 + + // StatusCode specifies the HTTP status code to be returned + httpStatus?: uint & >=200 & <=600 + + // Percentage specifies the percentage of requests to be aborted. + // Default 100%, if set 0, no requests will be aborted. Accuracy + // to 0.0001%. + percentage?: number | *100 + } + + // If specified, a delay will be injected into the request. 
+ delay?: { + // FixedDelay specifies the fixed delay duration + fixedDelay!: string + + // Percentage specifies the percentage of requests to be delayed. + // Default 100%, if set 0, no requests will be delayed. Accuracy + // to 0.0001%. + percentage?: number | *100 + } + } + + // HealthCheck allows gateway to perform active health checking on + // backends. + healthCheck?: { + // Active health check configuration + active?: { + grpc?: { + // Service to send in the health check request. + // If this is not specified, then the health check request applies + // to the entire + // server and not to a specific service. + service?: string + } + + // HealthyThreshold defines the number of healthy health checks + // required before a backend host is marked healthy. + healthyThreshold?: int32 & int & >=1 | *1 + + // HTTP defines the configuration of http health checker. + // It's required while the health checker type is HTTP. + http?: { + // ExpectedResponse defines a list of HTTP expected responses to + // match. + expectedResponse?: { + // Binary payload base64 encoded. + binary?: string + + // Text payload in plain text. + text?: string + + // Type defines the type of the payload. + type!: matchN(2, ["Text" | "Binary", "Text" | "Binary"]) + } + + // ExpectedStatuses defines a list of HTTP response statuses + // considered healthy. + // Defaults to 200 only + expectedStatuses?: [...int & <600 & >=100] + + // Method defines the HTTP method used for health checking. + // Defaults to GET + method?: string + + // Path defines the HTTP path that will be requested during health + // checking. + path!: strings.MaxRunes(1024) & strings.MinRunes(1) + } + + // Interval defines the time between active health checks. + interval?: string | *"3s" + + // TCP defines the configuration of tcp health checker. + // It's required while the health checker type is TCP. + tcp?: { + // Receive defines the expected response payload. + receive?: { + // Binary payload base64 encoded. 
+ binary?: string + + // Text payload in plain text. + text?: string + + // Type defines the type of the payload. + type!: matchN(2, ["Text" | "Binary", "Text" | "Binary"]) + } + + // Send defines the request payload. + send?: { + // Binary payload base64 encoded. + binary?: string + + // Text payload in plain text. + text?: string + + // Type defines the type of the payload. + type!: matchN(2, ["Text" | "Binary", "Text" | "Binary"]) + } + } + + // Timeout defines the time to wait for a health check response. + timeout?: string | *"1s" + + // Type defines the type of health checker. + type!: matchN(2, ["HTTP" | "TCP" | "GRPC", "HTTP" | "TCP" | "GRPC"]) + + // UnhealthyThreshold defines the number of unhealthy health + // checks required before a backend host is marked unhealthy. + unhealthyThreshold?: int32 & int & >=1 | *3 + } + + // Passive passive check configuration + passive?: { + // BaseEjectionTime defines the base duration for which a host + // will be ejected on consecutive failures. + baseEjectionTime?: string | *"30s" + + // Consecutive5xxErrors sets the number of consecutive 5xx errors + // triggering ejection. + consecutive5XxErrors?: int32 & int | *5 + + // ConsecutiveGatewayErrors sets the number of consecutive gateway + // errors triggering ejection. + consecutiveGatewayErrors?: int32 & int | *0 + + // ConsecutiveLocalOriginFailures sets the number of consecutive + // local origin failures triggering ejection. + // Parameter takes effect only when + // split_external_local_origin_errors is set to true. + consecutiveLocalOriginFailures?: int32 & int | *5 + + // Interval defines the time between passive health checks. + interval?: string | *"3s" + + // MaxEjectionPercent sets the maximum percentage of hosts in a + // cluster that can be ejected. + maxEjectionPercent?: int32 & int | *10 + + // SplitExternalLocalOriginErrors enables splitting of errors + // between external and local origin. 
+ splitExternalLocalOriginErrors?: bool | *false + } + } + + // HTTP2 provides HTTP/2 configuration for backend connections. + http2?: { + // InitialConnectionWindowSize sets the initial window size for + // HTTP/2 connections. + // If not set, the default value is 1 MiB. + initialConnectionWindowSize?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + + // InitialStreamWindowSize sets the initial window size for HTTP/2 + // streams. + // If not set, the default value is 64 KiB(64*1024). + initialStreamWindowSize?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + + // MaxConcurrentStreams sets the maximum number of concurrent + // streams allowed per connection. + // If not set, the default value is 100. + maxConcurrentStreams?: int32 & >=1 + + // OnInvalidMessage determines if Envoy will terminate the + // connection or just the offending stream in the event of HTTP + // messaging error + // It's recommended for L2 Envoy deployments to set this value to + // TerminateStream. + // https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + // Default: TerminateConnection + onInvalidMessage?: string + } + + // LoadBalancer policy to apply when routing traffic from the + // gateway to + // the backend endpoints. Defaults to `LeastRequest`. + loadBalancer?: { + // ConsistentHash defines the configuration when the load balancer + // type is + // set to ConsistentHash + consistentHash?: { + // Cookie configures the cookie hash policy when the consistent + // hash type is set to Cookie. 
+ cookie?: { + // Additional Attributes to set for the generated cookie. + attributes?: close({ + [string]: string + }) + + // Name of the cookie to hash. + // If this cookie does not exist in the request, Envoy will + // generate a cookie and set + // the TTL on the response back to the client based on Layer 4 + // attributes of the backend endpoint, to ensure that these future + // requests + // go to the same backend endpoint. Make sure to set the TTL field + // for this case. + name!: string + + // TTL of the generated cookie if the cookie is not present. This + // value sets the + // Max-Age attribute value. + ttl?: string + } + header?: { + // Name of the header to hash. + name!: string + } + + // The table size for consistent hashing, must be prime number + // limited to 5000011. + tableSize?: int64 & int & <=5000011 & >=2 | *65537 + + // ConsistentHashType defines the type of input to hash on. Valid + // Type values are + // "SourceIP", + // "Header", + // "Cookie". + type!: "SourceIP" | "Header" | "Cookie" + } + slowStart?: { + // Window defines the duration of the warm up period for newly + // added host. + // During slow start window, traffic sent to the newly added hosts + // will gradually increase. + // Currently only supports linear growth of traffic. For + // additional details, + // see + // https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + window!: string + } + + // Type decides the type of Load Balancer policy. + // Valid LoadBalancerType values are + // "ConsistentHash", + // "LeastRequest", + // "Random", + // "RoundRobin". 
+ type!: "ConsistentHash" | "LeastRequest" | "Random" | "RoundRobin" + } + proxyProtocol?: { + // Version of ProxyProtol + // Valid ProxyProtocolVersion values are + // "V1" + // "V2" + version!: "V1" | "V2" + } + + // RateLimit allows the user to limit the number of incoming + // requests + // to a predefined value based on attributes within the traffic + // flow. + rateLimit?: { + global?: { + // Rules are a list of RateLimit selectors and limits. Each rule + // and its + // associated limit is applied in a mutually exclusive way. If a + // request + // matches multiple rules, each of their associated limits get + // applied, so a + // single request might increase the rate limit counters for + // multiple rules + // if selected. The rate limit service will return a logical OR of + // the individual + // rate limit decisions of all matching rules. For example, if a + // request + // matches two rules, one rate limited and one not, the final + // decision will be + // to rate limit the request. + rules!: list.MaxItems(64) & [...{ + // ClientSelectors holds the list of select conditions to select + // specific clients using attributes from the traffic flow. + // All individual select conditions must hold True for this rule + // and its limit to be applied. + // + // If no client selectors are specified, the rule applies to all + // traffic of + // the targeted Route. + // + // If the policy targets a Gateway, the rule applies to each Route + // of the Gateway. + // Please note that each Route has its own rate limit counters. + // For example, + // if a Gateway has two Routes, and the policy has a rule with + // limit 10rps, + // each Route will have its own 10rps limit. + clientSelectors?: list.MaxItems(8) & [...{ + // Headers is a list of request headers to match. Multiple header + // values are ANDed together, + // meaning, a request MUST match all the specified headers. + // At least one of headers or sourceCIDR condition must be + // specified. 
+ headers?: list.MaxItems(16) & [...{ + // Invert specifies whether the value match result will be + // inverted. + // Do not set this field when Type="Distinct", implying matching + // on any/all unique + // values within the header. + invert?: bool | *false + + // Name of the HTTP header. + name!: strings.MaxRunes(256) & strings.MinRunes(1) + + // Type specifies how to match against the value of the header. + type?: "Exact" | "RegularExpression" | "Distinct" | *"Exact" + + // Value within the HTTP header. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered equivalent. + // Do not set this field when Type="Distinct", implying matching + // on any/all unique + // values within the header. + value?: strings.MaxRunes(1024) + }] + + // SourceCIDR is the client IP Address range to match on. + // At least one of headers or sourceCIDR condition must be + // specified. + sourceCIDR?: { + type?: "Exact" | "Distinct" | *"Exact" + + // Value is the IP CIDR that represents the range of Source IP + // Addresses of the client. + // These could also be the intermediate addresses through which + // the request has flown through and is part of the + // `X-Forwarded-For` header. + // For example, `192.168.0.1/32`, `192.168.0.0/24`, + // `001:db8::/64`. + value!: strings.MaxRunes(256) & strings.MinRunes(1) + } + }] + + // Cost specifies the cost of requests and responses for the rule. + // + // This is optional and if not specified, the default behavior is + // to reduce the rate limit counters by 1 on + // the request path and do not reduce the rate limit counters on + // the response path. + cost?: { + // Request specifies the number to reduce the rate limit counters + // on the request path. If this is not specified, the default + // behavior + // is to reduce the rate limit counters by 1. + // + // When Envoy receives a request that matches the rule, it tries + // to reduce the + // rate limit counters by the specified number. 
If the counter + // doesn't have + // enough capacity, the request is rate limited. + request?: { + // From specifies where to get the rate limit cost. Currently, + // only "Number" and "Metadata" are supported. + from!: "Number" | "Metadata" + + // Metadata specifies the per-request metadata to retrieve the + // usage number from. + metadata?: { + // Key is the key to retrieve the usage number from the filter + // metadata. + key!: string + + // Namespace is the namespace of the dynamic metadata. + namespace!: string + } + + // Number specifies the fixed usage number to reduce the rate + // limit counters. + // Using zero can be used to only check the rate limit counters + // without reducing them. + number?: int64 + } + + // Response specifies the number to reduce the rate limit counters + // after the response is sent back to the client or the request + // stream is closed. + // + // The cost is used to reduce the rate limit counters for the + // matching requests. + // Since the reduction happens after the request stream is + // complete, the rate limit + // won't be enforced for the current request, but for the + // subsequent matching requests. + // + // This is optional and if not specified, the rate limit counters + // are not reduced + // on the response path. + // + // Currently, this is only supported for HTTP Global Rate Limits. + response?: { + // From specifies where to get the rate limit cost. Currently, + // only "Number" and "Metadata" are supported. + from!: "Number" | "Metadata" + + // Metadata specifies the per-request metadata to retrieve the + // usage number from. + metadata?: { + // Key is the key to retrieve the usage number from the filter + // metadata. + key!: string + + // Namespace is the namespace of the dynamic metadata. + namespace!: string + } + + // Number specifies the fixed usage number to reduce the rate + // limit counters. + // Using zero can be used to only check the rate limit counters + // without reducing them. 
+ number?: int64 + } + } + + // Limit holds the rate limit values. + // This limit is applied for traffic flows when the selectors + // compute to True, causing the request to be counted towards the + // limit. + // The limit is enforced and the request is ratelimited, i.e. a + // response with + // 429 HTTP status code is sent back to the client when + // the selected requests have reached the limit. + limit!: { + requests!: int + + // RateLimitUnit specifies the intervals for setting rate limits. + // Valid RateLimitUnit values are "Second", "Minute", "Hour", and + // "Day". + unit!: "Second" | "Minute" | "Hour" | "Day" + } + }] + } + local?: { + // Rules are a list of RateLimit selectors and limits. If a + // request matches + // multiple rules, the strictest limit is applied. For example, if + // a request + // matches two rules, one with 10rps and one with 20rps, the final + // limit will + // be based on the rule with 10rps. + rules?: list.MaxItems(16) & [...{ + // ClientSelectors holds the list of select conditions to select + // specific clients using attributes from the traffic flow. + // All individual select conditions must hold True for this rule + // and its limit to be applied. + // + // If no client selectors are specified, the rule applies to all + // traffic of + // the targeted Route. + // + // If the policy targets a Gateway, the rule applies to each Route + // of the Gateway. + // Please note that each Route has its own rate limit counters. + // For example, + // if a Gateway has two Routes, and the policy has a rule with + // limit 10rps, + // each Route will have its own 10rps limit. + clientSelectors?: list.MaxItems(8) & [...{ + // Headers is a list of request headers to match. Multiple header + // values are ANDed together, + // meaning, a request MUST match all the specified headers. + // At least one of headers or sourceCIDR condition must be + // specified. 
+ headers?: list.MaxItems(16) & [...{ + // Invert specifies whether the value match result will be + // inverted. + // Do not set this field when Type="Distinct", implying matching + // on any/all unique + // values within the header. + invert?: bool | *false + + // Name of the HTTP header. + name!: strings.MaxRunes(256) & strings.MinRunes(1) + + // Type specifies how to match against the value of the header. + type?: "Exact" | "RegularExpression" | "Distinct" | *"Exact" + + // Value within the HTTP header. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered equivalent. + // Do not set this field when Type="Distinct", implying matching + // on any/all unique + // values within the header. + value?: strings.MaxRunes(1024) + }] + + // SourceCIDR is the client IP Address range to match on. + // At least one of headers or sourceCIDR condition must be + // specified. + sourceCIDR?: { + type?: "Exact" | "Distinct" | *"Exact" + + // Value is the IP CIDR that represents the range of Source IP + // Addresses of the client. + // These could also be the intermediate addresses through which + // the request has flown through and is part of the + // `X-Forwarded-For` header. + // For example, `192.168.0.1/32`, `192.168.0.0/24`, + // `001:db8::/64`. + value!: strings.MaxRunes(256) & strings.MinRunes(1) + } + }] + + // Cost specifies the cost of requests and responses for the rule. + // + // This is optional and if not specified, the default behavior is + // to reduce the rate limit counters by 1 on + // the request path and do not reduce the rate limit counters on + // the response path. + cost?: { + // Request specifies the number to reduce the rate limit counters + // on the request path. If this is not specified, the default + // behavior + // is to reduce the rate limit counters by 1. + // + // When Envoy receives a request that matches the rule, it tries + // to reduce the + // rate limit counters by the specified number. 
If the counter + // doesn't have + // enough capacity, the request is rate limited. + request?: { + // From specifies where to get the rate limit cost. Currently, + // only "Number" and "Metadata" are supported. + from!: "Number" | "Metadata" + + // Metadata specifies the per-request metadata to retrieve the + // usage number from. + metadata?: { + // Key is the key to retrieve the usage number from the filter + // metadata. + key!: string + + // Namespace is the namespace of the dynamic metadata. + namespace!: string + } + + // Number specifies the fixed usage number to reduce the rate + // limit counters. + // Using zero can be used to only check the rate limit counters + // without reducing them. + number?: int64 + } + + // Response specifies the number to reduce the rate limit counters + // after the response is sent back to the client or the request + // stream is closed. + // + // The cost is used to reduce the rate limit counters for the + // matching requests. + // Since the reduction happens after the request stream is + // complete, the rate limit + // won't be enforced for the current request, but for the + // subsequent matching requests. + // + // This is optional and if not specified, the rate limit counters + // are not reduced + // on the response path. + // + // Currently, this is only supported for HTTP Global Rate Limits. + response?: { + // From specifies where to get the rate limit cost. Currently, + // only "Number" and "Metadata" are supported. + from!: "Number" | "Metadata" + + // Metadata specifies the per-request metadata to retrieve the + // usage number from. + metadata?: { + // Key is the key to retrieve the usage number from the filter + // metadata. + key!: string + + // Namespace is the namespace of the dynamic metadata. + namespace!: string + } + + // Number specifies the fixed usage number to reduce the rate + // limit counters. + // Using zero can be used to only check the rate limit counters + // without reducing them. 
+ number?: int64 + } + } + + // Limit holds the rate limit values. + // This limit is applied for traffic flows when the selectors + // compute to True, causing the request to be counted towards the + // limit. + // The limit is enforced and the request is ratelimited, i.e. a + // response with + // 429 HTTP status code is sent back to the client when + // the selected requests have reached the limit. + limit!: { + requests!: int + + // RateLimitUnit specifies the intervals for setting rate limits. + // Valid RateLimitUnit values are "Second", "Minute", "Hour", and + // "Day". + unit!: "Second" | "Minute" | "Hour" | "Day" + } + }] + } + + // Type decides the scope for the RateLimits. + // Valid RateLimitType values are "Global" or "Local". + type!: "Global" | "Local" + } + + // ResponseOverride defines the configuration to override specific + // responses with a custom one. + // If multiple configurations are specified, the first one to + // match wins. + responseOverride?: [...{ + match!: { + // Status code to match on. The match evaluates to true if any of + // the matches are successful. + statusCodes!: list.MaxItems(50) & [...{ + // Range contains the range of status codes. + range?: { + // End of the range, including the end value. + end!: int + + // Start of the range, including the start value. + start!: int + } + + // Type is the type of value. + // Valid values are Value and Range, default is Value. + type!: matchN(2, ["Value" | "Range", "Value" | "Range"]) | *"Value" + + // Value contains the value of the status code. + value?: int + }] & [_, ...] + } + + // Response configuration. + response!: { + // Body of the Custom Response + body?: { + // Inline contains the value as an inline string. + inline?: string + + // Type is the type of method to use to read the body value. + // Valid values are Inline and ValueRef, default is Inline. 
+ type!: matchN(2, ["Inline" | "ValueRef", "Inline" | "ValueRef"]) | *"Inline" + + // ValueRef contains the contents of the body + // specified as a local object reference. + // Only a reference to ConfigMap is supported. + // + // The value of key `response.body` in the ConfigMap will be used + // as the response body. + // If the key is not found, the first value in the ConfigMap will + // be used. + valueRef?: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the referent. For example "HTTPRoute" or + // "Service". + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + } + } + + // Content Type of the response. This will be set in the + // Content-Type header. + contentType?: string + + // Status Code of the Custom Response + // If unset, does not override the status of response. + statusCode?: int + } + }] + + // Retry provides more advanced usage, allowing users to customize + // the number of retries, retry fallback strategy, and retry + // triggering conditions. + // If not set, retry will be disabled. + retry?: { + // NumRetries is the number of retries to be attempted. Defaults + // to 2. + numRetries?: int32 & int & >=0 | *2 + + // PerRetry is the retry policy to be applied per retry attempt. + perRetry?: { + // Backoff is the backoff policy to be applied per retry attempt. + // gateway uses a fully jittered exponential + // back-off algorithm for retries. 
For additional details, + // see + // https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + backOff?: { + // BaseInterval is the base interval between retries. + baseInterval?: string + + // MaxInterval is the maximum interval between retries. This + // parameter is optional, but must be greater than or equal to + // the base_interval if set. + // The default is 10 times the base_interval + maxInterval?: string + } + + // Timeout is the timeout per retry attempt. + timeout?: string + } + + // RetryOn specifies the retry trigger condition. + // + // If not specified, the default is to retry on + // connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + retryOn?: { + // HttpStatusCodes specifies the http status codes to be retried. + // The retriable-status-codes trigger must also be configured for + // these status codes to trigger a retry. + httpStatusCodes?: [...int & <600 & >=100] + + // Triggers specifies the retry trigger condition(Http/Grpc). + triggers?: [..."5xx" | "gateway-error" | "reset" | "connect-failure" | "retriable-4xx" | "refused-stream" | "retriable-status-codes" | "cancelled" | "deadline-exceeded" | "internal" | "resource-exhausted" | "unavailable"] + } + } + + // TargetRef is the name of the resource this policy is being + // attached to. + // This policy and the TargetRef MUST be in the same namespace for + // this + // Policy to have effect + // + // Deprecated: use targetRefs/targetSelectors instead + targetRef?: { + // Group is the group of the target resource. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the target resource. + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the target resource. 
+ name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // SectionName is the name of a section within the target + // resource. When + // unspecified, this targetRef targets the entire resource. In the + // following + // resources, SectionName is interpreted as the following: + // + // * Gateway: Listener name + // * HTTPRoute: HTTPRouteRule name + // * Service: Port name + // + // If a SectionName is specified, but does not exist on the + // targeted object, + // the Policy must fail to attach, and the policy implementation + // should record + // a `ResolvedRefs` or similar Condition in the Policy's status. + sectionName?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + } + + // TargetRefs are the names of the Gateway resources this policy + // is being attached to. + targetRefs?: [...{ + // Group is the group of the target resource. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the target resource. + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the target resource. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // SectionName is the name of a section within the target + // resource. When + // unspecified, this targetRef targets the entire resource. In the + // following + // resources, SectionName is interpreted as the following: + // + // * Gateway: Listener name + // * HTTPRoute: HTTPRouteRule name + // * Service: Port name + // + // If a SectionName is specified, but does not exist on the + // targeted object, + // the Policy must fail to attach, and the policy implementation + // should record + // a `ResolvedRefs` or similar Condition in the Policy's status. 
+ sectionName?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + }] + + // TargetSelectors allow targeting resources for this policy based + // on labels + targetSelectors?: [...{ + // Group is the group that this selector targets. Defaults to + // gateway.networking.k8s.io + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"gateway.networking.k8s.io" + + // Kind is the resource kind that this selector targets. + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // MatchLabels are the set of label selectors for identifying the + // targeted resource + matchLabels!: close({ + [string]: string + }) + }] + + // TcpKeepalive settings associated with the upstream client + // connection. + // Disabled by default. + tcpKeepalive?: { + // The duration a connection needs to be idle before keep-alive + // probes start being sent. + // The duration format is + // Defaults to `7200s`. + idleTime?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // The duration between keep-alive probes. + // Defaults to `75s`. + interval?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // The total number of unacknowledged probes to send before + // deciding + // the connection is dead. + // Defaults to 9. + probes?: int32 + } + + // Timeout settings for the backend connections. + timeout?: { + // Timeout settings for HTTP. + http?: { + // The idle timeout for an HTTP connection. Idle time is defined + // as a period in which there are no active requests in the + // connection. + // Default: 1 hour. + connectionIdleTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // The maximum duration of an HTTP connection. + // Default: unlimited. + maxConnectionDuration?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // RequestTimeout is the time until which entire response is + // received from the upstream. 
+ requestTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + } + tcp?: { + // The timeout for network connection establishment, including TCP + // and TLS handshakes. + // Default: 10 seconds. + connectTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + } + } + + // UseClientProtocol configures Envoy to prefer sending requests + // to backends using + // the same HTTP protocol that the incoming request used. Defaults + // to false, which means + // that Envoy will use the protocol indicated by the attached + // BackendRef. + useClientProtocol?: bool +} diff --git a/k8s/timoni/gateway/cue.mod/gen/gateway.envoyproxy.io/clienttrafficpolicy/v1alpha1/types_gen.cue b/k8s/timoni/gateway/cue.mod/gen/gateway.envoyproxy.io/clienttrafficpolicy/v1alpha1/types_gen.cue new file mode 100644 index 000000000..b85f7eb1a --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/gateway.envoyproxy.io/clienttrafficpolicy/v1alpha1/types_gen.cue 
@@ -0,0 +1,661 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/envoyproxy/gateway/releases/download/v1.3.0/install.yaml + +package v1alpha1 + +import ( + "strings" + "list" +) + +// ClientTrafficPolicy allows the user to configure the behavior +// of the connection +// between the downstream client and Envoy Proxy listener. +#ClientTrafficPolicy: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "gateway.envoyproxy.io/v1alpha1" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "ClientTrafficPolicy" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Spec defines the desired state of ClientTrafficPolicy. + spec!: #ClientTrafficPolicySpec +} + +// Spec defines the desired state of ClientTrafficPolicy. +#ClientTrafficPolicySpec: { + // ClientIPDetectionSettings provides configuration for + // determining the original client IP address for requests. + clientIPDetection?: { + // CustomHeader provides configuration for determining the client + // IP address for a request based on + // a trusted custom HTTP header. This uses the custom_header + // original IP detection extension. 
+ // Refer to + // https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto + // for more details. + customHeader?: { + // FailClosed is a switch used to control the flow of traffic when + // client IP detection + // fails. If set to true, the listener will respond with 403 + // Forbidden when the client + // IP address cannot be determined. + failClosed?: bool + + // Name of the header containing the original downstream remote + // address, if present. + name!: strings.MaxRunes(255) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9-]+$" + } + } + + // XForwardedForSettings provides configuration for using + // X-Forwarded-For headers for determining the client IP address. + xForwardedFor?: { + // NumTrustedHops controls the number of additional ingress proxy + // hops from the right side of XFF HTTP + // headers to trust when determining the origin client's IP + // address. + // Only one of NumTrustedHops and TrustedCIDRs must be set. + numTrustedHops?: int32 + + // TrustedCIDRs is a list of CIDR ranges to trust when evaluating + // the remote IP address to determine the original client’s IP + // address. + // When the remote IP address matches a trusted CIDR and the + // x-forwarded-for header was sent, + // each entry in the x-forwarded-for header is evaluated from + // right to left + // and the first public non-trusted address is used as the + // original client address. + // If all addresses in x-forwarded-for are within the trusted + // list, the first (leftmost) entry is used. + // Only one of NumTrustedHops and TrustedCIDRs must be set. 
+ trustedCIDRs?: [...=~"((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\/([0-9]+))|((([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\\/([0-9]+))"] & [_, ...] + } + } + + // Connection includes client connection settings. + connection?: { + // BufferLimit provides configuration for the maximum buffer size + // in bytes for each incoming connection. + // BufferLimit applies to connection streaming (maybe + // non-streaming) channel between processes, it's in user space. + // For example, 20Mi, 1Gi, 256Ki etc. + // Note that when the suffix is not provided, the value is + // interpreted as bytes. + // Default: 32768 bytes. + bufferLimit?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + + // ConnectionLimit defines limits related to connections + connectionLimit?: { + // CloseDelay defines the delay to use before closing connections + // that are rejected + // once the limit value is reached. + // Default: none. + closeDelay?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // Value of the maximum concurrent connections limit. 
+ // When the limit is reached, incoming connections will be closed + // after the CloseDelay duration. + value!: int64 & >=1 + } + + // SocketBufferLimit provides configuration for the maximum buffer + // size in bytes for each incoming socket. + // SocketBufferLimit applies to socket streaming channel between + // TCP/IP stacks, it's in kernel space. + // For example, 20Mi, 1Gi, 256Ki etc. + // Note that when the suffix is not provided, the value is + // interpreted as bytes. + socketBufferLimit?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + } + + // EnableProxyProtocol interprets the ProxyProtocol header and + // adds the + // Client Address into the X-Forwarded-For header. + // Note Proxy Protocol must be present when this field is set, + // else the connection + // is closed. + enableProxyProtocol?: bool + + // HeaderSettings provides configuration for header management. + headers?: { + // DisableRateLimitHeaders configures Envoy Proxy to omit the + // "X-RateLimit-" response headers + // when rate limiting is enabled. + disableRateLimitHeaders?: bool + + // EarlyRequestHeaders defines settings for early request header + // modification, before envoy performs + // routing, tracing and built-in header manipulation. + earlyRequestHeaders?: { + // Add adds the given header(s) (name, value) to the request + // before the action. It appends to any existing values associated + // with the header name. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // add: + // - name: "my-header" + // value: "bar,baz" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: foo,bar,baz + add?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. 
Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + + // Remove the given header(s) from the HTTP request before the + // action. The + // value of Remove is a list of HTTP header names. Note that the + // header + // names are case-insensitive (see + // https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + // + // Input: + // GET /foo HTTP/1.1 + // my-header1: foo + // my-header2: bar + // my-header3: baz + // + // Config: + // remove: ["my-header1", "my-header3"] + // + // Output: + // GET /foo HTTP/1.1 + // my-header2: bar + remove?: list.MaxItems(16) & [...string] + + // Set overwrites the request with the given header (name, value) + // before the action. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // set: + // - name: "my-header" + // value: "bar" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: bar + set?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. 
Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + } + + // EnableEnvoyHeaders configures Envoy Proxy to add the "X-Envoy-" + // headers to requests + // and responses. + enableEnvoyHeaders?: bool + + // PreserveXRequestID configures Envoy to keep the X-Request-ID + // header if passed for a request that is edge + // (Edge request is the request from external clients to front + // Envoy) and not reset it, which is the current Envoy behaviour. + // It defaults to false. + preserveXRequestID?: bool + + // WithUnderscoresAction configures the action to take when an + // HTTP header with underscores + // is encountered. The default action is to reject the request. + withUnderscoresAction?: "Allow" | "RejectRequest" | "DropHeader" + + // XForwardedClientCert configures how Envoy Proxy handle the + // x-forwarded-client-cert (XFCC) HTTP header. + // + // x-forwarded-client-cert (XFCC) is an HTTP header used to + // forward the certificate + // information of part or all of the clients or proxies that a + // request has flowed through, + // on its way from the client to the server. + // + // Envoy proxy may choose to sanitize/append/forward the XFCC + // header before proxying the request. + // + // If not set, the default behavior is sanitizing the XFCC header. + xForwardedClientCert?: { + // CertDetailsToAdd specifies the fields in the client certificate + // to be forwarded in the XFCC header. + // + // Hash(the SHA 256 digest of the current client certificate) and + // By(the Subject Alternative Name) + // are always included if the client certificate is forwarded. 
+ // + // This field is only applicable when the mode is set to + // `AppendForward` or + // `SanitizeSet` and the client connection is mTLS. + certDetailsToAdd?: list.MaxItems(5) & [..."Subject" | "Cert" | "Chain" | "DNS" | "URI"] + + // Mode defines how XFCC header is handled by Envoy Proxy. + // If not set, the default mode is `Sanitize`. + mode?: "Sanitize" | "ForwardOnly" | "AppendForward" | "SanitizeSet" | "AlwaysForwardOnly" + } + } + healthCheck?: { + // Path specifies the HTTP path to match on for health check + // requests. + path!: strings.MaxRunes(1024) & strings.MinRunes(1) + } + + // HTTP1 provides HTTP/1 configuration on the listener. + http1?: { + // EnableTrailers defines if HTTP/1 trailers should be proxied by + // Envoy. + enableTrailers?: bool + http10?: { + // UseDefaultHost defines if the HTTP/1.0 request is missing the + // Host header, + // then the hostname associated with the listener should be + // injected into the + // request. + // If this is not set and an HTTP/1.0 request arrives without a + // host, then + // it will be rejected. + useDefaultHost?: bool + } + + // PreserveHeaderCase defines if Envoy should preserve the letter + // case of headers. + // By default, Envoy will lowercase all the headers. + preserveHeaderCase?: bool + } + + // HTTP2 provides HTTP/2 configuration on the listener. + http2?: { + // InitialConnectionWindowSize sets the initial window size for + // HTTP/2 connections. + // If not set, the default value is 1 MiB. + initialConnectionWindowSize?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + + // InitialStreamWindowSize sets the initial window size for HTTP/2 + // streams. + // If not set, the default value is 64 KiB(64*1024). 
+ initialStreamWindowSize?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + + // MaxConcurrentStreams sets the maximum number of concurrent + // streams allowed per connection. + // If not set, the default value is 100. + maxConcurrentStreams?: int32 & >=1 + + // OnInvalidMessage determines if Envoy will terminate the + // connection or just the offending stream in the event of HTTP + // messaging error + // It's recommended for L2 Envoy deployments to set this value to + // TerminateStream. + // https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + // Default: TerminateConnection + onInvalidMessage?: string + } + + // HTTP3 provides HTTP/3 configuration on the listener. + http3?: {} + + // Path enables managing how the incoming path set by clients can + // be normalized. + path?: { + // DisableMergeSlashes allows disabling the default configuration + // of merging adjacent + // slashes in the path. + // Note that slash merging is not part of the HTTP spec and is + // provided for convenience. + disableMergeSlashes?: bool + + // EscapedSlashesAction determines how %2f, %2F, %5c, or %5C + // sequences in the path URI + // should be handled. + // The default is UnescapeAndRedirect. + escapedSlashesAction?: "KeepUnchanged" | "RejectRequest" | "UnescapeAndForward" | "UnescapeAndRedirect" + } + + // TargetRef is the name of the resource this policy is being + // attached to. + // This policy and the TargetRef MUST be in the same namespace for + // this + // Policy to have effect + // + // Deprecated: use targetRefs/targetSelectors instead + targetRef?: { + // Group is the group of the target resource. 
+ group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the target resource. + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the target resource. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // SectionName is the name of a section within the target + // resource. When + // unspecified, this targetRef targets the entire resource. In the + // following + // resources, SectionName is interpreted as the following: + // + // * Gateway: Listener name + // * HTTPRoute: HTTPRouteRule name + // * Service: Port name + // + // If a SectionName is specified, but does not exist on the + // targeted object, + // the Policy must fail to attach, and the policy implementation + // should record + // a `ResolvedRefs` or similar Condition in the Policy's status. + sectionName?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + } + + // TargetRefs are the names of the Gateway resources this policy + // is being attached to. + targetRefs?: [...{ + // Group is the group of the target resource. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the target resource. + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the target resource. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // SectionName is the name of a section within the target + // resource. When + // unspecified, this targetRef targets the entire resource. 
In the + // following + // resources, SectionName is interpreted as the following: + // + // * Gateway: Listener name + // * HTTPRoute: HTTPRouteRule name + // * Service: Port name + // + // If a SectionName is specified, but does not exist on the + // targeted object, + // the Policy must fail to attach, and the policy implementation + // should record + // a `ResolvedRefs` or similar Condition in the Policy's status. + sectionName?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + }] + + // TargetSelectors allow targeting resources for this policy based + // on labels + targetSelectors?: [...{ + // Group is the group that this selector targets. Defaults to + // gateway.networking.k8s.io + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"gateway.networking.k8s.io" + + // Kind is the resource kind that this selector targets. + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // MatchLabels are the set of label selectors for identifying the + // targeted resource + matchLabels!: close({ + [string]: string + }) + }] + + // TcpKeepalive settings associated with the downstream client + // connection. + // If defined, sets SO_KEEPALIVE on the listener socket to enable + // TCP Keepalives. + // Disabled by default. + tcpKeepalive?: { + // The duration a connection needs to be idle before keep-alive + // probes start being sent. + // The duration format is + // Defaults to `7200s`. + idleTime?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // The duration between keep-alive probes. + // Defaults to `75s`. + interval?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // The total number of unacknowledged probes to send before + // deciding + // the connection is dead. + // Defaults to 9. + probes?: int32 + } + + // Timeout settings for the client connections. 
+ timeout?: { + // Timeout settings for HTTP. + http?: { + // IdleTimeout for an HTTP connection. Idle time is defined as a + // period in which there are no active requests in the + // connection. + // Default: 1 hour. + idleTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // RequestReceivedTimeout is the duration envoy waits for the + // complete request reception. This timer starts upon request + // initiation and stops when either the last byte of the request + // is sent upstream or when the response begins. + requestReceivedTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + } + tcp?: { + // IdleTimeout for a TCP connection. Idle time is defined as a + // period in which there are no + // bytes sent or received on either the upstream or downstream + // connection. + // Default: 1 hour. + idleTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + } + } + + // TLS settings configure TLS termination settings with the + // downstream client. + tls?: { + // ALPNProtocols supplies the list of ALPN protocols that should + // be + // exposed by the listener or used by the proxy to connect to the + // backend. + // Defaults: + // 1. HTTPS Routes: h2 and http/1.1 are enabled in listener + // context. + // 2. Other Routes: ALPN is disabled. + // 3. Backends: proxy uses the appropriate ALPN options for the + // backend protocol. + // When an empty list is provided, the ALPN TLS extension is + // disabled. + // Supported values are: + // - http/1.0 + // - http/1.1 + // - h2 + alpnProtocols?: [..."http/1.0" | "http/1.1" | "h2"] + + // Ciphers specifies the set of cipher suites supported when + // negotiating TLS 1.0 - 1.2. This setting has no effect for TLS + // 1.3. 
+ // In non-FIPS Envoy Proxy builds the default cipher list is: + // - [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] + // - [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] + // - ECDHE-ECDSA-AES256-GCM-SHA384 + // - ECDHE-RSA-AES256-GCM-SHA384 + // In builds using BoringSSL FIPS the default cipher list is: + // - ECDHE-ECDSA-AES128-GCM-SHA256 + // - ECDHE-RSA-AES128-GCM-SHA256 + // - ECDHE-ECDSA-AES256-GCM-SHA384 + // - ECDHE-RSA-AES256-GCM-SHA384 + ciphers?: [...string] + + // ClientValidation specifies the configuration to validate the + // client + // initiating the TLS connection to the Gateway listener. + clientValidation?: { + // CACertificateRefs contains one or more references to + // Kubernetes objects that contain TLS certificates of + // the Certificate Authorities that can be used + // as a trust anchor to validate the certificates presented by the + // client. + // + // A single reference to a Kubernetes ConfigMap or a Kubernetes + // Secret, + // with the CA certificate in a key named `ca.crt` is currently + // supported. + // + // References to a resource in different namespace are invalid + // UNLESS there + // is a ReferenceGrant in the target namespace that allows the + // certificate + // to be attached. + caCertificateRefs?: list.MaxItems(8) & [...{ + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is kind of the referent. For example "Secret". + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Secret" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the referenced object. When + // unspecified, the local + // namespace is inferred. 
+ // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + }] + + // Optional set to true accepts connections even when a client + // doesn't present a certificate. + // Defaults to false, which rejects connections without a valid + // client certificate. + optional?: bool + } + + // ECDHCurves specifies the set of supported ECDH curves. + // In non-FIPS Envoy Proxy builds the default curves are: + // - X25519 + // - P-256 + // In builds using BoringSSL FIPS the default curve is: + // - P-256 + ecdhCurves?: [...string] + + // Max specifies the maximal TLS protocol version to allow + // The default is TLS 1.3 if this is not specified. + maxVersion?: "Auto" | "1.0" | "1.1" | "1.2" | "1.3" + + // Min specifies the minimal TLS protocol version to allow. + // The default is TLS 1.2 if this is not specified. + minVersion?: "Auto" | "1.0" | "1.1" | "1.2" | "1.3" + session?: { + // Resumption determines the proxy's supported TLS session + // resumption option. + // By default, Envoy Gateway does not enable session resumption. + // Use sessionResumption to + // enable stateful and stateless session resumption. Users should + // consider security impacts + // of different resumption methods. Performance gains from + // resumption are diminished when + // Envoy proxy is deployed with more than one replica. 
+ resumption?: { + // Stateful defines setting for stateful (session-id based) + // session resumption + stateful?: {} + + // Stateless defines setting for stateless (session-ticket based) + // session resumption + stateless?: {} + } + } + + // SignatureAlgorithms specifies which signature algorithms the + // listener should + // support. + signatureAlgorithms?: [...string] + } +} diff --git a/k8s/timoni/gateway/cue.mod/gen/gateway.envoyproxy.io/envoyextensionpolicy/v1alpha1/types_gen.cue b/k8s/timoni/gateway/cue.mod/gen/gateway.envoyproxy.io/envoyextensionpolicy/v1alpha1/types_gen.cue new file mode 100644 index 000000000..d9a7d48a0 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/gateway.envoyproxy.io/envoyextensionpolicy/v1alpha1/types_gen.cue 
@@ -0,0 +1,931 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/envoyproxy/gateway/releases/download/v1.3.0/install.yaml + +package v1alpha1 + +import ( + "strings" + "list" +) + +// EnvoyExtensionPolicy allows the user to configure various envoy +// extensibility options for the Gateway. +#EnvoyExtensionPolicy: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "gateway.envoyproxy.io/v1alpha1" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "EnvoyExtensionPolicy" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Spec defines the desired state of EnvoyExtensionPolicy. + spec!: #EnvoyExtensionPolicySpec +} + +// Spec defines the desired state of EnvoyExtensionPolicy. +#EnvoyExtensionPolicySpec: { + // ExtProc is an ordered list of external processing filters + // that should be added to the envoy filter chain + extProc?: list.MaxItems(16) & [...{ + // BackendRef references a Kubernetes object that represents the + // backend server to which the authorization request will be sent. + // + // Deprecated: Use BackendRefs instead. + backendRef?: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". 
+ // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. + // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. + // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. 
+ port?: uint16 & >=1 + } + + // BackendRefs references a Kubernetes object that represents the + // backend server to which the authorization request will be sent. + backendRefs?: list.MaxItems(16) & [...{ + // Fallback indicates whether the backend is designated as a + // fallback. + // Multiple fallback backends can be configured. + // It is highly recommended to configure active or passive health + // checks to ensure that failover can be detected + // when the active backends become unhealthy and to automatically + // readjust once the primary backends are healthy again. + // The overprovisioning factor is set to 1.4, meaning the fallback + // backends will only start receiving traffic when + // the health of the active backends falls below 72%. + fallback?: bool + + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. + // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. 
When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. + // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. + port?: uint16 & >=1 + }] + + // BackendSettings holds configuration for managing the connection + // to the backend. + backendSettings?: { + // Circuit Breaker settings for the upstream connections and + // requests. + // If not set, circuit breakers will be enabled with the default + // thresholds + circuitBreaker?: { + // The maximum number of connections that Envoy will establish to + // the referenced backend defined within a xRoute rule. + maxConnections?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of parallel requests that Envoy will make to + // the referenced backend defined within a xRoute rule. + maxParallelRequests?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of parallel retries that Envoy will make to + // the referenced backend defined within a xRoute rule. + maxParallelRetries?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of pending requests that Envoy will queue to + // the referenced backend defined within a xRoute rule. 
+ maxPendingRequests?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of requests that Envoy will make over a + // single connection to the referenced backend defined within a + // xRoute rule. + // Default: unlimited. + maxRequestsPerConnection?: uint32 + } + + // Connection includes backend connection settings. + connection?: { + // BufferLimit Soft limit on size of the cluster’s connections + // read and write buffers. + // BufferLimit applies to connection streaming (maybe + // non-streaming) channel between processes, it's in user space. + // If unspecified, an implementation defined default is applied + // (32768 bytes). + // For example, 20Mi, 1Gi, 256Ki etc. + // Note: that when the suffix is not provided, the value is + // interpreted as bytes. + bufferLimit?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + + // SocketBufferLimit provides configuration for the maximum buffer + // size in bytes for each socket + // to backend. + // SocketBufferLimit applies to socket streaming channel between + // TCP/IP stacks, it's in kernel space. + // For example, 20Mi, 1Gi, 256Ki etc. + // Note that when the suffix is not provided, the value is + // interpreted as bytes. + socketBufferLimit?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + } + + // DNS includes dns resolution settings. + dns?: { + // DNSRefreshRate specifies the rate at which DNS records should + // be refreshed. + // Defaults to 30 seconds. 
+ dnsRefreshRate?: string + + // RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) + // should be respected. + // If the value is set to true, the DNS refresh rate will be set + // to the resource record’s TTL. + // Defaults to true. + respectDnsTtl?: bool + } + + // HealthCheck allows gateway to perform active health checking on + // backends. + healthCheck?: { + // Active health check configuration + active?: { + grpc?: { + // Service to send in the health check request. + // If this is not specified, then the health check request applies + // to the entire + // server and not to a specific service. + service?: string + } + + // HealthyThreshold defines the number of healthy health checks + // required before a backend host is marked healthy. + healthyThreshold?: int32 & int & >=1 | *1 + + // HTTP defines the configuration of http health checker. + // It's required while the health checker type is HTTP. + http?: { + // ExpectedResponse defines a list of HTTP expected responses to + // match. + expectedResponse?: { + // Binary payload base64 encoded. + binary?: string + + // Text payload in plain text. + text?: string + + // Type defines the type of the payload. + type!: matchN(2, ["Text" | "Binary", "Text" | "Binary"]) + } + + // ExpectedStatuses defines a list of HTTP response statuses + // considered healthy. + // Defaults to 200 only + expectedStatuses?: [...int & <600 & >=100] + + // Method defines the HTTP method used for health checking. + // Defaults to GET + method?: string + + // Path defines the HTTP path that will be requested during health + // checking. + path!: strings.MaxRunes(1024) & strings.MinRunes(1) + } + + // Interval defines the time between active health checks. + interval?: string | *"3s" + + // TCP defines the configuration of tcp health checker. + // It's required while the health checker type is TCP. + tcp?: { + // Receive defines the expected response payload. + receive?: { + // Binary payload base64 encoded. 
+ binary?: string + + // Text payload in plain text. + text?: string + + // Type defines the type of the payload. + type!: matchN(2, ["Text" | "Binary", "Text" | "Binary"]) + } + + // Send defines the request payload. + send?: { + // Binary payload base64 encoded. + binary?: string + + // Text payload in plain text. + text?: string + + // Type defines the type of the payload. + type!: matchN(2, ["Text" | "Binary", "Text" | "Binary"]) + } + } + + // Timeout defines the time to wait for a health check response. + timeout?: string | *"1s" + + // Type defines the type of health checker. + type!: matchN(2, ["HTTP" | "TCP" | "GRPC", "HTTP" | "TCP" | "GRPC"]) + + // UnhealthyThreshold defines the number of unhealthy health + // checks required before a backend host is marked unhealthy. + unhealthyThreshold?: int32 & int & >=1 | *3 + } + + // Passive passive check configuration + passive?: { + // BaseEjectionTime defines the base duration for which a host + // will be ejected on consecutive failures. + baseEjectionTime?: string | *"30s" + + // Consecutive5xxErrors sets the number of consecutive 5xx errors + // triggering ejection. + consecutive5XxErrors?: int32 & int | *5 + + // ConsecutiveGatewayErrors sets the number of consecutive gateway + // errors triggering ejection. + consecutiveGatewayErrors?: int32 & int | *0 + + // ConsecutiveLocalOriginFailures sets the number of consecutive + // local origin failures triggering ejection. + // Parameter takes effect only when + // split_external_local_origin_errors is set to true. + consecutiveLocalOriginFailures?: int32 & int | *5 + + // Interval defines the time between passive health checks. + interval?: string | *"3s" + + // MaxEjectionPercent sets the maximum percentage of hosts in a + // cluster that can be ejected. + maxEjectionPercent?: int32 & int | *10 + + // SplitExternalLocalOriginErrors enables splitting of errors + // between external and local origin. 
+ splitExternalLocalOriginErrors?: bool | *false + } + } + + // HTTP2 provides HTTP/2 configuration for backend connections. + http2?: { + // InitialConnectionWindowSize sets the initial window size for + // HTTP/2 connections. + // If not set, the default value is 1 MiB. + initialConnectionWindowSize?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + + // InitialStreamWindowSize sets the initial window size for HTTP/2 + // streams. + // If not set, the default value is 64 KiB(64*1024). + initialStreamWindowSize?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + + // MaxConcurrentStreams sets the maximum number of concurrent + // streams allowed per connection. + // If not set, the default value is 100. + maxConcurrentStreams?: int32 & >=1 + + // OnInvalidMessage determines if Envoy will terminate the + // connection or just the offending stream in the event of HTTP + // messaging error + // It's recommended for L2 Envoy deployments to set this value to + // TerminateStream. + // https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + // Default: TerminateConnection + onInvalidMessage?: string + } + + // LoadBalancer policy to apply when routing traffic from the + // gateway to + // the backend endpoints. Defaults to `LeastRequest`. + loadBalancer?: { + // ConsistentHash defines the configuration when the load balancer + // type is + // set to ConsistentHash + consistentHash?: { + // Cookie configures the cookie hash policy when the consistent + // hash type is set to Cookie. 
+ cookie?: { + // Additional Attributes to set for the generated cookie. + attributes?: close({ + [string]: string + }) + + // Name of the cookie to hash. + // If this cookie does not exist in the request, Envoy will + // generate a cookie and set + // the TTL on the response back to the client based on Layer 4 + // attributes of the backend endpoint, to ensure that these future + // requests + // go to the same backend endpoint. Make sure to set the TTL field + // for this case. + name!: string + + // TTL of the generated cookie if the cookie is not present. This + // value sets the + // Max-Age attribute value. + ttl?: string + } + header?: { + // Name of the header to hash. + name!: string + } + + // The table size for consistent hashing, must be prime number + // limited to 5000011. + tableSize?: int64 & int & <=5000011 & >=2 | *65537 + + // ConsistentHashType defines the type of input to hash on. Valid + // Type values are + // "SourceIP", + // "Header", + // "Cookie". + type!: "SourceIP" | "Header" | "Cookie" + } + slowStart?: { + // Window defines the duration of the warm up period for newly + // added host. + // During slow start window, traffic sent to the newly added hosts + // will gradually increase. + // Currently only supports linear growth of traffic. For + // additional details, + // see + // https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + window!: string + } + + // Type decides the type of Load Balancer policy. + // Valid LoadBalancerType values are + // "ConsistentHash", + // "LeastRequest", + // "Random", + // "RoundRobin". 
+ type!: "ConsistentHash" | "LeastRequest" | "Random" | "RoundRobin" + } + proxyProtocol?: { + // Version of ProxyProtol + // Valid ProxyProtocolVersion values are + // "V1" + // "V2" + version!: "V1" | "V2" + } + + // Retry provides more advanced usage, allowing users to customize + // the number of retries, retry fallback strategy, and retry + // triggering conditions. + // If not set, retry will be disabled. + retry?: { + // NumRetries is the number of retries to be attempted. Defaults + // to 2. + numRetries?: int32 & int & >=0 | *2 + + // PerRetry is the retry policy to be applied per retry attempt. + perRetry?: { + // Backoff is the backoff policy to be applied per retry attempt. + // gateway uses a fully jittered exponential + // back-off algorithm for retries. For additional details, + // see + // https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + backOff?: { + // BaseInterval is the base interval between retries. + baseInterval?: string + + // MaxInterval is the maximum interval between retries. This + // parameter is optional, but must be greater than or equal to + // the base_interval if set. + // The default is 10 times the base_interval + maxInterval?: string + } + + // Timeout is the timeout per retry attempt. + timeout?: string + } + + // RetryOn specifies the retry trigger condition. + // + // If not specified, the default is to retry on + // connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + retryOn?: { + // HttpStatusCodes specifies the http status codes to be retried. + // The retriable-status-codes trigger must also be configured for + // these status codes to trigger a retry. + httpStatusCodes?: [...int & <600 & >=100] + + // Triggers specifies the retry trigger condition(Http/Grpc). 
+ triggers?: [..."5xx" | "gateway-error" | "reset" | "connect-failure" | "retriable-4xx" | "refused-stream" | "retriable-status-codes" | "cancelled" | "deadline-exceeded" | "internal" | "resource-exhausted" | "unavailable"] + } + } + + // TcpKeepalive settings associated with the upstream client + // connection. + // Disabled by default. + tcpKeepalive?: { + // The duration a connection needs to be idle before keep-alive + // probes start being sent. + // The duration format is + // Defaults to `7200s`. + idleTime?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // The duration between keep-alive probes. + // Defaults to `75s`. + interval?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // The total number of unacknowledged probes to send before + // deciding + // the connection is dead. + // Defaults to 9. + probes?: int32 + } + + // Timeout settings for the backend connections. + timeout?: { + // Timeout settings for HTTP. + http?: { + // The idle timeout for an HTTP connection. Idle time is defined + // as a period in which there are no active requests in the + // connection. + // Default: 1 hour. + connectionIdleTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // The maximum duration of an HTTP connection. + // Default: unlimited. + maxConnectionDuration?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // RequestTimeout is the time until which entire response is + // received from the upstream. + requestTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + } + tcp?: { + // The timeout for network connection establishment, including TCP + // and TLS handshakes. + // Default: 10 seconds. + connectTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + } + } + } + + // FailOpen defines if requests or responses that cannot be + // processed due to connectivity to the + // external processor are terminated or passed-through. 
+ // Default: false + failOpen?: bool + + // MessageTimeout is the timeout for a response to be returned + // from the external processor + // Default: 200ms + messageTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // Metadata defines options related to the sending and receiving + // of dynamic metadata. + // These options define which metadata namespaces would be sent to + // the processor and which dynamic metadata + // namespaces the processor would be permitted to emit metadata + // to. + // Users can specify custom namespaces or well-known envoy + // metadata namespace (such as envoy.filters.http.ext_authz) + // documented here: + // https://www.envoyproxy.io/docs/envoy/latest/configuration/advanced/well_known_dynamic_metadata#well-known-dynamic-metadata + // Default: no metadata context is sent or received from the + // external processor + metadata?: { + // AccessibleNamespaces are metadata namespaces that are sent to + // the external processor as context + accessibleNamespaces?: [...string] + + // WritableNamespaces are metadata namespaces that the external + // processor can write to + writableNamespaces?: list.MaxItems(8) & [...string] + } + + // ProcessingMode defines how request and response body is + // processed + // Default: header and body are not sent to the external processor + processingMode?: { + // AllowModeOverride allows the external processor to override the + // processing mode set via the + // `mode_override` field in the gRPC response message. This + // defaults to false. + allowModeOverride?: bool + + // Defines processing mode for requests. If present, request + // headers are sent. Request body is processed according + // to the specified mode. + request?: { + // Defines which attributes are sent to the external processor. + // Envoy Gateway currently + // supports only the following attribute prefixes: connection, + // source, destination, + // request, response, upstream and xds.route. 
+ // https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes + attributes?: [...=~"^(connection\\.|source\\.|destination\\.|request\\.|response\\.|upstream\\.|xds\\.route_)[a-z_1-9]*$"] + + // Defines body processing mode + body?: "Streamed" | "Buffered" | "BufferedPartial" + } + + // Defines processing mode for responses. If present, response + // headers are sent. Response body is processed according + // to the specified mode. + response?: { + // Defines which attributes are sent to the external processor. + // Envoy Gateway currently + // supports only the following attribute prefixes: connection, + // source, destination, + // request, response, upstream and xds.route. + // https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes + attributes?: [...=~"^(connection\\.|source\\.|destination\\.|request\\.|response\\.|upstream\\.|xds\\.route_)[a-z_1-9]*$"] + + // Defines body processing mode + body?: "Streamed" | "Buffered" | "BufferedPartial" + } + } + }] + + // Lua is an ordered list of Lua filters + // that should be added to the envoy filter chain + lua?: list.MaxItems(16) & [...{ + // Inline contains the source code as an inline string. + inline?: string + + // Type is the type of method to use to read the Lua value. + // Valid values are Inline and ValueRef, default is Inline. + type!: "Inline" | "ValueRef" | *"Inline" + + // ValueRef has the source code specified as a local object + // reference. + // Only a reference to ConfigMap is supported. + // The value of key `lua` in the ConfigMap will be used. + // If the key is not found, the first value in the ConfigMap will + // be used. + valueRef?: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the referent. 
For example "HTTPRoute" or + // "Service". + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + } + }] + + // TargetRef is the name of the resource this policy is being + // attached to. + // This policy and the TargetRef MUST be in the same namespace for + // this + // Policy to have effect + // + // Deprecated: use targetRefs/targetSelectors instead + targetRef?: { + // Group is the group of the target resource. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the target resource. + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the target resource. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // SectionName is the name of a section within the target + // resource. When + // unspecified, this targetRef targets the entire resource. In the + // following + // resources, SectionName is interpreted as the following: + // + // * Gateway: Listener name + // * HTTPRoute: HTTPRouteRule name + // * Service: Port name + // + // If a SectionName is specified, but does not exist on the + // targeted object, + // the Policy must fail to attach, and the policy implementation + // should record + // a `ResolvedRefs` or similar Condition in the Policy's status. + sectionName?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + } + + // TargetRefs are the names of the Gateway resources this policy + // is being attached to. + targetRefs?: [...{ + // Group is the group of the target resource. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the target resource. 
+ kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the target resource. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // SectionName is the name of a section within the target + // resource. When + // unspecified, this targetRef targets the entire resource. In the + // following + // resources, SectionName is interpreted as the following: + // + // * Gateway: Listener name + // * HTTPRoute: HTTPRouteRule name + // * Service: Port name + // + // If a SectionName is specified, but does not exist on the + // targeted object, + // the Policy must fail to attach, and the policy implementation + // should record + // a `ResolvedRefs` or similar Condition in the Policy's status. + sectionName?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + }] + + // TargetSelectors allow targeting resources for this policy based + // on labels + targetSelectors?: [...{ + // Group is the group that this selector targets. Defaults to + // gateway.networking.k8s.io + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"gateway.networking.k8s.io" + + // Kind is the resource kind that this selector targets. + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // MatchLabels are the set of label selectors for identifying the + // targeted resource + matchLabels!: close({ + [string]: string + }) + }] + + // Wasm is a list of Wasm extensions to be loaded by the Gateway. + // Order matters, as the extensions will be loaded in the order + // they are + // defined in this list. + wasm?: list.MaxItems(16) & [...{ + // Code is the Wasm code for the extension. + code!: { + // HTTP is the HTTP URL containing the Wasm code. + // + // Note that the HTTP server must be accessible from the Envoy + // proxy. 
+ http?: { + // SHA256 checksum that will be used to verify the Wasm code. + // + // If not specified, Envoy Gateway will not verify the downloaded + // Wasm code. + // kubebuilder:validation:Pattern=`^[a-f0-9]{64}$` + sha256?: string + + // URL is the URL containing the Wasm code. + url!: =~"^((https?:)(\\/\\/\\/?)([\\w]*(?::[\\w]*)?@)?([\\d\\w\\.-]+)(?::(\\d+))?)?([\\/\\\\\\w\\.()-]*)?(?:([?][^#]*)?(#.*)?)*" + } + + // Image is the OCI image containing the Wasm code. + // + // Note that the image must be accessible from the Envoy Gateway. + image?: { + // PullSecretRef is a reference to the secret containing the + // credentials to pull the image. + // Only support Kubernetes Secret resource from the same + // namespace. + pullSecretRef?: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is kind of the referent. For example "Secret". + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Secret" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the referenced object. When + // unspecified, the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + } + + // SHA256 checksum that will be used to verify the OCI image. + // + // It must match the digest of the OCI image. 
+ // + // If not specified, Envoy Gateway will not verify the downloaded + // OCI image. + // kubebuilder:validation:Pattern=`^[a-f0-9]{64}$` + sha256?: string + + // URL is the URL of the OCI image. + // URL can be in the format of `registry/image:tag` or + // `registry/image@sha256:digest`. + url!: string + } + + // PullPolicy is the policy to use when pulling the Wasm module by + // either the HTTP or Image source. + // This field is only applicable when the SHA256 field is not set. + // + // If not specified, the default policy is IfNotPresent except for + // OCI images whose tag is latest. + // + // Note: EG does not update the Wasm module every time an Envoy + // proxy requests + // the Wasm module even if the pull policy is set to Always. + // It only updates the Wasm module when the EnvoyExtension + // resource version changes. + pullPolicy?: "IfNotPresent" | "Always" + + // Type is the type of the source of the Wasm code. + // Valid WasmCodeSourceType values are "HTTP" or "Image". + type!: matchN(2, ["HTTP" | "Image", "HTTP" | "Image" | "ConfigMap"]) + } + + // Config is the configuration for the Wasm extension. + // This configuration will be passed as a JSON string to the Wasm + // extension. + config?: _ + env?: { + // HostKeys is a list of keys for environment variables from the + // host envoy process + // that should be passed into the Wasm VM. This is useful for + // passing secrets to to Wasm extensions. + hostKeys?: [...string] + } + + // FailOpen is a switch used to control the behavior when a fatal + // error occurs + // during the initialization or the execution of the Wasm + // extension. + // If FailOpen is set to true, the system bypasses the Wasm + // extension and + // allows the traffic to pass through. Otherwise, if it is set to + // false or + // not set (defaulting to false), the system blocks the traffic + // and returns + // an HTTP 5xx error. + failOpen?: bool | *false + + // Name is a unique name for this Wasm extension. 
It is used to + // identify the + // Wasm extension if multiple extensions are handled by the same + // vm_id and root_id. + // It's also used for logging/debugging. + // If not specified, EG will generate a unique name for the Wasm + // extension. + name?: string + + // RootID is a unique ID for a set of extensions in a VM which + // will share a + // RootContext and Contexts if applicable (e.g., an Wasm + // HttpFilter and an Wasm AccessLog). + // If left blank, all extensions with a blank root_id with the + // same vm_id will share Context(s). + // + // Note: RootID must match the root_id parameter used to register + // the Context in the Wasm code. + rootID?: string + }] +} diff --git a/k8s/timoni/gateway/cue.mod/gen/gateway.envoyproxy.io/envoypatchpolicy/v1alpha1/types_gen.cue b/k8s/timoni/gateway/cue.mod/gen/gateway.envoyproxy.io/envoypatchpolicy/v1alpha1/types_gen.cue new file mode 100644 index 000000000..f6b9cffcd --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/gateway.envoyproxy.io/envoypatchpolicy/v1alpha1/types_gen.cue 
@@ -0,0 +1,133 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/envoyproxy/gateway/releases/download/v1.3.0/install.yaml + +package v1alpha1 + +import "strings" + +// EnvoyPatchPolicy allows the user to modify the generated Envoy +// xDS +// resources by Envoy Gateway using this patch API +#EnvoyPatchPolicy: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "gateway.envoyproxy.io/v1alpha1" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "EnvoyPatchPolicy" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Spec defines the desired state of EnvoyPatchPolicy. + spec!: #EnvoyPatchPolicySpec +} + +// Spec defines the desired state of EnvoyPatchPolicy. +#EnvoyPatchPolicySpec: { + // JSONPatch defines the JSONPatch configuration. + jsonPatches?: [...{ + // Name is the name of the resource + name!: string + + // Patch defines the JSON Patch Operation + operation!: { + // From is the source location of the value to be copied or moved. + // Only valid + // for move or copy operations + // Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more + // details. + from?: string + + // JSONPath is a JSONPath expression. 
Refer to + // https://datatracker.ietf.org/doc/rfc9535/ for more details. + // It produces one or more JSONPointer expressions based on the + // given JSON document. + // If no JSONPointer is found, it will result in an error. + // If the 'Path' property is also set, it will be appended to the + // resulting JSONPointer expressions from the JSONPath + // evaluation. + // This is useful when creating a property that does not yet exist + // in the JSON document. + // The final JSONPointer expressions specifies the locations in + // the target document/field where the operation will be applied. + jsonPath?: string + + // Op is the type of operation to perform + op!: "add" | "remove" | "replace" | "move" | "copy" | "test" + + // Path is a JSONPointer expression. Refer to + // https://datatracker.ietf.org/doc/html/rfc6901 for more + // details. + // It specifies the location of the target document/field where + // the operation will be performed + path?: string + + // Value is the new value of the path location. The value is only + // used by + // the `add` and `replace` operations. + value?: _ + } + + // Type is the typed URL of the Envoy xDS Resource + type!: "type.googleapis.com/envoy.config.listener.v3.Listener" | "type.googleapis.com/envoy.config.route.v3.RouteConfiguration" | "type.googleapis.com/envoy.config.cluster.v3.Cluster" | "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment" | "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret" + }] + + // Priority of the EnvoyPatchPolicy. + // If multiple EnvoyPatchPolicies are applied to the same + // TargetRef, they will be applied in the ascending order of + // the priority i.e. int32.min has the highest priority and + // int32.max has the lowest priority. + // Defaults to 0. + priority?: int32 + + // TargetRef is the name of the Gateway API resource this policy + // is being attached to. 
+ // By default, attaching to Gateway is supported and + // when mergeGateways is enabled it should attach to GatewayClass. + // This Policy and the TargetRef MUST be in the same namespace + // for this Policy to have effect and be applied to the Gateway + // TargetRef + targetRef!: { + // Group is the group of the target resource. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the target resource. + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the target resource. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + } + + // Type decides the type of patch. + // Valid EnvoyPatchType values are "JSONPatch". + type!: "JSONPatch" +} diff --git a/k8s/timoni/gateway/cue.mod/gen/gateway.envoyproxy.io/envoyproxy/v1alpha1/types_gen.cue b/k8s/timoni/gateway/cue.mod/gen/gateway.envoyproxy.io/envoyproxy/v1alpha1/types_gen.cue new file mode 100644 index 000000000..d6b6b5610 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/gateway.envoyproxy.io/envoyproxy/v1alpha1/types_gen.cue 
@@ -0,0 +1,11340 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/envoyproxy/gateway/releases/download/v1.3.0/install.yaml + +package v1alpha1 + +import ( + "strings" + "list" +) + +// EnvoyProxy is the schema for the envoyproxies API. +#EnvoyProxy: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "gateway.envoyproxy.io/v1alpha1" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "EnvoyProxy" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // EnvoyProxySpec defines the desired state of EnvoyProxy. + spec!: #EnvoyProxySpec +} + +// EnvoyProxySpec defines the desired state of EnvoyProxy. +#EnvoyProxySpec: { + // BackendTLS is the TLS configuration for the Envoy proxy to use + // when connecting to backends. + // These settings are applied on backends for which TLS policies + // are specified. + backendTLS?: { + // ALPNProtocols supplies the list of ALPN protocols that should + // be + // exposed by the listener or used by the proxy to connect to the + // backend. + // Defaults: + // 1. HTTPS Routes: h2 and http/1.1 are enabled in listener + // context. + // 2. Other Routes: ALPN is disabled. + // 3. 
Backends: proxy uses the appropriate ALPN options for the + // backend protocol. + // When an empty list is provided, the ALPN TLS extension is + // disabled. + // Supported values are: + // - http/1.0 + // - http/1.1 + // - h2 + alpnProtocols?: [..."http/1.0" | "http/1.1" | "h2"] + + // Ciphers specifies the set of cipher suites supported when + // negotiating TLS 1.0 - 1.2. This setting has no effect for TLS + // 1.3. + // In non-FIPS Envoy Proxy builds the default cipher list is: + // - [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] + // - [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] + // - ECDHE-ECDSA-AES256-GCM-SHA384 + // - ECDHE-RSA-AES256-GCM-SHA384 + // In builds using BoringSSL FIPS the default cipher list is: + // - ECDHE-ECDSA-AES128-GCM-SHA256 + // - ECDHE-RSA-AES128-GCM-SHA256 + // - ECDHE-ECDSA-AES256-GCM-SHA384 + // - ECDHE-RSA-AES256-GCM-SHA384 + ciphers?: [...string] + + // ClientCertificateRef defines the reference to a Kubernetes + // Secret that contains + // the client certificate and private key for Envoy to use when + // connecting to + // backend services and external services, such as ExtAuth, ALS, + // OpenTelemetry, etc. + // This secret should be located within the same namespace as the + // Envoy proxy resource that references it. + clientCertificateRef?: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is kind of the referent. For example "Secret". + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Secret" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the referenced object. When + // unspecified, the local + // namespace is inferred. 
+ // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + } + + // ECDHCurves specifies the set of supported ECDH curves. + // In non-FIPS Envoy Proxy builds the default curves are: + // - X25519 + // - P-256 + // In builds using BoringSSL FIPS the default curve is: + // - P-256 + ecdhCurves?: [...string] + + // Max specifies the maximal TLS protocol version to allow + // The default is TLS 1.3 if this is not specified. + maxVersion?: "Auto" | "1.0" | "1.1" | "1.2" | "1.3" + + // Min specifies the minimal TLS protocol version to allow. + // The default is TLS 1.2 if this is not specified. + minVersion?: "Auto" | "1.0" | "1.1" | "1.2" | "1.3" + + // SignatureAlgorithms specifies which signature algorithms the + // listener should + // support. + signatureAlgorithms?: [...string] + } + + // Bootstrap defines the Envoy Bootstrap as a YAML string. + // Visit + // https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/bootstrap/v3/bootstrap.proto#envoy-v3-api-msg-config-bootstrap-v3-bootstrap + // to learn more about the syntax. + // If set, this is the Bootstrap configuration used for the + // managed Envoy Proxy fleet instead of the default Bootstrap + // configuration + // set by Envoy Gateway. + // Some fields within the Bootstrap that are required to + // communicate with the xDS Server (Envoy Gateway) and receive + // xDS resources + // from it are not configurable and will result in the + // `EnvoyProxy` resource being rejected. + // Backward compatibility across minor versions is not guaranteed. 
+ // We strongly recommend using `egctl x translate` to generate a + // `EnvoyProxy` resource with the `Bootstrap` field set to the + // default + // Bootstrap configuration used. You can edit this configuration, + // and rerun `egctl x translate` to ensure there are no + // validation errors. + bootstrap?: { + // JSONPatches is an array of JSONPatches to be applied to the + // default bootstrap. Patches are + // applied in the order in which they are defined. + jsonPatches?: [...{ + // From is the source location of the value to be copied or moved. + // Only valid + // for move or copy operations + // Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more + // details. + from?: string + + // JSONPath is a JSONPath expression. Refer to + // https://datatracker.ietf.org/doc/rfc9535/ for more details. + // It produces one or more JSONPointer expressions based on the + // given JSON document. + // If no JSONPointer is found, it will result in an error. + // If the 'Path' property is also set, it will be appended to the + // resulting JSONPointer expressions from the JSONPath + // evaluation. + // This is useful when creating a property that does not yet exist + // in the JSON document. + // The final JSONPointer expressions specifies the locations in + // the target document/field where the operation will be applied. + jsonPath?: string + + // Op is the type of operation to perform + op!: "add" | "remove" | "replace" | "move" | "copy" | "test" + + // Path is a JSONPointer expression. Refer to + // https://datatracker.ietf.org/doc/html/rfc6901 for more + // details. + // It specifies the location of the target document/field where + // the operation will be performed + path?: string + + // Value is the new value of the path location. The value is only + // used by + // the `add` and `replace` operations. + value?: _ + }] + + // Type is the type of the bootstrap configuration, it should be + // either Replace, Merge, or JSONPatch. 
+ // If unspecified, it defaults to Replace. + type?: "Merge" | "Replace" | "JSONPatch" | *"Replace" + + // Value is a YAML string of the bootstrap. + value?: string + } + + // Concurrency defines the number of worker threads to run. If + // unset, it defaults to + // the number of cpuset threads on the platform. + concurrency?: int32 + + // ExtraArgs defines additional command line options that are + // provided to Envoy. + // More info: + // https://www.envoyproxy.io/docs/envoy/latest/operations/cli#command-line-options + // Note: some command line options are used internally(e.g. + // --log-level) so they cannot be provided here. + extraArgs?: [...string] + + // FilterOrder defines the order of filters in the Envoy proxy's + // HTTP filter chain. + // The FilterPosition in the list will be applied in the order + // they are defined. + // If unspecified, the default filter order is applied. + // Default filter order is: + // + // - envoy.filters.http.health_check + // + // - envoy.filters.http.fault + // + // - envoy.filters.http.cors + // + // - envoy.filters.http.ext_authz + // + // - envoy.filters.http.basic_auth + // + // - envoy.filters.http.oauth2 + // + // - envoy.filters.http.jwt_authn + // + // - envoy.filters.http.stateful_session + // + // - envoy.filters.http.ext_proc + // + // - envoy.filters.http.wasm + // + // - envoy.filters.http.rbac + // + // - envoy.filters.http.local_ratelimit + // + // - envoy.filters.http.ratelimit + // + // - envoy.filters.http.custom_response + // + // - envoy.filters.http.router + // + // Note: "envoy.filters.http.router" cannot be reordered, it's + // always the last filter in the chain. + filterOrder?: [...{ + // After defines the filter that should come after the filter. + // Only one of Before or After must be set. 
+ after?: "envoy.filters.http.health_check" | "envoy.filters.http.fault" | "envoy.filters.http.cors" | "envoy.filters.http.ext_authz" | "envoy.filters.http.api_key_auth" | "envoy.filters.http.basic_auth" | "envoy.filters.http.oauth2" | "envoy.filters.http.jwt_authn" | "envoy.filters.http.stateful_session" | "envoy.filters.http.ext_proc" | "envoy.filters.http.wasm" | "envoy.filters.http.rbac" | "envoy.filters.http.local_ratelimit" | "envoy.filters.http.ratelimit" | "envoy.filters.http.custom_response" | "envoy.filters.http.compressor" + + // Before defines the filter that should come before the filter. + // Only one of Before or After must be set. + before?: "envoy.filters.http.health_check" | "envoy.filters.http.fault" | "envoy.filters.http.cors" | "envoy.filters.http.ext_authz" | "envoy.filters.http.api_key_auth" | "envoy.filters.http.basic_auth" | "envoy.filters.http.oauth2" | "envoy.filters.http.jwt_authn" | "envoy.filters.http.stateful_session" | "envoy.filters.http.ext_proc" | "envoy.filters.http.wasm" | "envoy.filters.http.rbac" | "envoy.filters.http.local_ratelimit" | "envoy.filters.http.ratelimit" | "envoy.filters.http.custom_response" | "envoy.filters.http.compressor" + + // Name of the filter. + name!: "envoy.filters.http.health_check" | "envoy.filters.http.fault" | "envoy.filters.http.cors" | "envoy.filters.http.ext_authz" | "envoy.filters.http.api_key_auth" | "envoy.filters.http.basic_auth" | "envoy.filters.http.oauth2" | "envoy.filters.http.jwt_authn" | "envoy.filters.http.stateful_session" | "envoy.filters.http.ext_proc" | "envoy.filters.http.wasm" | "envoy.filters.http.rbac" | "envoy.filters.http.local_ratelimit" | "envoy.filters.http.ratelimit" | "envoy.filters.http.custom_response" | "envoy.filters.http.compressor" + }] + + // IPFamily specifies the IP family for the EnvoyProxy fleet. + // This setting only affects the Gateway listener port and does + // not impact + // other aspects of the Envoy proxy configuration. 
+ // If not specified, the system will operate as follows: + // - It defaults to IPv4 only. + // - IPv6 and dual-stack environments are not supported in this + // default configuration. + // Note: To enable IPv6 or dual-stack functionality, explicit + // configuration is required. + ipFamily?: "IPv4" | "IPv6" | "DualStack" + + // Logging defines logging parameters for managed proxies. + logging?: { + // Level is a map of logging level per component, where the + // component is the key + // and the log level is the value. If unspecified, defaults to + // "default: warn". + level?: close({ + [string]: "debug" | "info" | "error" | "warn" + }) | *{ + default: "warn" + } + } | *{ + level: { + default: "warn" + } + } + + // MergeGateways defines if Gateway resources should be merged + // onto the same Envoy Proxy Infrastructure. + // Setting this field to true would merge all Gateway Listeners + // under the parent Gateway Class. + // This means that the port, protocol and hostname tuple must be + // unique for every listener. + // If a duplicate listener is detected, the newer listener (based + // on timestamp) will be rejected and its status will be updated + // with a "Accepted=False" condition. + mergeGateways?: bool + + // PreserveRouteOrder determines if the order of matching for + // HTTPRoutes is determined by Gateway-API + // specification + // (https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteRule) + // or preserves the order defined by users in the HTTPRoute's + // HTTPRouteRule list. + // Default: False + preserveRouteOrder?: bool + + // Provider defines the desired resource provider and + // provider-specific configuration. + // If unspecified, the "Kubernetes" resource provider is used with + // default configuration + // parameters. + provider?: { + // Kubernetes defines the desired state of the Kubernetes resource + // provider. 
+ // Kubernetes provides infrastructure resources for running the + // data plane, + // e.g. Envoy proxy. If unspecified and type is "Kubernetes", + // default settings + // for managed Kubernetes resources are applied. + kubernetes?: { + // EnvoyDaemonSet defines the desired state of the Envoy daemonset + // resource. + // Disabled by default, a deployment resource is used instead to + // provision the Envoy Proxy fleet + envoyDaemonSet?: { + // Container defines the desired specification of main container. + container?: { + // List of environment variables to set in the container. + env?: [...{ + // Name of the environment variable. Must be a C_IDENTIFIER. + name!: string + + // Variable references $(VAR_NAME) are expanded + // using the previously defined environment variables in the + // container and + // any service environment variables. If a variable cannot be + // resolved, + // the reference in the input string will be unchanged. Double $$ + // are reduced + // to a single $, which allows for escaping the $(VAR_NAME) + // syntax: i.e. + // "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + // Escaped references will never be expanded, regardless of + // whether the variable + // exists or not. + // Defaults to "". + value?: string + + // Source for the environment variable's value. Cannot be used if + // value is not empty. + valueFrom?: { + // Selects a key of a ConfigMap. + configMapKeyRef?: { + // The key to select. + key!: string + + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. 
+ // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + + // Specify whether the ConfigMap or its key must be defined + optional?: bool + } + + // Selects a field of the pod: supports metadata.name, + // metadata.namespace, `metadata.labels['']`, + // `metadata.annotations['']`, + // spec.nodeName, spec.serviceAccountName, status.hostIP, + // status.podIP, status.podIPs. + fieldRef?: { + // Version of the schema the FieldPath is written in terms of, + // defaults to "v1". + apiVersion?: string + + // Path of the field to select in the specified API version. + fieldPath!: string + } + + // Selects a resource of the container: only resources limits and + // requests + // (limits.cpu, limits.memory, limits.ephemeral-storage, + // requests.cpu, requests.memory and requests.ephemeral-storage) + // are currently supported. + resourceFieldRef?: { + // Container name: required for volumes, optional for env vars + containerName?: string + + // Specifies the output format of the exposed resources, defaults + // to "1" + divisor?: matchN(>=1, [int, string]) & (number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$") + + // Required: resource to select + resource!: string + } + + // Selects a key of a secret in the pod's namespace + secretKeyRef?: { + // The key of the secret to select from. Must be a valid secret + // key. + key!: string + + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. 
+ // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + + // Specify whether the Secret or its key must be defined + optional?: bool + } + } + }] + + // Image specifies the EnvoyProxy container image to be used, + // instead of the default image. + image?: string + + // Resources required by this container. + // More info: + // https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources?: { + // Claims lists the names of resources, defined in + // spec.resourceClaims, + // that are used by this container. + // + // This is an alpha field and requires enabling the + // DynamicResourceAllocation feature gate. + // + // This field is immutable. It can only be set for containers. + claims?: [...{ + // Name must match the name of one entry in + // pod.spec.resourceClaims of + // the Pod where this field is used. It makes that resource + // available + // inside a container. + name!: string + + // Request is the name chosen for a request in the referenced + // claim. + // If empty, everything from the claim is made available, + // otherwise + // only the result of this request. + request?: string + }] + + // Limits describes the maximum amount of compute resources + // allowed. + // More info: + // https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + limits?: close({ + [string]: matchN(>=1, [int, string]) & (number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$") + }) + + // Requests describes the minimum amount of compute resources + // required. + // If Requests is omitted for a container, it defaults to Limits + // if that is explicitly specified, + // otherwise to an implementation-defined value. Requests cannot + // exceed Limits. 
+ // More info: + // https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + requests?: close({ + [string]: matchN(>=1, [int, string]) & (number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$") + }) + } + + // SecurityContext defines the security options the container + // should be run with. + // If set, the fields of SecurityContext override the equivalent + // fields of PodSecurityContext. + // More info: + // https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + securityContext?: { + // AllowPrivilegeEscalation controls whether a process can gain + // more + // privileges than its parent process. This bool directly controls + // if + // the no_new_privs flag will be set on the container process. + // AllowPrivilegeEscalation is true always when the container is: + // 1) run as Privileged + // 2) has CAP_SYS_ADMIN + // Note that this field cannot be set when spec.os.name is + // windows. + allowPrivilegeEscalation?: bool + + // appArmorProfile is the AppArmor options to use by this + // container. If set, this profile + // overrides the pod's appArmorProfile. + // Note that this field cannot be set when spec.os.name is + // windows. + appArmorProfile?: { + // localhostProfile indicates a profile loaded on the node that + // should be used. + // The profile must be preconfigured on the node to work. + // Must match the loaded name of the profile. + // Must be set if and only if type is "Localhost". + localhostProfile?: string + + // type indicates which kind of AppArmor profile will be applied. + // Valid options are: + // Localhost - a profile pre-loaded on the node. + // RuntimeDefault - the container runtime's default profile. + // Unconfined - no AppArmor enforcement. + type!: string + } + + // The capabilities to add/drop when running containers. + // Defaults to the default set of capabilities granted by the + // container runtime. 
+ // Note that this field cannot be set when spec.os.name is + // windows. + capabilities?: { + // Added capabilities + add?: [...string] + + // Removed capabilities + drop?: [...string] + } + + // Run container in privileged mode. + // Processes in privileged containers are essentially equivalent + // to root on the host. + // Defaults to false. + // Note that this field cannot be set when spec.os.name is + // windows. + privileged?: bool + + // procMount denotes the type of proc mount to use for the + // containers. + // The default value is Default which uses the container runtime + // defaults for + // readonly paths and masked paths. + // This requires the ProcMountType feature flag to be enabled. + // Note that this field cannot be set when spec.os.name is + // windows. + procMount?: string + + // Whether this container has a read-only root filesystem. + // Default is false. + // Note that this field cannot be set when spec.os.name is + // windows. + readOnlyRootFilesystem?: bool + + // The GID to run the entrypoint of the container process. + // Uses runtime default if unset. + // May also be set in PodSecurityContext. If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence. + // Note that this field cannot be set when spec.os.name is + // windows. + runAsGroup?: int64 + + // Indicates that the container must run as a non-root user. + // If true, the Kubelet will validate the image at runtime to + // ensure that it + // does not run as UID 0 (root) and fail to start the container if + // it does. + // If unset or false, no such validation will be performed. + // May also be set in PodSecurityContext. If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence. + runAsNonRoot?: bool + + // The UID to run the entrypoint of the container process. + // Defaults to user specified in image metadata if unspecified. 
+ // May also be set in PodSecurityContext. If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence. + // Note that this field cannot be set when spec.os.name is + // windows. + runAsUser?: int64 + + // The SELinux context to be applied to the container. + // If unspecified, the container runtime will allocate a random + // SELinux context for each + // container. May also be set in PodSecurityContext. If set in + // both SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence. + // Note that this field cannot be set when spec.os.name is + // windows. + seLinuxOptions?: { + // Level is SELinux level label that applies to the container. + level?: string + + // Role is a SELinux role label that applies to the container. + role?: string + + // Type is a SELinux type label that applies to the container. + type?: string + + // User is a SELinux user label that applies to the container. + user?: string + } + + // The seccomp options to use by this container. If seccomp + // options are + // provided at both the pod & container level, the container + // options + // override the pod options. + // Note that this field cannot be set when spec.os.name is + // windows. + seccompProfile?: { + // localhostProfile indicates a profile defined in a file on the + // node should be used. + // The profile must be preconfigured on the node to work. + // Must be a descending path, relative to the kubelet's configured + // seccomp profile location. + // Must be set if type is "Localhost". Must NOT be set for any + // other type. + localhostProfile?: string + + // type indicates which kind of seccomp profile will be applied. + // Valid options are: + // + // Localhost - a profile defined in a file on the node should be + // used. + // RuntimeDefault - the container runtime default profile should + // be used. + // Unconfined - no profile should be applied. 
+ type!: string + } + + // The Windows specific settings applied to all containers. + // If unspecified, the options from the PodSecurityContext will be + // used. + // If set in both SecurityContext and PodSecurityContext, the + // value specified in SecurityContext takes precedence. + // Note that this field cannot be set when spec.os.name is linux. + windowsOptions?: { + // GMSACredentialSpec is where the GMSA admission webhook + // (https://github.com/kubernetes-sigs/windows-gmsa) inlines the + // contents of the + // GMSA credential spec named by the GMSACredentialSpecName field. + gmsaCredentialSpec?: string + + // GMSACredentialSpecName is the name of the GMSA credential spec + // to use. + gmsaCredentialSpecName?: string + + // HostProcess determines if a container should be run as a 'Host + // Process' container. + // All of a Pod's containers must have the same effective + // HostProcess value + // (it is not allowed to have a mix of HostProcess containers and + // non-HostProcess containers). + // In addition, if HostProcess is true then HostNetwork must also + // be set to true. + hostProcess?: bool + + // The UserName in Windows to run the entrypoint of the container + // process. + // Defaults to the user specified in image metadata if + // unspecified. + // May also be set in PodSecurityContext. If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence. + runAsUserName?: string + } + } + + // VolumeMounts are volumes to mount into the container's + // filesystem. + // Cannot be updated. + volumeMounts?: [...{ + // Path within the container at which the volume should be + // mounted. Must + // not contain ':'. + mountPath!: string + + // mountPropagation determines how mounts are propagated from the + // host + // to container and the other way around. + // When not set, MountPropagationNone is used. + // This field is beta in 1.10. 
+ // When RecursiveReadOnly is set to IfPossible or to Enabled, + // MountPropagation must be None or unspecified + // (which defaults to None). + mountPropagation?: string + + // This must match the Name of a Volume. + name!: string + + // Mounted read-only if true, read-write otherwise (false or + // unspecified). + // Defaults to false. + readOnly?: bool + + // RecursiveReadOnly specifies whether read-only mounts should be + // handled + // recursively. + // + // If ReadOnly is false, this field has no meaning and must be + // unspecified. + // + // If ReadOnly is true, and this field is set to Disabled, the + // mount is not made + // recursively read-only. If this field is set to IfPossible, the + // mount is made + // recursively read-only, if it is supported by the container + // runtime. If this + // field is set to Enabled, the mount is made recursively + // read-only if it is + // supported by the container runtime, otherwise the pod will not + // be started and + // an error will be generated to indicate the reason. + // + // If this field is set to IfPossible or Enabled, MountPropagation + // must be set to + // None (or be unspecified, which defaults to None). + // + // If this field is not specified, it is treated as an equivalent + // of Disabled. + recursiveReadOnly?: string + + // Path within the volume from which the container's volume should + // be mounted. + // Defaults to "" (volume's root). + subPath?: string + + // Expanded path within the volume from which the container's + // volume should be mounted. + // Behaves similarly to SubPath but environment variable + // references $(VAR_NAME) are expanded using the container's + // environment. + // Defaults to "" (volume's root). + // SubPathExpr and SubPath are mutually exclusive. + subPathExpr?: string + }] + } + + // Name of the daemonSet. + // When unset, this defaults to an autogenerated name. 
+ name?: string + + // Patch defines how to perform the patch operation to daemonset + patch?: { + // Type is the type of merge operation to perform + // + // By default, StrategicMerge is used as the patch type. + type?: string + + // Object contains the raw configuration for merged object + value!: _ + } + + // Pod defines the desired specification of pod. + pod?: { + // If specified, the pod's scheduling constraints. + affinity?: { + // Describes node affinity scheduling rules for the pod. + nodeAffinity?: { + // The scheduler will prefer to schedule pods to nodes that + // satisfy + // the affinity expressions specified by this field, but it may + // choose + // a node that violates one or more of the expressions. The node + // that is + // most preferred is the one with the greatest sum of weights, + // i.e. + // for each node that meets all of the scheduling requirements + // (resource + // request, requiredDuringScheduling affinity expressions, etc.), + // compute a sum by iterating through the elements of this field + // and adding + // "weight" to the sum if the node matches the corresponding + // matchExpressions; the + // node(s) with the highest sum are the most preferred. + preferredDuringSchedulingIgnoredDuringExecution?: [...{ + // A node selector term, associated with the corresponding weight. + preference!: { + // A list of node selector requirements by node's labels. + matchExpressions?: [...{ + // The label key that the selector applies to. + key!: string + + // Represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and + // Lt. + operator!: string + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. If the operator is Gt or Lt, + // the values + // array must have a single element, which will be interpreted as + // an integer. 
+ // This array is replaced during a strategic merge patch. + values?: [...string] + }] + + // A list of node selector requirements by node's fields. + matchFields?: [...{ + // The label key that the selector applies to. + key!: string + + // Represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and + // Lt. + operator!: string + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. If the operator is Gt or Lt, + // the values + // array must have a single element, which will be interpreted as + // an integer. + // This array is replaced during a strategic merge patch. + values?: [...string] + }] + } + + // Weight associated with matching the corresponding + // nodeSelectorTerm, in the range 1-100. + weight!: int32 + }] + requiredDuringSchedulingIgnoredDuringExecution?: { + // Required. A list of node selector terms. The terms are ORed. + nodeSelectorTerms!: [...{ + // A list of node selector requirements by node's labels. + matchExpressions?: [...{ + // The label key that the selector applies to. + key!: string + + // Represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and + // Lt. + operator!: string + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. If the operator is Gt or Lt, + // the values + // array must have a single element, which will be interpreted as + // an integer. + // This array is replaced during a strategic merge patch. + values?: [...string] + }] + + // A list of node selector requirements by node's fields. + matchFields?: [...{ + // The label key that the selector applies to. + key!: string + + // Represents a key's relationship to a set of values. 
+ // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and + // Lt. + operator!: string + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. If the operator is Gt or Lt, + // the values + // array must have a single element, which will be interpreted as + // an integer. + // This array is replaced during a strategic merge patch. + values?: [...string] + }] + }] + } + } + + // Describes pod affinity scheduling rules (e.g. co-locate this + // pod in the same node, zone, etc. as some other pod(s)). + podAffinity?: { + // The scheduler will prefer to schedule pods to nodes that + // satisfy + // the affinity expressions specified by this field, but it may + // choose + // a node that violates one or more of the expressions. The node + // that is + // most preferred is the one with the greatest sum of weights, + // i.e. + // for each node that meets all of the scheduling requirements + // (resource + // request, requiredDuringScheduling affinity expressions, etc.), + // compute a sum by iterating through the elements of this field + // and adding + // "weight" to the sum if the node has pods which matches the + // corresponding podAffinityTerm; the + // node(s) with the highest sum are the most preferred. + preferredDuringSchedulingIgnoredDuringExecution?: [...{ + // Required. A pod affinity term, associated with the + // corresponding weight. + podAffinityTerm!: { + // A label query over a set of resources, in this case pods. + // If it's null, this PodAffinityTerm matches with no Pods. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. 
+ operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key in (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both matchLabelKeys and + // labelSelector. + // Also, matchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. 
The default value is empty. + // The same key is forbidden to exist in both mismatchLabelKeys + // and labelSelector. + // Also, mismatchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. + // The term is applied to the union of the namespaces selected by + // this field + // and the ones listed in the namespaces field. + // null selector and null or empty namespaces list means "this + // pod's namespace". + // An empty selector ({}) matches all namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // namespaces specifies a static list of namespace names that the + // term applies to. + // The term is applied to the union of the namespaces listed in + // this field + // and the ones selected by namespaceSelector. 
+ // null or empty namespaces list and null namespaceSelector means + // "this pod's namespace". + namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located + // is defined as running on a node + // whose value of the label with key topologyKey matches that of + // any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. + topologyKey!: string + } + + // weight associated with matching the corresponding + // podAffinityTerm, + // in the range 1-100. + weight!: int32 + }] + + // If the affinity requirements specified by this field are not + // met at + // scheduling time, the pod will not be scheduled onto the node. + // If the affinity requirements specified by this field cease to + // be met + // at some point during pod execution (e.g. due to a pod label + // update), the + // system may or may not try to eventually evict the pod from its + // node. + // When there are multiple elements, the lists of nodes + // corresponding to each + // podAffinityTerm are intersected, i.e. all terms must be + // satisfied. + requiredDuringSchedulingIgnoredDuringExecution?: [...{ + // A label query over a set of resources, in this case pods. + // If it's null, this PodAffinityTerm matches with no Pods. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. 
This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key in (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both matchLabelKeys and + // labelSelector. + // Also, matchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both mismatchLabelKeys + // and labelSelector. + // Also, mismatchLabelKeys cannot be set when labelSelector isn't + // set. 
+ // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. + // The term is applied to the union of the namespaces selected by + // this field + // and the ones listed in the namespaces field. + // null selector and null or empty namespaces list means "this + // pod's namespace". + // An empty selector ({}) matches all namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // namespaces specifies a static list of namespace names that the + // term applies to. + // The term is applied to the union of the namespaces listed in + // this field + // and the ones selected by namespaceSelector. + // null or empty namespaces list and null namespaceSelector means + // "this pod's namespace". 
+ namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located + // is defined as running on a node + // whose value of the label with key topologyKey matches that of + // any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. + topologyKey!: string + }] + } + + // Describes pod anti-affinity scheduling rules (e.g. avoid + // putting this pod in the same node, zone, etc. as some other + // pod(s)). + podAntiAffinity?: { + // The scheduler will prefer to schedule pods to nodes that + // satisfy + // the anti-affinity expressions specified by this field, but it + // may choose + // a node that violates one or more of the expressions. The node + // that is + // most preferred is the one with the greatest sum of weights, + // i.e. + // for each node that meets all of the scheduling requirements + // (resource + // request, requiredDuringScheduling anti-affinity expressions, + // etc.), + // compute a sum by iterating through the elements of this field + // and adding + // "weight" to the sum if the node has pods which matches the + // corresponding podAffinityTerm; the + // node(s) with the highest sum are the most preferred. + preferredDuringSchedulingIgnoredDuringExecution?: [...{ + // Required. A pod affinity term, associated with the + // corresponding weight. + podAffinityTerm!: { + // A label query over a set of resources, in this case pods. + // If it's null, this PodAffinityTerm matches with no Pods. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. 
+ operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key in (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both matchLabelKeys and + // labelSelector. + // Also, matchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. 
The default value is empty. + // The same key is forbidden to exist in both mismatchLabelKeys + // and labelSelector. + // Also, mismatchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. + // The term is applied to the union of the namespaces selected by + // this field + // and the ones listed in the namespaces field. + // null selector and null or empty namespaces list means "this + // pod's namespace". + // An empty selector ({}) matches all namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // namespaces specifies a static list of namespace names that the + // term applies to. + // The term is applied to the union of the namespaces listed in + // this field + // and the ones selected by namespaceSelector. 
+ // null or empty namespaces list and null namespaceSelector means + // "this pod's namespace". + namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located + // is defined as running on a node + // whose value of the label with key topologyKey matches that of + // any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. + topologyKey!: string + } + + // weight associated with matching the corresponding + // podAffinityTerm, + // in the range 1-100. + weight!: int32 + }] + + // If the anti-affinity requirements specified by this field are + // not met at + // scheduling time, the pod will not be scheduled onto the node. + // If the anti-affinity requirements specified by this field cease + // to be met + // at some point during pod execution (e.g. due to a pod label + // update), the + // system may or may not try to eventually evict the pod from its + // node. + // When there are multiple elements, the lists of nodes + // corresponding to each + // podAffinityTerm are intersected, i.e. all terms must be + // satisfied. + requiredDuringSchedulingIgnoredDuringExecution?: [...{ + // A label query over a set of resources, in this case pods. + // If it's null, this PodAffinityTerm matches with no Pods. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. 
This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key in (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both matchLabelKeys and + // labelSelector. + // Also, matchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both mismatchLabelKeys + // and labelSelector. + // Also, mismatchLabelKeys cannot be set when labelSelector isn't + // set. 
+ // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. + // The term is applied to the union of the namespaces selected by + // this field + // and the ones listed in the namespaces field. + // null selector and null or empty namespaces list means "this + // pod's namespace". + // An empty selector ({}) matches all namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // namespaces specifies a static list of namespace names that the + // term applies to. + // The term is applied to the union of the namespaces listed in + // this field + // and the ones selected by namespaceSelector. + // null or empty namespaces list and null namespaceSelector means + // "this pod's namespace". 
+ namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located + // is defined as running on a node + // whose value of the label with key topologyKey matches that of + // any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. + topologyKey!: string + }] + } + } + + // Annotations are the annotations that should be appended to the + // pods. + // By default, no pod annotations are appended. + annotations?: close({ + [string]: string + }) + + // ImagePullSecrets is an optional list of references to secrets + // in the same namespace to use for pulling any of the images used + // by this PodSpec. + // If specified, these secrets will be passed to individual puller + // implementations for them to use. + // More info: + // https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod + imagePullSecrets?: [...{ + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + }] + + // Labels are the additional labels that should be tagged to the + // pods. + // By default, no additional pod labels are tagged. + labels?: close({ + [string]: string + }) + + // NodeSelector is a selector which must be true for the pod to + // fit on a node. + // Selector which must match a node's labels for the pod to be + // scheduled on that node. + // More info: + // https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector?: close({ + [string]: string + }) + + // SecurityContext holds pod-level security attributes and common + // container settings. 
+ // Optional: Defaults to empty. See type description for default + // values of each field. + securityContext?: { + // appArmorProfile is the AppArmor options to use by the + // containers in this pod. + // Note that this field cannot be set when spec.os.name is + // windows. + appArmorProfile?: { + // localhostProfile indicates a profile loaded on the node that + // should be used. + // The profile must be preconfigured on the node to work. + // Must match the loaded name of the profile. + // Must be set if and only if type is "Localhost". + localhostProfile?: string + + // type indicates which kind of AppArmor profile will be applied. + // Valid options are: + // Localhost - a profile pre-loaded on the node. + // RuntimeDefault - the container runtime's default profile. + // Unconfined - no AppArmor enforcement. + type!: string + } + + // A special supplemental group that applies to all containers in + // a pod. + // Some volume types allow the Kubelet to change the ownership of + // that volume + // to be owned by the pod: + // + // 1. The owning GID will be the FSGroup + // 2. The setgid bit is set (new files created in the volume will + // be owned by FSGroup) + // 3. The permission bits are OR'd with rw-rw---- + // + // If unset, the Kubelet will not modify the ownership and + // permissions of any volume. + // Note that this field cannot be set when spec.os.name is + // windows. + fsGroup?: int64 + + // fsGroupChangePolicy defines behavior of changing ownership and + // permission of the volume + // before being exposed inside Pod. This field will only apply to + // volume types which support fsGroup based ownership(and + // permissions). + // It will have no effect on ephemeral volume types such as: + // secret, configmaps + // and emptydir. + // Valid values are "OnRootMismatch" and "Always". If not + // specified, "Always" is used. + // Note that this field cannot be set when spec.os.name is + // windows. 
+ fsGroupChangePolicy?: string + + // The GID to run the entrypoint of the container process. + // Uses runtime default if unset. + // May also be set in SecurityContext. If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence + // for that container. + // Note that this field cannot be set when spec.os.name is + // windows. + runAsGroup?: int64 + + // Indicates that the container must run as a non-root user. + // If true, the Kubelet will validate the image at runtime to + // ensure that it + // does not run as UID 0 (root) and fail to start the container if + // it does. + // If unset or false, no such validation will be performed. + // May also be set in SecurityContext. If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence. + runAsNonRoot?: bool + + // The UID to run the entrypoint of the container process. + // Defaults to user specified in image metadata if unspecified. + // May also be set in SecurityContext. If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence + // for that container. + // Note that this field cannot be set when spec.os.name is + // windows. + runAsUser?: int64 + + // seLinuxChangePolicy defines how the container's SELinux label + // is applied to all volumes used by the Pod. + // It has no effect on nodes that do not support SELinux or to + // volumes does not support SELinux. + // Valid values are "MountOption" and "Recursive". + // + // "Recursive" means relabeling of all files on all Pod volumes by + // the container runtime. + // This may be slow for large volumes, but allows mixing + // privileged and unprivileged Pods sharing the same volume on + // the same node. + // + // "MountOption" mounts all eligible Pod volumes with `-o context` + // mount option. 
+ // This requires all Pods that share the same volume to use the + // same SELinux label. + // It is not possible to share the same volume among privileged + // and unprivileged Pods. + // Eligible volumes are in-tree FibreChannel and iSCSI volumes, + // and all CSI volumes + // whose CSI driver announces SELinux support by setting + // spec.seLinuxMount: true in their + // CSIDriver instance. Other volumes are always re-labelled + // recursively. + // "MountOption" value is allowed only when SELinuxMount feature + // gate is enabled. + // + // If not specified and SELinuxMount feature gate is enabled, + // "MountOption" is used. + // If not specified and SELinuxMount feature gate is disabled, + // "MountOption" is used for ReadWriteOncePod volumes + // and "Recursive" for all other volumes. + // + // This field affects only Pods that have SELinux label set, + // either in PodSecurityContext or in SecurityContext of all + // containers. + // + // All Pods that use the same volume should use the same + // seLinuxChangePolicy, otherwise some pods can get stuck in + // ContainerCreating state. + // Note that this field cannot be set when spec.os.name is + // windows. + seLinuxChangePolicy?: string + + // The SELinux context to be applied to all containers. + // If unspecified, the container runtime will allocate a random + // SELinux context for each + // container. May also be set in SecurityContext. If set in + // both SecurityContext and PodSecurityContext, the value + // specified in SecurityContext + // takes precedence for that container. + // Note that this field cannot be set when spec.os.name is + // windows. + seLinuxOptions?: { + // Level is SELinux level label that applies to the container. + level?: string + + // Role is a SELinux role label that applies to the container. + role?: string + + // Type is a SELinux type label that applies to the container. + type?: string + + // User is a SELinux user label that applies to the container. 
+ user?: string + } + + // The seccomp options to use by the containers in this pod. + // Note that this field cannot be set when spec.os.name is + // windows. + seccompProfile?: { + // localhostProfile indicates a profile defined in a file on the + // node should be used. + // The profile must be preconfigured on the node to work. + // Must be a descending path, relative to the kubelet's configured + // seccomp profile location. + // Must be set if type is "Localhost". Must NOT be set for any + // other type. + localhostProfile?: string + + // type indicates which kind of seccomp profile will be applied. + // Valid options are: + // + // Localhost - a profile defined in a file on the node should be + // used. + // RuntimeDefault - the container runtime default profile should + // be used. + // Unconfined - no profile should be applied. + type!: string + } + + // A list of groups applied to the first process run in each + // container, in + // addition to the container's primary GID and fsGroup (if + // specified). If + // the SupplementalGroupsPolicy feature is enabled, the + // supplementalGroupsPolicy field determines whether these are in + // addition + // to or instead of any group memberships defined in the container + // image. + // If unspecified, no additional groups are added, though group + // memberships + // defined in the container image may still be used, depending on + // the + // supplementalGroupsPolicy field. + // Note that this field cannot be set when spec.os.name is + // windows. + supplementalGroups?: [...int64 & int] + + // Defines how supplemental groups of the first container + // processes are calculated. + // Valid values are "Merge" and "Strict". If not specified, + // "Merge" is used. + // (Alpha) Using the field requires the SupplementalGroupsPolicy + // feature gate to be enabled + // and the container runtime must implement support for this + // feature. + // Note that this field cannot be set when spec.os.name is + // windows. 
+ supplementalGroupsPolicy?: string + + // Sysctls hold a list of namespaced sysctls used for the pod. + // Pods with unsupported + // sysctls (by the container runtime) might fail to launch. + // Note that this field cannot be set when spec.os.name is + // windows. + sysctls?: [...{ + // Name of a property to set + name!: string + + // Value of a property to set + value!: string + }] + + // The Windows specific settings applied to all containers. + // If unspecified, the options within a container's + // SecurityContext will be used. + // If set in both SecurityContext and PodSecurityContext, the + // value specified in SecurityContext takes precedence. + // Note that this field cannot be set when spec.os.name is linux. + windowsOptions?: { + // GMSACredentialSpec is where the GMSA admission webhook + // (https://github.com/kubernetes-sigs/windows-gmsa) inlines the + // contents of the + // GMSA credential spec named by the GMSACredentialSpecName field. + gmsaCredentialSpec?: string + + // GMSACredentialSpecName is the name of the GMSA credential spec + // to use. + gmsaCredentialSpecName?: string + + // HostProcess determines if a container should be run as a 'Host + // Process' container. + // All of a Pod's containers must have the same effective + // HostProcess value + // (it is not allowed to have a mix of HostProcess containers and + // non-HostProcess containers). + // In addition, if HostProcess is true then HostNetwork must also + // be set to true. + hostProcess?: bool + + // The UserName in Windows to run the entrypoint of the container + // process. + // Defaults to the user specified in image metadata if + // unspecified. + // May also be set in PodSecurityContext. If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence. + runAsUserName?: string + } + } + + // If specified, the pod's tolerations. + tolerations?: [...{ + // Effect indicates the taint effect to match. 
Empty means match + // all taint effects. + // When specified, allowed values are NoSchedule, PreferNoSchedule + // and NoExecute. + effect?: string + + // Key is the taint key that the toleration applies to. Empty + // means match all taint keys. + // If the key is empty, operator must be Exists; this combination + // means to match all values and all keys. + key?: string + + // Operator represents a key's relationship to the value. + // Valid operators are Exists and Equal. Defaults to Equal. + // Exists is equivalent to wildcard for value, so that a pod can + // tolerate all taints of a particular category. + operator?: string + + // TolerationSeconds represents the period of time the toleration + // (which must be + // of effect NoExecute, otherwise this field is ignored) tolerates + // the taint. By default, + // it is not set, which means tolerate the taint forever (do not + // evict). Zero and + // negative values will be treated as 0 (evict immediately) by the + // system. + tolerationSeconds?: int64 + + // Value is the taint value the toleration matches to. + // If the operator is Exists, the value should be empty, otherwise + // just a regular string. + value?: string + }] + + // TopologySpreadConstraints describes how a group of pods ought + // to spread across topology + // domains. Scheduler will schedule pods in a way which abides by + // the constraints. + // All topologySpreadConstraints are ANDed. + topologySpreadConstraints?: [...{ + // LabelSelector is used to find matching pods. + // Pods that match this label selector are counted to determine + // the number of pods + // in their corresponding topology domain. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. 
+ // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // MatchLabelKeys is a set of pod label keys to select the pods + // over which + // spreading will be calculated. The keys are used to lookup + // values from the + // incoming pod labels, those key-value labels are ANDed with + // labelSelector + // to select the group of existing pods over which spreading will + // be calculated + // for the incoming pod. The same key is forbidden to exist in + // both MatchLabelKeys and LabelSelector. + // MatchLabelKeys cannot be set when LabelSelector isn't set. + // Keys that don't exist in the incoming pod labels will + // be ignored. A null or empty list means only match against + // labelSelector. + // + // This is a beta field and requires the + // MatchLabelKeysInPodTopologySpread feature gate to be enabled + // (enabled by default). + matchLabelKeys?: [...string] + + // MaxSkew describes the degree to which pods may be unevenly + // distributed. + // When `whenUnsatisfiable=DoNotSchedule`, it is the maximum + // permitted difference + // between the number of matching pods in the target topology and + // the global minimum. + // The global minimum is the minimum number of matching pods in an + // eligible domain + // or zero if the number of eligible domains is less than + // MinDomains. 
+ // For example, in a 3-zone cluster, MaxSkew is set to 1, and pods + // with the same + // labelSelector spread as 2/2/1: + // In this case, the global minimum is 1. + // | zone1 | zone2 | zone3 | + // | P P | P P | P | + // - if MaxSkew is 1, incoming pod can only be scheduled to zone3 + // to become 2/2/2; + // scheduling it onto zone1(zone2) would make the ActualSkew(3-1) + // on zone1(zone2) + // violate MaxSkew(1). + // - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + // When `whenUnsatisfiable=ScheduleAnyway`, it is used to give + // higher precedence + // to topologies that satisfy it. + // It's a required field. Default value is 1 and 0 is not allowed. + maxSkew!: int32 + + // MinDomains indicates a minimum number of eligible domains. + // When the number of eligible domains with matching topology keys + // is less than minDomains, + // Pod Topology Spread treats "global minimum" as 0, and then the + // calculation of Skew is performed. + // And when the number of eligible domains with matching topology + // keys equals or greater than minDomains, + // this value has no effect on scheduling. + // As a result, when the number of eligible domains is less than + // minDomains, + // scheduler won't schedule more than maxSkew Pods to those + // domains. + // If value is nil, the constraint behaves as if MinDomains is + // equal to 1. + // Valid values are integers greater than 0. + // When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + // + // For example, in a 3-zone cluster, MaxSkew is set to 2, + // MinDomains is set to 5 and pods with the same + // labelSelector spread as 2/2/2: + // | zone1 | zone2 | zone3 | + // | P P | P P | P P | + // The number of domains is less than 5(MinDomains), so "global + // minimum" is treated as 0. 
+ // In this situation, new pod with the same labelSelector cannot + // be scheduled, + // because computed skew will be 3(3 - 0) if new Pod is scheduled + // to any of the three zones, + // it will violate MaxSkew. + minDomains?: int32 + + // NodeAffinityPolicy indicates how we will treat Pod's + // nodeAffinity/nodeSelector + // when calculating pod topology spread skew. Options are: + // - Honor: only nodes matching nodeAffinity/nodeSelector are + // included in the calculations. + // - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are + // included in the calculations. + // + // If this value is nil, the behavior is equivalent to the Honor + // policy. + // This is a beta-level feature default enabled by the + // NodeInclusionPolicyInPodTopologySpread feature flag. + nodeAffinityPolicy?: string + + // NodeTaintsPolicy indicates how we will treat node taints when + // calculating + // pod topology spread skew. Options are: + // - Honor: nodes without taints, along with tainted nodes for + // which the incoming pod + // has a toleration, are included. + // - Ignore: node taints are ignored. All nodes are included. + // + // If this value is nil, the behavior is equivalent to the Ignore + // policy. + // This is a beta-level feature default enabled by the + // NodeInclusionPolicyInPodTopologySpread feature flag. + nodeTaintsPolicy?: string + + // TopologyKey is the key of node labels. Nodes that have a label + // with this key + // and identical values are considered to be in the same topology. + // We consider each as a "bucket", and try to put + // balanced number + // of pods into each bucket. + // We define a domain as a particular instance of a topology. + // Also, we define an eligible domain as a domain whose nodes meet + // the requirements of + // nodeAffinityPolicy and nodeTaintsPolicy. + // e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a + // domain of that topology. 
+ // And, if TopologyKey is "topology.kubernetes.io/zone", each zone + // is a domain of that topology. + // It's a required field. + topologyKey!: string + + // WhenUnsatisfiable indicates how to deal with a pod if it + // doesn't satisfy + // the spread constraint. + // - DoNotSchedule (default) tells the scheduler not to schedule + // it. + // - ScheduleAnyway tells the scheduler to schedule the pod in any + // location, + // but giving higher precedence to topologies that would help + // reduce the + // skew. + // A constraint is considered "Unsatisfiable" for an incoming pod + // if and only if every possible node assignment for that pod + // would violate + // "MaxSkew" on some topology. + // For example, in a 3-zone cluster, MaxSkew is set to 1, and pods + // with the same + // labelSelector spread as 3/1/1: + // | zone1 | zone2 | zone3 | + // | P P P | P | P | + // If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can + // only be scheduled + // to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on + // zone2(zone3) satisfies + // MaxSkew(1). In other words, the cluster can still be + // imbalanced, but scheduler + // won't make it *more* imbalanced. + // It's a required field. + whenUnsatisfiable!: string + }] + + // Volumes that can be mounted by containers belonging to the pod. + // More info: https://kubernetes.io/docs/concepts/storage/volumes + volumes?: [...{ + // awsElasticBlockStore represents an AWS Disk resource that is + // attached to a + // kubelet's host machine and then exposed to the pod. + // Deprecated: AWSElasticBlockStore is deprecated. All operations + // for the in-tree + // awsElasticBlockStore type are redirected to the ebs.csi.aws.com + // CSI driver. + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + awsElasticBlockStore?: { + // fsType is the filesystem type of the volume that you want to + // mount. 
+ // Tip: Ensure that the filesystem type is supported by the host + // operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be + // "ext4" if unspecified. + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + fsType?: string + + // partition is the partition in the volume that you want to + // mount. + // If omitted, the default is to mount by volume name. + // Examples: For volume /dev/sda1, you specify the partition as + // "1". + // Similarly, the volume partition for /dev/sda is "0" (or you can + // leave the property empty). + partition?: int32 + + // readOnly value true will force the readOnly setting in + // VolumeMounts. + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + readOnly?: bool + + // volumeID is unique ID of the persistent disk resource in AWS + // (Amazon EBS volume). + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + volumeID!: string + } + + // azureDisk represents an Azure Data Disk mount on the host and + // bind mount to the pod. + // Deprecated: AzureDisk is deprecated. All operations for the + // in-tree azureDisk type + // are redirected to the disk.csi.azure.com CSI driver. + azureDisk?: { + // cachingMode is the Host Caching mode: None, Read Only, Read + // Write. + cachingMode?: string + + // diskName is the Name of the data disk in the blob storage + diskName!: string + + // diskURI is the URI of data disk in the blob storage + diskURI!: string + + // fsType is Filesystem type to mount. + // Must be a filesystem type supported by the host operating + // system. + // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if + // unspecified. 
+ fsType?: string | *"ext4" + + // kind expected values are Shared: multiple blob disks per + // storage account Dedicated: single blob disk per storage + // account Managed: azure managed data disk (only in managed + // availability set). defaults to shared + kind?: string + + // readOnly Defaults to false (read/write). ReadOnly here will + // force + // the ReadOnly setting in VolumeMounts. + readOnly?: bool | *false + } + + // azureFile represents an Azure File Service mount on the host + // and bind mount to the pod. + // Deprecated: AzureFile is deprecated. All operations for the + // in-tree azureFile type + // are redirected to the file.csi.azure.com CSI driver. + azureFile?: { + // readOnly defaults to false (read/write). ReadOnly here will + // force + // the ReadOnly setting in VolumeMounts. + readOnly?: bool + + // secretName is the name of secret that contains Azure Storage + // Account Name and Key + secretName!: string + + // shareName is the azure share Name + shareName!: string + } + + // cephFS represents a Ceph FS mount on the host that shares a + // pod's lifetime. + // Deprecated: CephFS is deprecated and the in-tree cephfs type is + // no longer supported. + cephfs?: { + // monitors is Required: Monitors is a collection of Ceph monitors + // More info: + // https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + monitors!: [...string] + + // path is Optional: Used as the mounted root, rather than the + // full Ceph tree, default is / + path?: string + + // readOnly is Optional: Defaults to false (read/write). ReadOnly + // here will force + // the ReadOnly setting in VolumeMounts. 
+ // More info: + // https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + readOnly?: bool + + // secretFile is Optional: SecretFile is the path to key ring for + // User, default is /etc/ceph/user.secret + // More info: + // https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + secretFile?: string + secretRef?: { + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + } + + // user is optional: User is the rados user name, default is admin + // More info: + // https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + user?: string + } + + // cinder represents a cinder volume attached and mounted on + // kubelets host machine. + // Deprecated: Cinder is deprecated. All operations for the + // in-tree cinder type + // are redirected to the cinder.csi.openstack.org CSI driver. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + cinder?: { + // fsType is the filesystem type to mount. + // Must be a filesystem type supported by the host operating + // system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be + // "ext4" if unspecified. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + fsType?: string + + // readOnly defaults to false (read/write). ReadOnly here will + // force + // the ReadOnly setting in VolumeMounts. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + readOnly?: bool + secretRef?: { + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. 
+ // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + } + + // volumeID used to identify the volume in cinder. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + volumeID!: string + } + + // configMap represents a configMap that should populate this + // volume + configMap?: { + // defaultMode is optional: mode bits used to set permissions on + // created files by default. + // Must be an octal value between 0000 and 0777 or a decimal value + // between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires + // decimal values for mode bits. + // Defaults to 0644. + // Directories within the path are not affected by this setting. + // This might be in conflict with other options that affect the + // file + // mode, like fsGroup, and the result can be other mode bits set. + defaultMode?: int32 + + // items if unspecified, each key-value pair in the Data field of + // the referenced + // ConfigMap will be projected into the volume as a file whose + // name is the + // key and content is the value. If specified, the listed keys + // will be + // projected into the specified paths, and unlisted keys will not + // be + // present. If a key is specified which is not present in the + // ConfigMap, + // the volume setup will error unless it is marked optional. Paths + // must be + // relative and may not contain the '..' path or start with '..'. + items?: [...{ + // key is the key to project. + key!: string + + // mode is Optional: mode bits used to set permissions on this + // file. + // Must be an octal value between 0000 and 0777 or a decimal value + // between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires + // decimal values for mode bits. + // If not specified, the volume defaultMode will be used. 
+ // This might be in conflict with other options that affect the + // file + // mode, like fsGroup, and the result can be other mode bits set. + mode?: int32 + + // path is the relative path of the file to map the key to. + // May not be an absolute path. + // May not contain the path element '..'. + // May not start with the string '..'. + path!: string + }] + + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + + // optional specify whether the ConfigMap or its keys must be + // defined + optional?: bool + } + + // csi (Container Storage Interface) represents ephemeral storage + // that is handled by certain external CSI drivers. + csi?: { + // driver is the name of the CSI driver that handles this volume. + // Consult with your admin for the correct name as registered in + // the cluster. + driver!: string + + // fsType to mount. Ex. "ext4", "xfs", "ntfs". + // If not provided, the empty value is passed to the associated + // CSI driver + // which will determine the default filesystem to apply. + fsType?: string + nodePublishSecretRef?: { + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + } + + // readOnly specifies a read-only configuration for the volume. + // Defaults to false (read/write). + readOnly?: bool + + // volumeAttributes stores driver-specific properties that are + // passed to the CSI + // driver. Consult your driver's documentation for supported + // values. 
+ volumeAttributes?: close({ + [string]: string + }) + } + + // downwardAPI represents downward API about the pod that should + // populate this volume + downwardAPI?: { + // Optional: mode bits to use on created files by default. Must be + // a + // Optional: mode bits used to set permissions on created files by + // default. + // Must be an octal value between 0000 and 0777 or a decimal value + // between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires + // decimal values for mode bits. + // Defaults to 0644. + // Directories within the path are not affected by this setting. + // This might be in conflict with other options that affect the + // file + // mode, like fsGroup, and the result can be other mode bits set. + defaultMode?: int32 + + // Items is a list of downward API volume file + items?: [...{ + // Required: Selects a field of the pod: only annotations, labels, + // name, namespace and uid are supported. + fieldRef?: { + // Version of the schema the FieldPath is written in terms of, + // defaults to "v1". + apiVersion?: string + + // Path of the field to select in the specified API version. + fieldPath!: string + } + + // Optional: mode bits used to set permissions on this file, must + // be an octal value + // between 0000 and 0777 or a decimal value between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires + // decimal values for mode bits. + // If not specified, the volume defaultMode will be used. + // This might be in conflict with other options that affect the + // file + // mode, like fsGroup, and the result can be other mode bits set. + mode?: int32 + + // Required: Path is the relative path name of the file to be + // created. Must not be absolute or contain the '..' path. Must + // be utf-8 encoded. The first item of the relative path must not + // start with '..' 
+ path!: string + + // Selects a resource of the container: only resources limits and + // requests + // (limits.cpu, limits.memory, requests.cpu and requests.memory) + // are currently supported. + resourceFieldRef?: { + // Container name: required for volumes, optional for env vars + containerName?: string + + // Specifies the output format of the exposed resources, defaults + // to "1" + divisor?: matchN(>=1, [int, string]) & (number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$") + + // Required: resource to select + resource!: string + } + }] + } + + // emptyDir represents a temporary directory that shares a pod's + // lifetime. + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#emptydir + emptyDir?: { + // medium represents what type of storage medium should back this + // directory. + // The default is "" which means to use the node's default medium. + // Must be an empty string (default) or Memory. + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#emptydir + medium?: string + + // sizeLimit is the total amount of local storage required for + // this EmptyDir volume. + // The size limit is also applicable for memory medium. + // The maximum usage on memory medium EmptyDir would be the + // minimum value between + // the SizeLimit specified here and the sum of memory limits of + // all containers in a pod. + // The default is nil which means that the limit is undefined. + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#emptydir + sizeLimit?: matchN(>=1, [int, string]) & (number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$") + } + ephemeral?: { + // Will be used to create a stand-alone PVC to provision the + // volume. + // The pod in which this EphemeralVolumeSource is embedded will be + // the + // owner of the PVC, i.e. 
the PVC will be deleted together with + // the + // pod. The name of the PVC will be `-` + // where + // `` is the name from the `PodSpec.Volumes` array + // entry. Pod validation will reject the pod if the concatenated + // name + // is not valid for a PVC (for example, too long). + // + // An existing PVC with that name that is not owned by the pod + // will *not* be used for the pod to avoid using an unrelated + // volume by mistake. Starting the pod is then blocked until + // the unrelated PVC is removed. If such a pre-created PVC is + // meant to be used by the pod, the PVC has to updated with an + // owner reference to the pod once the pod exists. Normally + // this should not be necessary, but it may be useful when + // manually reconstructing a broken cluster. + // + // This field is read-only and no changes will be made by + // Kubernetes + // to the PVC after it has been created. + // + // Required, must not be nil. + volumeClaimTemplate?: { + // May contain labels and annotations that will be copied into the + // PVC + // when creating it. No other fields are allowed and will be + // rejected during + // validation. + metadata?: {} + + // The specification for the PersistentVolumeClaim. The entire + // content is + // copied unchanged into the PVC that gets created from this + // template. The same fields as in a PersistentVolumeClaim + // are also valid here. + spec!: { + // accessModes contains the desired access modes the volume should + // have. + // More info: + // https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + accessModes?: [...string] + + // dataSource field can be used to specify either: + // * An existing VolumeSnapshot object + // (snapshot.storage.k8s.io/VolumeSnapshot) + // * An existing PVC (PersistentVolumeClaim) + // If the provisioner or an external controller can support the + // specified data source, + // it will create a new volume based on the contents of the + // specified data source. 
+ // When the AnyVolumeDataSource feature gate is enabled, + // dataSource contents will be copied to dataSourceRef, + // and dataSourceRef contents will be copied to dataSource when + // dataSourceRef.namespace is not specified. + // If the namespace is specified, then dataSourceRef will not be + // copied to dataSource. + dataSource?: { + // APIGroup is the group for the resource being referenced. + // If APIGroup is not specified, the specified Kind must be in the + // core API group. + // For any other third-party types, APIGroup is required. + apiGroup?: string + + // Kind is the type of resource being referenced + kind!: string + + // Name is the name of resource being referenced + name!: string + } + + // dataSourceRef specifies the object from which to populate the + // volume with data, if a non-empty + // volume is desired. This may be any object from a non-empty API + // group (non + // core object) or a PersistentVolumeClaim object. + // When this field is specified, volume binding will only succeed + // if the type of + // the specified object matches some installed volume populator or + // dynamic + // provisioner. + // This field will replace the functionality of the dataSource + // field and as such + // if both fields are non-empty, they must have the same value. + // For backwards + // compatibility, when namespace isn't specified in dataSourceRef, + // both fields (dataSource and dataSourceRef) will be set to the + // same + // value automatically if one of them is empty and the other is + // non-empty. + // When namespace is specified in dataSourceRef, + // dataSource isn't set to the same value and must be empty. + // There are three important differences between dataSource and + // dataSourceRef: + // * While dataSource only allows two specific types of objects, + // dataSourceRef + // allows any non-core object, as well as PersistentVolumeClaim + // objects. 
+ // * While dataSource ignores disallowed values (dropping them), + // dataSourceRef + // preserves all values, and generates an error if a disallowed + // value is + // specified. + // * While dataSource only allows local objects, dataSourceRef + // allows objects + // in any namespaces. + // (Beta) Using this field requires the AnyVolumeDataSource + // feature gate to be enabled. + // (Alpha) Using the namespace field of dataSourceRef requires the + // CrossNamespaceVolumeDataSource feature gate to be enabled. + dataSourceRef?: { + // APIGroup is the group for the resource being referenced. + // If APIGroup is not specified, the specified Kind must be in the + // core API group. + // For any other third-party types, APIGroup is required. + apiGroup?: string + + // Kind is the type of resource being referenced + kind!: string + + // Name is the name of resource being referenced + name!: string + + // Namespace is the namespace of resource being referenced + // Note that when a namespace is specified, a + // gateway.networking.k8s.io/ReferenceGrant object is required in + // the referent namespace to allow that namespace's owner to + // accept the reference. See the ReferenceGrant documentation for + // details. + // (Alpha) This field requires the CrossNamespaceVolumeDataSource + // feature gate to be enabled. + namespace?: string + } + + // resources represents the minimum resources the volume should + // have. + // If RecoverVolumeExpansionFailure feature is enabled users are + // allowed to specify resource requirements + // that are lower than previous value but must still be higher + // than capacity recorded in the + // status field of the claim. + // More info: + // https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + resources?: { + // Limits describes the maximum amount of compute resources + // allowed. 
+ // More info: + // https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + limits?: close({ + [string]: matchN(>=1, [int, string]) & (number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$") + }) + + // Requests describes the minimum amount of compute resources + // required. + // If Requests is omitted for a container, it defaults to Limits + // if that is explicitly specified, + // otherwise to an implementation-defined value. Requests cannot + // exceed Limits. + // More info: + // https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + requests?: close({ + [string]: matchN(>=1, [int, string]) & (number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$") + }) + } + + // selector is a label query over volumes to consider for binding. + selector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. 
+ matchLabels?: close({ + [string]: string + }) + } + + // storageClassName is the name of the StorageClass required by + // the claim. + // More info: + // https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + storageClassName?: string + + // volumeAttributesClassName may be used to set the + // VolumeAttributesClass used by this claim. + // If specified, the CSI driver will create or update the volume + // with the attributes defined + // in the corresponding VolumeAttributesClass. This has a + // different purpose than storageClassName, + // it can be changed after the claim is created. An empty string + // value means that no VolumeAttributesClass + // will be applied to the claim but it's not allowed to reset this + // field to empty string once it is set. + // If unspecified and the PersistentVolumeClaim is unbound, the + // default VolumeAttributesClass + // will be set by the persistentvolume controller if it exists. + // If the resource referred to by volumeAttributesClass does not + // exist, this PersistentVolumeClaim will be + // set to a Pending state, as reflected by the modifyVolumeStatus + // field, until such as a resource + // exists. + // More info: + // https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ + // (Beta) Using this field requires the VolumeAttributesClass + // feature gate to be enabled (off by default). + volumeAttributesClassName?: string + + // volumeMode defines what type of volume is required by the + // claim. + // Value of Filesystem is implied when not included in claim spec. + volumeMode?: string + + // volumeName is the binding reference to the PersistentVolume + // backing this claim. + volumeName?: string + } + } + } + + // fc represents a Fibre Channel resource that is attached to a + // kubelet's host machine and then exposed to the pod. + fc?: { + // fsType is the filesystem type to mount. + // Must be a filesystem type supported by the host operating + // system. + // Ex. 
"ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if + // unspecified. + fsType?: string + + // lun is Optional: FC target lun number + lun?: int32 + + // readOnly is Optional: Defaults to false (read/write). ReadOnly + // here will force + // the ReadOnly setting in VolumeMounts. + readOnly?: bool + + // targetWWNs is Optional: FC target worldwide names (WWNs) + targetWWNs?: [...string] + + // wwids Optional: FC volume world wide identifiers (wwids) + // Either wwids or combination of targetWWNs and lun must be set, + // but not both simultaneously. + wwids?: [...string] + } + + // flexVolume represents a generic volume resource that is + // provisioned/attached using an exec based plugin. + // Deprecated: FlexVolume is deprecated. Consider using a + // CSIDriver instead. + flexVolume?: { + // driver is the name of the driver to use for this volume. + driver!: string + + // fsType is the filesystem type to mount. + // Must be a filesystem type supported by the host operating + // system. + // Ex. "ext4", "xfs", "ntfs". The default filesystem depends on + // FlexVolume script. + fsType?: string + + // options is Optional: this field holds extra command options if + // any. + options?: close({ + [string]: string + }) + + // readOnly is Optional: defaults to false (read/write). ReadOnly + // here will force + // the ReadOnly setting in VolumeMounts. + readOnly?: bool + secretRef?: { + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + } + } + + // flocker represents a Flocker volume attached to a kubelet's + // host machine. This depends on the Flocker control service + // being running. 
+ // Deprecated: Flocker is deprecated and the in-tree flocker type + // is no longer supported. + flocker?: { + // datasetName is Name of the dataset stored as metadata -> name + // on the dataset for Flocker + // should be considered as deprecated + datasetName?: string + + // datasetUUID is the UUID of the dataset. This is unique + // identifier of a Flocker dataset + datasetUUID?: string + } + + // gcePersistentDisk represents a GCE Disk resource that is + // attached to a + // kubelet's host machine and then exposed to the pod. + // Deprecated: GCEPersistentDisk is deprecated. All operations for + // the in-tree + // gcePersistentDisk type are redirected to the + // pd.csi.storage.gke.io CSI driver. + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + gcePersistentDisk?: { + // fsType is filesystem type of the volume that you want to mount. + // Tip: Ensure that the filesystem type is supported by the host + // operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be + // "ext4" if unspecified. + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + fsType?: string + + // partition is the partition in the volume that you want to + // mount. + // If omitted, the default is to mount by volume name. + // Examples: For volume /dev/sda1, you specify the partition as + // "1". + // Similarly, the volume partition for /dev/sda is "0" (or you can + // leave the property empty). + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + partition?: int32 + + // pdName is unique name of the PD resource in GCE. Used to + // identify the disk in GCE. + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + pdName!: string + + // readOnly here will force the ReadOnly setting in VolumeMounts. + // Defaults to false. 
+ // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + readOnly?: bool + } + + // gitRepo represents a git repository at a particular revision. + // Deprecated: GitRepo is deprecated. To provision a container + // with a git repo, mount an + // EmptyDir into an InitContainer that clones the repo using git, + // then mount the EmptyDir + // into the Pod's container. + gitRepo?: { + // directory is the target directory name. + // Must not contain or start with '..'. If '.' is supplied, the + // volume directory will be the + // git repository. Otherwise, if specified, the volume will + // contain the git repository in + // the subdirectory with the given name. + directory?: string + + // repository is the URL + repository!: string + + // revision is the commit hash for the specified revision. + revision?: string + } + + // glusterfs represents a Glusterfs mount on the host that shares + // a pod's lifetime. + // Deprecated: Glusterfs is deprecated and the in-tree glusterfs + // type is no longer supported. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md + glusterfs?: { + // endpoints is the endpoint name that details Glusterfs topology. + // More info: + // https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + endpoints!: string + + // path is the Glusterfs volume path. + // More info: + // https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + path!: string + + // readOnly here will force the Glusterfs volume to be mounted + // with read-only permissions. + // Defaults to false. + // More info: + // https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + readOnly?: bool + } + + // hostPath represents a pre-existing file or directory on the + // host + // machine that is directly exposed to the container. This is + // generally + // used for system agents or other privileged things that are + // allowed + // to see the host machine. Most containers will NOT need this. 
+ // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#hostpath + hostPath?: { + // path of the directory on the host. + // If the path is a symlink, it will follow the link to the real + // path. + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#hostpath + path!: string + + // type for HostPath Volume + // Defaults to "" + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type?: string + } + + // image represents an OCI object (a container image or artifact) + // pulled and mounted on the kubelet's host machine. + // The volume is resolved at pod startup depending on which + // PullPolicy value is provided: + // + // - Always: the kubelet always attempts to pull the reference. + // Container creation will fail If the pull fails. + // - Never: the kubelet never pulls the reference and only uses a + // local image or artifact. Container creation will fail if the + // reference isn't present. + // - IfNotPresent: the kubelet pulls if the reference isn't + // already present on disk. Container creation will fail if the + // reference isn't present and the pull fails. + // + // The volume gets re-resolved if the pod gets deleted and + // recreated, which means that new remote content will become + // available on pod recreation. + // A failure to resolve or pull the image during pod startup will + // block containers from starting and may add significant + // latency. Failures will be retried using normal volume backoff + // and will be reported on the pod reason and message. + // The types of objects that may be mounted by this volume are + // defined by the container runtime implementation on a host + // machine and at minimum must include all valid types supported + // by the container image field. + // The OCI object gets mounted in a single directory + // (spec.containers[*].volumeMounts.mountPath) by merging the + // manifest layers in the same way as for container images. 
+ // The volume will be mounted read-only (ro) and non-executable + // files (noexec). + // Sub path mounts for containers are not supported + // (spec.containers[*].volumeMounts.subpath). + // The field spec.securityContext.fsGroupChangePolicy has no + // effect on this volume type. + image?: { + // Policy for pulling OCI objects. Possible values are: + // Always: the kubelet always attempts to pull the reference. + // Container creation will fail If the pull fails. + // Never: the kubelet never pulls the reference and only uses a + // local image or artifact. Container creation will fail if the + // reference isn't present. + // IfNotPresent: the kubelet pulls if the reference isn't already + // present on disk. Container creation will fail if the reference + // isn't present and the pull fails. + // Defaults to Always if :latest tag is specified, or IfNotPresent + // otherwise. + pullPolicy?: string + + // Required: Image or artifact reference to be used. + // Behaves in the same way as pod.spec.containers[*].image. + // Pull secrets will be assembled in the same way as for the + // container image by looking up node credentials, SA image pull + // secrets, and pod spec image pull secrets. + // More info: + // https://kubernetes.io/docs/concepts/containers/images + // This field is optional to allow higher level config management + // to default or override + // container images in workload controllers like Deployments and + // StatefulSets. + reference?: string + } + + // iscsi represents an ISCSI Disk resource that is attached to a + // kubelet's host machine and then exposed to the pod. 
+ // More info: https://examples.k8s.io/volumes/iscsi/README.md + iscsi?: { + // chapAuthDiscovery defines whether support iSCSI Discovery CHAP + // authentication + chapAuthDiscovery?: bool + + // chapAuthSession defines whether support iSCSI Session CHAP + // authentication + chapAuthSession?: bool + + // fsType is the filesystem type of the volume that you want to + // mount. + // Tip: Ensure that the filesystem type is supported by the host + // operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be + // "ext4" if unspecified. + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#iscsi + fsType?: string + + // initiatorName is the custom iSCSI Initiator Name. + // If initiatorName is specified with iscsiInterface + // simultaneously, new iSCSI interface + // : will be created for the + // connection. + initiatorName?: string + + // iqn is the target iSCSI Qualified Name. + iqn!: string + + // iscsiInterface is the interface Name that uses an iSCSI + // transport. + // Defaults to 'default' (tcp). + iscsiInterface?: string | *"default" + + // lun represents iSCSI Target Lun number. + lun!: int32 + + // portals is the iSCSI Target Portal List. The portal is either + // an IP or ip_addr:port if the port + // is other than default (typically TCP ports 860 and 3260). + portals?: [...string] + + // readOnly here will force the ReadOnly setting in VolumeMounts. + // Defaults to false. + readOnly?: bool + secretRef?: { + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + } + + // targetPortal is iSCSI Target Portal. 
The Portal is either an IP + // or ip_addr:port if the port + // is other than default (typically TCP ports 860 and 3260). + targetPortal!: string + } + + // name of the volume. + // Must be a DNS_LABEL and unique within the pod. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + + // nfs represents an NFS mount on the host that shares a pod's + // lifetime + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#nfs + nfs?: { + // path that is exported by the NFS server. + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#nfs + path!: string + + // readOnly here will force the NFS export to be mounted with + // read-only permissions. + // Defaults to false. + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#nfs + readOnly?: bool + + // server is the hostname or IP address of the NFS server. + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#nfs + server!: string + } + + // persistentVolumeClaimVolumeSource represents a reference to a + // PersistentVolumeClaim in the same namespace. + // More info: + // https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + persistentVolumeClaim?: { + // claimName is the name of a PersistentVolumeClaim in the same + // namespace as the pod using this volume. + // More info: + // https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + claimName!: string + + // readOnly Will force the ReadOnly setting in VolumeMounts. + // Default false. + readOnly?: bool + } + + // photonPersistentDisk represents a PhotonController persistent + // disk attached and mounted on kubelets host machine. + // Deprecated: PhotonPersistentDisk is deprecated and the in-tree + // photonPersistentDisk type is no longer supported. + photonPersistentDisk?: { + // fsType is the filesystem type to mount. 
+ // Must be a filesystem type supported by the host operating + // system. + // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if + // unspecified. + fsType?: string + + // pdID is the ID that identifies Photon Controller persistent + // disk + pdID!: string + } + + // portworxVolume represents a portworx volume attached and + // mounted on kubelets host machine. + // Deprecated: PortworxVolume is deprecated. All operations for + // the in-tree portworxVolume type + // are redirected to the pxd.portworx.com CSI driver when the + // CSIMigrationPortworx feature-gate + // is on. + portworxVolume?: { + // fSType represents the filesystem type to mount + // Must be a filesystem type supported by the host operating + // system. + // Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if + // unspecified. + fsType?: string + + // readOnly defaults to false (read/write). ReadOnly here will + // force + // the ReadOnly setting in VolumeMounts. + readOnly?: bool + + // volumeID uniquely identifies a Portworx volume + volumeID!: string + } + + // projected items for all in one resources secrets, configmaps, + // and downward API + projected?: { + // defaultMode are the mode bits used to set permissions on + // created files by default. + // Must be an octal value between 0000 and 0777 or a decimal value + // between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires + // decimal values for mode bits. + // Directories within the path are not affected by this setting. + // This might be in conflict with other options that affect the + // file + // mode, like fsGroup, and the result can be other mode bits set. + defaultMode?: int32 + + // sources is the list of volume projections. Each entry in this + // list + // handles one source. + sources?: [...{ + // ClusterTrustBundle allows a pod to access the + // `.spec.trustBundle` field + // of ClusterTrustBundle objects in an auto-updating file. 
+ // + // Alpha, gated by the ClusterTrustBundleProjection feature gate. + // + // ClusterTrustBundle objects can either be selected by name, or + // by the + // combination of signer name and a label selector. + // + // Kubelet performs aggressive normalization of the PEM contents + // written + // into the pod filesystem. Esoteric PEM features such as + // inter-block + // comments and block headers are stripped. Certificates are + // deduplicated. + // The ordering of certificates within the file is arbitrary, and + // Kubelet + // may change the order over time. + clusterTrustBundle?: { + // Select all ClusterTrustBundles that match this label selector. + // Only has + // effect if signerName is set. Mutually-exclusive with name. If + // unset, + // interpreted as "match nothing". If set but empty, interpreted + // as "match + // everything". + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // Select a single ClusterTrustBundle by object name. + // Mutually-exclusive + // with signerName and labelSelector. 
+ name?: string + + // If true, don't block pod startup if the referenced + // ClusterTrustBundle(s) + // aren't available. If using name, then the named + // ClusterTrustBundle is + // allowed not to exist. If using signerName, then the combination + // of + // signerName and labelSelector is allowed to match zero + // ClusterTrustBundles. + optional?: bool + + // Relative path from the volume root to write the bundle. + path!: string + + // Select all ClusterTrustBundles that match this signer name. + // Mutually-exclusive with name. The contents of all selected + // ClusterTrustBundles will be unified and deduplicated. + signerName?: string + } + + // configMap information about the configMap data to project + configMap?: { + // items if unspecified, each key-value pair in the Data field of + // the referenced + // ConfigMap will be projected into the volume as a file whose + // name is the + // key and content is the value. If specified, the listed keys + // will be + // projected into the specified paths, and unlisted keys will not + // be + // present. If a key is specified which is not present in the + // ConfigMap, + // the volume setup will error unless it is marked optional. Paths + // must be + // relative and may not contain the '..' path or start with '..'. + items?: [...{ + // key is the key to project. + key!: string + + // mode is Optional: mode bits used to set permissions on this + // file. + // Must be an octal value between 0000 and 0777 or a decimal value + // between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires + // decimal values for mode bits. + // If not specified, the volume defaultMode will be used. + // This might be in conflict with other options that affect the + // file + // mode, like fsGroup, and the result can be other mode bits set. + mode?: int32 + + // path is the relative path of the file to map the key to. + // May not be an absolute path. + // May not contain the path element '..'. 
+ // May not start with the string '..'. + path!: string + }] + + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + + // optional specify whether the ConfigMap or its keys must be + // defined + optional?: bool + } + downwardAPI?: { + // Items is a list of DownwardAPIVolume file + items?: [...{ + // Required: Selects a field of the pod: only annotations, labels, + // name, namespace and uid are supported. + fieldRef?: { + // Version of the schema the FieldPath is written in terms of, + // defaults to "v1". + apiVersion?: string + + // Path of the field to select in the specified API version. + fieldPath!: string + } + + // Optional: mode bits used to set permissions on this file, must + // be an octal value + // between 0000 and 0777 or a decimal value between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires + // decimal values for mode bits. + // If not specified, the volume defaultMode will be used. + // This might be in conflict with other options that affect the + // file + // mode, like fsGroup, and the result can be other mode bits set. + mode?: int32 + + // Required: Path is the relative path name of the file to be + // created. Must not be absolute or contain the '..' path. Must + // be utf-8 encoded. The first item of the relative path must not + // start with '..' + path!: string + + // Selects a resource of the container: only resources limits and + // requests + // (limits.cpu, limits.memory, requests.cpu and requests.memory) + // are currently supported. 
+ resourceFieldRef?: { + // Container name: required for volumes, optional for env vars + containerName?: string + + // Specifies the output format of the exposed resources, defaults + // to "1" + divisor?: matchN(>=1, [int, string]) & (number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$") + + // Required: resource to select + resource!: string + } + }] + } + + // secret information about the secret data to project + secret?: { + // items if unspecified, each key-value pair in the Data field of + // the referenced + // Secret will be projected into the volume as a file whose name + // is the + // key and content is the value. If specified, the listed keys + // will be + // projected into the specified paths, and unlisted keys will not + // be + // present. If a key is specified which is not present in the + // Secret, + // the volume setup will error unless it is marked optional. Paths + // must be + // relative and may not contain the '..' path or start with '..'. + items?: [...{ + // key is the key to project. + key!: string + + // mode is Optional: mode bits used to set permissions on this + // file. + // Must be an octal value between 0000 and 0777 or a decimal value + // between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires + // decimal values for mode bits. + // If not specified, the volume defaultMode will be used. + // This might be in conflict with other options that affect the + // file + // mode, like fsGroup, and the result can be other mode bits set. + mode?: int32 + + // path is the relative path of the file to map the key to. + // May not be an absolute path. + // May not contain the path element '..'. + // May not start with the string '..'. + path!: string + }] + + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. 
Instances of this type with an empty value + // here are + // almost certainly wrong. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + + // optional field specify whether the Secret or its key must be + // defined + optional?: bool + } + + // serviceAccountToken is information about the + // serviceAccountToken data to project + serviceAccountToken?: { + // audience is the intended audience of the token. A recipient of + // a token + // must identify itself with an identifier specified in the + // audience of the + // token, and otherwise should reject the token. The audience + // defaults to the + // identifier of the apiserver. + audience?: string + + // expirationSeconds is the requested duration of validity of the + // service + // account token. As the token approaches expiration, the kubelet + // volume + // plugin will proactively rotate the service account token. The + // kubelet will + // start trying to rotate the token if the token is older than 80 + // percent of + // its time to live or if the token is older than 24 + // hours.Defaults to 1 hour + // and must be at least 10 minutes. + expirationSeconds?: int64 + + // path is the path relative to the mount point of the file to + // project the + // token into. + path!: string + } + }] + } + + // quobyte represents a Quobyte mount on the host that shares a + // pod's lifetime. + // Deprecated: Quobyte is deprecated and the in-tree quobyte type + // is no longer supported. + quobyte?: { + // group to map volume access to + // Default is no group + group?: string + + // readOnly here will force the Quobyte volume to be mounted with + // read-only permissions. + // Defaults to false. 
+ readOnly?: bool + + // registry represents a single or multiple Quobyte Registry + // services + // specified as a string as host:port pair (multiple entries are + // separated with commas) + // which acts as the central registry for volumes + registry!: string + + // tenant owning the given Quobyte volume in the Backend + // Used with dynamically provisioned Quobyte volumes, value is set + // by the plugin + tenant?: string + + // user to map volume access to + // Defaults to serivceaccount user + user?: string + + // volume is a string that references an already created Quobyte + // volume by name. + volume!: string + } + + // rbd represents a Rados Block Device mount on the host that + // shares a pod's lifetime. + // Deprecated: RBD is deprecated and the in-tree rbd type is no + // longer supported. + // More info: https://examples.k8s.io/volumes/rbd/README.md + rbd?: { + // fsType is the filesystem type of the volume that you want to + // mount. + // Tip: Ensure that the filesystem type is supported by the host + // operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be + // "ext4" if unspecified. + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#rbd + fsType?: string + + // image is the rados image name. + // More info: + // https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + image!: string + + // keyring is the path to key ring for RBDUser. + // Default is /etc/ceph/keyring. + // More info: + // https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + keyring?: string | *"/etc/ceph/keyring" + + // monitors is a collection of Ceph monitors. + // More info: + // https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + monitors!: [...string] + + // pool is the rados pool name. + // Default is rbd. + // More info: + // https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + pool?: string | *"rbd" + + // readOnly here will force the ReadOnly setting in VolumeMounts. 
+ // Defaults to false. + // More info: + // https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + readOnly?: bool + secretRef?: { + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + } + + // user is the rados user name. + // Default is admin. + // More info: + // https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + user?: string | *"admin" + } + + // scaleIO represents a ScaleIO persistent volume attached and + // mounted on Kubernetes nodes. + // Deprecated: ScaleIO is deprecated and the in-tree scaleIO type + // is no longer supported. + scaleIO?: { + // fsType is the filesystem type to mount. + // Must be a filesystem type supported by the host operating + // system. + // Ex. "ext4", "xfs", "ntfs". + // Default is "xfs". + fsType?: string | *"xfs" + + // gateway is the host address of the ScaleIO API Gateway. + gateway!: string + + // protectionDomain is the name of the ScaleIO Protection Domain + // for the configured storage. + protectionDomain?: string + + // readOnly Defaults to false (read/write). ReadOnly here will + // force + // the ReadOnly setting in VolumeMounts. + readOnly?: bool + secretRef!: { + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. 
+ // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + } + + // sslEnabled Flag enable/disable SSL communication with Gateway, + // default false + sslEnabled?: bool + + // storageMode indicates whether the storage for a volume should + // be ThickProvisioned or ThinProvisioned. + // Default is ThinProvisioned. + storageMode?: string | *"ThinProvisioned" + + // storagePool is the ScaleIO Storage Pool associated with the + // protection domain. + storagePool?: string + + // system is the name of the storage system as configured in + // ScaleIO. + system!: string + + // volumeName is the name of a volume already created in the + // ScaleIO system + // that is associated with this volume source. + volumeName?: string + } + + // secret represents a secret that should populate this volume. + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#secret + secret?: { + // defaultMode is Optional: mode bits used to set permissions on + // created files by default. + // Must be an octal value between 0000 and 0777 or a decimal value + // between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires + // decimal values + // for mode bits. Defaults to 0644. + // Directories within the path are not affected by this setting. + // This might be in conflict with other options that affect the + // file + // mode, like fsGroup, and the result can be other mode bits set. + defaultMode?: int32 + + // items If unspecified, each key-value pair in the Data field of + // the referenced + // Secret will be projected into the volume as a file whose name + // is the + // key and content is the value. If specified, the listed keys + // will be + // projected into the specified paths, and unlisted keys will not + // be + // present. If a key is specified which is not present in the + // Secret, + // the volume setup will error unless it is marked optional. 
Paths + // must be + // relative and may not contain the '..' path or start with '..'. + items?: [...{ + // key is the key to project. + key!: string + + // mode is Optional: mode bits used to set permissions on this + // file. + // Must be an octal value between 0000 and 0777 or a decimal value + // between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires + // decimal values for mode bits. + // If not specified, the volume defaultMode will be used. + // This might be in conflict with other options that affect the + // file + // mode, like fsGroup, and the result can be other mode bits set. + mode?: int32 + + // path is the relative path of the file to map the key to. + // May not be an absolute path. + // May not contain the path element '..'. + // May not start with the string '..'. + path!: string + }] + + // optional field specify whether the Secret or its keys must be + // defined + optional?: bool + + // secretName is the name of the secret in the pod's namespace to + // use. + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#secret + secretName?: string + } + + // storageOS represents a StorageOS volume attached and mounted on + // Kubernetes nodes. + // Deprecated: StorageOS is deprecated and the in-tree storageos + // type is no longer supported. + storageos?: { + // fsType is the filesystem type to mount. + // Must be a filesystem type supported by the host operating + // system. + // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if + // unspecified. + fsType?: string + + // readOnly defaults to false (read/write). ReadOnly here will + // force + // the ReadOnly setting in VolumeMounts. + readOnly?: bool + secretRef?: { + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. 
+ // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + } + + // volumeName is the human-readable name of the StorageOS volume. + // Volume + // names are only unique within a namespace. + volumeName?: string + + // volumeNamespace specifies the scope of the volume within + // StorageOS. If no + // namespace is specified then the Pod's namespace will be used. + // This allows the + // Kubernetes name scoping to be mirrored within StorageOS for + // tighter integration. + // Set VolumeName to any name to override the default behaviour. + // Set to "default" if you are not using namespaces within + // StorageOS. + // Namespaces that do not pre-exist within StorageOS will be + // created. + volumeNamespace?: string + } + + // vsphereVolume represents a vSphere volume attached and mounted + // on kubelets host machine. + // Deprecated: VsphereVolume is deprecated. All operations for the + // in-tree vsphereVolume type + // are redirected to the csi.vsphere.vmware.com CSI driver. + vsphereVolume?: { + // fsType is filesystem type to mount. + // Must be a filesystem type supported by the host operating + // system. + // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if + // unspecified. + fsType?: string + + // storagePolicyID is the storage Policy Based Management (SPBM) + // profile ID associated with the StoragePolicyName. + storagePolicyID?: string + + // storagePolicyName is the storage Policy Based Management (SPBM) + // profile name. + storagePolicyName?: string + + // volumePath is the path that identifies vSphere volume vmdk + volumePath!: string + } + }] + } + + // The daemonset strategy to use to replace existing pods with new + // ones. + strategy?: { + // Rolling update config params. Present only if type = + // "RollingUpdate". 
+ rollingUpdate?: { + // The maximum number of nodes with an existing available + // DaemonSet pod that + // can have an updated DaemonSet pod during during an update. + // Value can be an absolute number (ex: 5) or a percentage of + // desired pods (ex: 10%). + // This can not be 0 if MaxUnavailable is 0. + // Absolute number is calculated from percentage by rounding up to + // a minimum of 1. + // Default value is 0. + // Example: when this is set to 30%, at most 30% of the total + // number of nodes + // that should be running the daemon pod (i.e. + // status.desiredNumberScheduled) + // can have their a new pod created before the old pod is marked + // as deleted. + // The update starts by launching new pods on 30% of nodes. Once + // an updated + // pod is available (Ready for at least minReadySeconds) the old + // DaemonSet pod + // on that node is marked deleted. If the old pod becomes + // unavailable for any + // reason (Ready transitions to false, is evicted, or is drained) + // an updated + // pod is immediatedly created on that node without considering + // surge limits. + // Allowing surge implies the possibility that the resources + // consumed by the + // daemonset on any given node can double if the readiness check + // fails, and + // so resource intensive daemonsets should take into account that + // they may + // cause evictions during disruption. + maxSurge?: matchN(>=1, [int, string]) + + // The maximum number of DaemonSet pods that can be unavailable + // during the + // update. Value can be an absolute number (ex: 5) or a percentage + // of total + // number of DaemonSet pods at the start of the update (ex: 10%). + // Absolute + // number is calculated from percentage by rounding up. + // This cannot be 0 if MaxSurge is 0 + // Default value is 1. + // Example: when this is set to 30%, at most 30% of the total + // number of nodes + // that should be running the daemon pod (i.e. 
+ // status.desiredNumberScheduled) + // can have their pods stopped for an update at any given time. + // The update + // starts by stopping at most 30% of those DaemonSet pods and then + // brings + // up new DaemonSet pods in their place. Once the new pods are + // available, + // it then proceeds onto other DaemonSet pods, thus ensuring that + // at least + // 70% of original number of DaemonSet pods are available at all + // times during + // the update. + maxUnavailable?: matchN(>=1, [int, string]) + } + + // Type of daemon set update. Can be "RollingUpdate" or + // "OnDelete". Default is RollingUpdate. + type?: string + } + } + + // EnvoyDeployment defines the desired state of the Envoy + // deployment resource. + // If unspecified, default settings for the managed Envoy + // deployment resource + // are applied. + envoyDeployment?: { + // Container defines the desired specification of main container. + container?: { + // List of environment variables to set in the container. + env?: [...{ + // Name of the environment variable. Must be a C_IDENTIFIER. + name!: string + + // Variable references $(VAR_NAME) are expanded + // using the previously defined environment variables in the + // container and + // any service environment variables. If a variable cannot be + // resolved, + // the reference in the input string will be unchanged. Double $$ + // are reduced + // to a single $, which allows for escaping the $(VAR_NAME) + // syntax: i.e. + // "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + // Escaped references will never be expanded, regardless of + // whether the variable + // exists or not. + // Defaults to "". + value?: string + + // Source for the environment variable's value. Cannot be used if + // value is not empty. + valueFrom?: { + // Selects a key of a ConfigMap. + configMapKeyRef?: { + // The key to select. + key!: string + + // Name of the referent. 
+ // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + + // Specify whether the ConfigMap or its key must be defined + optional?: bool + } + + // Selects a field of the pod: supports metadata.name, + // metadata.namespace, `metadata.labels['']`, + // `metadata.annotations['']`, + // spec.nodeName, spec.serviceAccountName, status.hostIP, + // status.podIP, status.podIPs. + fieldRef?: { + // Version of the schema the FieldPath is written in terms of, + // defaults to "v1". + apiVersion?: string + + // Path of the field to select in the specified API version. + fieldPath!: string + } + + // Selects a resource of the container: only resources limits and + // requests + // (limits.cpu, limits.memory, limits.ephemeral-storage, + // requests.cpu, requests.memory and requests.ephemeral-storage) + // are currently supported. + resourceFieldRef?: { + // Container name: required for volumes, optional for env vars + containerName?: string + + // Specifies the output format of the exposed resources, defaults + // to "1" + divisor?: matchN(>=1, [int, string]) & (number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$") + + // Required: resource to select + resource!: string + } + + // Selects a key of a secret in the pod's namespace + secretKeyRef?: { + // The key of the secret to select from. Must be a valid secret + // key. + key!: string + + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. 
+ // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + + // Specify whether the Secret or its key must be defined + optional?: bool + } + } + }] + + // Image specifies the EnvoyProxy container image to be used, + // instead of the default image. + image?: string + + // Resources required by this container. + // More info: + // https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources?: { + // Claims lists the names of resources, defined in + // spec.resourceClaims, + // that are used by this container. + // + // This is an alpha field and requires enabling the + // DynamicResourceAllocation feature gate. + // + // This field is immutable. It can only be set for containers. + claims?: [...{ + // Name must match the name of one entry in + // pod.spec.resourceClaims of + // the Pod where this field is used. It makes that resource + // available + // inside a container. + name!: string + + // Request is the name chosen for a request in the referenced + // claim. + // If empty, everything from the claim is made available, + // otherwise + // only the result of this request. + request?: string + }] + + // Limits describes the maximum amount of compute resources + // allowed. + // More info: + // https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + limits?: close({ + [string]: matchN(>=1, [int, string]) & (number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$") + }) + + // Requests describes the minimum amount of compute resources + // required. + // If Requests is omitted for a container, it defaults to Limits + // if that is explicitly specified, + // otherwise to an implementation-defined value. Requests cannot + // exceed Limits. 
+ // More info: + // https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + requests?: close({ + [string]: matchN(>=1, [int, string]) & (number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$") + }) + } + + // SecurityContext defines the security options the container + // should be run with. + // If set, the fields of SecurityContext override the equivalent + // fields of PodSecurityContext. + // More info: + // https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + securityContext?: { + // AllowPrivilegeEscalation controls whether a process can gain + // more + // privileges than its parent process. This bool directly controls + // if + // the no_new_privs flag will be set on the container process. + // AllowPrivilegeEscalation is true always when the container is: + // 1) run as Privileged + // 2) has CAP_SYS_ADMIN + // Note that this field cannot be set when spec.os.name is + // windows. + allowPrivilegeEscalation?: bool + + // appArmorProfile is the AppArmor options to use by this + // container. If set, this profile + // overrides the pod's appArmorProfile. + // Note that this field cannot be set when spec.os.name is + // windows. + appArmorProfile?: { + // localhostProfile indicates a profile loaded on the node that + // should be used. + // The profile must be preconfigured on the node to work. + // Must match the loaded name of the profile. + // Must be set if and only if type is "Localhost". + localhostProfile?: string + + // type indicates which kind of AppArmor profile will be applied. + // Valid options are: + // Localhost - a profile pre-loaded on the node. + // RuntimeDefault - the container runtime's default profile. + // Unconfined - no AppArmor enforcement. + type!: string + } + + // The capabilities to add/drop when running containers. + // Defaults to the default set of capabilities granted by the + // container runtime. 
+ // Note that this field cannot be set when spec.os.name is + // windows. + capabilities?: { + // Added capabilities + add?: [...string] + + // Removed capabilities + drop?: [...string] + } + + // Run container in privileged mode. + // Processes in privileged containers are essentially equivalent + // to root on the host. + // Defaults to false. + // Note that this field cannot be set when spec.os.name is + // windows. + privileged?: bool + + // procMount denotes the type of proc mount to use for the + // containers. + // The default value is Default which uses the container runtime + // defaults for + // readonly paths and masked paths. + // This requires the ProcMountType feature flag to be enabled. + // Note that this field cannot be set when spec.os.name is + // windows. + procMount?: string + + // Whether this container has a read-only root filesystem. + // Default is false. + // Note that this field cannot be set when spec.os.name is + // windows. + readOnlyRootFilesystem?: bool + + // The GID to run the entrypoint of the container process. + // Uses runtime default if unset. + // May also be set in PodSecurityContext. If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence. + // Note that this field cannot be set when spec.os.name is + // windows. + runAsGroup?: int64 + + // Indicates that the container must run as a non-root user. + // If true, the Kubelet will validate the image at runtime to + // ensure that it + // does not run as UID 0 (root) and fail to start the container if + // it does. + // If unset or false, no such validation will be performed. + // May also be set in PodSecurityContext. If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence. + runAsNonRoot?: bool + + // The UID to run the entrypoint of the container process. + // Defaults to user specified in image metadata if unspecified. 
+ // May also be set in PodSecurityContext. If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence. + // Note that this field cannot be set when spec.os.name is + // windows. + runAsUser?: int64 + + // The SELinux context to be applied to the container. + // If unspecified, the container runtime will allocate a random + // SELinux context for each + // container. May also be set in PodSecurityContext. If set in + // both SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence. + // Note that this field cannot be set when spec.os.name is + // windows. + seLinuxOptions?: { + // Level is SELinux level label that applies to the container. + level?: string + + // Role is a SELinux role label that applies to the container. + role?: string + + // Type is a SELinux type label that applies to the container. + type?: string + + // User is a SELinux user label that applies to the container. + user?: string + } + + // The seccomp options to use by this container. If seccomp + // options are + // provided at both the pod & container level, the container + // options + // override the pod options. + // Note that this field cannot be set when spec.os.name is + // windows. + seccompProfile?: { + // localhostProfile indicates a profile defined in a file on the + // node should be used. + // The profile must be preconfigured on the node to work. + // Must be a descending path, relative to the kubelet's configured + // seccomp profile location. + // Must be set if type is "Localhost". Must NOT be set for any + // other type. + localhostProfile?: string + + // type indicates which kind of seccomp profile will be applied. + // Valid options are: + // + // Localhost - a profile defined in a file on the node should be + // used. + // RuntimeDefault - the container runtime default profile should + // be used. + // Unconfined - no profile should be applied. 
+ type!: string + } + + // The Windows specific settings applied to all containers. + // If unspecified, the options from the PodSecurityContext will be + // used. + // If set in both SecurityContext and PodSecurityContext, the + // value specified in SecurityContext takes precedence. + // Note that this field cannot be set when spec.os.name is linux. + windowsOptions?: { + // GMSACredentialSpec is where the GMSA admission webhook + // (https://github.com/kubernetes-sigs/windows-gmsa) inlines the + // contents of the + // GMSA credential spec named by the GMSACredentialSpecName field. + gmsaCredentialSpec?: string + + // GMSACredentialSpecName is the name of the GMSA credential spec + // to use. + gmsaCredentialSpecName?: string + + // HostProcess determines if a container should be run as a 'Host + // Process' container. + // All of a Pod's containers must have the same effective + // HostProcess value + // (it is not allowed to have a mix of HostProcess containers and + // non-HostProcess containers). + // In addition, if HostProcess is true then HostNetwork must also + // be set to true. + hostProcess?: bool + + // The UserName in Windows to run the entrypoint of the container + // process. + // Defaults to the user specified in image metadata if + // unspecified. + // May also be set in PodSecurityContext. If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence. + runAsUserName?: string + } + } + + // VolumeMounts are volumes to mount into the container's + // filesystem. + // Cannot be updated. + volumeMounts?: [...{ + // Path within the container at which the volume should be + // mounted. Must + // not contain ':'. + mountPath!: string + + // mountPropagation determines how mounts are propagated from the + // host + // to container and the other way around. + // When not set, MountPropagationNone is used. + // This field is beta in 1.10. 
+ // When RecursiveReadOnly is set to IfPossible or to Enabled, + // MountPropagation must be None or unspecified + // (which defaults to None). + mountPropagation?: string + + // This must match the Name of a Volume. + name!: string + + // Mounted read-only if true, read-write otherwise (false or + // unspecified). + // Defaults to false. + readOnly?: bool + + // RecursiveReadOnly specifies whether read-only mounts should be + // handled + // recursively. + // + // If ReadOnly is false, this field has no meaning and must be + // unspecified. + // + // If ReadOnly is true, and this field is set to Disabled, the + // mount is not made + // recursively read-only. If this field is set to IfPossible, the + // mount is made + // recursively read-only, if it is supported by the container + // runtime. If this + // field is set to Enabled, the mount is made recursively + // read-only if it is + // supported by the container runtime, otherwise the pod will not + // be started and + // an error will be generated to indicate the reason. + // + // If this field is set to IfPossible or Enabled, MountPropagation + // must be set to + // None (or be unspecified, which defaults to None). + // + // If this field is not specified, it is treated as an equivalent + // of Disabled. + recursiveReadOnly?: string + + // Path within the volume from which the container's volume should + // be mounted. + // Defaults to "" (volume's root). + subPath?: string + + // Expanded path within the volume from which the container's + // volume should be mounted. + // Behaves similarly to SubPath but environment variable + // references $(VAR_NAME) are expanded using the container's + // environment. + // Defaults to "" (volume's root). + // SubPathExpr and SubPath are mutually exclusive. + subPathExpr?: string + }] + } + + // List of initialization containers belonging to the pod. 
+ // More info: + // https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + initContainers?: [...{ + // Arguments to the entrypoint. + // The container image's CMD is used if this is not provided. + // Variable references $(VAR_NAME) are expanded using the + // container's environment. If a variable + // cannot be resolved, the reference in the input string will be + // unchanged. Double $$ are reduced + // to a single $, which allows for escaping the $(VAR_NAME) + // syntax: i.e. "$$(VAR_NAME)" will + // produce the string literal "$(VAR_NAME)". Escaped references + // will never be expanded, regardless + // of whether the variable exists or not. Cannot be updated. + // More info: + // https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + args?: [...string] + + // Entrypoint array. Not executed within a shell. + // The container image's ENTRYPOINT is used if this is not + // provided. + // Variable references $(VAR_NAME) are expanded using the + // container's environment. If a variable + // cannot be resolved, the reference in the input string will be + // unchanged. Double $$ are reduced + // to a single $, which allows for escaping the $(VAR_NAME) + // syntax: i.e. "$$(VAR_NAME)" will + // produce the string literal "$(VAR_NAME)". Escaped references + // will never be expanded, regardless + // of whether the variable exists or not. Cannot be updated. + // More info: + // https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + command?: [...string] + + // List of environment variables to set in the container. + // Cannot be updated. + env?: [...{ + // Name of the environment variable. Must be a C_IDENTIFIER. + name!: string + + // Variable references $(VAR_NAME) are expanded + // using the previously defined environment variables in the + // container and + // any service environment variables. 
If a variable cannot be + // resolved, + // the reference in the input string will be unchanged. Double $$ + // are reduced + // to a single $, which allows for escaping the $(VAR_NAME) + // syntax: i.e. + // "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + // Escaped references will never be expanded, regardless of + // whether the variable + // exists or not. + // Defaults to "". + value?: string + + // Source for the environment variable's value. Cannot be used if + // value is not empty. + valueFrom?: { + // Selects a key of a ConfigMap. + configMapKeyRef?: { + // The key to select. + key!: string + + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + + // Specify whether the ConfigMap or its key must be defined + optional?: bool + } + + // Selects a field of the pod: supports metadata.name, + // metadata.namespace, `metadata.labels['']`, + // `metadata.annotations['']`, + // spec.nodeName, spec.serviceAccountName, status.hostIP, + // status.podIP, status.podIPs. + fieldRef?: { + // Version of the schema the FieldPath is written in terms of, + // defaults to "v1". + apiVersion?: string + + // Path of the field to select in the specified API version. + fieldPath!: string + } + + // Selects a resource of the container: only resources limits and + // requests + // (limits.cpu, limits.memory, limits.ephemeral-storage, + // requests.cpu, requests.memory and requests.ephemeral-storage) + // are currently supported. 
+ resourceFieldRef?: { + // Container name: required for volumes, optional for env vars + containerName?: string + + // Specifies the output format of the exposed resources, defaults + // to "1" + divisor?: matchN(>=1, [int, string]) & (number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$") + + // Required: resource to select + resource!: string + } + + // Selects a key of a secret in the pod's namespace + secretKeyRef?: { + // The key of the secret to select from. Must be a valid secret + // key. + key!: string + + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + + // Specify whether the Secret or its key must be defined + optional?: bool + } + } + }] + + // List of sources to populate environment variables in the + // container. + // The keys defined within a source must be a C_IDENTIFIER. All + // invalid keys + // will be reported as an event when the container is starting. + // When a key exists in multiple + // sources, the value associated with the last source will take + // precedence. + // Values defined by an Env with a duplicate key will take + // precedence. + // Cannot be updated. + envFrom?: [...{ + // The ConfigMap to select from + configMapRef?: { + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. 
+ // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + + // Specify whether the ConfigMap must be defined + optional?: bool + } + + // An optional identifier to prepend to each key in the ConfigMap. + // Must be a C_IDENTIFIER. + prefix?: string + + // The Secret to select from + secretRef?: { + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + + // Specify whether the Secret must be defined + optional?: bool + } + }] + + // Container image name. + // More info: + // https://kubernetes.io/docs/concepts/containers/images + // This field is optional to allow higher level config management + // to default or override + // container images in workload controllers like Deployments and + // StatefulSets. + image?: string + + // Image pull policy. + // One of Always, Never, IfNotPresent. + // Defaults to Always if :latest tag is specified, or IfNotPresent + // otherwise. + // Cannot be updated. + // More info: + // https://kubernetes.io/docs/concepts/containers/images#updating-images + imagePullPolicy?: string + + // Actions that the management system should take in response to + // container lifecycle events. + // Cannot be updated. + lifecycle?: { + // PostStart is called immediately after a container is created. + // If the handler fails, + // the container is terminated and restarted according to its + // restart policy. + // Other management of the container blocks until the hook + // completes. 
+ // More info: + // https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + postStart?: { + exec?: { + // Command is the command line to execute inside the container, + // the working directory for the + // command is root ('/') in the container's filesystem. The + // command is simply exec'd, it is + // not run inside a shell, so traditional shell instructions ('|', + // etc) won't work. To use + // a shell, you need to explicitly call out to that shell. + // Exit status of 0 is treated as live/healthy and non-zero is + // unhealthy. + command?: [...string] + } + + // HTTPGet specifies an HTTP GET request to perform. + httpGet?: { + // Host name to connect to, defaults to the pod IP. You probably + // want to set + // "Host" in httpHeaders instead. + host?: string + + // Custom headers to set in the request. HTTP allows repeated + // headers. + httpHeaders?: [...{ + // The header field name. + // This will be canonicalized upon output, so case-variant names + // will be understood as the same header. + name!: string + + // The header field value + value!: string + }] + + // Path to access on the HTTP server. + path?: string + + // Name or number of the port to access on the container. + // Number must be in the range 1 to 65535. + // Name must be an IANA_SVC_NAME. + port!: matchN(>=1, [int, string]) + + // Scheme to use for connecting to the host. + // Defaults to HTTP. + scheme?: string + } + sleep?: { + // Seconds is the number of seconds to sleep. + seconds!: int64 + } + + // Deprecated. TCPSocket is NOT supported as a LifecycleHandler + // and kept + // for backward compatibility. There is no validation of this + // field and + // lifecycle hooks will fail at runtime when it is specified. + tcpSocket?: { + // Optional: Host name to connect to, defaults to the pod IP. + host?: string + + // Number or name of the port to access on the container. + // Number must be in the range 1 to 65535. + // Name must be an IANA_SVC_NAME. 
+ port!: matchN(>=1, [int, string]) + } + } + + // PreStop is called immediately before a container is terminated + // due to an + // API request or management event such as liveness/startup probe + // failure, + // preemption, resource contention, etc. The handler is not called + // if the + // container crashes or exits. The Pod's termination grace period + // countdown begins before the + // PreStop hook is executed. Regardless of the outcome of the + // handler, the + // container will eventually terminate within the Pod's + // termination grace + // period (unless delayed by finalizers). Other management of the + // container blocks until the hook completes + // or until the termination grace period is reached. + // More info: + // https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + preStop?: { + exec?: { + // Command is the command line to execute inside the container, + // the working directory for the + // command is root ('/') in the container's filesystem. The + // command is simply exec'd, it is + // not run inside a shell, so traditional shell instructions ('|', + // etc) won't work. To use + // a shell, you need to explicitly call out to that shell. + // Exit status of 0 is treated as live/healthy and non-zero is + // unhealthy. + command?: [...string] + } + + // HTTPGet specifies an HTTP GET request to perform. + httpGet?: { + // Host name to connect to, defaults to the pod IP. You probably + // want to set + // "Host" in httpHeaders instead. + host?: string + + // Custom headers to set in the request. HTTP allows repeated + // headers. + httpHeaders?: [...{ + // The header field name. + // This will be canonicalized upon output, so case-variant names + // will be understood as the same header. + name!: string + + // The header field value + value!: string + }] + + // Path to access on the HTTP server. + path?: string + + // Name or number of the port to access on the container. 
+ // Number must be in the range 1 to 65535. + // Name must be an IANA_SVC_NAME. + port!: matchN(>=1, [int, string]) + + // Scheme to use for connecting to the host. + // Defaults to HTTP. + scheme?: string + } + sleep?: { + // Seconds is the number of seconds to sleep. + seconds!: int64 + } + + // Deprecated. TCPSocket is NOT supported as a LifecycleHandler + // and kept + // for backward compatibility. There is no validation of this + // field and + // lifecycle hooks will fail at runtime when it is specified. + tcpSocket?: { + // Optional: Host name to connect to, defaults to the pod IP. + host?: string + + // Number or name of the port to access on the container. + // Number must be in the range 1 to 65535. + // Name must be an IANA_SVC_NAME. + port!: matchN(>=1, [int, string]) + } + } + } + + // Periodic probe of container liveness. + // Container will be restarted if the probe fails. + // Cannot be updated. + // More info: + // https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + livenessProbe?: { + exec?: { + // Command is the command line to execute inside the container, + // the working directory for the + // command is root ('/') in the container's filesystem. The + // command is simply exec'd, it is + // not run inside a shell, so traditional shell instructions ('|', + // etc) won't work. To use + // a shell, you need to explicitly call out to that shell. + // Exit status of 0 is treated as live/healthy and non-zero is + // unhealthy. + command?: [...string] + } + + // Minimum consecutive failures for the probe to be considered + // failed after having succeeded. + // Defaults to 3. Minimum value is 1. + failureThreshold?: int32 + + // GRPC specifies a GRPC HealthCheckRequest. + grpc?: { + // Port number of the gRPC service. Number must be in the range 1 + // to 65535. 
+ port!: int32 + + // Service is the name of the service to place in the gRPC + // HealthCheckRequest + // (see + // https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + // + // If this is not specified, the default behavior is defined by + // gRPC. + service?: string | *"" + } + + // HTTPGet specifies an HTTP GET request to perform. + httpGet?: { + // Host name to connect to, defaults to the pod IP. You probably + // want to set + // "Host" in httpHeaders instead. + host?: string + + // Custom headers to set in the request. HTTP allows repeated + // headers. + httpHeaders?: [...{ + // The header field name. + // This will be canonicalized upon output, so case-variant names + // will be understood as the same header. + name!: string + + // The header field value + value!: string + }] + + // Path to access on the HTTP server. + path?: string + + // Name or number of the port to access on the container. + // Number must be in the range 1 to 65535. + // Name must be an IANA_SVC_NAME. + port!: matchN(>=1, [int, string]) + + // Scheme to use for connecting to the host. + // Defaults to HTTP. + scheme?: string + } + + // Number of seconds after the container has started before + // liveness probes are initiated. + // More info: + // https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + initialDelaySeconds?: int32 + + // How often (in seconds) to perform the probe. + // Default to 10 seconds. Minimum value is 1. + periodSeconds?: int32 + + // Minimum consecutive successes for the probe to be considered + // successful after having failed. + // Defaults to 1. Must be 1 for liveness and startup. Minimum + // value is 1. + successThreshold?: int32 + + // TCPSocket specifies a connection to a TCP port. + tcpSocket?: { + // Optional: Host name to connect to, defaults to the pod IP. + host?: string + + // Number or name of the port to access on the container. + // Number must be in the range 1 to 65535. 
+ // Name must be an IANA_SVC_NAME. + port!: matchN(>=1, [int, string]) + } + + // Optional duration in seconds the pod needs to terminate + // gracefully upon probe failure. + // The grace period is the duration in seconds after the processes + // running in the pod are sent + // a termination signal and the time when the processes are + // forcibly halted with a kill signal. + // Set this value longer than the expected cleanup time for your + // process. + // If this value is nil, the pod's terminationGracePeriodSeconds + // will be used. Otherwise, this + // value overrides the value provided by the pod spec. + // Value must be non-negative integer. The value zero indicates + // stop immediately via + // the kill signal (no opportunity to shut down). + // This is a beta field and requires enabling + // ProbeTerminationGracePeriod feature gate. + // Minimum value is 1. spec.terminationGracePeriodSeconds is used + // if unset. + terminationGracePeriodSeconds?: int64 + + // Number of seconds after which the probe times out. + // Defaults to 1 second. Minimum value is 1. + // More info: + // https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + timeoutSeconds?: int32 + } + + // Name of the container specified as a DNS_LABEL. + // Each container in a pod must have a unique name (DNS_LABEL). + // Cannot be updated. + name!: string + + // List of ports to expose from the container. Not specifying a + // port here + // DOES NOT prevent that port from being exposed. Any port which + // is + // listening on the default "0.0.0.0" address inside a container + // will be + // accessible from the network. + // Modifying this array with strategic merge patch may corrupt the + // data. + // For more information See + // https://github.com/kubernetes/kubernetes/issues/108255. + // Cannot be updated. + ports?: [...{ + // Number of port to expose on the pod's IP address. + // This must be a valid port number, 0 < x < 65536. 
+ containerPort!: int32 + + // What host IP to bind the external port to. + hostIP?: string + + // Number of port to expose on the host. + // If specified, this must be a valid port number, 0 < x < 65536. + // If HostNetwork is specified, this must match ContainerPort. + // Most containers do not need this. + hostPort?: int32 + + // If specified, this must be an IANA_SVC_NAME and unique within + // the pod. Each + // named port in a pod must have a unique name. Name for the port + // that can be + // referred to by services. + name?: string + + // Protocol for port. Must be UDP, TCP, or SCTP. + // Defaults to "TCP". + protocol?: string | *"TCP" + }] + + // Periodic probe of container service readiness. + // Container will be removed from service endpoints if the probe + // fails. + // Cannot be updated. + // More info: + // https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + readinessProbe?: { + exec?: { + // Command is the command line to execute inside the container, + // the working directory for the + // command is root ('/') in the container's filesystem. The + // command is simply exec'd, it is + // not run inside a shell, so traditional shell instructions ('|', + // etc) won't work. To use + // a shell, you need to explicitly call out to that shell. + // Exit status of 0 is treated as live/healthy and non-zero is + // unhealthy. + command?: [...string] + } + + // Minimum consecutive failures for the probe to be considered + // failed after having succeeded. + // Defaults to 3. Minimum value is 1. + failureThreshold?: int32 + + // GRPC specifies a GRPC HealthCheckRequest. + grpc?: { + // Port number of the gRPC service. Number must be in the range 1 + // to 65535. + port!: int32 + + // Service is the name of the service to place in the gRPC + // HealthCheckRequest + // (see + // https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + // + // If this is not specified, the default behavior is defined by + // gRPC. 
+ service?: string | *"" + } + + // HTTPGet specifies an HTTP GET request to perform. + httpGet?: { + // Host name to connect to, defaults to the pod IP. You probably + // want to set + // "Host" in httpHeaders instead. + host?: string + + // Custom headers to set in the request. HTTP allows repeated + // headers. + httpHeaders?: [...{ + // The header field name. + // This will be canonicalized upon output, so case-variant names + // will be understood as the same header. + name!: string + + // The header field value + value!: string + }] + + // Path to access on the HTTP server. + path?: string + + // Name or number of the port to access on the container. + // Number must be in the range 1 to 65535. + // Name must be an IANA_SVC_NAME. + port!: matchN(>=1, [int, string]) + + // Scheme to use for connecting to the host. + // Defaults to HTTP. + scheme?: string + } + + // Number of seconds after the container has started before + // liveness probes are initiated. + // More info: + // https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + initialDelaySeconds?: int32 + + // How often (in seconds) to perform the probe. + // Default to 10 seconds. Minimum value is 1. + periodSeconds?: int32 + + // Minimum consecutive successes for the probe to be considered + // successful after having failed. + // Defaults to 1. Must be 1 for liveness and startup. Minimum + // value is 1. + successThreshold?: int32 + + // TCPSocket specifies a connection to a TCP port. + tcpSocket?: { + // Optional: Host name to connect to, defaults to the pod IP. + host?: string + + // Number or name of the port to access on the container. + // Number must be in the range 1 to 65535. + // Name must be an IANA_SVC_NAME. + port!: matchN(>=1, [int, string]) + } + + // Optional duration in seconds the pod needs to terminate + // gracefully upon probe failure. 
+ // The grace period is the duration in seconds after the processes + // running in the pod are sent + // a termination signal and the time when the processes are + // forcibly halted with a kill signal. + // Set this value longer than the expected cleanup time for your + // process. + // If this value is nil, the pod's terminationGracePeriodSeconds + // will be used. Otherwise, this + // value overrides the value provided by the pod spec. + // Value must be non-negative integer. The value zero indicates + // stop immediately via + // the kill signal (no opportunity to shut down). + // This is a beta field and requires enabling + // ProbeTerminationGracePeriod feature gate. + // Minimum value is 1. spec.terminationGracePeriodSeconds is used + // if unset. + terminationGracePeriodSeconds?: int64 + + // Number of seconds after which the probe times out. + // Defaults to 1 second. Minimum value is 1. + // More info: + // https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + timeoutSeconds?: int32 + } + + // Resources resize policy for the container. + resizePolicy?: [...{ + // Name of the resource to which this resource resize policy + // applies. + // Supported values: cpu, memory. + resourceName!: string + + // Restart policy to apply when specified resource is resized. + // If not specified, it defaults to NotRequired. + restartPolicy!: string + }] + + // Compute Resources required by this container. + // Cannot be updated. + // More info: + // https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources?: { + // Claims lists the names of resources, defined in + // spec.resourceClaims, + // that are used by this container. + // + // This is an alpha field and requires enabling the + // DynamicResourceAllocation feature gate. + // + // This field is immutable. It can only be set for containers. 
+ claims?: [...{ + // Name must match the name of one entry in + // pod.spec.resourceClaims of + // the Pod where this field is used. It makes that resource + // available + // inside a container. + name!: string + + // Request is the name chosen for a request in the referenced + // claim. + // If empty, everything from the claim is made available, + // otherwise + // only the result of this request. + request?: string + }] + + // Limits describes the maximum amount of compute resources + // allowed. + // More info: + // https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + limits?: close({ + [string]: matchN(>=1, [int, string]) & (number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$") + }) + + // Requests describes the minimum amount of compute resources + // required. + // If Requests is omitted for a container, it defaults to Limits + // if that is explicitly specified, + // otherwise to an implementation-defined value. Requests cannot + // exceed Limits. + // More info: + // https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + requests?: close({ + [string]: matchN(>=1, [int, string]) & (number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$") + }) + } + + // RestartPolicy defines the restart behavior of individual + // containers in a pod. + // This field may only be set for init containers, and the only + // allowed value is "Always". + // For non-init containers or when this field is not specified, + // the restart behavior is defined by the Pod's restart policy and + // the container type. + // Setting the RestartPolicy as "Always" for the init container + // will have the following effect: + // this init container will be continually restarted on + // exit until all regular containers have terminated. 
Once all + // regular + // containers have completed, all init containers with + // restartPolicy "Always" + // will be shut down. This lifecycle differs from normal init + // containers and + // is often referred to as a "sidecar" container. Although this + // init + // container still starts in the init container sequence, it does + // not wait + // for the container to complete before proceeding to the next + // init + // container. Instead, the next init container starts immediately + // after this + // init container is started, or after any startupProbe has + // successfully + // completed. + restartPolicy?: string + + // SecurityContext defines the security options the container + // should be run with. + // If set, the fields of SecurityContext override the equivalent + // fields of PodSecurityContext. + // More info: + // https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + securityContext?: { + // AllowPrivilegeEscalation controls whether a process can gain + // more + // privileges than its parent process. This bool directly controls + // if + // the no_new_privs flag will be set on the container process. + // AllowPrivilegeEscalation is true always when the container is: + // 1) run as Privileged + // 2) has CAP_SYS_ADMIN + // Note that this field cannot be set when spec.os.name is + // windows. + allowPrivilegeEscalation?: bool + + // appArmorProfile is the AppArmor options to use by this + // container. If set, this profile + // overrides the pod's appArmorProfile. + // Note that this field cannot be set when spec.os.name is + // windows. + appArmorProfile?: { + // localhostProfile indicates a profile loaded on the node that + // should be used. + // The profile must be preconfigured on the node to work. + // Must match the loaded name of the profile. + // Must be set if and only if type is "Localhost". + localhostProfile?: string + + // type indicates which kind of AppArmor profile will be applied. 
+ // Valid options are: + // Localhost - a profile pre-loaded on the node. + // RuntimeDefault - the container runtime's default profile. + // Unconfined - no AppArmor enforcement. + type!: string + } + + // The capabilities to add/drop when running containers. + // Defaults to the default set of capabilities granted by the + // container runtime. + // Note that this field cannot be set when spec.os.name is + // windows. + capabilities?: { + // Added capabilities + add?: [...string] + + // Removed capabilities + drop?: [...string] + } + + // Run container in privileged mode. + // Processes in privileged containers are essentially equivalent + // to root on the host. + // Defaults to false. + // Note that this field cannot be set when spec.os.name is + // windows. + privileged?: bool + + // procMount denotes the type of proc mount to use for the + // containers. + // The default value is Default which uses the container runtime + // defaults for + // readonly paths and masked paths. + // This requires the ProcMountType feature flag to be enabled. + // Note that this field cannot be set when spec.os.name is + // windows. + procMount?: string + + // Whether this container has a read-only root filesystem. + // Default is false. + // Note that this field cannot be set when spec.os.name is + // windows. + readOnlyRootFilesystem?: bool + + // The GID to run the entrypoint of the container process. + // Uses runtime default if unset. + // May also be set in PodSecurityContext. If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence. + // Note that this field cannot be set when spec.os.name is + // windows. + runAsGroup?: int64 + + // Indicates that the container must run as a non-root user. + // If true, the Kubelet will validate the image at runtime to + // ensure that it + // does not run as UID 0 (root) and fail to start the container if + // it does. 
+ // If unset or false, no such validation will be performed. + // May also be set in PodSecurityContext. If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence. + runAsNonRoot?: bool + + // The UID to run the entrypoint of the container process. + // Defaults to user specified in image metadata if unspecified. + // May also be set in PodSecurityContext. If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence. + // Note that this field cannot be set when spec.os.name is + // windows. + runAsUser?: int64 + + // The SELinux context to be applied to the container. + // If unspecified, the container runtime will allocate a random + // SELinux context for each + // container. May also be set in PodSecurityContext. If set in + // both SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence. + // Note that this field cannot be set when spec.os.name is + // windows. + seLinuxOptions?: { + // Level is SELinux level label that applies to the container. + level?: string + + // Role is a SELinux role label that applies to the container. + role?: string + + // Type is a SELinux type label that applies to the container. + type?: string + + // User is a SELinux user label that applies to the container. + user?: string + } + + // The seccomp options to use by this container. If seccomp + // options are + // provided at both the pod & container level, the container + // options + // override the pod options. + // Note that this field cannot be set when spec.os.name is + // windows. + seccompProfile?: { + // localhostProfile indicates a profile defined in a file on the + // node should be used. + // The profile must be preconfigured on the node to work. + // Must be a descending path, relative to the kubelet's configured + // seccomp profile location. + // Must be set if type is "Localhost". 
Must NOT be set for any + // other type. + localhostProfile?: string + + // type indicates which kind of seccomp profile will be applied. + // Valid options are: + // + // Localhost - a profile defined in a file on the node should be + // used. + // RuntimeDefault - the container runtime default profile should + // be used. + // Unconfined - no profile should be applied. + type!: string + } + + // The Windows specific settings applied to all containers. + // If unspecified, the options from the PodSecurityContext will be + // used. + // If set in both SecurityContext and PodSecurityContext, the + // value specified in SecurityContext takes precedence. + // Note that this field cannot be set when spec.os.name is linux. + windowsOptions?: { + // GMSACredentialSpec is where the GMSA admission webhook + // (https://github.com/kubernetes-sigs/windows-gmsa) inlines the + // contents of the + // GMSA credential spec named by the GMSACredentialSpecName field. + gmsaCredentialSpec?: string + + // GMSACredentialSpecName is the name of the GMSA credential spec + // to use. + gmsaCredentialSpecName?: string + + // HostProcess determines if a container should be run as a 'Host + // Process' container. + // All of a Pod's containers must have the same effective + // HostProcess value + // (it is not allowed to have a mix of HostProcess containers and + // non-HostProcess containers). + // In addition, if HostProcess is true then HostNetwork must also + // be set to true. + hostProcess?: bool + + // The UserName in Windows to run the entrypoint of the container + // process. + // Defaults to the user specified in image metadata if + // unspecified. + // May also be set in PodSecurityContext. If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence. + runAsUserName?: string + } + } + + // StartupProbe indicates that the Pod has successfully + // initialized. 
+ // If specified, no other probes are executed until this completes + // successfully. + // If this probe fails, the Pod will be restarted, just as if the + // livenessProbe failed. + // This can be used to provide different probe parameters at the + // beginning of a Pod's lifecycle, + // when it might take a long time to load data or warm a cache, + // than during steady-state operation. + // This cannot be updated. + // More info: + // https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + startupProbe?: { + exec?: { + // Command is the command line to execute inside the container, + // the working directory for the + // command is root ('/') in the container's filesystem. The + // command is simply exec'd, it is + // not run inside a shell, so traditional shell instructions ('|', + // etc) won't work. To use + // a shell, you need to explicitly call out to that shell. + // Exit status of 0 is treated as live/healthy and non-zero is + // unhealthy. + command?: [...string] + } + + // Minimum consecutive failures for the probe to be considered + // failed after having succeeded. + // Defaults to 3. Minimum value is 1. + failureThreshold?: int32 + + // GRPC specifies a GRPC HealthCheckRequest. + grpc?: { + // Port number of the gRPC service. Number must be in the range 1 + // to 65535. + port!: int32 + + // Service is the name of the service to place in the gRPC + // HealthCheckRequest + // (see + // https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + // + // If this is not specified, the default behavior is defined by + // gRPC. + service?: string | *"" + } + + // HTTPGet specifies an HTTP GET request to perform. + httpGet?: { + // Host name to connect to, defaults to the pod IP. You probably + // want to set + // "Host" in httpHeaders instead. + host?: string + + // Custom headers to set in the request. HTTP allows repeated + // headers. + httpHeaders?: [...{ + // The header field name. 
+ // This will be canonicalized upon output, so case-variant names + // will be understood as the same header. + name!: string + + // The header field value + value!: string + }] + + // Path to access on the HTTP server. + path?: string + + // Name or number of the port to access on the container. + // Number must be in the range 1 to 65535. + // Name must be an IANA_SVC_NAME. + port!: matchN(>=1, [int, string]) + + // Scheme to use for connecting to the host. + // Defaults to HTTP. + scheme?: string + } + + // Number of seconds after the container has started before + // liveness probes are initiated. + // More info: + // https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + initialDelaySeconds?: int32 + + // How often (in seconds) to perform the probe. + // Default to 10 seconds. Minimum value is 1. + periodSeconds?: int32 + + // Minimum consecutive successes for the probe to be considered + // successful after having failed. + // Defaults to 1. Must be 1 for liveness and startup. Minimum + // value is 1. + successThreshold?: int32 + + // TCPSocket specifies a connection to a TCP port. + tcpSocket?: { + // Optional: Host name to connect to, defaults to the pod IP. + host?: string + + // Number or name of the port to access on the container. + // Number must be in the range 1 to 65535. + // Name must be an IANA_SVC_NAME. + port!: matchN(>=1, [int, string]) + } + + // Optional duration in seconds the pod needs to terminate + // gracefully upon probe failure. + // The grace period is the duration in seconds after the processes + // running in the pod are sent + // a termination signal and the time when the processes are + // forcibly halted with a kill signal. + // Set this value longer than the expected cleanup time for your + // process. + // If this value is nil, the pod's terminationGracePeriodSeconds + // will be used. Otherwise, this + // value overrides the value provided by the pod spec. + // Value must be non-negative integer. 
The value zero indicates + // stop immediately via + // the kill signal (no opportunity to shut down). + // This is a beta field and requires enabling + // ProbeTerminationGracePeriod feature gate. + // Minimum value is 1. spec.terminationGracePeriodSeconds is used + // if unset. + terminationGracePeriodSeconds?: int64 + + // Number of seconds after which the probe times out. + // Defaults to 1 second. Minimum value is 1. + // More info: + // https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + timeoutSeconds?: int32 + } + + // Whether this container should allocate a buffer for stdin in + // the container runtime. If this + // is not set, reads from stdin in the container will always + // result in EOF. + // Default is false. + stdin?: bool + + // Whether the container runtime should close the stdin channel + // after it has been opened by + // a single attach. When stdin is true the stdin stream will + // remain open across multiple attach + // sessions. If stdinOnce is set to true, stdin is opened on + // container start, is empty until the + // first client attaches to stdin, and then remains open and + // accepts data until the client disconnects, + // at which time stdin is closed and remains closed until the + // container is restarted. If this + // flag is false, a container processes that reads from stdin will + // never receive an EOF. + // Default is false + stdinOnce?: bool + + // Optional: Path at which the file to which the container's + // termination message + // will be written is mounted into the container's filesystem. + // Message written is intended to be brief final status, such as + // an assertion failure message. + // Will be truncated by the node if greater than 4096 bytes. The + // total message length across + // all containers will be limited to 12kb. + // Defaults to /dev/termination-log. + // Cannot be updated. 
+ terminationMessagePath?: string + + // Indicate how the termination message should be populated. File + // will use the contents of + // terminationMessagePath to populate the container status message + // on both success and failure. + // FallbackToLogsOnError will use the last chunk of container log + // output if the termination + // message file is empty and the container exited with an error. + // The log output is limited to 2048 bytes or 80 lines, whichever + // is smaller. + // Defaults to File. + // Cannot be updated. + terminationMessagePolicy?: string + + // Whether this container should allocate a TTY for itself, also + // requires 'stdin' to be true. + // Default is false. + tty?: bool + + // volumeDevices is the list of block devices to be used by the + // container. + volumeDevices?: [...{ + // devicePath is the path inside of the container that the device + // will be mapped to. + devicePath!: string + + // name must match the name of a persistentVolumeClaim in the pod + name!: string + }] + + // Pod volumes to mount into the container's filesystem. + // Cannot be updated. + volumeMounts?: [...{ + // Path within the container at which the volume should be + // mounted. Must + // not contain ':'. + mountPath!: string + + // mountPropagation determines how mounts are propagated from the + // host + // to container and the other way around. + // When not set, MountPropagationNone is used. + // This field is beta in 1.10. + // When RecursiveReadOnly is set to IfPossible or to Enabled, + // MountPropagation must be None or unspecified + // (which defaults to None). + mountPropagation?: string + + // This must match the Name of a Volume. + name!: string + + // Mounted read-only if true, read-write otherwise (false or + // unspecified). + // Defaults to false. + readOnly?: bool + + // RecursiveReadOnly specifies whether read-only mounts should be + // handled + // recursively. 
+ // + // If ReadOnly is false, this field has no meaning and must be + // unspecified. + // + // If ReadOnly is true, and this field is set to Disabled, the + // mount is not made + // recursively read-only. If this field is set to IfPossible, the + // mount is made + // recursively read-only, if it is supported by the container + // runtime. If this + // field is set to Enabled, the mount is made recursively + // read-only if it is + // supported by the container runtime, otherwise the pod will not + // be started and + // an error will be generated to indicate the reason. + // + // If this field is set to IfPossible or Enabled, MountPropagation + // must be set to + // None (or be unspecified, which defaults to None). + // + // If this field is not specified, it is treated as an equivalent + // of Disabled. + recursiveReadOnly?: string + + // Path within the volume from which the container's volume should + // be mounted. + // Defaults to "" (volume's root). + subPath?: string + + // Expanded path within the volume from which the container's + // volume should be mounted. + // Behaves similarly to SubPath but environment variable + // references $(VAR_NAME) are expanded using the container's + // environment. + // Defaults to "" (volume's root). + // SubPathExpr and SubPath are mutually exclusive. + subPathExpr?: string + }] + + // Container's working directory. + // If not specified, the container runtime's default will be used, + // which + // might be configured in the container image. + // Cannot be updated. + workingDir?: string + }] + + // Name of the deployment. + // When unset, this defaults to an autogenerated name. + name?: string + + // Patch defines how to perform the patch operation to deployment + patch?: { + // Type is the type of merge operation to perform + // + // By default, StrategicMerge is used as the patch type. 
+ type?: string + + // Object contains the raw configuration for merged object + value!: _ + } + + // Pod defines the desired specification of pod. + pod?: { + // If specified, the pod's scheduling constraints. + affinity?: { + // Describes node affinity scheduling rules for the pod. + nodeAffinity?: { + // The scheduler will prefer to schedule pods to nodes that + // satisfy + // the affinity expressions specified by this field, but it may + // choose + // a node that violates one or more of the expressions. The node + // that is + // most preferred is the one with the greatest sum of weights, + // i.e. + // for each node that meets all of the scheduling requirements + // (resource + // request, requiredDuringScheduling affinity expressions, etc.), + // compute a sum by iterating through the elements of this field + // and adding + // "weight" to the sum if the node matches the corresponding + // matchExpressions; the + // node(s) with the highest sum are the most preferred. + preferredDuringSchedulingIgnoredDuringExecution?: [...{ + // A node selector term, associated with the corresponding weight. + preference!: { + // A list of node selector requirements by node's labels. + matchExpressions?: [...{ + // The label key that the selector applies to. + key!: string + + // Represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and + // Lt. + operator!: string + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. If the operator is Gt or Lt, + // the values + // array must have a single element, which will be interpreted as + // an integer. + // This array is replaced during a strategic merge patch. + values?: [...string] + }] + + // A list of node selector requirements by node's fields. + matchFields?: [...{ + // The label key that the selector applies to. 
+ key!: string + + // Represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and + // Lt. + operator!: string + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. If the operator is Gt or Lt, + // the values + // array must have a single element, which will be interpreted as + // an integer. + // This array is replaced during a strategic merge patch. + values?: [...string] + }] + } + + // Weight associated with matching the corresponding + // nodeSelectorTerm, in the range 1-100. + weight!: int32 + }] + requiredDuringSchedulingIgnoredDuringExecution?: { + // Required. A list of node selector terms. The terms are ORed. + nodeSelectorTerms!: [...{ + // A list of node selector requirements by node's labels. + matchExpressions?: [...{ + // The label key that the selector applies to. + key!: string + + // Represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and + // Lt. + operator!: string + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. If the operator is Gt or Lt, + // the values + // array must have a single element, which will be interpreted as + // an integer. + // This array is replaced during a strategic merge patch. + values?: [...string] + }] + + // A list of node selector requirements by node's fields. + matchFields?: [...{ + // The label key that the selector applies to. + key!: string + + // Represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and + // Lt. + operator!: string + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. 
If the operator is Exists + // or DoesNotExist, + // the values array must be empty. If the operator is Gt or Lt, + // the values + // array must have a single element, which will be interpreted as + // an integer. + // This array is replaced during a strategic merge patch. + values?: [...string] + }] + }] + } + } + + // Describes pod affinity scheduling rules (e.g. co-locate this + // pod in the same node, zone, etc. as some other pod(s)). + podAffinity?: { + // The scheduler will prefer to schedule pods to nodes that + // satisfy + // the affinity expressions specified by this field, but it may + // choose + // a node that violates one or more of the expressions. The node + // that is + // most preferred is the one with the greatest sum of weights, + // i.e. + // for each node that meets all of the scheduling requirements + // (resource + // request, requiredDuringScheduling affinity expressions, etc.), + // compute a sum by iterating through the elements of this field + // and adding + // "weight" to the sum if the node has pods which matches the + // corresponding podAffinityTerm; the + // node(s) with the highest sum are the most preferred. + preferredDuringSchedulingIgnoredDuringExecution?: [...{ + // Required. A pod affinity term, associated with the + // corresponding weight. + podAffinityTerm!: { + // A label query over a set of resources, in this case pods. + // If it's null, this PodAffinityTerm matches with no Pods. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. 
If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key in (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both matchLabelKeys and + // labelSelector. + // Also, matchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both mismatchLabelKeys + // and labelSelector. 
+ // Also, mismatchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. + // The term is applied to the union of the namespaces selected by + // this field + // and the ones listed in the namespaces field. + // null selector and null or empty namespaces list means "this + // pod's namespace". + // An empty selector ({}) matches all namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // namespaces specifies a static list of namespace names that the + // term applies to. + // The term is applied to the union of the namespaces listed in + // this field + // and the ones selected by namespaceSelector. + // null or empty namespaces list and null namespaceSelector means + // "this pod's namespace". 
+ namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located + // is defined as running on a node + // whose value of the label with key topologyKey matches that of + // any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. + topologyKey!: string + } + + // weight associated with matching the corresponding + // podAffinityTerm, + // in the range 1-100. + weight!: int32 + }] + + // If the affinity requirements specified by this field are not + // met at + // scheduling time, the pod will not be scheduled onto the node. + // If the affinity requirements specified by this field cease to + // be met + // at some point during pod execution (e.g. due to a pod label + // update), the + // system may or may not try to eventually evict the pod from its + // node. + // When there are multiple elements, the lists of nodes + // corresponding to each + // podAffinityTerm are intersected, i.e. all terms must be + // satisfied. + requiredDuringSchedulingIgnoredDuringExecution?: [...{ + // A label query over a set of resources, in this case pods. + // If it's null, this PodAffinityTerm matches with no Pods. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. 
+ values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key in (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both matchLabelKeys and + // labelSelector. + // Also, matchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both mismatchLabelKeys + // and labelSelector. + // Also, mismatchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). 
+ mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. + // The term is applied to the union of the namespaces selected by + // this field + // and the ones listed in the namespaces field. + // null selector and null or empty namespaces list means "this + // pod's namespace". + // An empty selector ({}) matches all namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // namespaces specifies a static list of namespace names that the + // term applies to. + // The term is applied to the union of the namespaces listed in + // this field + // and the ones selected by namespaceSelector. + // null or empty namespaces list and null namespaceSelector means + // "this pod's namespace". 
+ namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located + // is defined as running on a node + // whose value of the label with key topologyKey matches that of + // any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. + topologyKey!: string + }] + } + + // Describes pod anti-affinity scheduling rules (e.g. avoid + // putting this pod in the same node, zone, etc. as some other + // pod(s)). + podAntiAffinity?: { + // The scheduler will prefer to schedule pods to nodes that + // satisfy + // the anti-affinity expressions specified by this field, but it + // may choose + // a node that violates one or more of the expressions. The node + // that is + // most preferred is the one with the greatest sum of weights, + // i.e. + // for each node that meets all of the scheduling requirements + // (resource + // request, requiredDuringScheduling anti-affinity expressions, + // etc.), + // compute a sum by iterating through the elements of this field + // and adding + // "weight" to the sum if the node has pods which matches the + // corresponding podAffinityTerm; the + // node(s) with the highest sum are the most preferred. + preferredDuringSchedulingIgnoredDuringExecution?: [...{ + // Required. A pod affinity term, associated with the + // corresponding weight. + podAffinityTerm!: { + // A label query over a set of resources, in this case pods. + // If it's null, this PodAffinityTerm matches with no Pods. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. 
+ operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key in (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both matchLabelKeys and + // labelSelector. + // Also, matchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. 
The default value is empty. + // The same key is forbidden to exist in both mismatchLabelKeys + // and labelSelector. + // Also, mismatchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. + // The term is applied to the union of the namespaces selected by + // this field + // and the ones listed in the namespaces field. + // null selector and null or empty namespaces list means "this + // pod's namespace". + // An empty selector ({}) matches all namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // namespaces specifies a static list of namespace names that the + // term applies to. + // The term is applied to the union of the namespaces listed in + // this field + // and the ones selected by namespaceSelector. 
+ // null or empty namespaces list and null namespaceSelector means + // "this pod's namespace". + namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located + // is defined as running on a node + // whose value of the label with key topologyKey matches that of + // any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. + topologyKey!: string + } + + // weight associated with matching the corresponding + // podAffinityTerm, + // in the range 1-100. + weight!: int32 + }] + + // If the anti-affinity requirements specified by this field are + // not met at + // scheduling time, the pod will not be scheduled onto the node. + // If the anti-affinity requirements specified by this field cease + // to be met + // at some point during pod execution (e.g. due to a pod label + // update), the + // system may or may not try to eventually evict the pod from its + // node. + // When there are multiple elements, the lists of nodes + // corresponding to each + // podAffinityTerm are intersected, i.e. all terms must be + // satisfied. + requiredDuringSchedulingIgnoredDuringExecution?: [...{ + // A label query over a set of resources, in this case pods. + // If it's null, this PodAffinityTerm matches with no Pods. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. 
This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key in (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both matchLabelKeys and + // labelSelector. + // Also, matchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both mismatchLabelKeys + // and labelSelector. + // Also, mismatchLabelKeys cannot be set when labelSelector isn't + // set. 
+ // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. + // The term is applied to the union of the namespaces selected by + // this field + // and the ones listed in the namespaces field. + // null selector and null or empty namespaces list means "this + // pod's namespace". + // An empty selector ({}) matches all namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // namespaces specifies a static list of namespace names that the + // term applies to. + // The term is applied to the union of the namespaces listed in + // this field + // and the ones selected by namespaceSelector. + // null or empty namespaces list and null namespaceSelector means + // "this pod's namespace". 
+ namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located + // is defined as running on a node + // whose value of the label with key topologyKey matches that of + // any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. + topologyKey!: string + }] + } + } + + // Annotations are the annotations that should be appended to the + // pods. + // By default, no pod annotations are appended. + annotations?: close({ + [string]: string + }) + + // ImagePullSecrets is an optional list of references to secrets + // in the same namespace to use for pulling any of the images used + // by this PodSpec. + // If specified, these secrets will be passed to individual puller + // implementations for them to use. + // More info: + // https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod + imagePullSecrets?: [...{ + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + }] + + // Labels are the additional labels that should be tagged to the + // pods. + // By default, no additional pod labels are tagged. + labels?: close({ + [string]: string + }) + + // NodeSelector is a selector which must be true for the pod to + // fit on a node. + // Selector which must match a node's labels for the pod to be + // scheduled on that node. + // More info: + // https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector?: close({ + [string]: string + }) + + // SecurityContext holds pod-level security attributes and common + // container settings. 
+ // Optional: Defaults to empty. See type description for default + // values of each field. + securityContext?: { + // appArmorProfile is the AppArmor options to use by the + // containers in this pod. + // Note that this field cannot be set when spec.os.name is + // windows. + appArmorProfile?: { + // localhostProfile indicates a profile loaded on the node that + // should be used. + // The profile must be preconfigured on the node to work. + // Must match the loaded name of the profile. + // Must be set if and only if type is "Localhost". + localhostProfile?: string + + // type indicates which kind of AppArmor profile will be applied. + // Valid options are: + // Localhost - a profile pre-loaded on the node. + // RuntimeDefault - the container runtime's default profile. + // Unconfined - no AppArmor enforcement. + type!: string + } + + // A special supplemental group that applies to all containers in + // a pod. + // Some volume types allow the Kubelet to change the ownership of + // that volume + // to be owned by the pod: + // + // 1. The owning GID will be the FSGroup + // 2. The setgid bit is set (new files created in the volume will + // be owned by FSGroup) + // 3. The permission bits are OR'd with rw-rw---- + // + // If unset, the Kubelet will not modify the ownership and + // permissions of any volume. + // Note that this field cannot be set when spec.os.name is + // windows. + fsGroup?: int64 + + // fsGroupChangePolicy defines behavior of changing ownership and + // permission of the volume + // before being exposed inside Pod. This field will only apply to + // volume types which support fsGroup based ownership(and + // permissions). + // It will have no effect on ephemeral volume types such as: + // secret, configmaps + // and emptydir. + // Valid values are "OnRootMismatch" and "Always". If not + // specified, "Always" is used. + // Note that this field cannot be set when spec.os.name is + // windows. 
+ fsGroupChangePolicy?: string + + // The GID to run the entrypoint of the container process. + // Uses runtime default if unset. + // May also be set in SecurityContext. If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence + // for that container. + // Note that this field cannot be set when spec.os.name is + // windows. + runAsGroup?: int64 + + // Indicates that the container must run as a non-root user. + // If true, the Kubelet will validate the image at runtime to + // ensure that it + // does not run as UID 0 (root) and fail to start the container if + // it does. + // If unset or false, no such validation will be performed. + // May also be set in SecurityContext. If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence. + runAsNonRoot?: bool + + // The UID to run the entrypoint of the container process. + // Defaults to user specified in image metadata if unspecified. + // May also be set in SecurityContext. If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence + // for that container. + // Note that this field cannot be set when spec.os.name is + // windows. + runAsUser?: int64 + + // seLinuxChangePolicy defines how the container's SELinux label + // is applied to all volumes used by the Pod. + // It has no effect on nodes that do not support SELinux or to + // volumes does not support SELinux. + // Valid values are "MountOption" and "Recursive". + // + // "Recursive" means relabeling of all files on all Pod volumes by + // the container runtime. + // This may be slow for large volumes, but allows mixing + // privileged and unprivileged Pods sharing the same volume on + // the same node. + // + // "MountOption" mounts all eligible Pod volumes with `-o context` + // mount option. 
+ // This requires all Pods that share the same volume to use the + // same SELinux label. + // It is not possible to share the same volume among privileged + // and unprivileged Pods. + // Eligible volumes are in-tree FibreChannel and iSCSI volumes, + // and all CSI volumes + // whose CSI driver announces SELinux support by setting + // spec.seLinuxMount: true in their + // CSIDriver instance. Other volumes are always re-labelled + // recursively. + // "MountOption" value is allowed only when SELinuxMount feature + // gate is enabled. + // + // If not specified and SELinuxMount feature gate is enabled, + // "MountOption" is used. + // If not specified and SELinuxMount feature gate is disabled, + // "MountOption" is used for ReadWriteOncePod volumes + // and "Recursive" for all other volumes. + // + // This field affects only Pods that have SELinux label set, + // either in PodSecurityContext or in SecurityContext of all + // containers. + // + // All Pods that use the same volume should use the same + // seLinuxChangePolicy, otherwise some pods can get stuck in + // ContainerCreating state. + // Note that this field cannot be set when spec.os.name is + // windows. + seLinuxChangePolicy?: string + + // The SELinux context to be applied to all containers. + // If unspecified, the container runtime will allocate a random + // SELinux context for each + // container. May also be set in SecurityContext. If set in + // both SecurityContext and PodSecurityContext, the value + // specified in SecurityContext + // takes precedence for that container. + // Note that this field cannot be set when spec.os.name is + // windows. + seLinuxOptions?: { + // Level is SELinux level label that applies to the container. + level?: string + + // Role is a SELinux role label that applies to the container. + role?: string + + // Type is a SELinux type label that applies to the container. + type?: string + + // User is a SELinux user label that applies to the container. 
+ user?: string + } + + // The seccomp options to use by the containers in this pod. + // Note that this field cannot be set when spec.os.name is + // windows. + seccompProfile?: { + // localhostProfile indicates a profile defined in a file on the + // node should be used. + // The profile must be preconfigured on the node to work. + // Must be a descending path, relative to the kubelet's configured + // seccomp profile location. + // Must be set if type is "Localhost". Must NOT be set for any + // other type. + localhostProfile?: string + + // type indicates which kind of seccomp profile will be applied. + // Valid options are: + // + // Localhost - a profile defined in a file on the node should be + // used. + // RuntimeDefault - the container runtime default profile should + // be used. + // Unconfined - no profile should be applied. + type!: string + } + + // A list of groups applied to the first process run in each + // container, in + // addition to the container's primary GID and fsGroup (if + // specified). If + // the SupplementalGroupsPolicy feature is enabled, the + // supplementalGroupsPolicy field determines whether these are in + // addition + // to or instead of any group memberships defined in the container + // image. + // If unspecified, no additional groups are added, though group + // memberships + // defined in the container image may still be used, depending on + // the + // supplementalGroupsPolicy field. + // Note that this field cannot be set when spec.os.name is + // windows. + supplementalGroups?: [...int64 & int] + + // Defines how supplemental groups of the first container + // processes are calculated. + // Valid values are "Merge" and "Strict". If not specified, + // "Merge" is used. + // (Alpha) Using the field requires the SupplementalGroupsPolicy + // feature gate to be enabled + // and the container runtime must implement support for this + // feature. + // Note that this field cannot be set when spec.os.name is + // windows. 
+ supplementalGroupsPolicy?: string + + // Sysctls hold a list of namespaced sysctls used for the pod. + // Pods with unsupported + // sysctls (by the container runtime) might fail to launch. + // Note that this field cannot be set when spec.os.name is + // windows. + sysctls?: [...{ + // Name of a property to set + name!: string + + // Value of a property to set + value!: string + }] + + // The Windows specific settings applied to all containers. + // If unspecified, the options within a container's + // SecurityContext will be used. + // If set in both SecurityContext and PodSecurityContext, the + // value specified in SecurityContext takes precedence. + // Note that this field cannot be set when spec.os.name is linux. + windowsOptions?: { + // GMSACredentialSpec is where the GMSA admission webhook + // (https://github.com/kubernetes-sigs/windows-gmsa) inlines the + // contents of the + // GMSA credential spec named by the GMSACredentialSpecName field. + gmsaCredentialSpec?: string + + // GMSACredentialSpecName is the name of the GMSA credential spec + // to use. + gmsaCredentialSpecName?: string + + // HostProcess determines if a container should be run as a 'Host + // Process' container. + // All of a Pod's containers must have the same effective + // HostProcess value + // (it is not allowed to have a mix of HostProcess containers and + // non-HostProcess containers). + // In addition, if HostProcess is true then HostNetwork must also + // be set to true. + hostProcess?: bool + + // The UserName in Windows to run the entrypoint of the container + // process. + // Defaults to the user specified in image metadata if + // unspecified. + // May also be set in PodSecurityContext. If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence. + runAsUserName?: string + } + } + + // If specified, the pod's tolerations. + tolerations?: [...{ + // Effect indicates the taint effect to match. 
Empty means match + // all taint effects. + // When specified, allowed values are NoSchedule, PreferNoSchedule + // and NoExecute. + effect?: string + + // Key is the taint key that the toleration applies to. Empty + // means match all taint keys. + // If the key is empty, operator must be Exists; this combination + // means to match all values and all keys. + key?: string + + // Operator represents a key's relationship to the value. + // Valid operators are Exists and Equal. Defaults to Equal. + // Exists is equivalent to wildcard for value, so that a pod can + // tolerate all taints of a particular category. + operator?: string + + // TolerationSeconds represents the period of time the toleration + // (which must be + // of effect NoExecute, otherwise this field is ignored) tolerates + // the taint. By default, + // it is not set, which means tolerate the taint forever (do not + // evict). Zero and + // negative values will be treated as 0 (evict immediately) by the + // system. + tolerationSeconds?: int64 + + // Value is the taint value the toleration matches to. + // If the operator is Exists, the value should be empty, otherwise + // just a regular string. + value?: string + }] + + // TopologySpreadConstraints describes how a group of pods ought + // to spread across topology + // domains. Scheduler will schedule pods in a way which abides by + // the constraints. + // All topologySpreadConstraints are ANDed. + topologySpreadConstraints?: [...{ + // LabelSelector is used to find matching pods. + // Pods that match this label selector are counted to determine + // the number of pods + // in their corresponding topology domain. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. 
+ // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // MatchLabelKeys is a set of pod label keys to select the pods + // over which + // spreading will be calculated. The keys are used to lookup + // values from the + // incoming pod labels, those key-value labels are ANDed with + // labelSelector + // to select the group of existing pods over which spreading will + // be calculated + // for the incoming pod. The same key is forbidden to exist in + // both MatchLabelKeys and LabelSelector. + // MatchLabelKeys cannot be set when LabelSelector isn't set. + // Keys that don't exist in the incoming pod labels will + // be ignored. A null or empty list means only match against + // labelSelector. + // + // This is a beta field and requires the + // MatchLabelKeysInPodTopologySpread feature gate to be enabled + // (enabled by default). + matchLabelKeys?: [...string] + + // MaxSkew describes the degree to which pods may be unevenly + // distributed. + // When `whenUnsatisfiable=DoNotSchedule`, it is the maximum + // permitted difference + // between the number of matching pods in the target topology and + // the global minimum. + // The global minimum is the minimum number of matching pods in an + // eligible domain + // or zero if the number of eligible domains is less than + // MinDomains. 
+ // For example, in a 3-zone cluster, MaxSkew is set to 1, and pods + // with the same + // labelSelector spread as 2/2/1: + // In this case, the global minimum is 1. + // | zone1 | zone2 | zone3 | + // | P P | P P | P | + // - if MaxSkew is 1, incoming pod can only be scheduled to zone3 + // to become 2/2/2; + // scheduling it onto zone1(zone2) would make the ActualSkew(3-1) + // on zone1(zone2) + // violate MaxSkew(1). + // - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + // When `whenUnsatisfiable=ScheduleAnyway`, it is used to give + // higher precedence + // to topologies that satisfy it. + // It's a required field. Default value is 1 and 0 is not allowed. + maxSkew!: int32 + + // MinDomains indicates a minimum number of eligible domains. + // When the number of eligible domains with matching topology keys + // is less than minDomains, + // Pod Topology Spread treats "global minimum" as 0, and then the + // calculation of Skew is performed. + // And when the number of eligible domains with matching topology + // keys equals or greater than minDomains, + // this value has no effect on scheduling. + // As a result, when the number of eligible domains is less than + // minDomains, + // scheduler won't schedule more than maxSkew Pods to those + // domains. + // If value is nil, the constraint behaves as if MinDomains is + // equal to 1. + // Valid values are integers greater than 0. + // When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + // + // For example, in a 3-zone cluster, MaxSkew is set to 2, + // MinDomains is set to 5 and pods with the same + // labelSelector spread as 2/2/2: + // | zone1 | zone2 | zone3 | + // | P P | P P | P P | + // The number of domains is less than 5(MinDomains), so "global + // minimum" is treated as 0. 
+ // In this situation, new pod with the same labelSelector cannot + // be scheduled, + // because computed skew will be 3(3 - 0) if new Pod is scheduled + // to any of the three zones, + // it will violate MaxSkew. + minDomains?: int32 + + // NodeAffinityPolicy indicates how we will treat Pod's + // nodeAffinity/nodeSelector + // when calculating pod topology spread skew. Options are: + // - Honor: only nodes matching nodeAffinity/nodeSelector are + // included in the calculations. + // - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are + // included in the calculations. + // + // If this value is nil, the behavior is equivalent to the Honor + // policy. + // This is a beta-level feature default enabled by the + // NodeInclusionPolicyInPodTopologySpread feature flag. + nodeAffinityPolicy?: string + + // NodeTaintsPolicy indicates how we will treat node taints when + // calculating + // pod topology spread skew. Options are: + // - Honor: nodes without taints, along with tainted nodes for + // which the incoming pod + // has a toleration, are included. + // - Ignore: node taints are ignored. All nodes are included. + // + // If this value is nil, the behavior is equivalent to the Ignore + // policy. + // This is a beta-level feature default enabled by the + // NodeInclusionPolicyInPodTopologySpread feature flag. + nodeTaintsPolicy?: string + + // TopologyKey is the key of node labels. Nodes that have a label + // with this key + // and identical values are considered to be in the same topology. + // We consider each as a "bucket", and try to put + // balanced number + // of pods into each bucket. + // We define a domain as a particular instance of a topology. + // Also, we define an eligible domain as a domain whose nodes meet + // the requirements of + // nodeAffinityPolicy and nodeTaintsPolicy. + // e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a + // domain of that topology. 
+ // And, if TopologyKey is "topology.kubernetes.io/zone", each zone + // is a domain of that topology. + // It's a required field. + topologyKey!: string + + // WhenUnsatisfiable indicates how to deal with a pod if it + // doesn't satisfy + // the spread constraint. + // - DoNotSchedule (default) tells the scheduler not to schedule + // it. + // - ScheduleAnyway tells the scheduler to schedule the pod in any + // location, + // but giving higher precedence to topologies that would help + // reduce the + // skew. + // A constraint is considered "Unsatisfiable" for an incoming pod + // if and only if every possible node assignment for that pod + // would violate + // "MaxSkew" on some topology. + // For example, in a 3-zone cluster, MaxSkew is set to 1, and pods + // with the same + // labelSelector spread as 3/1/1: + // | zone1 | zone2 | zone3 | + // | P P P | P | P | + // If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can + // only be scheduled + // to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on + // zone2(zone3) satisfies + // MaxSkew(1). In other words, the cluster can still be + // imbalanced, but scheduler + // won't make it *more* imbalanced. + // It's a required field. + whenUnsatisfiable!: string + }] + + // Volumes that can be mounted by containers belonging to the pod. + // More info: https://kubernetes.io/docs/concepts/storage/volumes + volumes?: [...{ + // awsElasticBlockStore represents an AWS Disk resource that is + // attached to a + // kubelet's host machine and then exposed to the pod. + // Deprecated: AWSElasticBlockStore is deprecated. All operations + // for the in-tree + // awsElasticBlockStore type are redirected to the ebs.csi.aws.com + // CSI driver. + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + awsElasticBlockStore?: { + // fsType is the filesystem type of the volume that you want to + // mount. 
+ // Tip: Ensure that the filesystem type is supported by the host + // operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be + // "ext4" if unspecified. + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + fsType?: string + + // partition is the partition in the volume that you want to + // mount. + // If omitted, the default is to mount by volume name. + // Examples: For volume /dev/sda1, you specify the partition as + // "1". + // Similarly, the volume partition for /dev/sda is "0" (or you can + // leave the property empty). + partition?: int32 + + // readOnly value true will force the readOnly setting in + // VolumeMounts. + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + readOnly?: bool + + // volumeID is unique ID of the persistent disk resource in AWS + // (Amazon EBS volume). + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + volumeID!: string + } + + // azureDisk represents an Azure Data Disk mount on the host and + // bind mount to the pod. + // Deprecated: AzureDisk is deprecated. All operations for the + // in-tree azureDisk type + // are redirected to the disk.csi.azure.com CSI driver. + azureDisk?: { + // cachingMode is the Host Caching mode: None, Read Only, Read + // Write. + cachingMode?: string + + // diskName is the Name of the data disk in the blob storage + diskName!: string + + // diskURI is the URI of data disk in the blob storage + diskURI!: string + + // fsType is Filesystem type to mount. + // Must be a filesystem type supported by the host operating + // system. + // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if + // unspecified. 
+ fsType?: string | *"ext4" + + // kind expected values are Shared: multiple blob disks per + // storage account Dedicated: single blob disk per storage + // account Managed: azure managed data disk (only in managed + // availability set). defaults to shared + kind?: string + + // readOnly Defaults to false (read/write). ReadOnly here will + // force + // the ReadOnly setting in VolumeMounts. + readOnly?: bool | *false + } + + // azureFile represents an Azure File Service mount on the host + // and bind mount to the pod. + // Deprecated: AzureFile is deprecated. All operations for the + // in-tree azureFile type + // are redirected to the file.csi.azure.com CSI driver. + azureFile?: { + // readOnly defaults to false (read/write). ReadOnly here will + // force + // the ReadOnly setting in VolumeMounts. + readOnly?: bool + + // secretName is the name of secret that contains Azure Storage + // Account Name and Key + secretName!: string + + // shareName is the azure share Name + shareName!: string + } + + // cephFS represents a Ceph FS mount on the host that shares a + // pod's lifetime. + // Deprecated: CephFS is deprecated and the in-tree cephfs type is + // no longer supported. + cephfs?: { + // monitors is Required: Monitors is a collection of Ceph monitors + // More info: + // https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + monitors!: [...string] + + // path is Optional: Used as the mounted root, rather than the + // full Ceph tree, default is / + path?: string + + // readOnly is Optional: Defaults to false (read/write). ReadOnly + // here will force + // the ReadOnly setting in VolumeMounts. 
+ // More info: + // https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + readOnly?: bool + + // secretFile is Optional: SecretFile is the path to key ring for + // User, default is /etc/ceph/user.secret + // More info: + // https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + secretFile?: string + secretRef?: { + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + } + + // user is optional: User is the rados user name, default is admin + // More info: + // https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + user?: string + } + + // cinder represents a cinder volume attached and mounted on + // kubelets host machine. + // Deprecated: Cinder is deprecated. All operations for the + // in-tree cinder type + // are redirected to the cinder.csi.openstack.org CSI driver. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + cinder?: { + // fsType is the filesystem type to mount. + // Must be a filesystem type supported by the host operating + // system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be + // "ext4" if unspecified. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + fsType?: string + + // readOnly defaults to false (read/write). ReadOnly here will + // force + // the ReadOnly setting in VolumeMounts. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + readOnly?: bool + secretRef?: { + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. 
+ // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + } + + // volumeID used to identify the volume in cinder. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + volumeID!: string + } + + // configMap represents a configMap that should populate this + // volume + configMap?: { + // defaultMode is optional: mode bits used to set permissions on + // created files by default. + // Must be an octal value between 0000 and 0777 or a decimal value + // between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires + // decimal values for mode bits. + // Defaults to 0644. + // Directories within the path are not affected by this setting. + // This might be in conflict with other options that affect the + // file + // mode, like fsGroup, and the result can be other mode bits set. + defaultMode?: int32 + + // items if unspecified, each key-value pair in the Data field of + // the referenced + // ConfigMap will be projected into the volume as a file whose + // name is the + // key and content is the value. If specified, the listed keys + // will be + // projected into the specified paths, and unlisted keys will not + // be + // present. If a key is specified which is not present in the + // ConfigMap, + // the volume setup will error unless it is marked optional. Paths + // must be + // relative and may not contain the '..' path or start with '..'. + items?: [...{ + // key is the key to project. + key!: string + + // mode is Optional: mode bits used to set permissions on this + // file. + // Must be an octal value between 0000 and 0777 or a decimal value + // between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires + // decimal values for mode bits. + // If not specified, the volume defaultMode will be used. 
+ // This might be in conflict with other options that affect the + // file + // mode, like fsGroup, and the result can be other mode bits set. + mode?: int32 + + // path is the relative path of the file to map the key to. + // May not be an absolute path. + // May not contain the path element '..'. + // May not start with the string '..'. + path!: string + }] + + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + + // optional specify whether the ConfigMap or its keys must be + // defined + optional?: bool + } + + // csi (Container Storage Interface) represents ephemeral storage + // that is handled by certain external CSI drivers. + csi?: { + // driver is the name of the CSI driver that handles this volume. + // Consult with your admin for the correct name as registered in + // the cluster. + driver!: string + + // fsType to mount. Ex. "ext4", "xfs", "ntfs". + // If not provided, the empty value is passed to the associated + // CSI driver + // which will determine the default filesystem to apply. + fsType?: string + nodePublishSecretRef?: { + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + } + + // readOnly specifies a read-only configuration for the volume. + // Defaults to false (read/write). + readOnly?: bool + + // volumeAttributes stores driver-specific properties that are + // passed to the CSI + // driver. Consult your driver's documentation for supported + // values. 
+ volumeAttributes?: close({ + [string]: string + }) + } + + // downwardAPI represents downward API about the pod that should + // populate this volume + downwardAPI?: { + // Optional: mode bits to use on created files by default. Must be + // a + // Optional: mode bits used to set permissions on created files by + // default. + // Must be an octal value between 0000 and 0777 or a decimal value + // between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires + // decimal values for mode bits. + // Defaults to 0644. + // Directories within the path are not affected by this setting. + // This might be in conflict with other options that affect the + // file + // mode, like fsGroup, and the result can be other mode bits set. + defaultMode?: int32 + + // Items is a list of downward API volume file + items?: [...{ + // Required: Selects a field of the pod: only annotations, labels, + // name, namespace and uid are supported. + fieldRef?: { + // Version of the schema the FieldPath is written in terms of, + // defaults to "v1". + apiVersion?: string + + // Path of the field to select in the specified API version. + fieldPath!: string + } + + // Optional: mode bits used to set permissions on this file, must + // be an octal value + // between 0000 and 0777 or a decimal value between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires + // decimal values for mode bits. + // If not specified, the volume defaultMode will be used. + // This might be in conflict with other options that affect the + // file + // mode, like fsGroup, and the result can be other mode bits set. + mode?: int32 + + // Required: Path is the relative path name of the file to be + // created. Must not be absolute or contain the '..' path. Must + // be utf-8 encoded. The first item of the relative path must not + // start with '..' 
+ path!: string + + // Selects a resource of the container: only resources limits and + // requests + // (limits.cpu, limits.memory, requests.cpu and requests.memory) + // are currently supported. + resourceFieldRef?: { + // Container name: required for volumes, optional for env vars + containerName?: string + + // Specifies the output format of the exposed resources, defaults + // to "1" + divisor?: matchN(>=1, [int, string]) & (number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$") + + // Required: resource to select + resource!: string + } + }] + } + + // emptyDir represents a temporary directory that shares a pod's + // lifetime. + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#emptydir + emptyDir?: { + // medium represents what type of storage medium should back this + // directory. + // The default is "" which means to use the node's default medium. + // Must be an empty string (default) or Memory. + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#emptydir + medium?: string + + // sizeLimit is the total amount of local storage required for + // this EmptyDir volume. + // The size limit is also applicable for memory medium. + // The maximum usage on memory medium EmptyDir would be the + // minimum value between + // the SizeLimit specified here and the sum of memory limits of + // all containers in a pod. + // The default is nil which means that the limit is undefined. + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#emptydir + sizeLimit?: matchN(>=1, [int, string]) & (number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$") + } + ephemeral?: { + // Will be used to create a stand-alone PVC to provision the + // volume. + // The pod in which this EphemeralVolumeSource is embedded will be + // the + // owner of the PVC, i.e. 
the PVC will be deleted together with + // the + // pod. The name of the PVC will be `-` + // where + // `` is the name from the `PodSpec.Volumes` array + // entry. Pod validation will reject the pod if the concatenated + // name + // is not valid for a PVC (for example, too long). + // + // An existing PVC with that name that is not owned by the pod + // will *not* be used for the pod to avoid using an unrelated + // volume by mistake. Starting the pod is then blocked until + // the unrelated PVC is removed. If such a pre-created PVC is + // meant to be used by the pod, the PVC has to updated with an + // owner reference to the pod once the pod exists. Normally + // this should not be necessary, but it may be useful when + // manually reconstructing a broken cluster. + // + // This field is read-only and no changes will be made by + // Kubernetes + // to the PVC after it has been created. + // + // Required, must not be nil. + volumeClaimTemplate?: { + // May contain labels and annotations that will be copied into the + // PVC + // when creating it. No other fields are allowed and will be + // rejected during + // validation. + metadata?: {} + + // The specification for the PersistentVolumeClaim. The entire + // content is + // copied unchanged into the PVC that gets created from this + // template. The same fields as in a PersistentVolumeClaim + // are also valid here. + spec!: { + // accessModes contains the desired access modes the volume should + // have. + // More info: + // https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + accessModes?: [...string] + + // dataSource field can be used to specify either: + // * An existing VolumeSnapshot object + // (snapshot.storage.k8s.io/VolumeSnapshot) + // * An existing PVC (PersistentVolumeClaim) + // If the provisioner or an external controller can support the + // specified data source, + // it will create a new volume based on the contents of the + // specified data source. 
+ // When the AnyVolumeDataSource feature gate is enabled, + // dataSource contents will be copied to dataSourceRef, + // and dataSourceRef contents will be copied to dataSource when + // dataSourceRef.namespace is not specified. + // If the namespace is specified, then dataSourceRef will not be + // copied to dataSource. + dataSource?: { + // APIGroup is the group for the resource being referenced. + // If APIGroup is not specified, the specified Kind must be in the + // core API group. + // For any other third-party types, APIGroup is required. + apiGroup?: string + + // Kind is the type of resource being referenced + kind!: string + + // Name is the name of resource being referenced + name!: string + } + + // dataSourceRef specifies the object from which to populate the + // volume with data, if a non-empty + // volume is desired. This may be any object from a non-empty API + // group (non + // core object) or a PersistentVolumeClaim object. + // When this field is specified, volume binding will only succeed + // if the type of + // the specified object matches some installed volume populator or + // dynamic + // provisioner. + // This field will replace the functionality of the dataSource + // field and as such + // if both fields are non-empty, they must have the same value. + // For backwards + // compatibility, when namespace isn't specified in dataSourceRef, + // both fields (dataSource and dataSourceRef) will be set to the + // same + // value automatically if one of them is empty and the other is + // non-empty. + // When namespace is specified in dataSourceRef, + // dataSource isn't set to the same value and must be empty. + // There are three important differences between dataSource and + // dataSourceRef: + // * While dataSource only allows two specific types of objects, + // dataSourceRef + // allows any non-core object, as well as PersistentVolumeClaim + // objects. 
+ // * While dataSource ignores disallowed values (dropping them), + // dataSourceRef + // preserves all values, and generates an error if a disallowed + // value is + // specified. + // * While dataSource only allows local objects, dataSourceRef + // allows objects + // in any namespaces. + // (Beta) Using this field requires the AnyVolumeDataSource + // feature gate to be enabled. + // (Alpha) Using the namespace field of dataSourceRef requires the + // CrossNamespaceVolumeDataSource feature gate to be enabled. + dataSourceRef?: { + // APIGroup is the group for the resource being referenced. + // If APIGroup is not specified, the specified Kind must be in the + // core API group. + // For any other third-party types, APIGroup is required. + apiGroup?: string + + // Kind is the type of resource being referenced + kind!: string + + // Name is the name of resource being referenced + name!: string + + // Namespace is the namespace of resource being referenced + // Note that when a namespace is specified, a + // gateway.networking.k8s.io/ReferenceGrant object is required in + // the referent namespace to allow that namespace's owner to + // accept the reference. See the ReferenceGrant documentation for + // details. + // (Alpha) This field requires the CrossNamespaceVolumeDataSource + // feature gate to be enabled. + namespace?: string + } + + // resources represents the minimum resources the volume should + // have. + // If RecoverVolumeExpansionFailure feature is enabled users are + // allowed to specify resource requirements + // that are lower than previous value but must still be higher + // than capacity recorded in the + // status field of the claim. + // More info: + // https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + resources?: { + // Limits describes the maximum amount of compute resources + // allowed. 
+ // More info: + // https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + limits?: close({ + [string]: matchN(>=1, [int, string]) & (number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$") + }) + + // Requests describes the minimum amount of compute resources + // required. + // If Requests is omitted for a container, it defaults to Limits + // if that is explicitly specified, + // otherwise to an implementation-defined value. Requests cannot + // exceed Limits. + // More info: + // https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + requests?: close({ + [string]: matchN(>=1, [int, string]) & (number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$") + }) + } + + // selector is a label query over volumes to consider for binding. + selector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. 
+ matchLabels?: close({ + [string]: string + }) + } + + // storageClassName is the name of the StorageClass required by + // the claim. + // More info: + // https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + storageClassName?: string + + // volumeAttributesClassName may be used to set the + // VolumeAttributesClass used by this claim. + // If specified, the CSI driver will create or update the volume + // with the attributes defined + // in the corresponding VolumeAttributesClass. This has a + // different purpose than storageClassName, + // it can be changed after the claim is created. An empty string + // value means that no VolumeAttributesClass + // will be applied to the claim but it's not allowed to reset this + // field to empty string once it is set. + // If unspecified and the PersistentVolumeClaim is unbound, the + // default VolumeAttributesClass + // will be set by the persistentvolume controller if it exists. + // If the resource referred to by volumeAttributesClass does not + // exist, this PersistentVolumeClaim will be + // set to a Pending state, as reflected by the modifyVolumeStatus + // field, until such as a resource + // exists. + // More info: + // https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ + // (Beta) Using this field requires the VolumeAttributesClass + // feature gate to be enabled (off by default). + volumeAttributesClassName?: string + + // volumeMode defines what type of volume is required by the + // claim. + // Value of Filesystem is implied when not included in claim spec. + volumeMode?: string + + // volumeName is the binding reference to the PersistentVolume + // backing this claim. + volumeName?: string + } + } + } + + // fc represents a Fibre Channel resource that is attached to a + // kubelet's host machine and then exposed to the pod. + fc?: { + // fsType is the filesystem type to mount. + // Must be a filesystem type supported by the host operating + // system. + // Ex. 
"ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if + // unspecified. + fsType?: string + + // lun is Optional: FC target lun number + lun?: int32 + + // readOnly is Optional: Defaults to false (read/write). ReadOnly + // here will force + // the ReadOnly setting in VolumeMounts. + readOnly?: bool + + // targetWWNs is Optional: FC target worldwide names (WWNs) + targetWWNs?: [...string] + + // wwids Optional: FC volume world wide identifiers (wwids) + // Either wwids or combination of targetWWNs and lun must be set, + // but not both simultaneously. + wwids?: [...string] + } + + // flexVolume represents a generic volume resource that is + // provisioned/attached using an exec based plugin. + // Deprecated: FlexVolume is deprecated. Consider using a + // CSIDriver instead. + flexVolume?: { + // driver is the name of the driver to use for this volume. + driver!: string + + // fsType is the filesystem type to mount. + // Must be a filesystem type supported by the host operating + // system. + // Ex. "ext4", "xfs", "ntfs". The default filesystem depends on + // FlexVolume script. + fsType?: string + + // options is Optional: this field holds extra command options if + // any. + options?: close({ + [string]: string + }) + + // readOnly is Optional: defaults to false (read/write). ReadOnly + // here will force + // the ReadOnly setting in VolumeMounts. + readOnly?: bool + secretRef?: { + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + } + } + + // flocker represents a Flocker volume attached to a kubelet's + // host machine. This depends on the Flocker control service + // being running. 
+ // Deprecated: Flocker is deprecated and the in-tree flocker type + // is no longer supported. + flocker?: { + // datasetName is Name of the dataset stored as metadata -> name + // on the dataset for Flocker + // should be considered as deprecated + datasetName?: string + + // datasetUUID is the UUID of the dataset. This is unique + // identifier of a Flocker dataset + datasetUUID?: string + } + + // gcePersistentDisk represents a GCE Disk resource that is + // attached to a + // kubelet's host machine and then exposed to the pod. + // Deprecated: GCEPersistentDisk is deprecated. All operations for + // the in-tree + // gcePersistentDisk type are redirected to the + // pd.csi.storage.gke.io CSI driver. + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + gcePersistentDisk?: { + // fsType is filesystem type of the volume that you want to mount. + // Tip: Ensure that the filesystem type is supported by the host + // operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be + // "ext4" if unspecified. + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + fsType?: string + + // partition is the partition in the volume that you want to + // mount. + // If omitted, the default is to mount by volume name. + // Examples: For volume /dev/sda1, you specify the partition as + // "1". + // Similarly, the volume partition for /dev/sda is "0" (or you can + // leave the property empty). + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + partition?: int32 + + // pdName is unique name of the PD resource in GCE. Used to + // identify the disk in GCE. + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + pdName!: string + + // readOnly here will force the ReadOnly setting in VolumeMounts. + // Defaults to false. 
+ // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + readOnly?: bool + } + + // gitRepo represents a git repository at a particular revision. + // Deprecated: GitRepo is deprecated. To provision a container + // with a git repo, mount an + // EmptyDir into an InitContainer that clones the repo using git, + // then mount the EmptyDir + // into the Pod's container. + gitRepo?: { + // directory is the target directory name. + // Must not contain or start with '..'. If '.' is supplied, the + // volume directory will be the + // git repository. Otherwise, if specified, the volume will + // contain the git repository in + // the subdirectory with the given name. + directory?: string + + // repository is the URL + repository!: string + + // revision is the commit hash for the specified revision. + revision?: string + } + + // glusterfs represents a Glusterfs mount on the host that shares + // a pod's lifetime. + // Deprecated: Glusterfs is deprecated and the in-tree glusterfs + // type is no longer supported. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md + glusterfs?: { + // endpoints is the endpoint name that details Glusterfs topology. + // More info: + // https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + endpoints!: string + + // path is the Glusterfs volume path. + // More info: + // https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + path!: string + + // readOnly here will force the Glusterfs volume to be mounted + // with read-only permissions. + // Defaults to false. + // More info: + // https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + readOnly?: bool + } + + // hostPath represents a pre-existing file or directory on the + // host + // machine that is directly exposed to the container. This is + // generally + // used for system agents or other privileged things that are + // allowed + // to see the host machine. Most containers will NOT need this. 
+ // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#hostpath + hostPath?: { + // path of the directory on the host. + // If the path is a symlink, it will follow the link to the real + // path. + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#hostpath + path!: string + + // type for HostPath Volume + // Defaults to "" + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type?: string + } + + // image represents an OCI object (a container image or artifact) + // pulled and mounted on the kubelet's host machine. + // The volume is resolved at pod startup depending on which + // PullPolicy value is provided: + // + // - Always: the kubelet always attempts to pull the reference. + // Container creation will fail If the pull fails. + // - Never: the kubelet never pulls the reference and only uses a + // local image or artifact. Container creation will fail if the + // reference isn't present. + // - IfNotPresent: the kubelet pulls if the reference isn't + // already present on disk. Container creation will fail if the + // reference isn't present and the pull fails. + // + // The volume gets re-resolved if the pod gets deleted and + // recreated, which means that new remote content will become + // available on pod recreation. + // A failure to resolve or pull the image during pod startup will + // block containers from starting and may add significant + // latency. Failures will be retried using normal volume backoff + // and will be reported on the pod reason and message. + // The types of objects that may be mounted by this volume are + // defined by the container runtime implementation on a host + // machine and at minimum must include all valid types supported + // by the container image field. + // The OCI object gets mounted in a single directory + // (spec.containers[*].volumeMounts.mountPath) by merging the + // manifest layers in the same way as for container images. 
+ // The volume will be mounted read-only (ro) and non-executable + // files (noexec). + // Sub path mounts for containers are not supported + // (spec.containers[*].volumeMounts.subpath). + // The field spec.securityContext.fsGroupChangePolicy has no + // effect on this volume type. + image?: { + // Policy for pulling OCI objects. Possible values are: + // Always: the kubelet always attempts to pull the reference. + // Container creation will fail If the pull fails. + // Never: the kubelet never pulls the reference and only uses a + // local image or artifact. Container creation will fail if the + // reference isn't present. + // IfNotPresent: the kubelet pulls if the reference isn't already + // present on disk. Container creation will fail if the reference + // isn't present and the pull fails. + // Defaults to Always if :latest tag is specified, or IfNotPresent + // otherwise. + pullPolicy?: string + + // Required: Image or artifact reference to be used. + // Behaves in the same way as pod.spec.containers[*].image. + // Pull secrets will be assembled in the same way as for the + // container image by looking up node credentials, SA image pull + // secrets, and pod spec image pull secrets. + // More info: + // https://kubernetes.io/docs/concepts/containers/images + // This field is optional to allow higher level config management + // to default or override + // container images in workload controllers like Deployments and + // StatefulSets. + reference?: string + } + + // iscsi represents an ISCSI Disk resource that is attached to a + // kubelet's host machine and then exposed to the pod. 
+ // More info: https://examples.k8s.io/volumes/iscsi/README.md + iscsi?: { + // chapAuthDiscovery defines whether support iSCSI Discovery CHAP + // authentication + chapAuthDiscovery?: bool + + // chapAuthSession defines whether support iSCSI Session CHAP + // authentication + chapAuthSession?: bool + + // fsType is the filesystem type of the volume that you want to + // mount. + // Tip: Ensure that the filesystem type is supported by the host + // operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be + // "ext4" if unspecified. + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#iscsi + fsType?: string + + // initiatorName is the custom iSCSI Initiator Name. + // If initiatorName is specified with iscsiInterface + // simultaneously, new iSCSI interface + // : will be created for the + // connection. + initiatorName?: string + + // iqn is the target iSCSI Qualified Name. + iqn!: string + + // iscsiInterface is the interface Name that uses an iSCSI + // transport. + // Defaults to 'default' (tcp). + iscsiInterface?: string | *"default" + + // lun represents iSCSI Target Lun number. + lun!: int32 + + // portals is the iSCSI Target Portal List. The portal is either + // an IP or ip_addr:port if the port + // is other than default (typically TCP ports 860 and 3260). + portals?: [...string] + + // readOnly here will force the ReadOnly setting in VolumeMounts. + // Defaults to false. + readOnly?: bool + secretRef?: { + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + } + + // targetPortal is iSCSI Target Portal. 
The Portal is either an IP + // or ip_addr:port if the port + // is other than default (typically TCP ports 860 and 3260). + targetPortal!: string + } + + // name of the volume. + // Must be a DNS_LABEL and unique within the pod. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + + // nfs represents an NFS mount on the host that shares a pod's + // lifetime + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#nfs + nfs?: { + // path that is exported by the NFS server. + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#nfs + path!: string + + // readOnly here will force the NFS export to be mounted with + // read-only permissions. + // Defaults to false. + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#nfs + readOnly?: bool + + // server is the hostname or IP address of the NFS server. + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#nfs + server!: string + } + + // persistentVolumeClaimVolumeSource represents a reference to a + // PersistentVolumeClaim in the same namespace. + // More info: + // https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + persistentVolumeClaim?: { + // claimName is the name of a PersistentVolumeClaim in the same + // namespace as the pod using this volume. + // More info: + // https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + claimName!: string + + // readOnly Will force the ReadOnly setting in VolumeMounts. + // Default false. + readOnly?: bool + } + + // photonPersistentDisk represents a PhotonController persistent + // disk attached and mounted on kubelets host machine. + // Deprecated: PhotonPersistentDisk is deprecated and the in-tree + // photonPersistentDisk type is no longer supported. + photonPersistentDisk?: { + // fsType is the filesystem type to mount. 
+ // Must be a filesystem type supported by the host operating + // system. + // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if + // unspecified. + fsType?: string + + // pdID is the ID that identifies Photon Controller persistent + // disk + pdID!: string + } + + // portworxVolume represents a portworx volume attached and + // mounted on kubelets host machine. + // Deprecated: PortworxVolume is deprecated. All operations for + // the in-tree portworxVolume type + // are redirected to the pxd.portworx.com CSI driver when the + // CSIMigrationPortworx feature-gate + // is on. + portworxVolume?: { + // fSType represents the filesystem type to mount + // Must be a filesystem type supported by the host operating + // system. + // Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if + // unspecified. + fsType?: string + + // readOnly defaults to false (read/write). ReadOnly here will + // force + // the ReadOnly setting in VolumeMounts. + readOnly?: bool + + // volumeID uniquely identifies a Portworx volume + volumeID!: string + } + + // projected items for all in one resources secrets, configmaps, + // and downward API + projected?: { + // defaultMode are the mode bits used to set permissions on + // created files by default. + // Must be an octal value between 0000 and 0777 or a decimal value + // between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires + // decimal values for mode bits. + // Directories within the path are not affected by this setting. + // This might be in conflict with other options that affect the + // file + // mode, like fsGroup, and the result can be other mode bits set. + defaultMode?: int32 + + // sources is the list of volume projections. Each entry in this + // list + // handles one source. + sources?: [...{ + // ClusterTrustBundle allows a pod to access the + // `.spec.trustBundle` field + // of ClusterTrustBundle objects in an auto-updating file. 
+ // + // Alpha, gated by the ClusterTrustBundleProjection feature gate. + // + // ClusterTrustBundle objects can either be selected by name, or + // by the + // combination of signer name and a label selector. + // + // Kubelet performs aggressive normalization of the PEM contents + // written + // into the pod filesystem. Esoteric PEM features such as + // inter-block + // comments and block headers are stripped. Certificates are + // deduplicated. + // The ordering of certificates within the file is arbitrary, and + // Kubelet + // may change the order over time. + clusterTrustBundle?: { + // Select all ClusterTrustBundles that match this label selector. + // Only has + // effect if signerName is set. Mutually-exclusive with name. If + // unset, + // interpreted as "match nothing". If set but empty, interpreted + // as "match + // everything". + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // Select a single ClusterTrustBundle by object name. + // Mutually-exclusive + // with signerName and labelSelector. 
+ name?: string + + // If true, don't block pod startup if the referenced + // ClusterTrustBundle(s) + // aren't available. If using name, then the named + // ClusterTrustBundle is + // allowed not to exist. If using signerName, then the combination + // of + // signerName and labelSelector is allowed to match zero + // ClusterTrustBundles. + optional?: bool + + // Relative path from the volume root to write the bundle. + path!: string + + // Select all ClusterTrustBundles that match this signer name. + // Mutually-exclusive with name. The contents of all selected + // ClusterTrustBundles will be unified and deduplicated. + signerName?: string + } + + // configMap information about the configMap data to project + configMap?: { + // items if unspecified, each key-value pair in the Data field of + // the referenced + // ConfigMap will be projected into the volume as a file whose + // name is the + // key and content is the value. If specified, the listed keys + // will be + // projected into the specified paths, and unlisted keys will not + // be + // present. If a key is specified which is not present in the + // ConfigMap, + // the volume setup will error unless it is marked optional. Paths + // must be + // relative and may not contain the '..' path or start with '..'. + items?: [...{ + // key is the key to project. + key!: string + + // mode is Optional: mode bits used to set permissions on this + // file. + // Must be an octal value between 0000 and 0777 or a decimal value + // between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires + // decimal values for mode bits. + // If not specified, the volume defaultMode will be used. + // This might be in conflict with other options that affect the + // file + // mode, like fsGroup, and the result can be other mode bits set. + mode?: int32 + + // path is the relative path of the file to map the key to. + // May not be an absolute path. + // May not contain the path element '..'. 
+ // May not start with the string '..'. + path!: string + }] + + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + + // optional specify whether the ConfigMap or its keys must be + // defined + optional?: bool + } + downwardAPI?: { + // Items is a list of DownwardAPIVolume file + items?: [...{ + // Required: Selects a field of the pod: only annotations, labels, + // name, namespace and uid are supported. + fieldRef?: { + // Version of the schema the FieldPath is written in terms of, + // defaults to "v1". + apiVersion?: string + + // Path of the field to select in the specified API version. + fieldPath!: string + } + + // Optional: mode bits used to set permissions on this file, must + // be an octal value + // between 0000 and 0777 or a decimal value between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires + // decimal values for mode bits. + // If not specified, the volume defaultMode will be used. + // This might be in conflict with other options that affect the + // file + // mode, like fsGroup, and the result can be other mode bits set. + mode?: int32 + + // Required: Path is the relative path name of the file to be + // created. Must not be absolute or contain the '..' path. Must + // be utf-8 encoded. The first item of the relative path must not + // start with '..' + path!: string + + // Selects a resource of the container: only resources limits and + // requests + // (limits.cpu, limits.memory, requests.cpu and requests.memory) + // are currently supported. 
+ resourceFieldRef?: { + // Container name: required for volumes, optional for env vars + containerName?: string + + // Specifies the output format of the exposed resources, defaults + // to "1" + divisor?: matchN(>=1, [int, string]) & (number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$") + + // Required: resource to select + resource!: string + } + }] + } + + // secret information about the secret data to project + secret?: { + // items if unspecified, each key-value pair in the Data field of + // the referenced + // Secret will be projected into the volume as a file whose name + // is the + // key and content is the value. If specified, the listed keys + // will be + // projected into the specified paths, and unlisted keys will not + // be + // present. If a key is specified which is not present in the + // Secret, + // the volume setup will error unless it is marked optional. Paths + // must be + // relative and may not contain the '..' path or start with '..'. + items?: [...{ + // key is the key to project. + key!: string + + // mode is Optional: mode bits used to set permissions on this + // file. + // Must be an octal value between 0000 and 0777 or a decimal value + // between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires + // decimal values for mode bits. + // If not specified, the volume defaultMode will be used. + // This might be in conflict with other options that affect the + // file + // mode, like fsGroup, and the result can be other mode bits set. + mode?: int32 + + // path is the relative path of the file to map the key to. + // May not be an absolute path. + // May not contain the path element '..'. + // May not start with the string '..'. + path!: string + }] + + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. 
Instances of this type with an empty value + // here are + // almost certainly wrong. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + + // optional field specify whether the Secret or its key must be + // defined + optional?: bool + } + + // serviceAccountToken is information about the + // serviceAccountToken data to project + serviceAccountToken?: { + // audience is the intended audience of the token. A recipient of + // a token + // must identify itself with an identifier specified in the + // audience of the + // token, and otherwise should reject the token. The audience + // defaults to the + // identifier of the apiserver. + audience?: string + + // expirationSeconds is the requested duration of validity of the + // service + // account token. As the token approaches expiration, the kubelet + // volume + // plugin will proactively rotate the service account token. The + // kubelet will + // start trying to rotate the token if the token is older than 80 + // percent of + // its time to live or if the token is older than 24 + // hours.Defaults to 1 hour + // and must be at least 10 minutes. + expirationSeconds?: int64 + + // path is the path relative to the mount point of the file to + // project the + // token into. + path!: string + } + }] + } + + // quobyte represents a Quobyte mount on the host that shares a + // pod's lifetime. + // Deprecated: Quobyte is deprecated and the in-tree quobyte type + // is no longer supported. + quobyte?: { + // group to map volume access to + // Default is no group + group?: string + + // readOnly here will force the Quobyte volume to be mounted with + // read-only permissions. + // Defaults to false. 
+ readOnly?: bool + + // registry represents a single or multiple Quobyte Registry + // services + // specified as a string as host:port pair (multiple entries are + // separated with commas) + // which acts as the central registry for volumes + registry!: string + + // tenant owning the given Quobyte volume in the Backend + // Used with dynamically provisioned Quobyte volumes, value is set + // by the plugin + tenant?: string + + // user to map volume access to + // Defaults to serivceaccount user + user?: string + + // volume is a string that references an already created Quobyte + // volume by name. + volume!: string + } + + // rbd represents a Rados Block Device mount on the host that + // shares a pod's lifetime. + // Deprecated: RBD is deprecated and the in-tree rbd type is no + // longer supported. + // More info: https://examples.k8s.io/volumes/rbd/README.md + rbd?: { + // fsType is the filesystem type of the volume that you want to + // mount. + // Tip: Ensure that the filesystem type is supported by the host + // operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be + // "ext4" if unspecified. + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#rbd + fsType?: string + + // image is the rados image name. + // More info: + // https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + image!: string + + // keyring is the path to key ring for RBDUser. + // Default is /etc/ceph/keyring. + // More info: + // https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + keyring?: string | *"/etc/ceph/keyring" + + // monitors is a collection of Ceph monitors. + // More info: + // https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + monitors!: [...string] + + // pool is the rados pool name. + // Default is rbd. + // More info: + // https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + pool?: string | *"rbd" + + // readOnly here will force the ReadOnly setting in VolumeMounts. 
+ // Defaults to false. + // More info: + // https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + readOnly?: bool + secretRef?: { + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + } + + // user is the rados user name. + // Default is admin. + // More info: + // https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + user?: string | *"admin" + } + + // scaleIO represents a ScaleIO persistent volume attached and + // mounted on Kubernetes nodes. + // Deprecated: ScaleIO is deprecated and the in-tree scaleIO type + // is no longer supported. + scaleIO?: { + // fsType is the filesystem type to mount. + // Must be a filesystem type supported by the host operating + // system. + // Ex. "ext4", "xfs", "ntfs". + // Default is "xfs". + fsType?: string | *"xfs" + + // gateway is the host address of the ScaleIO API Gateway. + gateway!: string + + // protectionDomain is the name of the ScaleIO Protection Domain + // for the configured storage. + protectionDomain?: string + + // readOnly Defaults to false (read/write). ReadOnly here will + // force + // the ReadOnly setting in VolumeMounts. + readOnly?: bool + secretRef!: { + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. 
+ // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + } + + // sslEnabled Flag enable/disable SSL communication with Gateway, + // default false + sslEnabled?: bool + + // storageMode indicates whether the storage for a volume should + // be ThickProvisioned or ThinProvisioned. + // Default is ThinProvisioned. + storageMode?: string | *"ThinProvisioned" + + // storagePool is the ScaleIO Storage Pool associated with the + // protection domain. + storagePool?: string + + // system is the name of the storage system as configured in + // ScaleIO. + system!: string + + // volumeName is the name of a volume already created in the + // ScaleIO system + // that is associated with this volume source. + volumeName?: string + } + + // secret represents a secret that should populate this volume. + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#secret + secret?: { + // defaultMode is Optional: mode bits used to set permissions on + // created files by default. + // Must be an octal value between 0000 and 0777 or a decimal value + // between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires + // decimal values + // for mode bits. Defaults to 0644. + // Directories within the path are not affected by this setting. + // This might be in conflict with other options that affect the + // file + // mode, like fsGroup, and the result can be other mode bits set. + defaultMode?: int32 + + // items If unspecified, each key-value pair in the Data field of + // the referenced + // Secret will be projected into the volume as a file whose name + // is the + // key and content is the value. If specified, the listed keys + // will be + // projected into the specified paths, and unlisted keys will not + // be + // present. If a key is specified which is not present in the + // Secret, + // the volume setup will error unless it is marked optional. 
Paths + // must be + // relative and may not contain the '..' path or start with '..'. + items?: [...{ + // key is the key to project. + key!: string + + // mode is Optional: mode bits used to set permissions on this + // file. + // Must be an octal value between 0000 and 0777 or a decimal value + // between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires + // decimal values for mode bits. + // If not specified, the volume defaultMode will be used. + // This might be in conflict with other options that affect the + // file + // mode, like fsGroup, and the result can be other mode bits set. + mode?: int32 + + // path is the relative path of the file to map the key to. + // May not be an absolute path. + // May not contain the path element '..'. + // May not start with the string '..'. + path!: string + }] + + // optional field specify whether the Secret or its keys must be + // defined + optional?: bool + + // secretName is the name of the secret in the pod's namespace to + // use. + // More info: + // https://kubernetes.io/docs/concepts/storage/volumes#secret + secretName?: string + } + + // storageOS represents a StorageOS volume attached and mounted on + // Kubernetes nodes. + // Deprecated: StorageOS is deprecated and the in-tree storageos + // type is no longer supported. + storageos?: { + // fsType is the filesystem type to mount. + // Must be a filesystem type supported by the host operating + // system. + // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if + // unspecified. + fsType?: string + + // readOnly defaults to false (read/write). ReadOnly here will + // force + // the ReadOnly setting in VolumeMounts. + readOnly?: bool + secretRef?: { + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. 
+ // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + } + + // volumeName is the human-readable name of the StorageOS volume. + // Volume + // names are only unique within a namespace. + volumeName?: string + + // volumeNamespace specifies the scope of the volume within + // StorageOS. If no + // namespace is specified then the Pod's namespace will be used. + // This allows the + // Kubernetes name scoping to be mirrored within StorageOS for + // tighter integration. + // Set VolumeName to any name to override the default behaviour. + // Set to "default" if you are not using namespaces within + // StorageOS. + // Namespaces that do not pre-exist within StorageOS will be + // created. + volumeNamespace?: string + } + + // vsphereVolume represents a vSphere volume attached and mounted + // on kubelets host machine. + // Deprecated: VsphereVolume is deprecated. All operations for the + // in-tree vsphereVolume type + // are redirected to the csi.vsphere.vmware.com CSI driver. + vsphereVolume?: { + // fsType is filesystem type to mount. + // Must be a filesystem type supported by the host operating + // system. + // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if + // unspecified. + fsType?: string + + // storagePolicyID is the storage Policy Based Management (SPBM) + // profile ID associated with the StoragePolicyName. + storagePolicyID?: string + + // storagePolicyName is the storage Policy Based Management (SPBM) + // profile name. + storagePolicyName?: string + + // volumePath is the path that identifies vSphere volume vmdk + volumePath!: string + } + }] + } + + // Replicas is the number of desired pods. Defaults to 1. + replicas?: int32 + + // The deployment strategy to use to replace existing pods with + // new ones. + strategy?: { + // Rolling update config params. Present only if + // DeploymentStrategyType = + // RollingUpdate. 
+ rollingUpdate?: { + // The maximum number of pods that can be scheduled above the + // desired number of + // pods. + // Value can be an absolute number (ex: 5) or a percentage of + // desired pods (ex: 10%). + // This can not be 0 if MaxUnavailable is 0. + // Absolute number is calculated from percentage by rounding up. + // Defaults to 25%. + // Example: when this is set to 30%, the new ReplicaSet can be + // scaled up immediately when + // the rolling update starts, such that the total number of old + // and new pods do not exceed + // 130% of desired pods. Once old pods have been killed, + // new ReplicaSet can be scaled up further, ensuring that total + // number of pods running + // at any time during the update is at most 130% of desired pods. + maxSurge?: matchN(>=1, [int, string]) + + // The maximum number of pods that can be unavailable during the + // update. + // Value can be an absolute number (ex: 5) or a percentage of + // desired pods (ex: 10%). + // Absolute number is calculated from percentage by rounding down. + // This can not be 0 if MaxSurge is 0. + // Defaults to 25%. + // Example: when this is set to 30%, the old ReplicaSet can be + // scaled down to 70% of desired pods + // immediately when the rolling update starts. Once new pods are + // ready, old ReplicaSet + // can be scaled down further, followed by scaling up the new + // ReplicaSet, ensuring + // that the total number of pods available at all times during the + // update is at + // least 70% of desired pods. + maxUnavailable?: matchN(>=1, [int, string]) + } + + // Type of deployment. Can be "Recreate" or "RollingUpdate". + // Default is RollingUpdate. + type?: string + } + } + + // EnvoyHpa defines the Horizontal Pod Autoscaler settings for + // Envoy Proxy Deployment. + // Once the HPA is being set, Replicas field from EnvoyDeployment + // will be ignored. 
+ envoyHpa?: { + // behavior configures the scaling behavior of the target + // in both Up and Down directions (scaleUp and scaleDown fields + // respectively). + // If not set, the default HPAScalingRules for scale up and scale + // down are used. + // See k8s.io.autoscaling.v2.HorizontalPodAutoScalerBehavior. + behavior?: { + // scaleDown is scaling policy for scaling Down. + // If not set, the default value is to allow to scale down to + // minReplicas pods, with a + // 300 second stabilization window (i.e., the highest + // recommendation for + // the last 300sec is used). + scaleDown?: { + // policies is a list of potential scaling polices which can be + // used during scaling. + // At least one policy must be specified, otherwise the + // HPAScalingRules will be discarded as invalid + policies?: [...{ + // periodSeconds specifies the window of time for which the policy + // should hold true. + // PeriodSeconds must be greater than zero and less than or equal + // to 1800 (30 min). + periodSeconds!: int32 + + // type is used to specify the scaling policy. + type!: string + + // value contains the amount of change which is permitted by the + // policy. + // It must be greater than zero + value!: int32 + }] + + // selectPolicy is used to specify which policy should be used. + // If not set, the default value Max is used. + selectPolicy?: string + + // stabilizationWindowSeconds is the number of seconds for which + // past recommendations should be + // considered while scaling up or scaling down. + // StabilizationWindowSeconds must be greater than or equal to + // zero and less than or equal to 3600 (one hour). + // If not set, use the default values: + // - For scale up: 0 (i.e. no stabilization is done). + // - For scale down: 300 (i.e. the stabilization window is 300 + // seconds long). + stabilizationWindowSeconds?: int32 + } + + // scaleUp is scaling policy for scaling Up. 
+ // If not set, the default value is the higher of: + // * increase no more than 4 pods per 60 seconds + // * double the number of pods per 60 seconds + // No stabilization is used. + scaleUp?: { + // policies is a list of potential scaling polices which can be + // used during scaling. + // At least one policy must be specified, otherwise the + // HPAScalingRules will be discarded as invalid + policies?: [...{ + // periodSeconds specifies the window of time for which the policy + // should hold true. + // PeriodSeconds must be greater than zero and less than or equal + // to 1800 (30 min). + periodSeconds!: int32 + + // type is used to specify the scaling policy. + type!: string + + // value contains the amount of change which is permitted by the + // policy. + // It must be greater than zero + value!: int32 + }] + + // selectPolicy is used to specify which policy should be used. + // If not set, the default value Max is used. + selectPolicy?: string + + // stabilizationWindowSeconds is the number of seconds for which + // past recommendations should be + // considered while scaling up or scaling down. + // StabilizationWindowSeconds must be greater than or equal to + // zero and less than or equal to 3600 (one hour). + // If not set, use the default values: + // - For scale up: 0 (i.e. no stabilization is done). + // - For scale down: 300 (i.e. the stabilization window is 300 + // seconds long). + stabilizationWindowSeconds?: int32 + } + } + + // maxReplicas is the upper limit for the number of replicas to + // which the autoscaler can scale up. + // It cannot be less that minReplicas. + maxReplicas!: int32 + + // metrics contains the specifications for which to use to + // calculate the + // desired replica count (the maximum replica count across all + // metrics will + // be used). + // If left empty, it defaults to being based on CPU utilization + // with average on 80% usage. 
+ metrics?: [...{ + // containerResource refers to a resource metric (such as those + // specified in + // requests and limits) known to Kubernetes describing a single + // container in + // each pod of the current scale target (e.g. CPU or memory). Such + // metrics are + // built in to Kubernetes, and have special scaling options on top + // of those + // available to normal per-pod metrics using the "pods" source. + containerResource?: { + // container is the name of the container in the pods of the + // scaling target + container!: string + + // name is the name of the resource in question. + name!: string + + // target specifies the target value for the given metric + target!: { + // averageUtilization is the target value of the average of the + // resource metric across all relevant pods, represented as a + // percentage of + // the requested value of the resource for the pods. + // Currently only valid for Resource metric source type + averageUtilization?: int32 + + // averageValue is the target value of the average of the + // metric across all relevant pods (as a quantity) + averageValue?: matchN(>=1, [int, string]) & (number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$") + + // type represents whether the metric type is Utilization, Value, + // or AverageValue + type!: string + + // value is the target value of the metric (as a quantity). + value?: matchN(>=1, [int, string]) & (number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$") + } + } + + // external refers to a global metric that is not associated + // with any Kubernetes object. It allows autoscaling based on + // information + // coming from components running outside of cluster + // (for example length of queue in cloud messaging service, or + // QPS from loadbalancer running outside of cluster). 
+ external?: { + // metric identifies the target metric by name and selector + metric!: { + // name is the name of the given metric + name!: string + + // selector is the string-encoded form of a standard kubernetes + // label selector for the given metric + // When set, it is passed as an additional parameter to the + // metrics server for more specific metrics scoping. + // When unset, just the metricName will be used to gather metrics. + selector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + } + + // target specifies the target value for the given metric + target!: { + // averageUtilization is the target value of the average of the + // resource metric across all relevant pods, represented as a + // percentage of + // the requested value of the resource for the pods. 
+ // Currently only valid for Resource metric source type + averageUtilization?: int32 + + // averageValue is the target value of the average of the + // metric across all relevant pods (as a quantity) + averageValue?: matchN(>=1, [int, string]) & (number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$") + + // type represents whether the metric type is Utilization, Value, + // or AverageValue + type!: string + + // value is the target value of the metric (as a quantity). + value?: matchN(>=1, [int, string]) & (number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$") + } + } + + // object refers to a metric describing a single kubernetes object + // (for example, hits-per-second on an Ingress object). + object?: { + // describedObject specifies the descriptions of a object,such as + // kind,name apiVersion + describedObject!: { + // apiVersion is the API version of the referent + apiVersion?: string + + // kind is the kind of the referent; More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind!: string + + // name is the name of the referent; More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + + // metric identifies the target metric by name and selector + metric!: { + // name is the name of the given metric + name!: string + + // selector is the string-encoded form of a standard kubernetes + // label selector for the given metric + // When set, it is passed as an additional parameter to the + // metrics server for more specific metrics scoping. + // When unset, just the metricName will be used to gather metrics. + selector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. 
+ matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + } + + // target specifies the target value for the given metric + target!: { + // averageUtilization is the target value of the average of the + // resource metric across all relevant pods, represented as a + // percentage of + // the requested value of the resource for the pods. + // Currently only valid for Resource metric source type + averageUtilization?: int32 + + // averageValue is the target value of the average of the + // metric across all relevant pods (as a quantity) + averageValue?: matchN(>=1, [int, string]) & (number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$") + + // type represents whether the metric type is Utilization, Value, + // or AverageValue + type!: string + + // value is the target value of the metric (as a quantity). 
+ value?: matchN(>=1, [int, string]) & (number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$") + } + } + + // pods refers to a metric describing each pod in the current + // scale target + // (for example, transactions-processed-per-second). The values + // will be + // averaged together before being compared to the target value. + pods?: { + // metric identifies the target metric by name and selector + metric!: { + // name is the name of the given metric + name!: string + + // selector is the string-encoded form of a standard kubernetes + // label selector for the given metric + // When set, it is passed as an additional parameter to the + // metrics server for more specific metrics scoping. + // When unset, just the metricName will be used to gather metrics. + selector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. 
+ matchLabels?: close({ + [string]: string + }) + } + } + + // target specifies the target value for the given metric + target!: { + // averageUtilization is the target value of the average of the + // resource metric across all relevant pods, represented as a + // percentage of + // the requested value of the resource for the pods. + // Currently only valid for Resource metric source type + averageUtilization?: int32 + + // averageValue is the target value of the average of the + // metric across all relevant pods (as a quantity) + averageValue?: matchN(>=1, [int, string]) & (number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$") + + // type represents whether the metric type is Utilization, Value, + // or AverageValue + type!: string + + // value is the target value of the metric (as a quantity). + value?: matchN(>=1, [int, string]) & (number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$") + } + } + + // resource refers to a resource metric (such as those specified + // in + // requests and limits) known to Kubernetes describing each pod in + // the + // current scale target (e.g. CPU or memory). Such metrics are + // built in to + // Kubernetes, and have special scaling options on top of those + // available + // to normal per-pod metrics using the "pods" source. + resource?: { + // name is the name of the resource in question. + name!: string + + // target specifies the target value for the given metric + target!: { + // averageUtilization is the target value of the average of the + // resource metric across all relevant pods, represented as a + // percentage of + // the requested value of the resource for the pods. 
+ // Currently only valid for Resource metric source type + averageUtilization?: int32 + + // averageValue is the target value of the average of the + // metric across all relevant pods (as a quantity) + averageValue?: matchN(>=1, [int, string]) & (number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$") + + // type represents whether the metric type is Utilization, Value, + // or AverageValue + type!: string + + // value is the target value of the metric (as a quantity). + value?: matchN(>=1, [int, string]) & (number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$") + } + } + + // type is the type of metric source. It should be one of + // "ContainerResource", "External", + // "Object", "Pods" or "Resource", each mapping to a matching + // field in the object. + type!: string + }] + + // minReplicas is the lower limit for the number of replicas to + // which the autoscaler + // can scale down. It defaults to 1 replica. + minReplicas?: int32 + + // Patch defines how to perform the patch operation to the + // HorizontalPodAutoscaler + patch?: { + // Type is the type of merge operation to perform + // + // By default, StrategicMerge is used as the patch type. + type?: string + + // Object contains the raw configuration for merged object + value!: _ + } + } + + // EnvoyPDB allows to control the pod disruption budget of an + // Envoy Proxy. + envoyPDB?: { + // MinAvailable specifies the minimum number of pods that must be + // available at all times during voluntary disruptions, + // such as node drains or updates. This setting ensures that your + // envoy proxy maintains a certain level of availability + // and resilience during maintenance operations. 
+ minAvailable?: int32 + + // Patch defines how to perform the patch operation to the + // PodDisruptionBudget + patch?: { + // Type is the type of merge operation to perform + // + // By default, StrategicMerge is used as the patch type. + type?: string + + // Object contains the raw configuration for merged object + value!: _ + } + } + + // EnvoyService defines the desired state of the Envoy service + // resource. + // If unspecified, default settings for the managed Envoy service + // resource + // are applied. + envoyService?: { + // AllocateLoadBalancerNodePorts defines if NodePorts will be + // automatically allocated for + // services with type LoadBalancer. Default is "true". It may be + // set to "false" if the cluster + // load-balancer does not rely on NodePorts. If the caller + // requests specific NodePorts (by specifying a + // value), those requests will be respected, regardless of this + // field. This field may only be set for + // services with type LoadBalancer and will be cleared if the type + // is changed to any other type. + allocateLoadBalancerNodePorts?: bool + + // Annotations that should be appended to the service. + // By default, no annotations are appended. + annotations?: close({ + [string]: string + }) + + // ExternalTrafficPolicy determines the externalTrafficPolicy for + // the Envoy Service. Valid options + // are Local and Cluster. Default is "Local". "Local" means + // traffic will only go to pods on the node + // receiving the traffic. "Cluster" means connections are + // loadbalanced to all pods in the cluster. + externalTrafficPolicy?: "Local" | "Cluster" | *"Local" + + // Labels that should be appended to the service. + // By default, no labels are appended. 
+ labels?: close({ + [string]: string + }) + + // LoadBalancerClass, when specified, allows for choosing the + // LoadBalancer provider + // implementation if more than one are available or is otherwise + // expected to be specified + loadBalancerClass?: string + + // LoadBalancerIP defines the IP Address of the underlying load + // balancer service. This field + // may be ignored if the load balancer provider does not support + // this feature. + // This field has been deprecated in Kubernetes, but it is still + // used for setting the IP Address in some cloud + // providers such as GCP. + loadBalancerIP?: string + + // LoadBalancerSourceRanges defines a list of allowed IP addresses + // which will be configured as + // firewall rules on the platform providers load balancer. This is + // not guaranteed to be working as + // it happens outside of kubernetes and has to be supported and + // handled by the platform provider. + // This field may only be set for services with type LoadBalancer + // and will be cleared if the type + // is changed to any other type. + loadBalancerSourceRanges?: [...string] + + // Name of the service. + // When unset, this defaults to an autogenerated name. + name?: string + + // Patch defines how to perform the patch operation to the service + patch?: { + // Type is the type of merge operation to perform + // + // By default, StrategicMerge is used as the patch type. + type?: string + + // Object contains the raw configuration for merged object + value!: _ + } + + // Type determines how the Service is exposed. Defaults to + // LoadBalancer. + // Valid options are ClusterIP, LoadBalancer and NodePort. + // "LoadBalancer" means a service will be exposed via an external + // load balancer (if the cloud provider supports it). + // "ClusterIP" means a service will only be accessible inside the + // cluster, via the cluster IP. + // "NodePort" means a service will be exposed on a static Port on + // all Nodes of the cluster. 
+ type?: "ClusterIP" | "LoadBalancer" | "NodePort" | *"LoadBalancer" + } + + // UseListenerPortAsContainerPort disables the port shifting + // feature in the Envoy Proxy. + // When set to false (default value), if the service port is a + // privileged port (1-1023), add a constant to the value + // converting it into an ephemeral port. + // This allows the container to bind to the port without needing a + // CAP_NET_BIND_SERVICE capability. + useListenerPortAsContainerPort?: bool + } + + // Type is the type of resource provider to use. A resource + // provider provides + // infrastructure resources for running the data plane, e.g. Envoy + // proxy, and + // optional auxiliary control planes. Supported types are + // "Kubernetes". + type!: "Kubernetes" | "Custom" + } + + // RoutingType can be set to "Service" to use the Service Cluster + // IP for routing to the backend, + // or it can be set to "Endpoint" to use Endpoint routing. The + // default is "Endpoint". + routingType?: string + + // Shutdown defines configuration for graceful envoy shutdown + // process. + shutdown?: { + // DrainTimeout defines the graceful drain timeout. This should be + // less than the pod's terminationGracePeriodSeconds. + // If unspecified, defaults to 60 seconds. + drainTimeout?: string + + // MinDrainDuration defines the minimum drain duration allowing + // time for endpoint deprogramming to complete. + // If unspecified, defaults to 10 seconds. + minDrainDuration?: string + } + + // Telemetry defines telemetry parameters for managed proxies. + telemetry?: { + // AccessLogs defines accesslog parameters for managed proxies. + // If unspecified, will send default format to stdout. + accessLog?: { + // Disable disables access logging for managed proxies if set to + // true. + disable?: bool + + // Settings defines accesslog settings for managed proxies. + // If unspecified, will send default format to stdout. 
+ settings?: list.MaxItems(50) & [...{ + // Format defines the format of accesslog. + // This will be ignored if sink type is ALS. + format?: { + // JSON is additional attributes that describe the specific event + // occurrence. + // Structured format for the envoy access logs. Envoy [command + // operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) + // can be used as values for fields within the Struct. + // It's required when the format type is "JSON". + json?: close({ + [string]: string + }) + + // Text defines the text accesslog format, following Envoy + // accesslog formatting, + // It's required when the format type is "Text". + // Envoy [command + // operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) + // may be used in the format. + // The [format string + // documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) + // provides more information. + text?: string + + // Type defines the type of accesslog format. + type?: "Text" | "JSON" + } + + // Matches defines the match conditions for accesslog in CEL + // expression. + // An accesslog will be emitted only when one or more match + // conditions are evaluated to true. + // Invalid + // [CEL](https://www.envoyproxy.io/docs/envoy/latest/xds/type/v3/cel.proto.html#common-expression-language-cel-proto) + // expressions will be ignored. + matches?: list.MaxItems(10) & [...string] + + // Sinks defines the sinks of accesslog. + sinks!: list.MaxItems(50) & [...{ + // ALS defines the gRPC Access Log Service (ALS) sink. + als?: { + // BackendRef references a Kubernetes object that represents the + // backend server to which the authorization request will be sent. + // + // Deprecated: Use BackendRefs instead. + backendRef?: { + // Group is the group of the referent. 
For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. + // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. + // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. 
+ port?: uint16 & >=1 + } + + // BackendRefs references a Kubernetes object that represents the + // backend server to which the authorization request will be sent. + backendRefs?: list.MaxItems(16) & [...{ + // Fallback indicates whether the backend is designated as a + // fallback. + // Multiple fallback backends can be configured. + // It is highly recommended to configure active or passive health + // checks to ensure that failover can be detected + // when the active backends become unhealthy and to automatically + // readjust once the primary backends are healthy again. + // The overprovisioning factor is set to 1.4, meaning the fallback + // backends will only start receiving traffic when + // the health of the active backends falls below 72%. + fallback?: bool + + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. + // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. 
When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. + // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. + port?: uint16 & >=1 + }] + + // BackendSettings holds configuration for managing the connection + // to the backend. + backendSettings?: { + // Circuit Breaker settings for the upstream connections and + // requests. + // If not set, circuit breakers will be enabled with the default + // thresholds + circuitBreaker?: { + // The maximum number of connections that Envoy will establish to + // the referenced backend defined within a xRoute rule. + maxConnections?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of parallel requests that Envoy will make to + // the referenced backend defined within a xRoute rule. + maxParallelRequests?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of parallel retries that Envoy will make to + // the referenced backend defined within a xRoute rule. + maxParallelRetries?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of pending requests that Envoy will queue to + // the referenced backend defined within a xRoute rule. 
+ maxPendingRequests?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of requests that Envoy will make over a + // single connection to the referenced backend defined within a + // xRoute rule. + // Default: unlimited. + maxRequestsPerConnection?: uint32 + } + + // Connection includes backend connection settings. + connection?: { + // BufferLimit Soft limit on size of the cluster’s connections + // read and write buffers. + // BufferLimit applies to connection streaming (maybe + // non-streaming) channel between processes, it's in user space. + // If unspecified, an implementation defined default is applied + // (32768 bytes). + // For example, 20Mi, 1Gi, 256Ki etc. + // Note: that when the suffix is not provided, the value is + // interpreted as bytes. + bufferLimit?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + + // SocketBufferLimit provides configuration for the maximum buffer + // size in bytes for each socket + // to backend. + // SocketBufferLimit applies to socket streaming channel between + // TCP/IP stacks, it's in kernel space. + // For example, 20Mi, 1Gi, 256Ki etc. + // Note that when the suffix is not provided, the value is + // interpreted as bytes. + socketBufferLimit?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + } + + // DNS includes dns resolution settings. + dns?: { + // DNSRefreshRate specifies the rate at which DNS records should + // be refreshed. + // Defaults to 30 seconds. 
+ dnsRefreshRate?: string + + // RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) + // should be respected. + // If the value is set to true, the DNS refresh rate will be set + // to the resource record’s TTL. + // Defaults to true. + respectDnsTtl?: bool + } + + // HealthCheck allows gateway to perform active health checking on + // backends. + healthCheck?: { + // Active health check configuration + active?: { + grpc?: { + // Service to send in the health check request. + // If this is not specified, then the health check request applies + // to the entire + // server and not to a specific service. + service?: string + } + + // HealthyThreshold defines the number of healthy health checks + // required before a backend host is marked healthy. + healthyThreshold?: int32 & int & >=1 | *1 + + // HTTP defines the configuration of http health checker. + // It's required while the health checker type is HTTP. + http?: { + // ExpectedResponse defines a list of HTTP expected responses to + // match. + expectedResponse?: { + // Binary payload base64 encoded. + binary?: string + + // Text payload in plain text. + text?: string + + // Type defines the type of the payload. + type!: matchN(2, ["Text" | "Binary", "Text" | "Binary"]) + } + + // ExpectedStatuses defines a list of HTTP response statuses + // considered healthy. + // Defaults to 200 only + expectedStatuses?: [...int & <600 & >=100] + + // Method defines the HTTP method used for health checking. + // Defaults to GET + method?: string + + // Path defines the HTTP path that will be requested during health + // checking. + path!: strings.MaxRunes(1024) & strings.MinRunes(1) + } + + // Interval defines the time between active health checks. + interval?: string | *"3s" + + // TCP defines the configuration of tcp health checker. + // It's required while the health checker type is TCP. + tcp?: { + // Receive defines the expected response payload. + receive?: { + // Binary payload base64 encoded. 
+ binary?: string + + // Text payload in plain text. + text?: string + + // Type defines the type of the payload. + type!: matchN(2, ["Text" | "Binary", "Text" | "Binary"]) + } + + // Send defines the request payload. + send?: { + // Binary payload base64 encoded. + binary?: string + + // Text payload in plain text. + text?: string + + // Type defines the type of the payload. + type!: matchN(2, ["Text" | "Binary", "Text" | "Binary"]) + } + } + + // Timeout defines the time to wait for a health check response. + timeout?: string | *"1s" + + // Type defines the type of health checker. + type!: matchN(2, ["HTTP" | "TCP" | "GRPC", "HTTP" | "TCP" | "GRPC"]) + + // UnhealthyThreshold defines the number of unhealthy health + // checks required before a backend host is marked unhealthy. + unhealthyThreshold?: int32 & int & >=1 | *3 + } + + // Passive passive check configuration + passive?: { + // BaseEjectionTime defines the base duration for which a host + // will be ejected on consecutive failures. + baseEjectionTime?: string | *"30s" + + // Consecutive5xxErrors sets the number of consecutive 5xx errors + // triggering ejection. + consecutive5XxErrors?: int32 & int | *5 + + // ConsecutiveGatewayErrors sets the number of consecutive gateway + // errors triggering ejection. + consecutiveGatewayErrors?: int32 & int | *0 + + // ConsecutiveLocalOriginFailures sets the number of consecutive + // local origin failures triggering ejection. + // Parameter takes effect only when + // split_external_local_origin_errors is set to true. + consecutiveLocalOriginFailures?: int32 & int | *5 + + // Interval defines the time between passive health checks. + interval?: string | *"3s" + + // MaxEjectionPercent sets the maximum percentage of hosts in a + // cluster that can be ejected. + maxEjectionPercent?: int32 & int | *10 + + // SplitExternalLocalOriginErrors enables splitting of errors + // between external and local origin. 
+ splitExternalLocalOriginErrors?: bool | *false + } + } + + // HTTP2 provides HTTP/2 configuration for backend connections. + http2?: { + // InitialConnectionWindowSize sets the initial window size for + // HTTP/2 connections. + // If not set, the default value is 1 MiB. + initialConnectionWindowSize?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + + // InitialStreamWindowSize sets the initial window size for HTTP/2 + // streams. + // If not set, the default value is 64 KiB(64*1024). + initialStreamWindowSize?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + + // MaxConcurrentStreams sets the maximum number of concurrent + // streams allowed per connection. + // If not set, the default value is 100. + maxConcurrentStreams?: int32 & >=1 + + // OnInvalidMessage determines if Envoy will terminate the + // connection or just the offending stream in the event of HTTP + // messaging error + // It's recommended for L2 Envoy deployments to set this value to + // TerminateStream. + // https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + // Default: TerminateConnection + onInvalidMessage?: string + } + + // LoadBalancer policy to apply when routing traffic from the + // gateway to + // the backend endpoints. Defaults to `LeastRequest`. + loadBalancer?: { + // ConsistentHash defines the configuration when the load balancer + // type is + // set to ConsistentHash + consistentHash?: { + // Cookie configures the cookie hash policy when the consistent + // hash type is set to Cookie. 
+ cookie?: { + // Additional Attributes to set for the generated cookie. + attributes?: close({ + [string]: string + }) + + // Name of the cookie to hash. + // If this cookie does not exist in the request, Envoy will + // generate a cookie and set + // the TTL on the response back to the client based on Layer 4 + // attributes of the backend endpoint, to ensure that these future + // requests + // go to the same backend endpoint. Make sure to set the TTL field + // for this case. + name!: string + + // TTL of the generated cookie if the cookie is not present. This + // value sets the + // Max-Age attribute value. + ttl?: string + } + header?: { + // Name of the header to hash. + name!: string + } + + // The table size for consistent hashing, must be prime number + // limited to 5000011. + tableSize?: int64 & int & <=5000011 & >=2 | *65537 + + // ConsistentHashType defines the type of input to hash on. Valid + // Type values are + // "SourceIP", + // "Header", + // "Cookie". + type!: "SourceIP" | "Header" | "Cookie" + } + slowStart?: { + // Window defines the duration of the warm up period for newly + // added host. + // During slow start window, traffic sent to the newly added hosts + // will gradually increase. + // Currently only supports linear growth of traffic. For + // additional details, + // see + // https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + window!: string + } + + // Type decides the type of Load Balancer policy. + // Valid LoadBalancerType values are + // "ConsistentHash", + // "LeastRequest", + // "Random", + // "RoundRobin". 
+ type!: "ConsistentHash" | "LeastRequest" | "Random" | "RoundRobin" + } + proxyProtocol?: { + // Version of ProxyProtol + // Valid ProxyProtocolVersion values are + // "V1" + // "V2" + version!: "V1" | "V2" + } + + // Retry provides more advanced usage, allowing users to customize + // the number of retries, retry fallback strategy, and retry + // triggering conditions. + // If not set, retry will be disabled. + retry?: { + // NumRetries is the number of retries to be attempted. Defaults + // to 2. + numRetries?: int32 & int & >=0 | *2 + + // PerRetry is the retry policy to be applied per retry attempt. + perRetry?: { + // Backoff is the backoff policy to be applied per retry attempt. + // gateway uses a fully jittered exponential + // back-off algorithm for retries. For additional details, + // see + // https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + backOff?: { + // BaseInterval is the base interval between retries. + baseInterval?: string + + // MaxInterval is the maximum interval between retries. This + // parameter is optional, but must be greater than or equal to + // the base_interval if set. + // The default is 10 times the base_interval + maxInterval?: string + } + + // Timeout is the timeout per retry attempt. + timeout?: string + } + + // RetryOn specifies the retry trigger condition. + // + // If not specified, the default is to retry on + // connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + retryOn?: { + // HttpStatusCodes specifies the http status codes to be retried. + // The retriable-status-codes trigger must also be configured for + // these status codes to trigger a retry. + httpStatusCodes?: [...int & <600 & >=100] + + // Triggers specifies the retry trigger condition(Http/Grpc). 
+ triggers?: [..."5xx" | "gateway-error" | "reset" | "connect-failure" | "retriable-4xx" | "refused-stream" | "retriable-status-codes" | "cancelled" | "deadline-exceeded" | "internal" | "resource-exhausted" | "unavailable"] + } + } + + // TcpKeepalive settings associated with the upstream client + // connection. + // Disabled by default. + tcpKeepalive?: { + // The duration a connection needs to be idle before keep-alive + // probes start being sent. + // The duration format is + // Defaults to `7200s`. + idleTime?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // The duration between keep-alive probes. + // Defaults to `75s`. + interval?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // The total number of unacknowledged probes to send before + // deciding + // the connection is dead. + // Defaults to 9. + probes?: int32 + } + + // Timeout settings for the backend connections. + timeout?: { + // Timeout settings for HTTP. + http?: { + // The idle timeout for an HTTP connection. Idle time is defined + // as a period in which there are no active requests in the + // connection. + // Default: 1 hour. + connectionIdleTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // The maximum duration of an HTTP connection. + // Default: unlimited. + maxConnectionDuration?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // RequestTimeout is the time until which entire response is + // received from the upstream. + requestTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + } + tcp?: { + // The timeout for network connection establishment, including TCP + // and TLS handshakes. + // Default: 10 seconds. + connectTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + } + } + } + + // HTTP defines additional configuration specific to HTTP access + // logs. + http?: { + // RequestHeaders defines request headers to include in log + // entries sent to the access log service. + requestHeaders?: [...string] + + // ResponseHeaders defines response headers to include in log + // entries sent to the access log service. 
+ responseHeaders?: [...string] + + // ResponseTrailers defines response trailers to include in log + // entries sent to the access log service. + responseTrailers?: [...string] + } + + // LogName defines the friendly name of the access log to be + // returned in + // StreamAccessLogsMessage.Identifier. This allows the access log + // server + // to differentiate between different access logs coming from the + // same Envoy. + logName?: strings.MinRunes(1) + + // Type defines the type of accesslog. Supported types are "HTTP" + // and "TCP". + type!: "HTTP" | "TCP" + } + file?: { + // Path defines the file path used to expose envoy access log(e.g. + // /dev/stdout). + path?: strings.MinRunes(1) + } + + // OpenTelemetry defines the OpenTelemetry accesslog sink. + openTelemetry?: { + // BackendRef references a Kubernetes object that represents the + // backend server to which the authorization request will be sent. + // + // Deprecated: Use BackendRefs instead. + backendRef?: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. 
+ // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. + // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. + port?: uint16 & >=1 + } + + // BackendRefs references a Kubernetes object that represents the + // backend server to which the authorization request will be sent. + backendRefs?: list.MaxItems(16) & [...{ + // Fallback indicates whether the backend is designated as a + // fallback. + // Multiple fallback backends can be configured. + // It is highly recommended to configure active or passive health + // checks to ensure that failover can be detected + // when the active backends become unhealthy and to automatically + // readjust once the primary backends are healthy again. + // The overprovisioning factor is set to 1.4, meaning the fallback + // backends will only start receiving traffic when + // the health of the active backends falls below 72%. 
+ fallback?: bool + + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. + // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. + // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. 
+ // For other resources, destination port might be derived from the + // referent + // resource or this field. + port?: uint16 & >=1 + }] + + // BackendSettings holds configuration for managing the connection + // to the backend. + backendSettings?: { + // Circuit Breaker settings for the upstream connections and + // requests. + // If not set, circuit breakers will be enabled with the default + // thresholds + circuitBreaker?: { + // The maximum number of connections that Envoy will establish to + // the referenced backend defined within a xRoute rule. + maxConnections?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of parallel requests that Envoy will make to + // the referenced backend defined within a xRoute rule. + maxParallelRequests?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of parallel retries that Envoy will make to + // the referenced backend defined within a xRoute rule. + maxParallelRetries?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of pending requests that Envoy will queue to + // the referenced backend defined within a xRoute rule. + maxPendingRequests?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of requests that Envoy will make over a + // single connection to the referenced backend defined within a + // xRoute rule. + // Default: unlimited. + maxRequestsPerConnection?: uint32 + } + + // Connection includes backend connection settings. + connection?: { + // BufferLimit Soft limit on size of the cluster’s connections + // read and write buffers. + // BufferLimit applies to connection streaming (maybe + // non-streaming) channel between processes, it's in user space. + // If unspecified, an implementation defined default is applied + // (32768 bytes). + // For example, 20Mi, 1Gi, 256Ki etc. + // Note: that when the suffix is not provided, the value is + // interpreted as bytes. 
+ bufferLimit?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + + // SocketBufferLimit provides configuration for the maximum buffer + // size in bytes for each socket + // to backend. + // SocketBufferLimit applies to socket streaming channel between + // TCP/IP stacks, it's in kernel space. + // For example, 20Mi, 1Gi, 256Ki etc. + // Note that when the suffix is not provided, the value is + // interpreted as bytes. + socketBufferLimit?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + } + + // DNS includes dns resolution settings. + dns?: { + // DNSRefreshRate specifies the rate at which DNS records should + // be refreshed. + // Defaults to 30 seconds. + dnsRefreshRate?: string + + // RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) + // should be respected. + // If the value is set to true, the DNS refresh rate will be set + // to the resource record’s TTL. + // Defaults to true. + respectDnsTtl?: bool + } + + // HealthCheck allows gateway to perform active health checking on + // backends. + healthCheck?: { + // Active health check configuration + active?: { + grpc?: { + // Service to send in the health check request. + // If this is not specified, then the health check request applies + // to the entire + // server and not to a specific service. + service?: string + } + + // HealthyThreshold defines the number of healthy health checks + // required before a backend host is marked healthy. + healthyThreshold?: int32 & int & >=1 | *1 + + // HTTP defines the configuration of http health checker. 
+ // It's required while the health checker type is HTTP. + http?: { + // ExpectedResponse defines a list of HTTP expected responses to + // match. + expectedResponse?: { + // Binary payload base64 encoded. + binary?: string + + // Text payload in plain text. + text?: string + + // Type defines the type of the payload. + type!: matchN(2, ["Text" | "Binary", "Text" | "Binary"]) + } + + // ExpectedStatuses defines a list of HTTP response statuses + // considered healthy. + // Defaults to 200 only + expectedStatuses?: [...int & <600 & >=100] + + // Method defines the HTTP method used for health checking. + // Defaults to GET + method?: string + + // Path defines the HTTP path that will be requested during health + // checking. + path!: strings.MaxRunes(1024) & strings.MinRunes(1) + } + + // Interval defines the time between active health checks. + interval?: string | *"3s" + + // TCP defines the configuration of tcp health checker. + // It's required while the health checker type is TCP. + tcp?: { + // Receive defines the expected response payload. + receive?: { + // Binary payload base64 encoded. + binary?: string + + // Text payload in plain text. + text?: string + + // Type defines the type of the payload. + type!: matchN(2, ["Text" | "Binary", "Text" | "Binary"]) + } + + // Send defines the request payload. + send?: { + // Binary payload base64 encoded. + binary?: string + + // Text payload in plain text. + text?: string + + // Type defines the type of the payload. + type!: matchN(2, ["Text" | "Binary", "Text" | "Binary"]) + } + } + + // Timeout defines the time to wait for a health check response. + timeout?: string | *"1s" + + // Type defines the type of health checker. + type!: matchN(2, ["HTTP" | "TCP" | "GRPC", "HTTP" | "TCP" | "GRPC"]) + + // UnhealthyThreshold defines the number of unhealthy health + // checks required before a backend host is marked unhealthy. 
+ unhealthyThreshold?: int32 & int & >=1 | *3 + } + + // Passive passive check configuration + passive?: { + // BaseEjectionTime defines the base duration for which a host + // will be ejected on consecutive failures. + baseEjectionTime?: string | *"30s" + + // Consecutive5xxErrors sets the number of consecutive 5xx errors + // triggering ejection. + consecutive5XxErrors?: int32 & int | *5 + + // ConsecutiveGatewayErrors sets the number of consecutive gateway + // errors triggering ejection. + consecutiveGatewayErrors?: int32 & int | *0 + + // ConsecutiveLocalOriginFailures sets the number of consecutive + // local origin failures triggering ejection. + // Parameter takes effect only when + // split_external_local_origin_errors is set to true. + consecutiveLocalOriginFailures?: int32 & int | *5 + + // Interval defines the time between passive health checks. + interval?: string | *"3s" + + // MaxEjectionPercent sets the maximum percentage of hosts in a + // cluster that can be ejected. + maxEjectionPercent?: int32 & int | *10 + + // SplitExternalLocalOriginErrors enables splitting of errors + // between external and local origin. + splitExternalLocalOriginErrors?: bool | *false + } + } + + // HTTP2 provides HTTP/2 configuration for backend connections. + http2?: { + // InitialConnectionWindowSize sets the initial window size for + // HTTP/2 connections. + // If not set, the default value is 1 MiB. + initialConnectionWindowSize?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + + // InitialStreamWindowSize sets the initial window size for HTTP/2 + // streams. + // If not set, the default value is 64 KiB(64*1024). 
+ initialStreamWindowSize?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + + // MaxConcurrentStreams sets the maximum number of concurrent + // streams allowed per connection. + // If not set, the default value is 100. + maxConcurrentStreams?: int32 & >=1 + + // OnInvalidMessage determines if Envoy will terminate the + // connection or just the offending stream in the event of HTTP + // messaging error + // It's recommended for L2 Envoy deployments to set this value to + // TerminateStream. + // https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + // Default: TerminateConnection + onInvalidMessage?: string + } + + // LoadBalancer policy to apply when routing traffic from the + // gateway to + // the backend endpoints. Defaults to `LeastRequest`. + loadBalancer?: { + // ConsistentHash defines the configuration when the load balancer + // type is + // set to ConsistentHash + consistentHash?: { + // Cookie configures the cookie hash policy when the consistent + // hash type is set to Cookie. + cookie?: { + // Additional Attributes to set for the generated cookie. + attributes?: close({ + [string]: string + }) + + // Name of the cookie to hash. + // If this cookie does not exist in the request, Envoy will + // generate a cookie and set + // the TTL on the response back to the client based on Layer 4 + // attributes of the backend endpoint, to ensure that these future + // requests + // go to the same backend endpoint. Make sure to set the TTL field + // for this case. + name!: string + + // TTL of the generated cookie if the cookie is not present. This + // value sets the + // Max-Age attribute value. + ttl?: string + } + header?: { + // Name of the header to hash. 
+ name!: string + } + + // The table size for consistent hashing, must be prime number + // limited to 5000011. + tableSize?: int64 & int & <=5000011 & >=2 | *65537 + + // ConsistentHashType defines the type of input to hash on. Valid + // Type values are + // "SourceIP", + // "Header", + // "Cookie". + type!: "SourceIP" | "Header" | "Cookie" + } + slowStart?: { + // Window defines the duration of the warm up period for newly + // added host. + // During slow start window, traffic sent to the newly added hosts + // will gradually increase. + // Currently only supports linear growth of traffic. For + // additional details, + // see + // https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + window!: string + } + + // Type decides the type of Load Balancer policy. + // Valid LoadBalancerType values are + // "ConsistentHash", + // "LeastRequest", + // "Random", + // "RoundRobin". + type!: "ConsistentHash" | "LeastRequest" | "Random" | "RoundRobin" + } + proxyProtocol?: { + // Version of ProxyProtol + // Valid ProxyProtocolVersion values are + // "V1" + // "V2" + version!: "V1" | "V2" + } + + // Retry provides more advanced usage, allowing users to customize + // the number of retries, retry fallback strategy, and retry + // triggering conditions. + // If not set, retry will be disabled. + retry?: { + // NumRetries is the number of retries to be attempted. Defaults + // to 2. + numRetries?: int32 & int & >=0 | *2 + + // PerRetry is the retry policy to be applied per retry attempt. + perRetry?: { + // Backoff is the backoff policy to be applied per retry attempt. + // gateway uses a fully jittered exponential + // back-off algorithm for retries. For additional details, + // see + // https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + backOff?: { + // BaseInterval is the base interval between retries. 
+ baseInterval?: string + + // MaxInterval is the maximum interval between retries. This + // parameter is optional, but must be greater than or equal to + // the base_interval if set. + // The default is 10 times the base_interval + maxInterval?: string + } + + // Timeout is the timeout per retry attempt. + timeout?: string + } + + // RetryOn specifies the retry trigger condition. + // + // If not specified, the default is to retry on + // connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + retryOn?: { + // HttpStatusCodes specifies the http status codes to be retried. + // The retriable-status-codes trigger must also be configured for + // these status codes to trigger a retry. + httpStatusCodes?: [...int & <600 & >=100] + + // Triggers specifies the retry trigger condition(Http/Grpc). + triggers?: [..."5xx" | "gateway-error" | "reset" | "connect-failure" | "retriable-4xx" | "refused-stream" | "retriable-status-codes" | "cancelled" | "deadline-exceeded" | "internal" | "resource-exhausted" | "unavailable"] + } + } + + // TcpKeepalive settings associated with the upstream client + // connection. + // Disabled by default. + tcpKeepalive?: { + // The duration a connection needs to be idle before keep-alive + // probes start being sent. + // The duration format is + // Defaults to `7200s`. + idleTime?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // The duration between keep-alive probes. + // Defaults to `75s`. + interval?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // The total number of unacknowledged probes to send before + // deciding + // the connection is dead. + // Defaults to 9. + probes?: int32 + } + + // Timeout settings for the backend connections. + timeout?: { + // Timeout settings for HTTP. + http?: { + // The idle timeout for an HTTP connection. Idle time is defined + // as a period in which there are no active requests in the + // connection. + // Default: 1 hour. 
+ connectionIdleTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // The maximum duration of an HTTP connection. + // Default: unlimited. + maxConnectionDuration?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // RequestTimeout is the time until which entire response is + // received from the upstream. + requestTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + } + tcp?: { + // The timeout for network connection establishment, including TCP + // and TLS handshakes. + // Default: 10 seconds. + connectTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + } + } + } + + // Host define the extension service hostname. + // Deprecated: Use BackendRefs instead. + host?: string + + // Port defines the port the extension service is exposed on. + // Deprecated: Use BackendRefs instead. + port?: int32 & int & >=0 | *4317 + + // Resources is a set of labels that describe the source of a log + // entry, including envoy node info. + // It's recommended to follow [semantic + // conventions](https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/). + resources?: close({ + [string]: string + }) + } + + // Type defines the type of accesslog sink. + type?: "ALS" | "File" | "OpenTelemetry" + }] & [_, ...] + + // Type defines the component emitting the accesslog, such as + // Listener and Route. + // If type not defined, the setting would apply to: + // (1) All Routes. + // (2) Listeners if and only if Envoy does not find a matching + // route for a request. + // If type is defined, the accesslog settings would apply to the + // relevant component (as-is). + type?: "Listener" | "Route" + }] & [_, ...] + } + + // Metrics defines metrics configuration for managed proxies. + metrics?: { + // EnablePerEndpointStats enables per endpoint envoy stats + // metrics. + // Please use with caution. + enablePerEndpointStats?: bool + + // EnableRequestResponseSizesStats enables publishing of + // histograms tracking header and body sizes of requests and + // responses. 
+ enableRequestResponseSizesStats?: bool + + // EnableVirtualHostStats enables envoy stat metrics for virtual + // hosts. + enableVirtualHostStats?: bool + + // Matches defines configuration for selecting specific metrics + // instead of generating all metrics stats + // that are enabled by default. This helps reduce CPU and memory + // overhead in Envoy, but eliminating some stats + // may after critical functionality. Here are the stats that we + // strongly recommend not disabling: + // `cluster_manager.warming_clusters`, + // `cluster..membership_total`,`cluster..membership_healthy`, + // `cluster..membership_degraded`,reference + // https://github.com/envoyproxy/envoy/issues/9856, + // https://github.com/envoyproxy/envoy/issues/14610 + matches?: [...{ + // Type specifies how to match against a string. + type?: "Exact" | "Prefix" | "Suffix" | "RegularExpression" | *"Exact" + + // Value specifies the string value that the match must have. + value!: strings.MaxRunes(1024) & strings.MinRunes(1) + }] + + // Prometheus defines the configuration for Admin endpoint + // `/stats/prometheus`. + prometheus?: { + // Configure the compression on Prometheus endpoint. Compression + // is useful in situations when bandwidth is scarce and large + // payloads can be effectively compressed at the expense of + // higher CPU load. + compression?: { + // The configuration for Brotli compressor. + brotli?: {} + + // The configuration for GZIP compressor. + gzip?: {} + + // CompressorType defines the compressor type to use for + // compression. + type!: "Gzip" | "Brotli" + } + + // Disable the Prometheus endpoint. + disable?: bool + } + + // Sinks defines the metric sinks where metrics are sent to. + sinks?: list.MaxItems(16) & [...{ + // OpenTelemetry defines the configuration for OpenTelemetry sink. + // It's required if the sink type is OpenTelemetry. 
+ openTelemetry?: { + // BackendRef references a Kubernetes object that represents the + // backend server to which the authorization request will be sent. + // + // Deprecated: Use BackendRefs instead. + backendRef?: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. + // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. 
+ // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. + port?: uint16 & >=1 + } + + // BackendRefs references a Kubernetes object that represents the + // backend server to which the authorization request will be sent. + backendRefs?: list.MaxItems(16) & [...{ + // Fallback indicates whether the backend is designated as a + // fallback. + // Multiple fallback backends can be configured. + // It is highly recommended to configure active or passive health + // checks to ensure that failover can be detected + // when the active backends become unhealthy and to automatically + // readjust once the primary backends are healthy again. + // The overprovisioning factor is set to 1.4, meaning the fallback + // backends will only start receiving traffic when + // the health of the active backends falls below 72%. + fallback?: bool + + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. 
+ // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. + // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. + port?: uint16 & >=1 + }] + + // BackendSettings holds configuration for managing the connection + // to the backend. + backendSettings?: { + // Circuit Breaker settings for the upstream connections and + // requests. + // If not set, circuit breakers will be enabled with the default + // thresholds + circuitBreaker?: { + // The maximum number of connections that Envoy will establish to + // the referenced backend defined within a xRoute rule. + maxConnections?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of parallel requests that Envoy will make to + // the referenced backend defined within a xRoute rule. 
+ maxParallelRequests?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of parallel retries that Envoy will make to + // the referenced backend defined within a xRoute rule. + maxParallelRetries?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of pending requests that Envoy will queue to + // the referenced backend defined within a xRoute rule. + maxPendingRequests?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of requests that Envoy will make over a + // single connection to the referenced backend defined within a + // xRoute rule. + // Default: unlimited. + maxRequestsPerConnection?: uint32 + } + + // Connection includes backend connection settings. + connection?: { + // BufferLimit Soft limit on size of the cluster’s connections + // read and write buffers. + // BufferLimit applies to connection streaming (maybe + // non-streaming) channel between processes, it's in user space. + // If unspecified, an implementation defined default is applied + // (32768 bytes). + // For example, 20Mi, 1Gi, 256Ki etc. + // Note: that when the suffix is not provided, the value is + // interpreted as bytes. + bufferLimit?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + + // SocketBufferLimit provides configuration for the maximum buffer + // size in bytes for each socket + // to backend. + // SocketBufferLimit applies to socket streaming channel between + // TCP/IP stacks, it's in kernel space. + // For example, 20Mi, 1Gi, 256Ki etc. + // Note that when the suffix is not provided, the value is + // interpreted as bytes. 
+ socketBufferLimit?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + } + + // DNS includes dns resolution settings. + dns?: { + // DNSRefreshRate specifies the rate at which DNS records should + // be refreshed. + // Defaults to 30 seconds. + dnsRefreshRate?: string + + // RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) + // should be respected. + // If the value is set to true, the DNS refresh rate will be set + // to the resource record’s TTL. + // Defaults to true. + respectDnsTtl?: bool + } + + // HealthCheck allows gateway to perform active health checking on + // backends. + healthCheck?: { + // Active health check configuration + active?: { + grpc?: { + // Service to send in the health check request. + // If this is not specified, then the health check request applies + // to the entire + // server and not to a specific service. + service?: string + } + + // HealthyThreshold defines the number of healthy health checks + // required before a backend host is marked healthy. + healthyThreshold?: int32 & int & >=1 | *1 + + // HTTP defines the configuration of http health checker. + // It's required while the health checker type is HTTP. + http?: { + // ExpectedResponse defines a list of HTTP expected responses to + // match. + expectedResponse?: { + // Binary payload base64 encoded. + binary?: string + + // Text payload in plain text. + text?: string + + // Type defines the type of the payload. + type!: matchN(2, ["Text" | "Binary", "Text" | "Binary"]) + } + + // ExpectedStatuses defines a list of HTTP response statuses + // considered healthy. + // Defaults to 200 only + expectedStatuses?: [...int & <600 & >=100] + + // Method defines the HTTP method used for health checking. 
+ // Defaults to GET + method?: string + + // Path defines the HTTP path that will be requested during health + // checking. + path!: strings.MaxRunes(1024) & strings.MinRunes(1) + } + + // Interval defines the time between active health checks. + interval?: string | *"3s" + + // TCP defines the configuration of tcp health checker. + // It's required while the health checker type is TCP. + tcp?: { + // Receive defines the expected response payload. + receive?: { + // Binary payload base64 encoded. + binary?: string + + // Text payload in plain text. + text?: string + + // Type defines the type of the payload. + type!: matchN(2, ["Text" | "Binary", "Text" | "Binary"]) + } + + // Send defines the request payload. + send?: { + // Binary payload base64 encoded. + binary?: string + + // Text payload in plain text. + text?: string + + // Type defines the type of the payload. + type!: matchN(2, ["Text" | "Binary", "Text" | "Binary"]) + } + } + + // Timeout defines the time to wait for a health check response. + timeout?: string | *"1s" + + // Type defines the type of health checker. + type!: matchN(2, ["HTTP" | "TCP" | "GRPC", "HTTP" | "TCP" | "GRPC"]) + + // UnhealthyThreshold defines the number of unhealthy health + // checks required before a backend host is marked unhealthy. + unhealthyThreshold?: int32 & int & >=1 | *3 + } + + // Passive passive check configuration + passive?: { + // BaseEjectionTime defines the base duration for which a host + // will be ejected on consecutive failures. + baseEjectionTime?: string | *"30s" + + // Consecutive5xxErrors sets the number of consecutive 5xx errors + // triggering ejection. + consecutive5XxErrors?: int32 & int | *5 + + // ConsecutiveGatewayErrors sets the number of consecutive gateway + // errors triggering ejection. + consecutiveGatewayErrors?: int32 & int | *0 + + // ConsecutiveLocalOriginFailures sets the number of consecutive + // local origin failures triggering ejection. 
+ // Parameter takes effect only when + // split_external_local_origin_errors is set to true. + consecutiveLocalOriginFailures?: int32 & int | *5 + + // Interval defines the time between passive health checks. + interval?: string | *"3s" + + // MaxEjectionPercent sets the maximum percentage of hosts in a + // cluster that can be ejected. + maxEjectionPercent?: int32 & int | *10 + + // SplitExternalLocalOriginErrors enables splitting of errors + // between external and local origin. + splitExternalLocalOriginErrors?: bool | *false + } + } + + // HTTP2 provides HTTP/2 configuration for backend connections. + http2?: { + // InitialConnectionWindowSize sets the initial window size for + // HTTP/2 connections. + // If not set, the default value is 1 MiB. + initialConnectionWindowSize?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + + // InitialStreamWindowSize sets the initial window size for HTTP/2 + // streams. + // If not set, the default value is 64 KiB(64*1024). + initialStreamWindowSize?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + + // MaxConcurrentStreams sets the maximum number of concurrent + // streams allowed per connection. + // If not set, the default value is 100. + maxConcurrentStreams?: int32 & >=1 + + // OnInvalidMessage determines if Envoy will terminate the + // connection or just the offending stream in the event of HTTP + // messaging error + // It's recommended for L2 Envoy deployments to set this value to + // TerminateStream. 
+ // https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + // Default: TerminateConnection + onInvalidMessage?: string + } + + // LoadBalancer policy to apply when routing traffic from the + // gateway to + // the backend endpoints. Defaults to `LeastRequest`. + loadBalancer?: { + // ConsistentHash defines the configuration when the load balancer + // type is + // set to ConsistentHash + consistentHash?: { + // Cookie configures the cookie hash policy when the consistent + // hash type is set to Cookie. + cookie?: { + // Additional Attributes to set for the generated cookie. + attributes?: close({ + [string]: string + }) + + // Name of the cookie to hash. + // If this cookie does not exist in the request, Envoy will + // generate a cookie and set + // the TTL on the response back to the client based on Layer 4 + // attributes of the backend endpoint, to ensure that these future + // requests + // go to the same backend endpoint. Make sure to set the TTL field + // for this case. + name!: string + + // TTL of the generated cookie if the cookie is not present. This + // value sets the + // Max-Age attribute value. + ttl?: string + } + header?: { + // Name of the header to hash. + name!: string + } + + // The table size for consistent hashing, must be prime number + // limited to 5000011. + tableSize?: int64 & int & <=5000011 & >=2 | *65537 + + // ConsistentHashType defines the type of input to hash on. Valid + // Type values are + // "SourceIP", + // "Header", + // "Cookie". + type!: "SourceIP" | "Header" | "Cookie" + } + slowStart?: { + // Window defines the duration of the warm up period for newly + // added host. + // During slow start window, traffic sent to the newly added hosts + // will gradually increase. + // Currently only supports linear growth of traffic. 
For + // additional details, + // see + // https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + window!: string + } + + // Type decides the type of Load Balancer policy. + // Valid LoadBalancerType values are + // "ConsistentHash", + // "LeastRequest", + // "Random", + // "RoundRobin". + type!: "ConsistentHash" | "LeastRequest" | "Random" | "RoundRobin" + } + proxyProtocol?: { + // Version of ProxyProtol + // Valid ProxyProtocolVersion values are + // "V1" + // "V2" + version!: "V1" | "V2" + } + + // Retry provides more advanced usage, allowing users to customize + // the number of retries, retry fallback strategy, and retry + // triggering conditions. + // If not set, retry will be disabled. + retry?: { + // NumRetries is the number of retries to be attempted. Defaults + // to 2. + numRetries?: int32 & int & >=0 | *2 + + // PerRetry is the retry policy to be applied per retry attempt. + perRetry?: { + // Backoff is the backoff policy to be applied per retry attempt. + // gateway uses a fully jittered exponential + // back-off algorithm for retries. For additional details, + // see + // https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + backOff?: { + // BaseInterval is the base interval between retries. + baseInterval?: string + + // MaxInterval is the maximum interval between retries. This + // parameter is optional, but must be greater than or equal to + // the base_interval if set. + // The default is 10 times the base_interval + maxInterval?: string + } + + // Timeout is the timeout per retry attempt. + timeout?: string + } + + // RetryOn specifies the retry trigger condition. + // + // If not specified, the default is to retry on + // connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + retryOn?: { + // HttpStatusCodes specifies the http status codes to be retried. 
+ // The retriable-status-codes trigger must also be configured for + // these status codes to trigger a retry. + httpStatusCodes?: [...int & <600 & >=100] + + // Triggers specifies the retry trigger condition(Http/Grpc). + triggers?: [..."5xx" | "gateway-error" | "reset" | "connect-failure" | "retriable-4xx" | "refused-stream" | "retriable-status-codes" | "cancelled" | "deadline-exceeded" | "internal" | "resource-exhausted" | "unavailable"] + } + } + + // TcpKeepalive settings associated with the upstream client + // connection. + // Disabled by default. + tcpKeepalive?: { + // The duration a connection needs to be idle before keep-alive + // probes start being sent. + // The duration format is + // Defaults to `7200s`. + idleTime?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // The duration between keep-alive probes. + // Defaults to `75s`. + interval?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // The total number of unacknowledged probes to send before + // deciding + // the connection is dead. + // Defaults to 9. + probes?: int32 + } + + // Timeout settings for the backend connections. + timeout?: { + // Timeout settings for HTTP. + http?: { + // The idle timeout for an HTTP connection. Idle time is defined + // as a period in which there are no active requests in the + // connection. + // Default: 1 hour. + connectionIdleTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // The maximum duration of an HTTP connection. + // Default: unlimited. + maxConnectionDuration?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // RequestTimeout is the time until which entire response is + // received from the upstream. + requestTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + } + tcp?: { + // The timeout for network connection establishment, including TCP + // and TLS handshakes. + // Default: 10 seconds. + connectTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + } + } + } + + // Host define the service hostname. + // Deprecated: Use BackendRefs instead. 
+ host?: string + + // Port defines the port the service is exposed on. + // Deprecated: Use BackendRefs instead. + port?: int32 & int & <=65535 & >=0 | *4317 + } + + // Type defines the metric sink type. + // EG currently only supports OpenTelemetry. + type!: "OpenTelemetry" | *"OpenTelemetry" + }] + } + + // Tracing defines tracing configuration for managed proxies. + // If unspecified, will not send tracing data. + tracing?: { + // CustomTags defines the custom tags to add to each span. + // If provider is kubernetes, pod name and namespace are added by + // default. + customTags?: close({ + [string]: { + // Environment adds value from environment variable to each span. + // It's required when the type is "Environment". + environment?: { + // DefaultValue defines the default value to use if the + // environment variable is not set. + defaultValue?: string + + // Name defines the name of the environment variable which to + // extract the value from. + name!: string + } + literal?: { + // Value defines the hard-coded value to add to each span. + value!: string + } + + // RequestHeader adds value from request header to each span. + // It's required when the type is "RequestHeader". + requestHeader?: { + // DefaultValue defines the default value to use if the request + // header is not set. + defaultValue?: string + + // Name defines the name of the request header which to extract + // the value from. + name!: string + } + + // Type defines the type of custom tag. + type!: "Literal" | "Environment" | "RequestHeader" | *"Literal" + } + }) + + // Provider defines the tracing provider. + provider!: { + // BackendRef references a Kubernetes object that represents the + // backend server to which the authorization request will be sent. + // + // Deprecated: Use BackendRefs instead. + backendRef?: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. 
+ group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. + // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. + // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. 
+ port?: uint16 & >=1 + } + + // BackendRefs references a Kubernetes object that represents the + // backend server to which the authorization request will be sent. + backendRefs?: list.MaxItems(16) & [...{ + // Fallback indicates whether the backend is designated as a + // fallback. + // Multiple fallback backends can be configured. + // It is highly recommended to configure active or passive health + // checks to ensure that failover can be detected + // when the active backends become unhealthy and to automatically + // readjust once the primary backends are healthy again. + // The overprovisioning factor is set to 1.4, meaning the fallback + // backends will only start receiving traffic when + // the health of the active backends falls below 72%. + fallback?: bool + + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. + // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. 
When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. + // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. + port?: uint16 & >=1 + }] + + // BackendSettings holds configuration for managing the connection + // to the backend. + backendSettings?: { + // Circuit Breaker settings for the upstream connections and + // requests. + // If not set, circuit breakers will be enabled with the default + // thresholds + circuitBreaker?: { + // The maximum number of connections that Envoy will establish to + // the referenced backend defined within a xRoute rule. + maxConnections?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of parallel requests that Envoy will make to + // the referenced backend defined within a xRoute rule. + maxParallelRequests?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of parallel retries that Envoy will make to + // the referenced backend defined within a xRoute rule. + maxParallelRetries?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of pending requests that Envoy will queue to + // the referenced backend defined within a xRoute rule. 
+ maxPendingRequests?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of requests that Envoy will make over a + // single connection to the referenced backend defined within a + // xRoute rule. + // Default: unlimited. + maxRequestsPerConnection?: uint32 + } + + // Connection includes backend connection settings. + connection?: { + // BufferLimit Soft limit on size of the cluster’s connections + // read and write buffers. + // BufferLimit applies to connection streaming (maybe + // non-streaming) channel between processes, it's in user space. + // If unspecified, an implementation defined default is applied + // (32768 bytes). + // For example, 20Mi, 1Gi, 256Ki etc. + // Note: that when the suffix is not provided, the value is + // interpreted as bytes. + bufferLimit?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + + // SocketBufferLimit provides configuration for the maximum buffer + // size in bytes for each socket + // to backend. + // SocketBufferLimit applies to socket streaming channel between + // TCP/IP stacks, it's in kernel space. + // For example, 20Mi, 1Gi, 256Ki etc. + // Note that when the suffix is not provided, the value is + // interpreted as bytes. + socketBufferLimit?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + } + + // DNS includes dns resolution settings. + dns?: { + // DNSRefreshRate specifies the rate at which DNS records should + // be refreshed. + // Defaults to 30 seconds. 
+ dnsRefreshRate?: string + + // RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) + // should be respected. + // If the value is set to true, the DNS refresh rate will be set + // to the resource record’s TTL. + // Defaults to true. + respectDnsTtl?: bool + } + + // HealthCheck allows gateway to perform active health checking on + // backends. + healthCheck?: { + // Active health check configuration + active?: { + grpc?: { + // Service to send in the health check request. + // If this is not specified, then the health check request applies + // to the entire + // server and not to a specific service. + service?: string + } + + // HealthyThreshold defines the number of healthy health checks + // required before a backend host is marked healthy. + healthyThreshold?: int32 & int & >=1 | *1 + + // HTTP defines the configuration of http health checker. + // It's required while the health checker type is HTTP. + http?: { + // ExpectedResponse defines a list of HTTP expected responses to + // match. + expectedResponse?: { + // Binary payload base64 encoded. + binary?: string + + // Text payload in plain text. + text?: string + + // Type defines the type of the payload. + type!: matchN(2, ["Text" | "Binary", "Text" | "Binary"]) + } + + // ExpectedStatuses defines a list of HTTP response statuses + // considered healthy. + // Defaults to 200 only + expectedStatuses?: [...int & <600 & >=100] + + // Method defines the HTTP method used for health checking. + // Defaults to GET + method?: string + + // Path defines the HTTP path that will be requested during health + // checking. + path!: strings.MaxRunes(1024) & strings.MinRunes(1) + } + + // Interval defines the time between active health checks. + interval?: string | *"3s" + + // TCP defines the configuration of tcp health checker. + // It's required while the health checker type is TCP. + tcp?: { + // Receive defines the expected response payload. + receive?: { + // Binary payload base64 encoded. 
+ binary?: string + + // Text payload in plain text. + text?: string + + // Type defines the type of the payload. + type!: matchN(2, ["Text" | "Binary", "Text" | "Binary"]) + } + + // Send defines the request payload. + send?: { + // Binary payload base64 encoded. + binary?: string + + // Text payload in plain text. + text?: string + + // Type defines the type of the payload. + type!: matchN(2, ["Text" | "Binary", "Text" | "Binary"]) + } + } + + // Timeout defines the time to wait for a health check response. + timeout?: string | *"1s" + + // Type defines the type of health checker. + type!: matchN(2, ["HTTP" | "TCP" | "GRPC", "HTTP" | "TCP" | "GRPC"]) + + // UnhealthyThreshold defines the number of unhealthy health + // checks required before a backend host is marked unhealthy. + unhealthyThreshold?: int32 & int & >=1 | *3 + } + + // Passive passive check configuration + passive?: { + // BaseEjectionTime defines the base duration for which a host + // will be ejected on consecutive failures. + baseEjectionTime?: string | *"30s" + + // Consecutive5xxErrors sets the number of consecutive 5xx errors + // triggering ejection. + consecutive5XxErrors?: int32 & int | *5 + + // ConsecutiveGatewayErrors sets the number of consecutive gateway + // errors triggering ejection. + consecutiveGatewayErrors?: int32 & int | *0 + + // ConsecutiveLocalOriginFailures sets the number of consecutive + // local origin failures triggering ejection. + // Parameter takes effect only when + // split_external_local_origin_errors is set to true. + consecutiveLocalOriginFailures?: int32 & int | *5 + + // Interval defines the time between passive health checks. + interval?: string | *"3s" + + // MaxEjectionPercent sets the maximum percentage of hosts in a + // cluster that can be ejected. + maxEjectionPercent?: int32 & int | *10 + + // SplitExternalLocalOriginErrors enables splitting of errors + // between external and local origin. 
+ splitExternalLocalOriginErrors?: bool | *false + } + } + + // HTTP2 provides HTTP/2 configuration for backend connections. + http2?: { + // InitialConnectionWindowSize sets the initial window size for + // HTTP/2 connections. + // If not set, the default value is 1 MiB. + initialConnectionWindowSize?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + + // InitialStreamWindowSize sets the initial window size for HTTP/2 + // streams. + // If not set, the default value is 64 KiB(64*1024). + initialStreamWindowSize?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + + // MaxConcurrentStreams sets the maximum number of concurrent + // streams allowed per connection. + // If not set, the default value is 100. + maxConcurrentStreams?: int32 & >=1 + + // OnInvalidMessage determines if Envoy will terminate the + // connection or just the offending stream in the event of HTTP + // messaging error + // It's recommended for L2 Envoy deployments to set this value to + // TerminateStream. + // https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + // Default: TerminateConnection + onInvalidMessage?: string + } + + // LoadBalancer policy to apply when routing traffic from the + // gateway to + // the backend endpoints. Defaults to `LeastRequest`. + loadBalancer?: { + // ConsistentHash defines the configuration when the load balancer + // type is + // set to ConsistentHash + consistentHash?: { + // Cookie configures the cookie hash policy when the consistent + // hash type is set to Cookie. 
+ cookie?: { + // Additional Attributes to set for the generated cookie. + attributes?: close({ + [string]: string + }) + + // Name of the cookie to hash. + // If this cookie does not exist in the request, Envoy will + // generate a cookie and set + // the TTL on the response back to the client based on Layer 4 + // attributes of the backend endpoint, to ensure that these future + // requests + // go to the same backend endpoint. Make sure to set the TTL field + // for this case. + name!: string + + // TTL of the generated cookie if the cookie is not present. This + // value sets the + // Max-Age attribute value. + ttl?: string + } + header?: { + // Name of the header to hash. + name!: string + } + + // The table size for consistent hashing, must be prime number + // limited to 5000011. + tableSize?: int64 & int & <=5000011 & >=2 | *65537 + + // ConsistentHashType defines the type of input to hash on. Valid + // Type values are + // "SourceIP", + // "Header", + // "Cookie". + type!: "SourceIP" | "Header" | "Cookie" + } + slowStart?: { + // Window defines the duration of the warm up period for newly + // added host. + // During slow start window, traffic sent to the newly added hosts + // will gradually increase. + // Currently only supports linear growth of traffic. For + // additional details, + // see + // https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + window!: string + } + + // Type decides the type of Load Balancer policy. + // Valid LoadBalancerType values are + // "ConsistentHash", + // "LeastRequest", + // "Random", + // "RoundRobin". 
+ type!: "ConsistentHash" | "LeastRequest" | "Random" | "RoundRobin" + } + proxyProtocol?: { + // Version of ProxyProtol + // Valid ProxyProtocolVersion values are + // "V1" + // "V2" + version!: "V1" | "V2" + } + + // Retry provides more advanced usage, allowing users to customize + // the number of retries, retry fallback strategy, and retry + // triggering conditions. + // If not set, retry will be disabled. + retry?: { + // NumRetries is the number of retries to be attempted. Defaults + // to 2. + numRetries?: int32 & int & >=0 | *2 + + // PerRetry is the retry policy to be applied per retry attempt. + perRetry?: { + // Backoff is the backoff policy to be applied per retry attempt. + // gateway uses a fully jittered exponential + // back-off algorithm for retries. For additional details, + // see + // https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + backOff?: { + // BaseInterval is the base interval between retries. + baseInterval?: string + + // MaxInterval is the maximum interval between retries. This + // parameter is optional, but must be greater than or equal to + // the base_interval if set. + // The default is 10 times the base_interval + maxInterval?: string + } + + // Timeout is the timeout per retry attempt. + timeout?: string + } + + // RetryOn specifies the retry trigger condition. + // + // If not specified, the default is to retry on + // connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + retryOn?: { + // HttpStatusCodes specifies the http status codes to be retried. + // The retriable-status-codes trigger must also be configured for + // these status codes to trigger a retry. + httpStatusCodes?: [...int & <600 & >=100] + + // Triggers specifies the retry trigger condition(Http/Grpc). 
+ triggers?: [..."5xx" | "gateway-error" | "reset" | "connect-failure" | "retriable-4xx" | "refused-stream" | "retriable-status-codes" | "cancelled" | "deadline-exceeded" | "internal" | "resource-exhausted" | "unavailable"] + } + } + + // TcpKeepalive settings associated with the upstream client + // connection. + // Disabled by default. + tcpKeepalive?: { + // The duration a connection needs to be idle before keep-alive + // probes start being sent. + // The duration format is + // Defaults to `7200s`. + idleTime?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // The duration between keep-alive probes. + // Defaults to `75s`. + interval?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // The total number of unacknowledged probes to send before + // deciding + // the connection is dead. + // Defaults to 9. + probes?: int32 + } + + // Timeout settings for the backend connections. + timeout?: { + // Timeout settings for HTTP. + http?: { + // The idle timeout for an HTTP connection. Idle time is defined + // as a period in which there are no active requests in the + // connection. + // Default: 1 hour. + connectionIdleTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // The maximum duration of an HTTP connection. + // Default: unlimited. + maxConnectionDuration?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // RequestTimeout is the time until which entire response is + // received from the upstream. + requestTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + } + tcp?: { + // The timeout for network connection establishment, including TCP + // and TLS handshakes. + // Default: 10 seconds. + connectTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + } + } + } + + // Host define the provider service hostname. + // Deprecated: Use BackendRefs instead. + host?: string + + // Port defines the port the provider service is exposed on. + // Deprecated: Use BackendRefs instead. + port?: int32 & int & >=0 | *4317 + + // Type defines the tracing provider type. 
+ type!: "OpenTelemetry" | "Zipkin" | "Datadog" | *"OpenTelemetry" + + // Zipkin defines the Zipkin tracing provider configuration + zipkin?: { + // DisableSharedSpanContext determines whether the default Envoy + // behaviour of + // client and server spans sharing the same span context should be + // disabled. + disableSharedSpanContext?: bool + + // Enable128BitTraceID determines whether a 128bit trace id will + // be used + // when creating a new trace instance. If set to false, a 64bit + // trace + // id will be used. + enable128BitTraceId?: bool + } + } + + // SamplingFraction represents the fraction of requests that + // should be + // selected for tracing if no prior sampling decision has been + // made. + // + // Only one of SamplingRate or SamplingFraction may be specified. + // If neither field is specified, all requests will be sampled. + samplingFraction?: { + denominator?: int32 & int & >=1 | *100 + numerator!: int32 & >=0 + } + + // SamplingRate controls the rate at which traffic will be + // selected for tracing if no prior sampling decision has been + // made. + // Defaults to 100, valid values [0-100]. 100 indicates 100% + // sampling. + // + // Only one of SamplingRate or SamplingFraction may be specified. + // If neither field is specified, all requests will be sampled. + samplingRate?: int32 & int & <=100 & >=0 | *100 + } + } +} diff --git a/k8s/timoni/gateway/cue.mod/gen/gateway.envoyproxy.io/httproutefilter/v1alpha1/types_gen.cue b/k8s/timoni/gateway/cue.mod/gen/gateway.envoyproxy.io/httproutefilter/v1alpha1/types_gen.cue new file mode 100644 index 000000000..638e769b7 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/gateway.envoyproxy.io/httproutefilter/v1alpha1/types_gen.cue 
@@ -0,0 +1,159 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/envoyproxy/gateway/releases/download/v1.3.0/install.yaml + +package v1alpha1 + +import "strings" + +// HTTPRouteFilter is a custom Envoy Gateway HTTPRouteFilter which +// provides extended +// traffic processing options such as path regex rewrite, direct +// response and more. +#HTTPRouteFilter: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "gateway.envoyproxy.io/v1alpha1" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "HTTPRouteFilter" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Spec defines the desired state of HTTPRouteFilter. + spec!: #HTTPRouteFilterSpec +} + +// Spec defines the desired state of HTTPRouteFilter. +#HTTPRouteFilterSpec: { + // HTTPDirectResponseFilter defines the configuration to return a + // fixed response. + directResponse?: { + // Body of the Response + body?: { + // Inline contains the value as an inline string. + inline?: string + + // Type is the type of method to use to read the body value. + // Valid values are Inline and ValueRef, default is Inline. 
+ type!: matchN(2, ["Inline" | "ValueRef", "Inline" | "ValueRef"]) | *"Inline" + + // ValueRef contains the contents of the body + // specified as a local object reference. + // Only a reference to ConfigMap is supported. + // + // The value of key `response.body` in the ConfigMap will be used + // as the response body. + // If the key is not found, the first value in the ConfigMap will + // be used. + valueRef?: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the referent. For example "HTTPRoute" or + // "Service". + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + } + } + + // Content Type of the response. This will be set in the + // Content-Type header. + contentType?: string + + // Status Code of the HTTP response + // If unset, defaults to 200. + statusCode?: int + } + + // HTTPURLRewriteFilter define rewrites of HTTP URL components + // such as path and host + urlRewrite?: { + // Hostname is the value to be used to replace the Host header + // value during + // forwarding. + hostname?: { + // Header is the name of the header whose value would be used to + // rewrite the Host header + header?: string + + // HTTPPathModifierType defines the type of Hostname rewrite. + type!: "Header" | "Backend" + } + + // Path defines a path rewrite. + path?: { + // ReplaceRegexMatch defines a path regex rewrite. The path + // portions matched by the regex pattern are replaced by the + // defined substitution. 
+ // https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-regex-rewrite + // Some examples: + // (1) replaceRegexMatch: + // pattern: ^/service/([^/]+)(/.*)$ + // substitution: \2/instance/\1 + // Would transform /service/foo/v1/api into /v1/api/instance/foo. + // (2) replaceRegexMatch: + // pattern: one + // substitution: two + // Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/two/zzz. + // (3) replaceRegexMatch: + // pattern: ^(.*?)one(.*)$ + // substitution: \1two\2 + // Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/one/zzz. + // (3) replaceRegexMatch: + // pattern: (?i)/xxx/ + // substitution: /yyy/ + // Would transform path /aaa/XxX/bbb into /aaa/yyy/bbb + // (case-insensitive). + replaceRegexMatch?: { + // Pattern matches a regular expression against the value of the + // HTTP Path.The regex string must + // adhere to the syntax documented in + // https://github.com/google/re2/wiki/Syntax. + pattern!: strings.MinRunes(1) + + // Substitution is an expression that replaces the matched + // portion.The expression may include numbered + // capture groups that adhere to syntax documented in + // https://github.com/google/re2/wiki/Syntax. + substitution!: string + } + + // HTTPPathModifierType defines the type of path redirect or + // rewrite. + type!: "ReplaceRegexMatch" + } + } +} diff --git a/k8s/timoni/gateway/cue.mod/gen/gateway.envoyproxy.io/securitypolicy/v1alpha1/types_gen.cue b/k8s/timoni/gateway/cue.mod/gen/gateway.envoyproxy.io/securitypolicy/v1alpha1/types_gen.cue new file mode 100644 index 000000000..e2ea49906 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/gateway.envoyproxy.io/securitypolicy/v1alpha1/types_gen.cue 
@@ -0,0 +1,2888 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/envoyproxy/gateway/releases/download/v1.3.0/install.yaml + +package v1alpha1 + +import ( + "strings" + "list" +) + +// SecurityPolicy allows the user to configure various security +// settings for a +// Gateway. +#SecurityPolicy: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "gateway.envoyproxy.io/v1alpha1" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "SecurityPolicy" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Spec defines the desired state of SecurityPolicy. + spec!: #SecurityPolicySpec +} + +// Spec defines the desired state of SecurityPolicy. +#SecurityPolicySpec: { + // APIKeyAuth defines the configuration for the API Key + // Authentication. + apiKeyAuth?: { + // CredentialRefs is the Kubernetes secret which contains the API + // keys. + // This is an Opaque secret. + // Each API key is stored in the key representing the client id. + // If the secrets have a key for a duplicated client, the first + // one will be used. + credentialRefs!: [...{ + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". 
+ // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is kind of the referent. For example "Secret". + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Secret" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the referenced object. When + // unspecified, the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + }] + + // ExtractFrom is where to fetch the key from the coming request. + // The value from the first source that has a key will be used. + extractFrom!: [...{ + // Cookies is the names of the cookie to fetch the key from. + // If multiple cookies are specified, envoy will look for the api + // key in the order of the list. + // This field is optional, but only one of headers, params or + // cookies is supposed to be specified. + cookies?: [...string] + + // Headers is the names of the header to fetch the key from. + // If multiple headers are specified, envoy will look for the api + // key in the order of the list. + // This field is optional, but only one of headers, params or + // cookies is supposed to be specified. + headers?: [...string] + + // Params is the names of the query parameter to fetch the key + // from. + // If multiple params are specified, envoy will look for the api + // key in the order of the list. 
+ // This field is optional, but only one of headers, params or + // cookies is supposed to be specified. + params?: [...string] + }] + } + + // Authorization defines the authorization configuration. + authorization?: { + // DefaultAction defines the default action to be taken if no + // rules match. + // If not specified, the default action is Deny. + defaultAction?: "Allow" | "Deny" + + // Rules defines a list of authorization rules. + // These rules are evaluated in order, the first matching rule + // will be applied, + // and the rest will be skipped. + // + // For example, if there are two rules: the first rule allows the + // request + // and the second rule denies it, when a request matches both + // rules, it will be allowed. + rules?: [...{ + // Action defines the action to be taken if the rule matches. + action!: "Allow" | "Deny" + + // Name is a user-friendly name for the rule. + // If not specified, Envoy Gateway will generate a unique name for + // the rule. + name?: strings.MaxRunes(253) & strings.MinRunes(1) + + // Principal specifies the client identity of a request. + // If there are multiple principal types, all principals must + // match for the rule to match. + // For example, if there are two principals: one for client IP and + // one for JWT claim, + // the rule will match only if both the client IP and the JWT + // claim match. + principal!: { + // ClientCIDRs are the IP CIDR ranges of the client. + // Valid examples are "192.168.1.0/24" or "2001:db8::/64" + // + // If multiple CIDR ranges are specified, one of the CIDR ranges + // must match + // the client IP for the rule to match. + // + // The client IP is inferred from the X-Forwarded-For header, a + // custom header, + // or the proxy protocol. + // You can use the `ClientIPDetection` or the + // `EnableProxyProtocol` field in + // the `ClientTrafficPolicy` to configure how the client IP is + // detected. 
+ clientCIDRs?: [...=~"((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\/([0-9]+))|((([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\\/([0-9]+))"] & [_, ...] + + // JWT authorize the request based on the JWT claims and scopes. + // Note: in order to use JWT claims for authorization, you must + // configure the + // JWT authentication in the same `SecurityPolicy`. + jwt?: { + // Claims are the claims in a JWT token. + // + // If multiple claims are specified, all claims must match for the + // rule to match. + // For example, if there are two claims: one for the audience and + // one for the issuer, + // the rule will match only if both the audience and the issuer + // match. + claims?: list.MaxItems(16) & [...{ + // Name is the name of the claim. + // If it is a nested claim, use a dot (.) separated string as the + // name to + // represent the full path to the claim. + // For example, if the claim is in the "department" field in the + // "organization" field, + // the name should be "organization.department". + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // ValueType is the type of the claim value. + // Only String and StringArray types are supported for now. 
+ valueType?: "String" | "StringArray" | *"String" + + // Values are the values that the claim must match. + // If the claim is a string type, the specified value must match + // exactly. + // If the claim is a string array type, the specified value must + // match one of the values in the array. + // If multiple values are specified, one of the values must match + // for the rule to match. + values!: list.MaxItems(16) & [...string] & [_, ...] + }] & [_, ...] + + // Provider is the name of the JWT provider that used to verify + // the JWT token. + // In order to use JWT claims for authorization, you must + // configure the JWT + // authentication with the same provider in the same + // `SecurityPolicy`. + provider!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Scopes are a special type of claim in a JWT token that + // represents the permissions of the client. + // + // The value of the scopes field should be a space delimited + // string that is expected in the scope parameter, + // as defined in RFC 6749: + // https://datatracker.ietf.org/doc/html/rfc6749#page-23. + // + // If multiple scopes are specified, all scopes must match for the + // rule to match. + scopes?: list.MaxItems(16) & [...strings.MaxRunes(253) & strings.MinRunes(1)] & [_, ...] + } + } + }] + } + basicAuth?: { + // The Kubernetes secret which contains the username-password + // pairs in + // htpasswd format, used to verify user credentials in the + // "Authorization" + // header. + // + // This is an Opaque secret. The username-password pairs should be + // stored in + // the key ".htpasswd". As the key name indicates, the value needs + // to be the + // htpasswd format, for example: + // "user1:{SHA}hashed_user1_password". + // Right now, only SHA hash algorithm is supported. + // Reference to + // https://httpd.apache.org/docs/2.4/programs/htpasswd.html + // for more details. + // + // Note: The secret must be in the same namespace as the + // SecurityPolicy. 
+ users!: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is kind of the referent. For example "Secret". + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Secret" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the referenced object. When + // unspecified, the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + } + } + + // CORS defines the configuration for Cross-Origin Resource + // Sharing (CORS). + cors?: { + // AllowCredentials indicates whether a request can include user + // credentials + // like cookies, authentication headers, or TLS client + // certificates. + // It specifies the value in the Access-Control-Allow-Credentials + // CORS response header. + allowCredentials?: bool + + // AllowHeaders defines the headers that are allowed to be sent + // with requests. + // It specifies the allowed headers in the + // Access-Control-Allow-Headers CORS response header.. + // The value "*" allows any header to be sent. + allowHeaders?: [...string] + + // AllowMethods defines the methods that are allowed to make + // requests. + // It specifies the allowed methods in the + // Access-Control-Allow-Methods CORS response header.. + // The value "*" allows any method to be used. 
+ allowMethods?: [...string] + + // AllowOrigins defines the origins that are allowed to make + // requests. + // It specifies the allowed origins in the + // Access-Control-Allow-Origin CORS response header. + // The value "*" allows any origin to make requests. + allowOrigins?: [...strings.MaxRunes(253) & strings.MinRunes(1) & =~"^(\\*|https?:\\/\\/(\\*|(\\*\\.)?(([\\w-]+\\.?)+)?[\\w-]+)(:\\d{1,5})?)$"] + + // ExposeHeaders defines which response headers should be made + // accessible to + // scripts running in the browser. + // It specifies the headers in the Access-Control-Expose-Headers + // CORS response header.. + // The value "*" allows any header to be exposed. + exposeHeaders?: [...string] + + // MaxAge defines how long the results of a preflight request can + // be cached. + // It specifies the value in the Access-Control-Max-Age CORS + // response header.. + maxAge?: string + } + + // ExtAuth defines the configuration for External Authorization. + extAuth?: { + bodyToExtAuth?: { + // MaxRequestBytes is the maximum size of a message body that the + // filter will hold in memory. + // Envoy will return HTTP 413 and will not initiate the + // authorization process when buffer + // reaches the number set in this field. + // Note that this setting will have precedence over failOpen mode. + maxRequestBytes!: int32 & >=1 + } + + // FailOpen is a switch used to control the behavior when a + // response from the External Authorization service cannot be + // obtained. + // If FailOpen is set to true, the system allows the traffic to + // pass through. + // Otherwise, if it is set to false or not set (defaulting to + // false), + // the system blocks the traffic and returns a HTTP 5xx error, + // reflecting a fail-closed approach. + // This setting determines whether to prioritize accessibility + // over strict security in case of authorization service failure. + failOpen?: bool | *false + + // GRPC defines the gRPC External Authorization service. 
+ // Either GRPCService or HTTPService must be specified, + // and only one of them can be provided. + grpc?: { + // BackendRef references a Kubernetes object that represents the + // backend server to which the authorization request will be sent. + // + // Deprecated: Use BackendRefs instead. + backendRef?: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. + // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. 
+ // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. + // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. + port?: uint16 & >=1 + } + + // BackendRefs references a Kubernetes object that represents the + // backend server to which the authorization request will be sent. + backendRefs?: list.MaxItems(16) & [...{ + // Fallback indicates whether the backend is designated as a + // fallback. + // Multiple fallback backends can be configured. + // It is highly recommended to configure active or passive health + // checks to ensure that failover can be detected + // when the active backends become unhealthy and to automatically + // readjust once the primary backends are healthy again. + // The overprovisioning factor is set to 1.4, meaning the fallback + // backends will only start receiving traffic when + // the health of the active backends falls below 72%. + fallback?: bool + + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). 
Implementations SHOULD + // NOT + // support ExternalName Services. + // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. + // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. + port?: uint16 & >=1 + }] + + // BackendSettings holds configuration for managing the connection + // to the backend. + backendSettings?: { + // Circuit Breaker settings for the upstream connections and + // requests. + // If not set, circuit breakers will be enabled with the default + // thresholds + circuitBreaker?: { + // The maximum number of connections that Envoy will establish to + // the referenced backend defined within a xRoute rule. + maxConnections?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of parallel requests that Envoy will make to + // the referenced backend defined within a xRoute rule. 
+ maxParallelRequests?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of parallel retries that Envoy will make to + // the referenced backend defined within a xRoute rule. + maxParallelRetries?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of pending requests that Envoy will queue to + // the referenced backend defined within a xRoute rule. + maxPendingRequests?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of requests that Envoy will make over a + // single connection to the referenced backend defined within a + // xRoute rule. + // Default: unlimited. + maxRequestsPerConnection?: uint32 + } + + // Connection includes backend connection settings. + connection?: { + // BufferLimit Soft limit on size of the cluster’s connections + // read and write buffers. + // BufferLimit applies to connection streaming (maybe + // non-streaming) channel between processes, it's in user space. + // If unspecified, an implementation defined default is applied + // (32768 bytes). + // For example, 20Mi, 1Gi, 256Ki etc. + // Note: that when the suffix is not provided, the value is + // interpreted as bytes. + bufferLimit?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + + // SocketBufferLimit provides configuration for the maximum buffer + // size in bytes for each socket + // to backend. + // SocketBufferLimit applies to socket streaming channel between + // TCP/IP stacks, it's in kernel space. + // For example, 20Mi, 1Gi, 256Ki etc. + // Note that when the suffix is not provided, the value is + // interpreted as bytes. 
+ socketBufferLimit?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + } + + // DNS includes dns resolution settings. + dns?: { + // DNSRefreshRate specifies the rate at which DNS records should + // be refreshed. + // Defaults to 30 seconds. + dnsRefreshRate?: string + + // RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) + // should be respected. + // If the value is set to true, the DNS refresh rate will be set + // to the resource record’s TTL. + // Defaults to true. + respectDnsTtl?: bool + } + + // HealthCheck allows gateway to perform active health checking on + // backends. + healthCheck?: { + // Active health check configuration + active?: { + grpc?: { + // Service to send in the health check request. + // If this is not specified, then the health check request applies + // to the entire + // server and not to a specific service. + service?: string + } + + // HealthyThreshold defines the number of healthy health checks + // required before a backend host is marked healthy. + healthyThreshold?: int32 & int & >=1 | *1 + + // HTTP defines the configuration of http health checker. + // It's required while the health checker type is HTTP. + http?: { + // ExpectedResponse defines a list of HTTP expected responses to + // match. + expectedResponse?: { + // Binary payload base64 encoded. + binary?: string + + // Text payload in plain text. + text?: string + + // Type defines the type of the payload. + type!: matchN(2, ["Text" | "Binary", "Text" | "Binary"]) + } + + // ExpectedStatuses defines a list of HTTP response statuses + // considered healthy. + // Defaults to 200 only + expectedStatuses?: [...int & <600 & >=100] + + // Method defines the HTTP method used for health checking. 
+ // Defaults to GET + method?: string + + // Path defines the HTTP path that will be requested during health + // checking. + path!: strings.MaxRunes(1024) & strings.MinRunes(1) + } + + // Interval defines the time between active health checks. + interval?: string | *"3s" + + // TCP defines the configuration of tcp health checker. + // It's required while the health checker type is TCP. + tcp?: { + // Receive defines the expected response payload. + receive?: { + // Binary payload base64 encoded. + binary?: string + + // Text payload in plain text. + text?: string + + // Type defines the type of the payload. + type!: matchN(2, ["Text" | "Binary", "Text" | "Binary"]) + } + + // Send defines the request payload. + send?: { + // Binary payload base64 encoded. + binary?: string + + // Text payload in plain text. + text?: string + + // Type defines the type of the payload. + type!: matchN(2, ["Text" | "Binary", "Text" | "Binary"]) + } + } + + // Timeout defines the time to wait for a health check response. + timeout?: string | *"1s" + + // Type defines the type of health checker. + type!: matchN(2, ["HTTP" | "TCP" | "GRPC", "HTTP" | "TCP" | "GRPC"]) + + // UnhealthyThreshold defines the number of unhealthy health + // checks required before a backend host is marked unhealthy. + unhealthyThreshold?: int32 & int & >=1 | *3 + } + + // Passive passive check configuration + passive?: { + // BaseEjectionTime defines the base duration for which a host + // will be ejected on consecutive failures. + baseEjectionTime?: string | *"30s" + + // Consecutive5xxErrors sets the number of consecutive 5xx errors + // triggering ejection. + consecutive5XxErrors?: int32 & int | *5 + + // ConsecutiveGatewayErrors sets the number of consecutive gateway + // errors triggering ejection. + consecutiveGatewayErrors?: int32 & int | *0 + + // ConsecutiveLocalOriginFailures sets the number of consecutive + // local origin failures triggering ejection. 
+ // Parameter takes effect only when + // split_external_local_origin_errors is set to true. + consecutiveLocalOriginFailures?: int32 & int | *5 + + // Interval defines the time between passive health checks. + interval?: string | *"3s" + + // MaxEjectionPercent sets the maximum percentage of hosts in a + // cluster that can be ejected. + maxEjectionPercent?: int32 & int | *10 + + // SplitExternalLocalOriginErrors enables splitting of errors + // between external and local origin. + splitExternalLocalOriginErrors?: bool | *false + } + } + + // HTTP2 provides HTTP/2 configuration for backend connections. + http2?: { + // InitialConnectionWindowSize sets the initial window size for + // HTTP/2 connections. + // If not set, the default value is 1 MiB. + initialConnectionWindowSize?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + + // InitialStreamWindowSize sets the initial window size for HTTP/2 + // streams. + // If not set, the default value is 64 KiB(64*1024). + initialStreamWindowSize?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + + // MaxConcurrentStreams sets the maximum number of concurrent + // streams allowed per connection. + // If not set, the default value is 100. + maxConcurrentStreams?: int32 & >=1 + + // OnInvalidMessage determines if Envoy will terminate the + // connection or just the offending stream in the event of HTTP + // messaging error + // It's recommended for L2 Envoy deployments to set this value to + // TerminateStream. 
+ // https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + // Default: TerminateConnection + onInvalidMessage?: string + } + + // LoadBalancer policy to apply when routing traffic from the + // gateway to + // the backend endpoints. Defaults to `LeastRequest`. + loadBalancer?: { + // ConsistentHash defines the configuration when the load balancer + // type is + // set to ConsistentHash + consistentHash?: { + // Cookie configures the cookie hash policy when the consistent + // hash type is set to Cookie. + cookie?: { + // Additional Attributes to set for the generated cookie. + attributes?: close({ + [string]: string + }) + + // Name of the cookie to hash. + // If this cookie does not exist in the request, Envoy will + // generate a cookie and set + // the TTL on the response back to the client based on Layer 4 + // attributes of the backend endpoint, to ensure that these future + // requests + // go to the same backend endpoint. Make sure to set the TTL field + // for this case. + name!: string + + // TTL of the generated cookie if the cookie is not present. This + // value sets the + // Max-Age attribute value. + ttl?: string + } + header?: { + // Name of the header to hash. + name!: string + } + + // The table size for consistent hashing, must be prime number + // limited to 5000011. + tableSize?: int64 & int & <=5000011 & >=2 | *65537 + + // ConsistentHashType defines the type of input to hash on. Valid + // Type values are + // "SourceIP", + // "Header", + // "Cookie". + type!: "SourceIP" | "Header" | "Cookie" + } + slowStart?: { + // Window defines the duration of the warm up period for newly + // added host. + // During slow start window, traffic sent to the newly added hosts + // will gradually increase. + // Currently only supports linear growth of traffic. 
For + // additional details, + // see + // https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + window!: string + } + + // Type decides the type of Load Balancer policy. + // Valid LoadBalancerType values are + // "ConsistentHash", + // "LeastRequest", + // "Random", + // "RoundRobin". + type!: "ConsistentHash" | "LeastRequest" | "Random" | "RoundRobin" + } + proxyProtocol?: { + // Version of ProxyProtol + // Valid ProxyProtocolVersion values are + // "V1" + // "V2" + version!: "V1" | "V2" + } + + // Retry provides more advanced usage, allowing users to customize + // the number of retries, retry fallback strategy, and retry + // triggering conditions. + // If not set, retry will be disabled. + retry?: { + // NumRetries is the number of retries to be attempted. Defaults + // to 2. + numRetries?: int32 & int & >=0 | *2 + + // PerRetry is the retry policy to be applied per retry attempt. + perRetry?: { + // Backoff is the backoff policy to be applied per retry attempt. + // gateway uses a fully jittered exponential + // back-off algorithm for retries. For additional details, + // see + // https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + backOff?: { + // BaseInterval is the base interval between retries. + baseInterval?: string + + // MaxInterval is the maximum interval between retries. This + // parameter is optional, but must be greater than or equal to + // the base_interval if set. + // The default is 10 times the base_interval + maxInterval?: string + } + + // Timeout is the timeout per retry attempt. + timeout?: string + } + + // RetryOn specifies the retry trigger condition. + // + // If not specified, the default is to retry on + // connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + retryOn?: { + // HttpStatusCodes specifies the http status codes to be retried. 
+ // The retriable-status-codes trigger must also be configured for + // these status codes to trigger a retry. + httpStatusCodes?: [...int & <600 & >=100] + + // Triggers specifies the retry trigger condition(Http/Grpc). + triggers?: [..."5xx" | "gateway-error" | "reset" | "connect-failure" | "retriable-4xx" | "refused-stream" | "retriable-status-codes" | "cancelled" | "deadline-exceeded" | "internal" | "resource-exhausted" | "unavailable"] + } + } + + // TcpKeepalive settings associated with the upstream client + // connection. + // Disabled by default. + tcpKeepalive?: { + // The duration a connection needs to be idle before keep-alive + // probes start being sent. + // The duration format is + // Defaults to `7200s`. + idleTime?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // The duration between keep-alive probes. + // Defaults to `75s`. + interval?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // The total number of unacknowledged probes to send before + // deciding + // the connection is dead. + // Defaults to 9. + probes?: int32 + } + + // Timeout settings for the backend connections. + timeout?: { + // Timeout settings for HTTP. + http?: { + // The idle timeout for an HTTP connection. Idle time is defined + // as a period in which there are no active requests in the + // connection. + // Default: 1 hour. + connectionIdleTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // The maximum duration of an HTTP connection. + // Default: unlimited. + maxConnectionDuration?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // RequestTimeout is the time until which entire response is + // received from the upstream. + requestTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + } + tcp?: { + // The timeout for network connection establishment, including TCP + // and TLS handshakes. + // Default: 10 seconds. 
+ connectTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + } + } + } + } + + // HeadersToExtAuth defines the client request headers that will + // be included + // in the request to the external authorization service. + // Note: If not specified, the default behavior for gRPC and HTTP + // external + // authorization services is different due to backward + // compatibility reasons. + // All headers will be included in the check request to a gRPC + // authorization server. + // Only the following headers will be included in the check + // request to an HTTP + // authorization server: Host, Method, Path, Content-Length, and + // Authorization. + // And these headers will always be included to the check request + // to an HTTP + // authorization server by default, no matter whether they are + // specified + // in HeadersToExtAuth or not. + headersToExtAuth?: [...string] + + // HTTP defines the HTTP External Authorization service. + // Either GRPCService or HTTPService must be specified, + // and only one of them can be provided. + http?: { + // BackendRef references a Kubernetes object that represents the + // backend server to which the authorization request will be sent. + // + // Deprecated: Use BackendRefs instead. + backendRef?: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). 
Implementations SHOULD + // NOT + // support ExternalName Services. + // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. + // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. + port?: uint16 & >=1 + } + + // BackendRefs references a Kubernetes object that represents the + // backend server to which the authorization request will be sent. + backendRefs?: list.MaxItems(16) & [...{ + // Fallback indicates whether the backend is designated as a + // fallback. + // Multiple fallback backends can be configured. + // It is highly recommended to configure active or passive health + // checks to ensure that failover can be detected + // when the active backends become unhealthy and to automatically + // readjust once the primary backends are healthy again. 
+ // The overprovisioning factor is set to 1.4, meaning the fallback + // backends will only start receiving traffic when + // the health of the active backends falls below 72%. + fallback?: bool + + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. + // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. + // Port is required when the referent is a Kubernetes Service. 
In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. + port?: uint16 & >=1 + }] + + // BackendSettings holds configuration for managing the connection + // to the backend. + backendSettings?: { + // Circuit Breaker settings for the upstream connections and + // requests. + // If not set, circuit breakers will be enabled with the default + // thresholds + circuitBreaker?: { + // The maximum number of connections that Envoy will establish to + // the referenced backend defined within a xRoute rule. + maxConnections?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of parallel requests that Envoy will make to + // the referenced backend defined within a xRoute rule. + maxParallelRequests?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of parallel retries that Envoy will make to + // the referenced backend defined within a xRoute rule. + maxParallelRetries?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of pending requests that Envoy will queue to + // the referenced backend defined within a xRoute rule. + maxPendingRequests?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of requests that Envoy will make over a + // single connection to the referenced backend defined within a + // xRoute rule. + // Default: unlimited. + maxRequestsPerConnection?: uint32 + } + + // Connection includes backend connection settings. + connection?: { + // BufferLimit Soft limit on size of the cluster’s connections + // read and write buffers. + // BufferLimit applies to connection streaming (maybe + // non-streaming) channel between processes, it's in user space. + // If unspecified, an implementation defined default is applied + // (32768 bytes). + // For example, 20Mi, 1Gi, 256Ki etc. 
+ // Note: that when the suffix is not provided, the value is + // interpreted as bytes. + bufferLimit?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + + // SocketBufferLimit provides configuration for the maximum buffer + // size in bytes for each socket + // to backend. + // SocketBufferLimit applies to socket streaming channel between + // TCP/IP stacks, it's in kernel space. + // For example, 20Mi, 1Gi, 256Ki etc. + // Note that when the suffix is not provided, the value is + // interpreted as bytes. + socketBufferLimit?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + } + + // DNS includes dns resolution settings. + dns?: { + // DNSRefreshRate specifies the rate at which DNS records should + // be refreshed. + // Defaults to 30 seconds. + dnsRefreshRate?: string + + // RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) + // should be respected. + // If the value is set to true, the DNS refresh rate will be set + // to the resource record’s TTL. + // Defaults to true. + respectDnsTtl?: bool + } + + // HealthCheck allows gateway to perform active health checking on + // backends. + healthCheck?: { + // Active health check configuration + active?: { + grpc?: { + // Service to send in the health check request. + // If this is not specified, then the health check request applies + // to the entire + // server and not to a specific service. + service?: string + } + + // HealthyThreshold defines the number of healthy health checks + // required before a backend host is marked healthy. 
+ healthyThreshold?: int32 & int & >=1 | *1 + + // HTTP defines the configuration of http health checker. + // It's required while the health checker type is HTTP. + http?: { + // ExpectedResponse defines a list of HTTP expected responses to + // match. + expectedResponse?: { + // Binary payload base64 encoded. + binary?: string + + // Text payload in plain text. + text?: string + + // Type defines the type of the payload. + type!: matchN(2, ["Text" | "Binary", "Text" | "Binary"]) + } + + // ExpectedStatuses defines a list of HTTP response statuses + // considered healthy. + // Defaults to 200 only + expectedStatuses?: [...int & <600 & >=100] + + // Method defines the HTTP method used for health checking. + // Defaults to GET + method?: string + + // Path defines the HTTP path that will be requested during health + // checking. + path!: strings.MaxRunes(1024) & strings.MinRunes(1) + } + + // Interval defines the time between active health checks. + interval?: string | *"3s" + + // TCP defines the configuration of tcp health checker. + // It's required while the health checker type is TCP. + tcp?: { + // Receive defines the expected response payload. + receive?: { + // Binary payload base64 encoded. + binary?: string + + // Text payload in plain text. + text?: string + + // Type defines the type of the payload. + type!: matchN(2, ["Text" | "Binary", "Text" | "Binary"]) + } + + // Send defines the request payload. + send?: { + // Binary payload base64 encoded. + binary?: string + + // Text payload in plain text. + text?: string + + // Type defines the type of the payload. + type!: matchN(2, ["Text" | "Binary", "Text" | "Binary"]) + } + } + + // Timeout defines the time to wait for a health check response. + timeout?: string | *"1s" + + // Type defines the type of health checker. 
+ type!: matchN(2, ["HTTP" | "TCP" | "GRPC", "HTTP" | "TCP" | "GRPC"]) + + // UnhealthyThreshold defines the number of unhealthy health + // checks required before a backend host is marked unhealthy. + unhealthyThreshold?: int32 & int & >=1 | *3 + } + + // Passive passive check configuration + passive?: { + // BaseEjectionTime defines the base duration for which a host + // will be ejected on consecutive failures. + baseEjectionTime?: string | *"30s" + + // Consecutive5xxErrors sets the number of consecutive 5xx errors + // triggering ejection. + consecutive5XxErrors?: int32 & int | *5 + + // ConsecutiveGatewayErrors sets the number of consecutive gateway + // errors triggering ejection. + consecutiveGatewayErrors?: int32 & int | *0 + + // ConsecutiveLocalOriginFailures sets the number of consecutive + // local origin failures triggering ejection. + // Parameter takes effect only when + // split_external_local_origin_errors is set to true. + consecutiveLocalOriginFailures?: int32 & int | *5 + + // Interval defines the time between passive health checks. + interval?: string | *"3s" + + // MaxEjectionPercent sets the maximum percentage of hosts in a + // cluster that can be ejected. + maxEjectionPercent?: int32 & int | *10 + + // SplitExternalLocalOriginErrors enables splitting of errors + // between external and local origin. + splitExternalLocalOriginErrors?: bool | *false + } + } + + // HTTP2 provides HTTP/2 configuration for backend connections. + http2?: { + // InitialConnectionWindowSize sets the initial window size for + // HTTP/2 connections. + // If not set, the default value is 1 MiB. + initialConnectionWindowSize?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] 
| {}]) & matchN(>=1, [int, string]) + + // InitialStreamWindowSize sets the initial window size for HTTP/2 + // streams. + // If not set, the default value is 64 KiB(64*1024). + initialStreamWindowSize?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + + // MaxConcurrentStreams sets the maximum number of concurrent + // streams allowed per connection. + // If not set, the default value is 100. + maxConcurrentStreams?: int32 & >=1 + + // OnInvalidMessage determines if Envoy will terminate the + // connection or just the offending stream in the event of HTTP + // messaging error + // It's recommended for L2 Envoy deployments to set this value to + // TerminateStream. + // https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + // Default: TerminateConnection + onInvalidMessage?: string + } + + // LoadBalancer policy to apply when routing traffic from the + // gateway to + // the backend endpoints. Defaults to `LeastRequest`. + loadBalancer?: { + // ConsistentHash defines the configuration when the load balancer + // type is + // set to ConsistentHash + consistentHash?: { + // Cookie configures the cookie hash policy when the consistent + // hash type is set to Cookie. + cookie?: { + // Additional Attributes to set for the generated cookie. + attributes?: close({ + [string]: string + }) + + // Name of the cookie to hash. + // If this cookie does not exist in the request, Envoy will + // generate a cookie and set + // the TTL on the response back to the client based on Layer 4 + // attributes of the backend endpoint, to ensure that these future + // requests + // go to the same backend endpoint. Make sure to set the TTL field + // for this case. 
+ name!: string + + // TTL of the generated cookie if the cookie is not present. This + // value sets the + // Max-Age attribute value. + ttl?: string + } + header?: { + // Name of the header to hash. + name!: string + } + + // The table size for consistent hashing, must be prime number + // limited to 5000011. + tableSize?: int64 & int & <=5000011 & >=2 | *65537 + + // ConsistentHashType defines the type of input to hash on. Valid + // Type values are + // "SourceIP", + // "Header", + // "Cookie". + type!: "SourceIP" | "Header" | "Cookie" + } + slowStart?: { + // Window defines the duration of the warm up period for newly + // added host. + // During slow start window, traffic sent to the newly added hosts + // will gradually increase. + // Currently only supports linear growth of traffic. For + // additional details, + // see + // https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + window!: string + } + + // Type decides the type of Load Balancer policy. + // Valid LoadBalancerType values are + // "ConsistentHash", + // "LeastRequest", + // "Random", + // "RoundRobin". + type!: "ConsistentHash" | "LeastRequest" | "Random" | "RoundRobin" + } + proxyProtocol?: { + // Version of ProxyProtol + // Valid ProxyProtocolVersion values are + // "V1" + // "V2" + version!: "V1" | "V2" + } + + // Retry provides more advanced usage, allowing users to customize + // the number of retries, retry fallback strategy, and retry + // triggering conditions. + // If not set, retry will be disabled. + retry?: { + // NumRetries is the number of retries to be attempted. Defaults + // to 2. + numRetries?: int32 & int & >=0 | *2 + + // PerRetry is the retry policy to be applied per retry attempt. + perRetry?: { + // Backoff is the backoff policy to be applied per retry attempt. + // gateway uses a fully jittered exponential + // back-off algorithm for retries. 
For additional details, + // see + // https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + backOff?: { + // BaseInterval is the base interval between retries. + baseInterval?: string + + // MaxInterval is the maximum interval between retries. This + // parameter is optional, but must be greater than or equal to + // the base_interval if set. + // The default is 10 times the base_interval + maxInterval?: string + } + + // Timeout is the timeout per retry attempt. + timeout?: string + } + + // RetryOn specifies the retry trigger condition. + // + // If not specified, the default is to retry on + // connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + retryOn?: { + // HttpStatusCodes specifies the http status codes to be retried. + // The retriable-status-codes trigger must also be configured for + // these status codes to trigger a retry. + httpStatusCodes?: [...int & <600 & >=100] + + // Triggers specifies the retry trigger condition(Http/Grpc). + triggers?: [..."5xx" | "gateway-error" | "reset" | "connect-failure" | "retriable-4xx" | "refused-stream" | "retriable-status-codes" | "cancelled" | "deadline-exceeded" | "internal" | "resource-exhausted" | "unavailable"] + } + } + + // TcpKeepalive settings associated with the upstream client + // connection. + // Disabled by default. + tcpKeepalive?: { + // The duration a connection needs to be idle before keep-alive + // probes start being sent. + // The duration format is + // Defaults to `7200s`. + idleTime?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // The duration between keep-alive probes. + // Defaults to `75s`. + interval?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // The total number of unacknowledged probes to send before + // deciding + // the connection is dead. + // Defaults to 9. + probes?: int32 + } + + // Timeout settings for the backend connections. + timeout?: { + // Timeout settings for HTTP. 
+ http?: { + // The idle timeout for an HTTP connection. Idle time is defined + // as a period in which there are no active requests in the + // connection. + // Default: 1 hour. + connectionIdleTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // The maximum duration of an HTTP connection. + // Default: unlimited. + maxConnectionDuration?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // RequestTimeout is the time until which entire response is + // received from the upstream. + requestTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + } + tcp?: { + // The timeout for network connection establishment, including TCP + // and TLS handshakes. + // Default: 10 seconds. + connectTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + } + } + } + + // HeadersToBackend are the authorization response headers that + // will be added + // to the original client request before sending it to the backend + // server. + // Note that coexisting headers will be overridden. + // If not specified, no authorization response headers will be + // added to the + // original client request. + headersToBackend?: [...string] + + // Path is the path of the HTTP External Authorization service. + // If path is specified, the authorization request will be sent to + // that path, + // or else the authorization request will be sent to the root + // path. + path?: string + } + + // RecomputeRoute clears the route cache and recalculates the + // routing decision. + // This field must be enabled if the headers added or modified by + // the ExtAuth are used for + // route matching decisions. If the recomputation selects a new + // route, features targeting + // the new matched route will be applied. + recomputeRoute?: bool + } + + // JWT defines the configuration for JSON Web Token (JWT) + // authentication. + jwt?: { + // Optional determines whether a missing JWT is acceptable, + // defaulting to false if not specified. 
+ // Note: Even if optional is set to true, JWT authentication will + // still fail if an invalid JWT is presented. + optional?: bool + + // Providers defines the JSON Web Token (JWT) authentication + // provider type. + // When multiple JWT providers are specified, the JWT is + // considered valid if + // any of the providers successfully validate the JWT. For + // additional details, + // see + // https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html. + providers!: list.MaxItems(4) & [...{ + // Audiences is a list of JWT audiences allowed access. For + // additional details, see + // https://tools.ietf.org/html/rfc7519#section-4.1.3. If not + // provided, JWT audiences + // are not checked. + audiences?: list.MaxItems(8) & [...string] + + // ClaimToHeaders is a list of JWT claims that must be extracted + // into HTTP request headers + // For examples, following config: + // The claim must be of type; string, int, double, bool. Array + // type claims are not supported + claimToHeaders?: [...{ + // Claim is the JWT Claim that should be saved into the header : + // it can be a nested claim of type + // (eg. "claim.nested.key", "sub"). The nested claim name must use + // dot "." + // to separate the JSON name path. + claim!: string + + // Header defines the name of the HTTP request header that the JWT + // Claim will be saved into. + header!: string + }] + + // ExtractFrom defines different ways to extract the JWT token + // from HTTP request. + // If empty, it defaults to extract JWT token from the + // Authorization HTTP request header using Bearer schema + // or access_token from query parameters. + extractFrom?: { + // Cookies represents a list of cookie names to extract the JWT + // token from. + cookies?: [...string] + + // Headers represents a list of HTTP request headers to extract + // the JWT token from. 
+ headers?: [...{ + // Name is the HTTP header name to retrieve the token + name!: string + + // ValuePrefix is the prefix that should be stripped before + // extracting the token. + // The format would be used by Envoy like "{ValuePrefix}". + // For example, "Authorization: Bearer ", then the + // ValuePrefix="Bearer " with a space at the end. + valuePrefix?: string + }] + + // Params represents a list of query parameters to extract the JWT + // token from. + params?: [...string] + } + + // Issuer is the principal that issued the JWT and takes the form + // of a URL or email address. + // For additional details, see + // https://tools.ietf.org/html/rfc7519#section-4.1.1 for + // URL format and https://rfc-editor.org/rfc/rfc5322.html for + // email format. If not provided, + // the JWT issuer is not checked. + issuer?: strings.MaxRunes(253) + + // Name defines a unique name for the JWT provider. A name can + // have a variety of forms, + // including RFC1123 subdomains, RFC 1123 labels, or RFC 1035 + // labels. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // RecomputeRoute clears the route cache and recalculates the + // routing decision. + // This field must be enabled if the headers generated from the + // claim are used for + // route matching decisions. If the recomputation selects a new + // route, features targeting + // the new matched route will be applied. + recomputeRoute?: bool + + // RemoteJWKS defines how to fetch and cache JSON Web Key Sets + // (JWKS) from a remote + // HTTP/HTTPS endpoint. + remoteJWKS!: { + // BackendRef references a Kubernetes object that represents the + // backend server to which the authorization request will be sent. + // + // Deprecated: Use BackendRefs instead. + backendRef?: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. 
+ group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. + // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. + // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. 
+ port?: uint16 & >=1 + } + + // BackendRefs references a Kubernetes object that represents the + // backend server to which the authorization request will be sent. + backendRefs?: list.MaxItems(16) & [...{ + // Fallback indicates whether the backend is designated as a + // fallback. + // Multiple fallback backends can be configured. + // It is highly recommended to configure active or passive health + // checks to ensure that failover can be detected + // when the active backends become unhealthy and to automatically + // readjust once the primary backends are healthy again. + // The overprovisioning factor is set to 1.4, meaning the fallback + // backends will only start receiving traffic when + // the health of the active backends falls below 72%. + fallback?: bool + + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. + // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. 
When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. + // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. + port?: uint16 & >=1 + }] + + // BackendSettings holds configuration for managing the connection + // to the backend. + backendSettings?: { + // Circuit Breaker settings for the upstream connections and + // requests. + // If not set, circuit breakers will be enabled with the default + // thresholds + circuitBreaker?: { + // The maximum number of connections that Envoy will establish to + // the referenced backend defined within a xRoute rule. + maxConnections?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of parallel requests that Envoy will make to + // the referenced backend defined within a xRoute rule. + maxParallelRequests?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of parallel retries that Envoy will make to + // the referenced backend defined within a xRoute rule. + maxParallelRetries?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of pending requests that Envoy will queue to + // the referenced backend defined within a xRoute rule. 
+ maxPendingRequests?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of requests that Envoy will make over a + // single connection to the referenced backend defined within a + // xRoute rule. + // Default: unlimited. + maxRequestsPerConnection?: uint32 + } + + // Connection includes backend connection settings. + connection?: { + // BufferLimit Soft limit on size of the cluster’s connections + // read and write buffers. + // BufferLimit applies to connection streaming (maybe + // non-streaming) channel between processes, it's in user space. + // If unspecified, an implementation defined default is applied + // (32768 bytes). + // For example, 20Mi, 1Gi, 256Ki etc. + // Note: that when the suffix is not provided, the value is + // interpreted as bytes. + bufferLimit?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + + // SocketBufferLimit provides configuration for the maximum buffer + // size in bytes for each socket + // to backend. + // SocketBufferLimit applies to socket streaming channel between + // TCP/IP stacks, it's in kernel space. + // For example, 20Mi, 1Gi, 256Ki etc. + // Note that when the suffix is not provided, the value is + // interpreted as bytes. + socketBufferLimit?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + } + + // DNS includes dns resolution settings. + dns?: { + // DNSRefreshRate specifies the rate at which DNS records should + // be refreshed. + // Defaults to 30 seconds. 
+ dnsRefreshRate?: string + + // RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) + // should be respected. + // If the value is set to true, the DNS refresh rate will be set + // to the resource record’s TTL. + // Defaults to true. + respectDnsTtl?: bool + } + + // HealthCheck allows gateway to perform active health checking on + // backends. + healthCheck?: { + // Active health check configuration + active?: { + grpc?: { + // Service to send in the health check request. + // If this is not specified, then the health check request applies + // to the entire + // server and not to a specific service. + service?: string + } + + // HealthyThreshold defines the number of healthy health checks + // required before a backend host is marked healthy. + healthyThreshold?: int32 & int & >=1 | *1 + + // HTTP defines the configuration of http health checker. + // It's required while the health checker type is HTTP. + http?: { + // ExpectedResponse defines a list of HTTP expected responses to + // match. + expectedResponse?: { + // Binary payload base64 encoded. + binary?: string + + // Text payload in plain text. + text?: string + + // Type defines the type of the payload. + type!: matchN(2, ["Text" | "Binary", "Text" | "Binary"]) + } + + // ExpectedStatuses defines a list of HTTP response statuses + // considered healthy. + // Defaults to 200 only + expectedStatuses?: [...int & <600 & >=100] + + // Method defines the HTTP method used for health checking. + // Defaults to GET + method?: string + + // Path defines the HTTP path that will be requested during health + // checking. + path!: strings.MaxRunes(1024) & strings.MinRunes(1) + } + + // Interval defines the time between active health checks. + interval?: string | *"3s" + + // TCP defines the configuration of tcp health checker. + // It's required while the health checker type is TCP. + tcp?: { + // Receive defines the expected response payload. + receive?: { + // Binary payload base64 encoded. 
+ binary?: string + + // Text payload in plain text. + text?: string + + // Type defines the type of the payload. + type!: matchN(2, ["Text" | "Binary", "Text" | "Binary"]) + } + + // Send defines the request payload. + send?: { + // Binary payload base64 encoded. + binary?: string + + // Text payload in plain text. + text?: string + + // Type defines the type of the payload. + type!: matchN(2, ["Text" | "Binary", "Text" | "Binary"]) + } + } + + // Timeout defines the time to wait for a health check response. + timeout?: string | *"1s" + + // Type defines the type of health checker. + type!: matchN(2, ["HTTP" | "TCP" | "GRPC", "HTTP" | "TCP" | "GRPC"]) + + // UnhealthyThreshold defines the number of unhealthy health + // checks required before a backend host is marked unhealthy. + unhealthyThreshold?: int32 & int & >=1 | *3 + } + + // Passive passive check configuration + passive?: { + // BaseEjectionTime defines the base duration for which a host + // will be ejected on consecutive failures. + baseEjectionTime?: string | *"30s" + + // Consecutive5xxErrors sets the number of consecutive 5xx errors + // triggering ejection. + consecutive5XxErrors?: int32 & int | *5 + + // ConsecutiveGatewayErrors sets the number of consecutive gateway + // errors triggering ejection. + consecutiveGatewayErrors?: int32 & int | *0 + + // ConsecutiveLocalOriginFailures sets the number of consecutive + // local origin failures triggering ejection. + // Parameter takes effect only when + // split_external_local_origin_errors is set to true. + consecutiveLocalOriginFailures?: int32 & int | *5 + + // Interval defines the time between passive health checks. + interval?: string | *"3s" + + // MaxEjectionPercent sets the maximum percentage of hosts in a + // cluster that can be ejected. + maxEjectionPercent?: int32 & int | *10 + + // SplitExternalLocalOriginErrors enables splitting of errors + // between external and local origin. 
+ splitExternalLocalOriginErrors?: bool | *false + } + } + + // HTTP2 provides HTTP/2 configuration for backend connections. + http2?: { + // InitialConnectionWindowSize sets the initial window size for + // HTTP/2 connections. + // If not set, the default value is 1 MiB. + initialConnectionWindowSize?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + + // InitialStreamWindowSize sets the initial window size for HTTP/2 + // streams. + // If not set, the default value is 64 KiB(64*1024). + initialStreamWindowSize?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + + // MaxConcurrentStreams sets the maximum number of concurrent + // streams allowed per connection. + // If not set, the default value is 100. + maxConcurrentStreams?: int32 & >=1 + + // OnInvalidMessage determines if Envoy will terminate the + // connection or just the offending stream in the event of HTTP + // messaging error + // It's recommended for L2 Envoy deployments to set this value to + // TerminateStream. + // https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + // Default: TerminateConnection + onInvalidMessage?: string + } + + // LoadBalancer policy to apply when routing traffic from the + // gateway to + // the backend endpoints. Defaults to `LeastRequest`. + loadBalancer?: { + // ConsistentHash defines the configuration when the load balancer + // type is + // set to ConsistentHash + consistentHash?: { + // Cookie configures the cookie hash policy when the consistent + // hash type is set to Cookie. 
+ cookie?: { + // Additional Attributes to set for the generated cookie. + attributes?: close({ + [string]: string + }) + + // Name of the cookie to hash. + // If this cookie does not exist in the request, Envoy will + // generate a cookie and set + // the TTL on the response back to the client based on Layer 4 + // attributes of the backend endpoint, to ensure that these future + // requests + // go to the same backend endpoint. Make sure to set the TTL field + // for this case. + name!: string + + // TTL of the generated cookie if the cookie is not present. This + // value sets the + // Max-Age attribute value. + ttl?: string + } + header?: { + // Name of the header to hash. + name!: string + } + + // The table size for consistent hashing, must be prime number + // limited to 5000011. + tableSize?: int64 & int & <=5000011 & >=2 | *65537 + + // ConsistentHashType defines the type of input to hash on. Valid + // Type values are + // "SourceIP", + // "Header", + // "Cookie". + type!: "SourceIP" | "Header" | "Cookie" + } + slowStart?: { + // Window defines the duration of the warm up period for newly + // added host. + // During slow start window, traffic sent to the newly added hosts + // will gradually increase. + // Currently only supports linear growth of traffic. For + // additional details, + // see + // https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + window!: string + } + + // Type decides the type of Load Balancer policy. + // Valid LoadBalancerType values are + // "ConsistentHash", + // "LeastRequest", + // "Random", + // "RoundRobin". 
+ type!: "ConsistentHash" | "LeastRequest" | "Random" | "RoundRobin" + } + proxyProtocol?: { + // Version of ProxyProtol + // Valid ProxyProtocolVersion values are + // "V1" + // "V2" + version!: "V1" | "V2" + } + + // Retry provides more advanced usage, allowing users to customize + // the number of retries, retry fallback strategy, and retry + // triggering conditions. + // If not set, retry will be disabled. + retry?: { + // NumRetries is the number of retries to be attempted. Defaults + // to 2. + numRetries?: int32 & int & >=0 | *2 + + // PerRetry is the retry policy to be applied per retry attempt. + perRetry?: { + // Backoff is the backoff policy to be applied per retry attempt. + // gateway uses a fully jittered exponential + // back-off algorithm for retries. For additional details, + // see + // https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + backOff?: { + // BaseInterval is the base interval between retries. + baseInterval?: string + + // MaxInterval is the maximum interval between retries. This + // parameter is optional, but must be greater than or equal to + // the base_interval if set. + // The default is 10 times the base_interval + maxInterval?: string + } + + // Timeout is the timeout per retry attempt. + timeout?: string + } + + // RetryOn specifies the retry trigger condition. + // + // If not specified, the default is to retry on + // connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + retryOn?: { + // HttpStatusCodes specifies the http status codes to be retried. + // The retriable-status-codes trigger must also be configured for + // these status codes to trigger a retry. + httpStatusCodes?: [...int & <600 & >=100] + + // Triggers specifies the retry trigger condition(Http/Grpc). 
+ triggers?: [..."5xx" | "gateway-error" | "reset" | "connect-failure" | "retriable-4xx" | "refused-stream" | "retriable-status-codes" | "cancelled" | "deadline-exceeded" | "internal" | "resource-exhausted" | "unavailable"] + } + } + + // TcpKeepalive settings associated with the upstream client + // connection. + // Disabled by default. + tcpKeepalive?: { + // The duration a connection needs to be idle before keep-alive + // probes start being sent. + // The duration format is + // Defaults to `7200s`. + idleTime?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // The duration between keep-alive probes. + // Defaults to `75s`. + interval?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // The total number of unacknowledged probes to send before + // deciding + // the connection is dead. + // Defaults to 9. + probes?: int32 + } + + // Timeout settings for the backend connections. + timeout?: { + // Timeout settings for HTTP. + http?: { + // The idle timeout for an HTTP connection. Idle time is defined + // as a period in which there are no active requests in the + // connection. + // Default: 1 hour. + connectionIdleTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // The maximum duration of an HTTP connection. + // Default: unlimited. + maxConnectionDuration?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // RequestTimeout is the time until which entire response is + // received from the upstream. + requestTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + } + tcp?: { + // The timeout for network connection establishment, including TCP + // and TLS handshakes. + // Default: 10 seconds. + connectTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + } + } + } + + // URI is the HTTPS URI to fetch the JWKS. Envoy's system trust + // bundle is used to validate the server certificate. + // If a custom trust bundle is needed, it can be specified in a + // BackendTLSConfig resource and target the BackendRefs. + uri!: strings.MaxRunes(253) & strings.MinRunes(1) + } + }] & [_, ...] 
+ } + + // OIDC defines the configuration for the OpenID Connect (OIDC) + // authentication. + oidc?: { + // The client ID to be used in the OIDC + // [Authentication + // Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). + clientID!: strings.MinRunes(1) + + // The Kubernetes secret which contains the OIDC client secret to + // be used in the + // [Authentication + // Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). + // + // This is an Opaque secret. The client secret should be stored in + // the key + // "client-secret". + clientSecret!: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is kind of the referent. For example "Secret". + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Secret" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the referenced object. When + // unspecified, the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + } + + // The optional domain to set the access and ID token cookies on. + // If not set, the cookies will default to the host of the + // request, not including the subdomains. + // If set, the cookies will be set on the specified domain and all + // subdomains. 
+ // This means that requests to any subdomain will not require + // reauthentication after users log in to the parent domain. + cookieDomain?: =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9]))*$" + + // The optional cookie name overrides to be used for Bearer and + // IdToken cookies in the + // [Authentication + // Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). + // If not specified, uses a randomly generated suffix + cookieNames?: { + // The name of the cookie used to store the AccessToken in the + // [Authentication + // Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). + // If not specified, defaults to "AccessToken-(randomly generated + // uid)" + accessToken?: string + + // The name of the cookie used to store the IdToken in the + // [Authentication + // Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). + // If not specified, defaults to "IdToken-(randomly generated + // uid)" + idToken?: string + } + + // DefaultRefreshTokenTTL is the default lifetime of the refresh + // token. + // This field is only used when the exp (expiration time) claim is + // omitted in + // the refresh token or the refresh token is not JWT. + // + // If not specified, defaults to 604800s (one week). + // Note: this field is only applicable when the "refreshToken" + // field is set to true. + defaultRefreshTokenTTL?: string + + // DefaultTokenTTL is the default lifetime of the id token and + // access token. + // Please note that Envoy will always use the expiry time from the + // response + // of the authorization server if it is provided. This field is + // only used when + // the expiry time is not provided by the authorization. + // + // If not specified, defaults to 0. In this case, the "expires_in" + // field in + // the authorization response must be set by the authorization + // server, or the + // OAuth flow will fail. 
+ defaultTokenTTL?: string + + // ForwardAccessToken indicates whether the Envoy should forward + // the access token + // via the Authorization header Bearer scheme to the upstream. + // If not specified, defaults to false. + forwardAccessToken?: bool + + // The path to log a user out, clearing their credential cookies. + // + // If not specified, uses a default logout path "/logout" + logoutPath?: string + + // The OIDC Provider configuration. + provider!: { + // The OIDC Provider's [authorization + // endpoint](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint). + // If not provided, EG will try to discover it from the provider's + // [Well-Known Configuration + // Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). + authorizationEndpoint?: string + + // BackendRef references a Kubernetes object that represents the + // backend server to which the authorization request will be sent. + // + // Deprecated: Use BackendRefs instead. + backendRef?: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. 
+ // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. + // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. + port?: uint16 & >=1 + } + + // BackendRefs references a Kubernetes object that represents the + // backend server to which the authorization request will be sent. + backendRefs?: list.MaxItems(16) & [...{ + // Fallback indicates whether the backend is designated as a + // fallback. + // Multiple fallback backends can be configured. + // It is highly recommended to configure active or passive health + // checks to ensure that failover can be detected + // when the active backends become unhealthy and to automatically + // readjust once the primary backends are healthy again. + // The overprovisioning factor is set to 1.4, meaning the fallback + // backends will only start receiving traffic when + // the health of the active backends falls below 72%. 
+ fallback?: bool + + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. + // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. + // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. 
+ // For other resources, destination port might be derived from the + // referent + // resource or this field. + port?: uint16 & >=1 + }] + + // BackendSettings holds configuration for managing the connection + // to the backend. + backendSettings?: { + // Circuit Breaker settings for the upstream connections and + // requests. + // If not set, circuit breakers will be enabled with the default + // thresholds + circuitBreaker?: { + // The maximum number of connections that Envoy will establish to + // the referenced backend defined within a xRoute rule. + maxConnections?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of parallel requests that Envoy will make to + // the referenced backend defined within a xRoute rule. + maxParallelRequests?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of parallel retries that Envoy will make to + // the referenced backend defined within a xRoute rule. + maxParallelRetries?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of pending requests that Envoy will queue to + // the referenced backend defined within a xRoute rule. + maxPendingRequests?: int64 & int & <=4294967295 & >=0 | *1024 + + // The maximum number of requests that Envoy will make over a + // single connection to the referenced backend defined within a + // xRoute rule. + // Default: unlimited. + maxRequestsPerConnection?: uint32 + } + + // Connection includes backend connection settings. + connection?: { + // BufferLimit Soft limit on size of the cluster’s connections + // read and write buffers. + // BufferLimit applies to connection streaming (maybe + // non-streaming) channel between processes, it's in user space. + // If unspecified, an implementation defined default is applied + // (32768 bytes). + // For example, 20Mi, 1Gi, 256Ki etc. + // Note: that when the suffix is not provided, the value is + // interpreted as bytes. 
+ bufferLimit?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + + // SocketBufferLimit provides configuration for the maximum buffer + // size in bytes for each socket + // to backend. + // SocketBufferLimit applies to socket streaming channel between + // TCP/IP stacks, it's in kernel space. + // For example, 20Mi, 1Gi, 256Ki etc. + // Note that when the suffix is not provided, the value is + // interpreted as bytes. + socketBufferLimit?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + } + + // DNS includes dns resolution settings. + dns?: { + // DNSRefreshRate specifies the rate at which DNS records should + // be refreshed. + // Defaults to 30 seconds. + dnsRefreshRate?: string + + // RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) + // should be respected. + // If the value is set to true, the DNS refresh rate will be set + // to the resource record’s TTL. + // Defaults to true. + respectDnsTtl?: bool + } + + // HealthCheck allows gateway to perform active health checking on + // backends. + healthCheck?: { + // Active health check configuration + active?: { + grpc?: { + // Service to send in the health check request. + // If this is not specified, then the health check request applies + // to the entire + // server and not to a specific service. + service?: string + } + + // HealthyThreshold defines the number of healthy health checks + // required before a backend host is marked healthy. + healthyThreshold?: int32 & int & >=1 | *1 + + // HTTP defines the configuration of http health checker. 
+ // It's required while the health checker type is HTTP. + http?: { + // ExpectedResponse defines a list of HTTP expected responses to + // match. + expectedResponse?: { + // Binary payload base64 encoded. + binary?: string + + // Text payload in plain text. + text?: string + + // Type defines the type of the payload. + type!: matchN(2, ["Text" | "Binary", "Text" | "Binary"]) + } + + // ExpectedStatuses defines a list of HTTP response statuses + // considered healthy. + // Defaults to 200 only + expectedStatuses?: [...int & <600 & >=100] + + // Method defines the HTTP method used for health checking. + // Defaults to GET + method?: string + + // Path defines the HTTP path that will be requested during health + // checking. + path!: strings.MaxRunes(1024) & strings.MinRunes(1) + } + + // Interval defines the time between active health checks. + interval?: string | *"3s" + + // TCP defines the configuration of tcp health checker. + // It's required while the health checker type is TCP. + tcp?: { + // Receive defines the expected response payload. + receive?: { + // Binary payload base64 encoded. + binary?: string + + // Text payload in plain text. + text?: string + + // Type defines the type of the payload. + type!: matchN(2, ["Text" | "Binary", "Text" | "Binary"]) + } + + // Send defines the request payload. + send?: { + // Binary payload base64 encoded. + binary?: string + + // Text payload in plain text. + text?: string + + // Type defines the type of the payload. + type!: matchN(2, ["Text" | "Binary", "Text" | "Binary"]) + } + } + + // Timeout defines the time to wait for a health check response. + timeout?: string | *"1s" + + // Type defines the type of health checker. + type!: matchN(2, ["HTTP" | "TCP" | "GRPC", "HTTP" | "TCP" | "GRPC"]) + + // UnhealthyThreshold defines the number of unhealthy health + // checks required before a backend host is marked unhealthy. 
+ unhealthyThreshold?: int32 & int & >=1 | *3 + } + + // Passive passive check configuration + passive?: { + // BaseEjectionTime defines the base duration for which a host + // will be ejected on consecutive failures. + baseEjectionTime?: string | *"30s" + + // Consecutive5xxErrors sets the number of consecutive 5xx errors + // triggering ejection. + consecutive5XxErrors?: int32 & int | *5 + + // ConsecutiveGatewayErrors sets the number of consecutive gateway + // errors triggering ejection. + consecutiveGatewayErrors?: int32 & int | *0 + + // ConsecutiveLocalOriginFailures sets the number of consecutive + // local origin failures triggering ejection. + // Parameter takes effect only when + // split_external_local_origin_errors is set to true. + consecutiveLocalOriginFailures?: int32 & int | *5 + + // Interval defines the time between passive health checks. + interval?: string | *"3s" + + // MaxEjectionPercent sets the maximum percentage of hosts in a + // cluster that can be ejected. + maxEjectionPercent?: int32 & int | *10 + + // SplitExternalLocalOriginErrors enables splitting of errors + // between external and local origin. + splitExternalLocalOriginErrors?: bool | *false + } + } + + // HTTP2 provides HTTP/2 configuration for backend connections. + http2?: { + // InitialConnectionWindowSize sets the initial window size for + // HTTP/2 connections. + // If not set, the default value is 1 MiB. + initialConnectionWindowSize?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + + // InitialStreamWindowSize sets the initial window size for HTTP/2 + // streams. + // If not set, the default value is 64 KiB(64*1024). 
+ initialStreamWindowSize?: matchN(2, [null | bool | number | =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" | [...] | {}, null | bool | number | =~"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" | [...] | {}]) & matchN(>=1, [int, string]) + + // MaxConcurrentStreams sets the maximum number of concurrent + // streams allowed per connection. + // If not set, the default value is 100. + maxConcurrentStreams?: int32 & >=1 + + // OnInvalidMessage determines if Envoy will terminate the + // connection or just the offending stream in the event of HTTP + // messaging error + // It's recommended for L2 Envoy deployments to set this value to + // TerminateStream. + // https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + // Default: TerminateConnection + onInvalidMessage?: string + } + + // LoadBalancer policy to apply when routing traffic from the + // gateway to + // the backend endpoints. Defaults to `LeastRequest`. + loadBalancer?: { + // ConsistentHash defines the configuration when the load balancer + // type is + // set to ConsistentHash + consistentHash?: { + // Cookie configures the cookie hash policy when the consistent + // hash type is set to Cookie. + cookie?: { + // Additional Attributes to set for the generated cookie. + attributes?: close({ + [string]: string + }) + + // Name of the cookie to hash. + // If this cookie does not exist in the request, Envoy will + // generate a cookie and set + // the TTL on the response back to the client based on Layer 4 + // attributes of the backend endpoint, to ensure that these future + // requests + // go to the same backend endpoint. Make sure to set the TTL field + // for this case. + name!: string + + // TTL of the generated cookie if the cookie is not present. This + // value sets the + // Max-Age attribute value. + ttl?: string + } + header?: { + // Name of the header to hash. 
+ name!: string + } + + // The table size for consistent hashing, must be prime number + // limited to 5000011. + tableSize?: int64 & int & <=5000011 & >=2 | *65537 + + // ConsistentHashType defines the type of input to hash on. Valid + // Type values are + // "SourceIP", + // "Header", + // "Cookie". + type!: "SourceIP" | "Header" | "Cookie" + } + slowStart?: { + // Window defines the duration of the warm up period for newly + // added host. + // During slow start window, traffic sent to the newly added hosts + // will gradually increase. + // Currently only supports linear growth of traffic. For + // additional details, + // see + // https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + window!: string + } + + // Type decides the type of Load Balancer policy. + // Valid LoadBalancerType values are + // "ConsistentHash", + // "LeastRequest", + // "Random", + // "RoundRobin". + type!: "ConsistentHash" | "LeastRequest" | "Random" | "RoundRobin" + } + proxyProtocol?: { + // Version of ProxyProtol + // Valid ProxyProtocolVersion values are + // "V1" + // "V2" + version!: "V1" | "V2" + } + + // Retry provides more advanced usage, allowing users to customize + // the number of retries, retry fallback strategy, and retry + // triggering conditions. + // If not set, retry will be disabled. + retry?: { + // NumRetries is the number of retries to be attempted. Defaults + // to 2. + numRetries?: int32 & int & >=0 | *2 + + // PerRetry is the retry policy to be applied per retry attempt. + perRetry?: { + // Backoff is the backoff policy to be applied per retry attempt. + // gateway uses a fully jittered exponential + // back-off algorithm for retries. For additional details, + // see + // https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + backOff?: { + // BaseInterval is the base interval between retries. 
+ baseInterval?: string + + // MaxInterval is the maximum interval between retries. This + // parameter is optional, but must be greater than or equal to + // the base_interval if set. + // The default is 10 times the base_interval + maxInterval?: string + } + + // Timeout is the timeout per retry attempt. + timeout?: string + } + + // RetryOn specifies the retry trigger condition. + // + // If not specified, the default is to retry on + // connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + retryOn?: { + // HttpStatusCodes specifies the http status codes to be retried. + // The retriable-status-codes trigger must also be configured for + // these status codes to trigger a retry. + httpStatusCodes?: [...int & <600 & >=100] + + // Triggers specifies the retry trigger condition(Http/Grpc). + triggers?: [..."5xx" | "gateway-error" | "reset" | "connect-failure" | "retriable-4xx" | "refused-stream" | "retriable-status-codes" | "cancelled" | "deadline-exceeded" | "internal" | "resource-exhausted" | "unavailable"] + } + } + + // TcpKeepalive settings associated with the upstream client + // connection. + // Disabled by default. + tcpKeepalive?: { + // The duration a connection needs to be idle before keep-alive + // probes start being sent. + // The duration format is + // Defaults to `7200s`. + idleTime?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // The duration between keep-alive probes. + // Defaults to `75s`. + interval?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // The total number of unacknowledged probes to send before + // deciding + // the connection is dead. + // Defaults to 9. + probes?: int32 + } + + // Timeout settings for the backend connections. + timeout?: { + // Timeout settings for HTTP. + http?: { + // The idle timeout for an HTTP connection. Idle time is defined + // as a period in which there are no active requests in the + // connection. + // Default: 1 hour. 
+ connectionIdleTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // The maximum duration of an HTTP connection. + // Default: unlimited. + maxConnectionDuration?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // RequestTimeout is the time until which entire response is + // received from the upstream. + requestTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + } + tcp?: { + // The timeout for network connection establishment, including TCP + // and TLS handshakes. + // Default: 10 seconds. + connectTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + } + } + } + + // The OIDC Provider's [issuer + // identifier](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery). + // Issuer MUST be a URI RFC 3986 [RFC3986] with a scheme component + // that MUST + // be https, a host component, and optionally, port and path + // components and + // no query or fragment components. + issuer!: strings.MinRunes(1) + + // The OIDC Provider's [token + // endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint). + // If not provided, EG will try to discover it from the provider's + // [Well-Known Configuration + // Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). + tokenEndpoint?: string + } + + // The redirect URL to be used in the OIDC + // [Authentication + // Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). + // If not specified, uses the default redirect URI + // "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback" + redirectURL?: string + + // RefreshToken indicates whether the Envoy should automatically + // refresh the + // id token and access token when they expire. + // When set to true, the Envoy will use the refresh token to get a + // new id token + // and access token when they expire. + // + // If not specified, defaults to false. 
+ refreshToken?: bool + + // The OIDC resources to be used in the + // [Authentication + // Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). + resources?: [...string] + + // The OIDC scopes to be used in the + // [Authentication + // Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). + // The "openid" scope is always added to the list of scopes if not + // already + // specified. + scopes?: [...string] + } + + // TargetRef is the name of the resource this policy is being + // attached to. + // This policy and the TargetRef MUST be in the same namespace for + // this + // Policy to have effect + // + // Deprecated: use targetRefs/targetSelectors instead + targetRef?: { + // Group is the group of the target resource. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the target resource. + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the target resource. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // SectionName is the name of a section within the target + // resource. When + // unspecified, this targetRef targets the entire resource. In the + // following + // resources, SectionName is interpreted as the following: + // + // * Gateway: Listener name + // * HTTPRoute: HTTPRouteRule name + // * Service: Port name + // + // If a SectionName is specified, but does not exist on the + // targeted object, + // the Policy must fail to attach, and the policy implementation + // should record + // a `ResolvedRefs` or similar Condition in the Policy's status. + sectionName?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + } + + // TargetRefs are the names of the Gateway resources this policy + // is being attached to. 
+ targetRefs?: [...{ + // Group is the group of the target resource. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the target resource. + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the target resource. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // SectionName is the name of a section within the target + // resource. When + // unspecified, this targetRef targets the entire resource. In the + // following + // resources, SectionName is interpreted as the following: + // + // * Gateway: Listener name + // * HTTPRoute: HTTPRouteRule name + // * Service: Port name + // + // If a SectionName is specified, but does not exist on the + // targeted object, + // the Policy must fail to attach, and the policy implementation + // should record + // a `ResolvedRefs` or similar Condition in the Policy's status. + sectionName?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + }] + + // TargetSelectors allow targeting resources for this policy based + // on labels + targetSelectors?: [...{ + // Group is the group that this selector targets. Defaults to + // gateway.networking.k8s.io + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"gateway.networking.k8s.io" + + // Kind is the resource kind that this selector targets. + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // MatchLabels are the set of label selectors for identifying the + // targeted resource + matchLabels!: close({ + [string]: string + }) + }] +} 
diff --git a/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/backendlbpolicy/v1alpha2/types_gen.cue b/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/backendlbpolicy/v1alpha2/types_gen.cue new file mode 100644 index 000000000..074732815 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/backendlbpolicy/v1alpha2/types_gen.cue 
@@ -0,0 +1,129 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/envoyproxy/gateway/releases/download/v1.3.0/install.yaml + +package v1alpha2 + +import ( + "strings" + "list" +) + +// BackendLBPolicy provides a way to define load balancing rules +// for a backend. +#BackendLBPolicy: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "gateway.networking.k8s.io/v1alpha2" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "BackendLBPolicy" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Spec defines the desired state of BackendLBPolicy. + spec!: #BackendLBPolicySpec +} + +// Spec defines the desired state of BackendLBPolicy. +#BackendLBPolicySpec: { + // SessionPersistence defines and configures session persistence + // for the backend. + // + // Support: Extended + sessionPersistence?: { + // AbsoluteTimeout defines the absolute timeout of the persistent + // session. Once the AbsoluteTimeout duration has elapsed, the + // session becomes invalid. + // + // Support: Extended + absoluteTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + cookieConfig?: { + // LifetimeType specifies whether the cookie has a permanent or + // session-based lifetime. 
A permanent cookie persists until its + // specified expiry time, defined by the Expires or Max-Age cookie + // attributes, while a session cookie is deleted when the current + // session ends. + // + // When set to "Permanent", AbsoluteTimeout indicates the + // cookie's lifetime via the Expires or Max-Age cookie attributes + // and is required. + // + // When set to "Session", AbsoluteTimeout indicates the + // absolute lifetime of the cookie tracked by the gateway and + // is optional. + // + // Support: Core for "Session" type + // + // Support: Extended for "Permanent" type + lifetimeType?: "Permanent" | "Session" | *"Session" + } + + // IdleTimeout defines the idle timeout of the persistent session. + // Once the session has been idle for more than the specified + // IdleTimeout duration, the session becomes invalid. + // + // Support: Extended + idleTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // SessionName defines the name of the persistent session token + // which may be reflected in the cookie or the header. Users + // should avoid reusing session names to prevent unintended + // consequences, such as rejection or unpredictable behavior. + // + // Support: Implementation-specific + sessionName?: strings.MaxRunes(128) + + // Type defines the type of session persistence such as through + // the use a header or cookie. Defaults to cookie based session + // persistence. + // + // Support: Core for "Cookie" type + // + // Support: Extended for "Header" type + type?: "Cookie" | "Header" | *"Cookie" + } + + // TargetRef identifies an API object to apply policy to. + // Currently, Backends (i.e. Service, ServiceImport, or any + // implementation-specific backendRef) are the only valid API + // target references. + targetRefs!: list.MaxItems(16) & [...{ + // Group is the group of the target resource. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the target resource. 
+ kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the target resource. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + }] & [_, ...] +} diff --git a/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/backendtlspolicy/v1alpha3/types_gen.cue b/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/backendtlspolicy/v1alpha3/types_gen.cue new file mode 100644 index 000000000..a4e48efb3 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/backendtlspolicy/v1alpha3/types_gen.cue 
@@ -0,0 +1,244 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/envoyproxy/gateway/releases/download/v1.3.0/install.yaml + +package v1alpha3 + +import ( + "strings" + "struct" + "list" +) + +// BackendTLSPolicy provides a way to configure how a Gateway +// connects to a Backend via TLS. +#BackendTLSPolicy: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "gateway.networking.k8s.io/v1alpha3" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "BackendTLSPolicy" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Spec defines the desired state of BackendTLSPolicy. + spec!: #BackendTLSPolicySpec +} + +// Spec defines the desired state of BackendTLSPolicy. +#BackendTLSPolicySpec: { + // Options are a list of key/value pairs to enable extended TLS + // configuration for each implementation. For example, configuring + // the + // minimum TLS version or supported cipher suites. + // + // A set of common keys MAY be defined by the API in the future. + // To avoid + // any ambiguity, implementation-specific definitions MUST use + // domain-prefixed names, such as `example.com/my-custom-option`. 
+ // Un-prefixed names are reserved for key names defined by Gateway + // API. + // + // Support: Implementation-specific + options?: close({ + [string]: strings.MaxRunes(4096) & strings.MinRunes(0) + }) & struct.MaxFields(16) + + // TargetRefs identifies an API object to apply the policy to. + // Only Services have Extended support. Implementations MAY + // support + // additional objects, with Implementation Specific support. + // Note that this config applies to the entire referenced resource + // by default, but this default may change in the future to + // provide + // a more granular application of the policy. + // + // Support: Extended for Kubernetes Service + // + // Support: Implementation-specific for any other resource + targetRefs!: list.MaxItems(16) & [...{ + // Group is the group of the target resource. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the target resource. + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the target resource. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // SectionName is the name of a section within the target + // resource. When + // unspecified, this targetRef targets the entire resource. In the + // following + // resources, SectionName is interpreted as the following: + // + // * Gateway: Listener name + // * HTTPRoute: HTTPRouteRule name + // * Service: Port name + // + // If a SectionName is specified, but does not exist on the + // targeted object, + // the Policy must fail to attach, and the policy implementation + // should record + // a `ResolvedRefs` or similar Condition in the Policy's status. + sectionName?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + }] & [_, ...] + + // Validation contains backend TLS validation configuration. 
+ validation!: { + // CACertificateRefs contains one or more references to Kubernetes + // objects that + // contain a PEM-encoded TLS CA certificate bundle, which is used + // to + // validate a TLS handshake between the Gateway and backend Pod. + // + // If CACertificateRefs is empty or unspecified, then + // WellKnownCACertificates must be + // specified. Only one of CACertificateRefs or + // WellKnownCACertificates may be specified, + // not both. If CACertifcateRefs is empty or unspecified, the + // configuration for + // WellKnownCACertificates MUST be honored instead if supported by + // the implementation. + // + // References to a resource in a different namespace are invalid + // for the + // moment, although we will revisit this in the future. + // + // A single CACertificateRef to a Kubernetes ConfigMap kind has + // "Core" support. + // Implementations MAY choose to support attaching multiple + // certificates to + // a backend, but this behavior is implementation-specific. + // + // Support: Core - An optional single reference to a Kubernetes + // ConfigMap, + // with the CA certificate in a key named `ca.crt`. + // + // Support: Implementation-specific (More than one reference, or + // other kinds + // of resources). + caCertificateRefs?: list.MaxItems(8) & [...{ + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the referent. For example "HTTPRoute" or + // "Service". + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + }] + + // Hostname is used for two purposes in the connection between + // Gateways and + // backends: + // + // 1. 
Hostname MUST be used as the SNI to connect to the backend + // (RFC 6066). + // 2. If SubjectAltNames is not specified, Hostname MUST be used + // for + // authentication and MUST match the certificate served by the + // matching + // backend. + // + // Support: Core + hostname!: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // SubjectAltNames contains one or more Subject Alternative Names. + // When specified, the certificate served from the backend MUST + // have at least one + // Subject Alternate Name matching one of the specified + // SubjectAltNames. + // + // Support: Core + subjectAltNames?: list.MaxItems(5) & [...{ + // Hostname contains Subject Alternative Name specified in DNS + // name format. + // Required when Type is set to Hostname, ignored otherwise. + // + // Support: Core + hostname?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^(\\*\\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Type determines the format of the Subject Alternative Name. + // Always required. + // + // Support: Core + type!: "Hostname" | "URI" + + // URI contains Subject Alternative Name specified in a full URI + // format. + // It MUST include both a scheme (e.g., "http" or "ftp") and a + // scheme-specific-part. + // Common values include SPIFFE IDs like + // "spiffe://mycluster.example.com/ns/myns/sa/svc1sa". + // Required when Type is set to URI, ignored otherwise. + // + // Support: Core + uri?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\\?([^#]*))?(#(.*))?" + } + }] + + // WellKnownCACertificates specifies whether system CA + // certificates may be used in + // the TLS handshake between the gateway and backend pod. + // + // If WellKnownCACertificates is unspecified or empty (""), then + // CACertificateRefs + // must be specified with at least one entry for a valid + // configuration. 
Only one of + // CACertificateRefs or WellKnownCACertificates may be specified, + // not both. If an + // implementation does not support the WellKnownCACertificates + // field or the value + // supplied is not supported, the Status Conditions on the Policy + // MUST be + // updated to include an Accepted: False Condition with Reason: + // Invalid. + // + // Support: Implementation-specific + wellKnownCACertificates?: "System" + } +} diff --git a/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/gateway/v1/types_gen.cue b/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/gateway/v1/types_gen.cue new file mode 100644 index 000000000..d128f3f58 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/gateway/v1/types_gen.cue 
@@ -0,0 +1,794 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/envoyproxy/gateway/releases/download/v1.3.0/install.yaml + +package v1 + +import ( + "strings" + "list" + "struct" +) + +// Gateway represents an instance of a service-traffic handling +// infrastructure +// by binding Listeners to a set of IP addresses. +#Gateway: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "gateway.networking.k8s.io/v1" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "Gateway" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Spec defines the desired state of Gateway. + spec!: #GatewaySpec +} + +// Spec defines the desired state of Gateway. +#GatewaySpec: { + // Addresses requested for this Gateway. This is optional and + // behavior can + // depend on the implementation. If a value is set in the spec and + // the + // requested address is invalid or unavailable, the implementation + // MUST + // indicate this in the associated entry in + // GatewayStatus.Addresses. + // + // The Addresses field represents a request for the address(es) on + // the + // "outside of the Gateway", that traffic bound for this Gateway + // will use. 
+ // This could be the IP address or hostname of an external load + // balancer or + // other networking infrastructure, or some other address that + // traffic will + // be sent to. + // + // If no Addresses are specified, the implementation MAY schedule + // the + // Gateway in an implementation-specific manner, assigning an + // appropriate + // set of Addresses. + // + // The implementation MUST bind all Listeners to every + // GatewayAddress that + // it assigns to the Gateway and add a corresponding entry in + // GatewayStatus.Addresses. + // + // Support: Extended + addresses?: list.MaxItems(16) & [...matchN(1, [{ + type?: "IPAddress" + value?: matchN(>=1, [_, _]) + }, { + type?: matchN(0, ["IPAddress"]) + }]) & { + // Type of the address. + type?: strings.MaxRunes(253) & strings.MinRunes(1) & =~"^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\\/[A-Za-z0-9\\/\\-._~%!$&'()*+,;=:]+$" | *"IPAddress" + + // Value of the address. The validity of the values will depend + // on the type and support by the controller. + // + // Examples: `1.2.3.4`, `128::1`, `my-ip-address`. + value!: strings.MaxRunes(253) & strings.MinRunes(1) + }] + backendTLS?: { + // ClientCertificateRef is a reference to an object that contains + // a Client + // Certificate and the associated private key. + // + // References to a resource in different namespace are invalid + // UNLESS there + // is a ReferenceGrant in the target namespace that allows the + // certificate + // to be attached. If a ReferenceGrant does not allow this + // reference, the + // "ResolvedRefs" condition MUST be set to False for this listener + // with the + // "RefNotPermitted" reason. + // + // ClientCertificateRef can reference to standard Kubernetes + // resources, i.e. + // Secret, or implementation-specific custom resources. + // + // This setting can be overridden on the service level by use of + // BackendTLSPolicy. 
+ // + // Support: Core + clientCertificateRef?: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is kind of the referent. For example "Secret". + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Secret" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the referenced object. When + // unspecified, the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + } + } + + // GatewayClassName used for this Gateway. This is the name of a + // GatewayClass resource. + gatewayClassName!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Infrastructure defines infrastructure level attributes about + // this Gateway instance. + // + // Support: Extended + infrastructure?: { + // Annotations that SHOULD be applied to any resources created in + // response to this Gateway. + // + // For implementations creating other Kubernetes objects, this + // should be the `metadata.annotations` field on resources. + // For other implementations, this refers to any relevant + // (implementation specific) "annotations" concepts. + // + // An implementation may chose to add additional + // implementation-specific annotations as they see fit. 
+ // + // Support: Extended + annotations?: close({ + [string]: strings.MaxRunes(4096) & strings.MinRunes(0) + }) & struct.MaxFields(8) + + // Labels that SHOULD be applied to any resources created in + // response to this Gateway. + // + // For implementations creating other Kubernetes objects, this + // should be the `metadata.labels` field on resources. + // For other implementations, this refers to any relevant + // (implementation specific) "labels" concepts. + // + // An implementation may chose to add additional + // implementation-specific labels as they see fit. + // + // If an implementation maps these labels to Pods, or any other + // resource that would need to be recreated when labels + // change, it SHOULD clearly warn about this behavior in + // documentation. + // + // Support: Extended + labels?: close({ + [string]: strings.MaxRunes(63) & strings.MinRunes(0) & =~"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + }) & struct.MaxFields(8) + + // ParametersRef is a reference to a resource that contains the + // configuration + // parameters corresponding to the Gateway. This is optional if + // the + // controller does not require any additional configuration. + // + // This follows the same semantics as GatewayClass's + // `parametersRef`, but on a per-Gateway basis + // + // The Gateway's GatewayClass may provide its own `parametersRef`. + // When both are specified, + // the merging behavior is implementation specific. + // It is generally recommended that GatewayClass provides defaults + // that can be overridden by a Gateway. + // + // Support: Implementation-specific + parametersRef?: { + // Group is the group of the referent. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the referent. + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the referent. 
+ name!: strings.MaxRunes(253) & strings.MinRunes(1) + } + } + + // Listeners associated with this Gateway. Listeners define + // logical endpoints that are bound on this Gateway's addresses. + // At least one Listener MUST be specified. + // + // Each Listener in a set of Listeners (for example, in a single + // Gateway) + // MUST be _distinct_, in that a traffic flow MUST be able to be + // assigned to + // exactly one listener. (This section uses "set of Listeners" + // rather than + // "Listeners in a single Gateway" because implementations MAY + // merge configuration + // from multiple Gateways onto a single data plane, and these + // rules _also_ + // apply in that case). + // + // Practically, this means that each listener in a set MUST have a + // unique + // combination of Port, Protocol, and, if supported by the + // protocol, Hostname. + // + // Some combinations of port, protocol, and TLS settings are + // considered + // Core support and MUST be supported by implementations based on + // their + // targeted conformance profile: + // + // HTTP Profile + // + // 1. HTTPRoute, Port: 80, Protocol: HTTP + // 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, + // TLS keypair provided + // + // TLS Profile + // + // 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough + // + // "Distinct" Listeners have the following property: + // + // The implementation can match inbound requests to a single + // distinct + // Listener. When multiple Listeners share values for fields (for + // example, two Listeners with the same Port value), the + // implementation + // can match requests to only one of the Listeners using other + // Listener fields. + // + // For example, the following Listener scenarios are distinct: + // + // 1. Multiple Listeners with the same Port that all use the + // "HTTP" + // Protocol that all have unique Hostname values. + // 2. 
Multiple Listeners with the same Port that use either the + // "HTTPS" or + // "TLS" Protocol that all have unique Hostname values. + // 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no + // Listener + // with the same Protocol has the same Port value. + // + // Some fields in the Listener struct have possible values that + // affect + // whether the Listener is distinct. Hostname is particularly + // relevant + // for HTTP or HTTPS protocols. + // + // When using the Hostname value to select between same-Port, + // same-Protocol + // Listeners, the Hostname value must be different on each + // Listener for the + // Listener to be distinct. + // + // When the Listeners are distinct based on Hostname, inbound + // request + // hostnames MUST match from the most specific to least specific + // Hostname + // values to choose the correct Listener and its associated set of + // Routes. + // + // Exact matches must be processed before wildcard matches, and + // wildcard + // matches must be processed before fallback (empty Hostname + // value) + // matches. For example, `"foo.example.com"` takes precedence over + // `"*.example.com"`, and `"*.example.com"` takes precedence over + // `""`. + // + // Additionally, if there are multiple wildcard entries, more + // specific + // wildcard entries must be processed before less specific + // wildcard entries. + // For example, `"*.foo.example.com"` takes precedence over + // `"*.example.com"`. + // The precise definition here is that the higher the number of + // dots in the + // hostname to the right of the wildcard character, the higher the + // precedence. + // + // The wildcard character will match any number of characters _and + // dots_ to + // the left, however, so `"*.example.com"` will match both + // `"foo.bar.example.com"` _and_ `"bar.example.com"`. 
+ // + // If a set of Listeners contains Listeners that are not distinct, + // then those + // Listeners are Conflicted, and the implementation MUST set the + // "Conflicted" + // condition in the Listener Status to "True". + // + // Implementations MAY choose to accept a Gateway with some + // Conflicted + // Listeners only if they only accept the partial Listener set + // that contains + // no Conflicted Listeners. To put this another way, + // implementations may + // accept a partial Listener set only if they throw out *all* the + // conflicting + // Listeners. No picking one of the conflicting listeners as the + // winner. + // This also means that the Gateway must have at least one + // non-conflicting + // Listener in this case, otherwise it violates the requirement + // that at + // least one Listener must be present. + // + // The implementation MUST set a "ListenersNotValid" condition on + // the + // Gateway Status when the Gateway contains Conflicted Listeners + // whether or + // not they accept the Gateway. That Condition SHOULD clearly + // indicate in the Message which Listeners are conflicted, and + // which are + // Accepted. Additionally, the Listener status for those listeners + // SHOULD + // indicate which Listeners are conflicted and not Accepted. + // + // A Gateway's Listeners are considered "compatible" if: + // + // 1. They are distinct. + // 2. The implementation can serve them in compliance with the + // Addresses + // requirement that all Listeners are available on all assigned + // addresses. + // + // Compatible combinations in Extended support are expected to + // vary across + // implementations. A combination that is compatible for one + // implementation + // may not be compatible for another. 
+ // + // For example, an implementation that cannot serve both TCP and + // UDP listeners + // on the same address, or cannot mix HTTPS and generic TLS + // listens on the same port + // would not consider those cases compatible, even though they are + // distinct. + // + // Note that requests SHOULD match at most one Listener. For + // example, if + // Listeners are defined for "foo.example.com" and + // "*.example.com", a + // request to "foo.example.com" SHOULD only be routed using routes + // attached + // to the "foo.example.com" Listener (and not the "*.example.com" + // Listener). + // This concept is known as "Listener Isolation". Implementations + // that do + // not support Listener Isolation MUST clearly document this. + // + // Implementations MAY merge separate Gateways onto a single set + // of + // Addresses if all Listeners across all Gateways are compatible. + // + // Support: Core + listeners!: list.MaxItems(64) & [...{ + // AllowedRoutes defines the types of routes that MAY be attached + // to a + // Listener and the trusted namespaces where those Route resources + // MAY be + // present. + // + // Although a client request may match multiple route rules, only + // one rule + // may ultimately receive the request. Matching precedence MUST be + // determined in order of the following criteria: + // + // * The most specific match as defined by the Route type. + // * The oldest Route based on creation timestamp. For example, a + // Route with + // a creation timestamp of "2020-09-08 01:02:03" is given + // precedence over + // a Route with a creation timestamp of "2020-09-08 01:02:04". + // * If everything else is equivalent, the Route appearing first + // in + // alphabetical order (namespace/name) should be given precedence. + // For + // example, foo/bar is given precedence over foo/baz. + // + // All valid rules within a Route attached to this Listener should + // be + // implemented. 
Invalid Route rules can be ignored (sometimes that + // will mean + // the full Route). If a Route rule transitions from valid to + // invalid, + // support for that Route rule should be dropped to ensure + // consistency. For + // example, even if a filter specified by a Route rule is invalid, + // the rest + // of the rules within that Route should still be supported. + // + // Support: Core + allowedRoutes?: { + // Kinds specifies the groups and kinds of Routes that are allowed + // to bind + // to this Gateway Listener. When unspecified or empty, the kinds + // of Routes + // selected are determined using the Listener protocol. + // + // A RouteGroupKind MUST correspond to kinds of Routes that are + // compatible + // with the application protocol specified in the Listener's + // Protocol field. + // If an implementation does not support or recognize this + // resource type, it + // MUST set the "ResolvedRefs" condition to False for this + // Listener with the + // "InvalidRouteKinds" reason. + // + // Support: Core + kinds?: list.MaxItems(8) & [...{ + // Group is the group of the Route. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"gateway.networking.k8s.io" + + // Kind is the kind of the Route. + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + }] + + // Namespaces indicates namespaces from which Routes may be + // attached to this + // Listener. This is restricted to the namespace of this Gateway + // by default. + // + // Support: Core + namespaces?: { + // From indicates where Routes will be selected for this Gateway. + // Possible + // values are: + // + // * All: Routes in all namespaces may be used by this Gateway. + // * Selector: Routes in namespaces selected by the selector may + // be used by + // this Gateway. + // * Same: Only Routes in the same namespace may be used by this + // Gateway. 
+ // + // Support: Core + from?: "All" | "Selector" | "Same" | *"Same" + + // Selector must be specified when From is set to "Selector". In + // that case, + // only Routes in Namespaces matching this Selector will be + // selected by this + // Gateway. This field is ignored for other values of "From". + // + // Support: Core + selector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + } | *{ + from: "Same" + } + } | *{ + namespaces: { + from: "Same" + } + } + + // Hostname specifies the virtual hostname to match for protocol + // types that + // define this concept. When unspecified, all hostnames are + // matched. This + // field is ignored for protocols that don't require hostname + // based + // matching. + // + // Implementations MUST apply Hostname matching appropriately for + // each of + // the following protocols: + // + // * TLS: The Listener Hostname MUST match the SNI. + // * HTTP: The Listener Hostname MUST match the Host header of the + // request. 
+ // * HTTPS: The Listener Hostname SHOULD match at both the TLS and + // HTTP + // protocol layers as described above. If an implementation does + // not + // ensure that both the SNI and Host header match the Listener + // hostname, + // it MUST clearly document that. + // + // For HTTPRoute and TLSRoute resources, there is an interaction + // with the + // `spec.hostnames` array. When both listener and route specify + // hostnames, + // there MUST be an intersection between the values for a Route to + // be + // accepted. For more information, refer to the Route specific + // Hostnames + // documentation. + // + // Hostnames that are prefixed with a wildcard label (`*.`) are + // interpreted + // as a suffix match. That means that a match for `*.example.com` + // would match + // both `test.example.com`, and `foo.test.example.com`, but not + // `example.com`. + // + // Support: Core + hostname?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^(\\*\\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Name is the name of the Listener. This name MUST be unique + // within a + // Gateway. + // + // Support: Core + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Port is the network port. Multiple listeners may use the + // same port, subject to the Listener compatibility rules. + // + // Support: Core + port!: uint16 & >=1 + + // Protocol specifies the network protocol this listener expects + // to receive. + // + // Support: Core + protocol!: strings.MaxRunes(255) & strings.MinRunes(1) & { + =~"^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\\/[A-Za-z0-9]+$" + } + + // TLS is the TLS configuration for the Listener. This field is + // required if + // the Protocol field is "HTTPS" or "TLS". It is invalid to set + // this field + // if the Protocol field is "HTTP", "TCP", or "UDP". 
+ // + // The association of SNIs to Certificate defined in + // GatewayTLSConfig is + // defined based on the Hostname field for this listener. + // + // The GatewayClass MUST use the longest matching SNI out of all + // available certificates for any TLS handshake. + // + // Support: Core + tls?: { + // CertificateRefs contains a series of references to Kubernetes + // objects that + // contains TLS certificates and private keys. These certificates + // are used to + // establish a TLS handshake for requests that match the hostname + // of the + // associated listener. + // + // A single CertificateRef to a Kubernetes Secret has "Core" + // support. + // Implementations MAY choose to support attaching multiple + // certificates to + // a Listener, but this behavior is implementation-specific. + // + // References to a resource in different namespace are invalid + // UNLESS there + // is a ReferenceGrant in the target namespace that allows the + // certificate + // to be attached. If a ReferenceGrant does not allow this + // reference, the + // "ResolvedRefs" condition MUST be set to False for this listener + // with the + // "RefNotPermitted" reason. + // + // This field is required to have at least one element when the + // mode is set + // to "Terminate" (default) and is optional otherwise. + // + // CertificateRefs can reference to standard Kubernetes resources, + // i.e. + // Secret, or implementation-specific custom resources. + // + // Support: Core - A single reference to a Kubernetes Secret of + // type kubernetes.io/tls + // + // Support: Implementation-specific (More than one reference or + // other resource types) + certificateRefs?: list.MaxItems(64) & [...{ + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. 
+ group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is kind of the referent. For example "Secret". + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Secret" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the referenced object. When + // unspecified, the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + }] + frontendValidation?: { + // CACertificateRefs contains one or more references to + // Kubernetes objects that contain TLS certificates of + // the Certificate Authorities that can be used + // as a trust anchor to validate the certificates presented by the + // client. + // + // A single CA certificate reference to a Kubernetes ConfigMap + // has "Core" support. + // Implementations MAY choose to support attaching multiple CA + // certificates to + // a Listener, but this behavior is implementation-specific. + // + // Support: Core - A single reference to a Kubernetes ConfigMap + // with the CA certificate in a key named `ca.crt`. + // + // Support: Implementation-specific (More than one reference, or + // other kinds + // of resources). + // + // References to a resource in a different namespace are invalid + // UNLESS there + // is a ReferenceGrant in the target namespace that allows the + // certificate + // to be attached. 
If a ReferenceGrant does not allow this + // reference, the + // "ResolvedRefs" condition MUST be set to False for this listener + // with the + // "RefNotPermitted" reason. + caCertificateRefs?: list.MaxItems(8) & [...{ + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the referent. For example "ConfigMap" or + // "Service". + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the referenced object. When + // unspecified, the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + }] & [_, ...] + } + + // Mode defines the TLS behavior for the TLS session initiated by + // the client. + // There are two possible modes: + // + // - Terminate: The TLS session between the downstream client and + // the + // Gateway is terminated at the Gateway. This mode requires + // certificates + // to be specified in some way, such as populating the + // certificateRefs + // field. + // - Passthrough: The TLS session is NOT terminated by the + // Gateway. This + // implies that the Gateway can't decipher the TLS stream except + // for + // the ClientHello message of the TLS protocol. The + // certificateRefs field + // is ignored in this mode. 
+ // + // Support: Core + mode?: "Terminate" | "Passthrough" | *"Terminate" + + // Options are a list of key/value pairs to enable extended TLS + // configuration for each implementation. For example, configuring + // the + // minimum TLS version or supported cipher suites. + // + // A set of common keys MAY be defined by the API in the future. + // To avoid + // any ambiguity, implementation-specific definitions MUST use + // domain-prefixed names, such as `example.com/my-custom-option`. + // Un-prefixed names are reserved for key names defined by Gateway + // API. + // + // Support: Implementation-specific + options?: close({ + [string]: strings.MaxRunes(4096) & strings.MinRunes(0) + }) & struct.MaxFields(16) + } + }] & [_, ...] +} diff --git a/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/gateway/v1beta1/types_gen.cue b/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/gateway/v1beta1/types_gen.cue new file mode 100644 index 000000000..5326dbdc9 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/gateway/v1beta1/types_gen.cue 
@@ -0,0 +1,794 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/envoyproxy/gateway/releases/download/v1.3.0/install.yaml + +package v1beta1 + +import ( + "strings" + "list" + "struct" +) + +// Gateway represents an instance of a service-traffic handling +// infrastructure +// by binding Listeners to a set of IP addresses. +#Gateway: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "gateway.networking.k8s.io/v1beta1" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "Gateway" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Spec defines the desired state of Gateway. + spec!: #GatewaySpec +} + +// Spec defines the desired state of Gateway. +#GatewaySpec: { + // Addresses requested for this Gateway. This is optional and + // behavior can + // depend on the implementation. If a value is set in the spec and + // the + // requested address is invalid or unavailable, the implementation + // MUST + // indicate this in the associated entry in + // GatewayStatus.Addresses. + // + // The Addresses field represents a request for the address(es) on + // the + // "outside of the Gateway", that traffic bound for this Gateway + // will use. 
+ // This could be the IP address or hostname of an external load + // balancer or + // other networking infrastructure, or some other address that + // traffic will + // be sent to. + // + // If no Addresses are specified, the implementation MAY schedule + // the + // Gateway in an implementation-specific manner, assigning an + // appropriate + // set of Addresses. + // + // The implementation MUST bind all Listeners to every + // GatewayAddress that + // it assigns to the Gateway and add a corresponding entry in + // GatewayStatus.Addresses. + // + // Support: Extended + addresses?: list.MaxItems(16) & [...matchN(1, [{ + type?: "IPAddress" + value?: matchN(>=1, [_, _]) + }, { + type?: matchN(0, ["IPAddress"]) + }]) & { + // Type of the address. + type?: strings.MaxRunes(253) & strings.MinRunes(1) & =~"^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\\/[A-Za-z0-9\\/\\-._~%!$&'()*+,;=:]+$" | *"IPAddress" + + // Value of the address. The validity of the values will depend + // on the type and support by the controller. + // + // Examples: `1.2.3.4`, `128::1`, `my-ip-address`. + value!: strings.MaxRunes(253) & strings.MinRunes(1) + }] + backendTLS?: { + // ClientCertificateRef is a reference to an object that contains + // a Client + // Certificate and the associated private key. + // + // References to a resource in different namespace are invalid + // UNLESS there + // is a ReferenceGrant in the target namespace that allows the + // certificate + // to be attached. If a ReferenceGrant does not allow this + // reference, the + // "ResolvedRefs" condition MUST be set to False for this listener + // with the + // "RefNotPermitted" reason. + // + // ClientCertificateRef can reference to standard Kubernetes + // resources, i.e. + // Secret, or implementation-specific custom resources. + // + // This setting can be overridden on the service level by use of + // BackendTLSPolicy. 
+ // + // Support: Core + clientCertificateRef?: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is kind of the referent. For example "Secret". + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Secret" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the referenced object. When + // unspecified, the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + } + } + + // GatewayClassName used for this Gateway. This is the name of a + // GatewayClass resource. + gatewayClassName!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Infrastructure defines infrastructure level attributes about + // this Gateway instance. + // + // Support: Extended + infrastructure?: { + // Annotations that SHOULD be applied to any resources created in + // response to this Gateway. + // + // For implementations creating other Kubernetes objects, this + // should be the `metadata.annotations` field on resources. + // For other implementations, this refers to any relevant + // (implementation specific) "annotations" concepts. + // + // An implementation may chose to add additional + // implementation-specific annotations as they see fit. 
+ // + // Support: Extended + annotations?: close({ + [string]: strings.MaxRunes(4096) & strings.MinRunes(0) + }) & struct.MaxFields(8) + + // Labels that SHOULD be applied to any resources created in + // response to this Gateway. + // + // For implementations creating other Kubernetes objects, this + // should be the `metadata.labels` field on resources. + // For other implementations, this refers to any relevant + // (implementation specific) "labels" concepts. + // + // An implementation may chose to add additional + // implementation-specific labels as they see fit. + // + // If an implementation maps these labels to Pods, or any other + // resource that would need to be recreated when labels + // change, it SHOULD clearly warn about this behavior in + // documentation. + // + // Support: Extended + labels?: close({ + [string]: strings.MaxRunes(63) & strings.MinRunes(0) & =~"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + }) & struct.MaxFields(8) + + // ParametersRef is a reference to a resource that contains the + // configuration + // parameters corresponding to the Gateway. This is optional if + // the + // controller does not require any additional configuration. + // + // This follows the same semantics as GatewayClass's + // `parametersRef`, but on a per-Gateway basis + // + // The Gateway's GatewayClass may provide its own `parametersRef`. + // When both are specified, + // the merging behavior is implementation specific. + // It is generally recommended that GatewayClass provides defaults + // that can be overridden by a Gateway. + // + // Support: Implementation-specific + parametersRef?: { + // Group is the group of the referent. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the referent. + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the referent. 
+ name!: strings.MaxRunes(253) & strings.MinRunes(1) + } + } + + // Listeners associated with this Gateway. Listeners define + // logical endpoints that are bound on this Gateway's addresses. + // At least one Listener MUST be specified. + // + // Each Listener in a set of Listeners (for example, in a single + // Gateway) + // MUST be _distinct_, in that a traffic flow MUST be able to be + // assigned to + // exactly one listener. (This section uses "set of Listeners" + // rather than + // "Listeners in a single Gateway" because implementations MAY + // merge configuration + // from multiple Gateways onto a single data plane, and these + // rules _also_ + // apply in that case). + // + // Practically, this means that each listener in a set MUST have a + // unique + // combination of Port, Protocol, and, if supported by the + // protocol, Hostname. + // + // Some combinations of port, protocol, and TLS settings are + // considered + // Core support and MUST be supported by implementations based on + // their + // targeted conformance profile: + // + // HTTP Profile + // + // 1. HTTPRoute, Port: 80, Protocol: HTTP + // 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, + // TLS keypair provided + // + // TLS Profile + // + // 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough + // + // "Distinct" Listeners have the following property: + // + // The implementation can match inbound requests to a single + // distinct + // Listener. When multiple Listeners share values for fields (for + // example, two Listeners with the same Port value), the + // implementation + // can match requests to only one of the Listeners using other + // Listener fields. + // + // For example, the following Listener scenarios are distinct: + // + // 1. Multiple Listeners with the same Port that all use the + // "HTTP" + // Protocol that all have unique Hostname values. + // 2. 
Multiple Listeners with the same Port that use either the + // "HTTPS" or + // "TLS" Protocol that all have unique Hostname values. + // 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no + // Listener + // with the same Protocol has the same Port value. + // + // Some fields in the Listener struct have possible values that + // affect + // whether the Listener is distinct. Hostname is particularly + // relevant + // for HTTP or HTTPS protocols. + // + // When using the Hostname value to select between same-Port, + // same-Protocol + // Listeners, the Hostname value must be different on each + // Listener for the + // Listener to be distinct. + // + // When the Listeners are distinct based on Hostname, inbound + // request + // hostnames MUST match from the most specific to least specific + // Hostname + // values to choose the correct Listener and its associated set of + // Routes. + // + // Exact matches must be processed before wildcard matches, and + // wildcard + // matches must be processed before fallback (empty Hostname + // value) + // matches. For example, `"foo.example.com"` takes precedence over + // `"*.example.com"`, and `"*.example.com"` takes precedence over + // `""`. + // + // Additionally, if there are multiple wildcard entries, more + // specific + // wildcard entries must be processed before less specific + // wildcard entries. + // For example, `"*.foo.example.com"` takes precedence over + // `"*.example.com"`. + // The precise definition here is that the higher the number of + // dots in the + // hostname to the right of the wildcard character, the higher the + // precedence. + // + // The wildcard character will match any number of characters _and + // dots_ to + // the left, however, so `"*.example.com"` will match both + // `"foo.bar.example.com"` _and_ `"bar.example.com"`. 
+ // + // If a set of Listeners contains Listeners that are not distinct, + // then those + // Listeners are Conflicted, and the implementation MUST set the + // "Conflicted" + // condition in the Listener Status to "True". + // + // Implementations MAY choose to accept a Gateway with some + // Conflicted + // Listeners only if they only accept the partial Listener set + // that contains + // no Conflicted Listeners. To put this another way, + // implementations may + // accept a partial Listener set only if they throw out *all* the + // conflicting + // Listeners. No picking one of the conflicting listeners as the + // winner. + // This also means that the Gateway must have at least one + // non-conflicting + // Listener in this case, otherwise it violates the requirement + // that at + // least one Listener must be present. + // + // The implementation MUST set a "ListenersNotValid" condition on + // the + // Gateway Status when the Gateway contains Conflicted Listeners + // whether or + // not they accept the Gateway. That Condition SHOULD clearly + // indicate in the Message which Listeners are conflicted, and + // which are + // Accepted. Additionally, the Listener status for those listeners + // SHOULD + // indicate which Listeners are conflicted and not Accepted. + // + // A Gateway's Listeners are considered "compatible" if: + // + // 1. They are distinct. + // 2. The implementation can serve them in compliance with the + // Addresses + // requirement that all Listeners are available on all assigned + // addresses. + // + // Compatible combinations in Extended support are expected to + // vary across + // implementations. A combination that is compatible for one + // implementation + // may not be compatible for another. 
+ // + // For example, an implementation that cannot serve both TCP and + // UDP listeners + // on the same address, or cannot mix HTTPS and generic TLS + // listens on the same port + // would not consider those cases compatible, even though they are + // distinct. + // + // Note that requests SHOULD match at most one Listener. For + // example, if + // Listeners are defined for "foo.example.com" and + // "*.example.com", a + // request to "foo.example.com" SHOULD only be routed using routes + // attached + // to the "foo.example.com" Listener (and not the "*.example.com" + // Listener). + // This concept is known as "Listener Isolation". Implementations + // that do + // not support Listener Isolation MUST clearly document this. + // + // Implementations MAY merge separate Gateways onto a single set + // of + // Addresses if all Listeners across all Gateways are compatible. + // + // Support: Core + listeners!: list.MaxItems(64) & [...{ + // AllowedRoutes defines the types of routes that MAY be attached + // to a + // Listener and the trusted namespaces where those Route resources + // MAY be + // present. + // + // Although a client request may match multiple route rules, only + // one rule + // may ultimately receive the request. Matching precedence MUST be + // determined in order of the following criteria: + // + // * The most specific match as defined by the Route type. + // * The oldest Route based on creation timestamp. For example, a + // Route with + // a creation timestamp of "2020-09-08 01:02:03" is given + // precedence over + // a Route with a creation timestamp of "2020-09-08 01:02:04". + // * If everything else is equivalent, the Route appearing first + // in + // alphabetical order (namespace/name) should be given precedence. + // For + // example, foo/bar is given precedence over foo/baz. + // + // All valid rules within a Route attached to this Listener should + // be + // implemented. 
Invalid Route rules can be ignored (sometimes that + // will mean + // the full Route). If a Route rule transitions from valid to + // invalid, + // support for that Route rule should be dropped to ensure + // consistency. For + // example, even if a filter specified by a Route rule is invalid, + // the rest + // of the rules within that Route should still be supported. + // + // Support: Core + allowedRoutes?: { + // Kinds specifies the groups and kinds of Routes that are allowed + // to bind + // to this Gateway Listener. When unspecified or empty, the kinds + // of Routes + // selected are determined using the Listener protocol. + // + // A RouteGroupKind MUST correspond to kinds of Routes that are + // compatible + // with the application protocol specified in the Listener's + // Protocol field. + // If an implementation does not support or recognize this + // resource type, it + // MUST set the "ResolvedRefs" condition to False for this + // Listener with the + // "InvalidRouteKinds" reason. + // + // Support: Core + kinds?: list.MaxItems(8) & [...{ + // Group is the group of the Route. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"gateway.networking.k8s.io" + + // Kind is the kind of the Route. + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + }] + + // Namespaces indicates namespaces from which Routes may be + // attached to this + // Listener. This is restricted to the namespace of this Gateway + // by default. + // + // Support: Core + namespaces?: { + // From indicates where Routes will be selected for this Gateway. + // Possible + // values are: + // + // * All: Routes in all namespaces may be used by this Gateway. + // * Selector: Routes in namespaces selected by the selector may + // be used by + // this Gateway. + // * Same: Only Routes in the same namespace may be used by this + // Gateway. 
+ // + // Support: Core + from?: "All" | "Selector" | "Same" | *"Same" + + // Selector must be specified when From is set to "Selector". In + // that case, + // only Routes in Namespaces matching this Selector will be + // selected by this + // Gateway. This field is ignored for other values of "From". + // + // Support: Core + selector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + } | *{ + from: "Same" + } + } | *{ + namespaces: { + from: "Same" + } + } + + // Hostname specifies the virtual hostname to match for protocol + // types that + // define this concept. When unspecified, all hostnames are + // matched. This + // field is ignored for protocols that don't require hostname + // based + // matching. + // + // Implementations MUST apply Hostname matching appropriately for + // each of + // the following protocols: + // + // * TLS: The Listener Hostname MUST match the SNI. + // * HTTP: The Listener Hostname MUST match the Host header of the + // request. 
+ // * HTTPS: The Listener Hostname SHOULD match at both the TLS and + // HTTP + // protocol layers as described above. If an implementation does + // not + // ensure that both the SNI and Host header match the Listener + // hostname, + // it MUST clearly document that. + // + // For HTTPRoute and TLSRoute resources, there is an interaction + // with the + // `spec.hostnames` array. When both listener and route specify + // hostnames, + // there MUST be an intersection between the values for a Route to + // be + // accepted. For more information, refer to the Route specific + // Hostnames + // documentation. + // + // Hostnames that are prefixed with a wildcard label (`*.`) are + // interpreted + // as a suffix match. That means that a match for `*.example.com` + // would match + // both `test.example.com`, and `foo.test.example.com`, but not + // `example.com`. + // + // Support: Core + hostname?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^(\\*\\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Name is the name of the Listener. This name MUST be unique + // within a + // Gateway. + // + // Support: Core + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Port is the network port. Multiple listeners may use the + // same port, subject to the Listener compatibility rules. + // + // Support: Core + port!: uint16 & >=1 + + // Protocol specifies the network protocol this listener expects + // to receive. + // + // Support: Core + protocol!: strings.MaxRunes(255) & strings.MinRunes(1) & { + =~"^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\\/[A-Za-z0-9]+$" + } + + // TLS is the TLS configuration for the Listener. This field is + // required if + // the Protocol field is "HTTPS" or "TLS". It is invalid to set + // this field + // if the Protocol field is "HTTP", "TCP", or "UDP". 
+ // + // The association of SNIs to Certificate defined in + // GatewayTLSConfig is + // defined based on the Hostname field for this listener. + // + // The GatewayClass MUST use the longest matching SNI out of all + // available certificates for any TLS handshake. + // + // Support: Core + tls?: { + // CertificateRefs contains a series of references to Kubernetes + // objects that + // contains TLS certificates and private keys. These certificates + // are used to + // establish a TLS handshake for requests that match the hostname + // of the + // associated listener. + // + // A single CertificateRef to a Kubernetes Secret has "Core" + // support. + // Implementations MAY choose to support attaching multiple + // certificates to + // a Listener, but this behavior is implementation-specific. + // + // References to a resource in different namespace are invalid + // UNLESS there + // is a ReferenceGrant in the target namespace that allows the + // certificate + // to be attached. If a ReferenceGrant does not allow this + // reference, the + // "ResolvedRefs" condition MUST be set to False for this listener + // with the + // "RefNotPermitted" reason. + // + // This field is required to have at least one element when the + // mode is set + // to "Terminate" (default) and is optional otherwise. + // + // CertificateRefs can reference to standard Kubernetes resources, + // i.e. + // Secret, or implementation-specific custom resources. + // + // Support: Core - A single reference to a Kubernetes Secret of + // type kubernetes.io/tls + // + // Support: Implementation-specific (More than one reference or + // other resource types) + certificateRefs?: list.MaxItems(64) & [...{ + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. 
+ group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is kind of the referent. For example "Secret". + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Secret" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the referenced object. When + // unspecified, the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + }] + frontendValidation?: { + // CACertificateRefs contains one or more references to + // Kubernetes objects that contain TLS certificates of + // the Certificate Authorities that can be used + // as a trust anchor to validate the certificates presented by the + // client. + // + // A single CA certificate reference to a Kubernetes ConfigMap + // has "Core" support. + // Implementations MAY choose to support attaching multiple CA + // certificates to + // a Listener, but this behavior is implementation-specific. + // + // Support: Core - A single reference to a Kubernetes ConfigMap + // with the CA certificate in a key named `ca.crt`. + // + // Support: Implementation-specific (More than one reference, or + // other kinds + // of resources). + // + // References to a resource in a different namespace are invalid + // UNLESS there + // is a ReferenceGrant in the target namespace that allows the + // certificate + // to be attached. 
If a ReferenceGrant does not allow this + // reference, the + // "ResolvedRefs" condition MUST be set to False for this listener + // with the + // "RefNotPermitted" reason. + caCertificateRefs?: list.MaxItems(8) & [...{ + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the referent. For example "ConfigMap" or + // "Service". + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the referenced object. When + // unspecified, the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + }] & [_, ...] + } + + // Mode defines the TLS behavior for the TLS session initiated by + // the client. + // There are two possible modes: + // + // - Terminate: The TLS session between the downstream client and + // the + // Gateway is terminated at the Gateway. This mode requires + // certificates + // to be specified in some way, such as populating the + // certificateRefs + // field. + // - Passthrough: The TLS session is NOT terminated by the + // Gateway. This + // implies that the Gateway can't decipher the TLS stream except + // for + // the ClientHello message of the TLS protocol. The + // certificateRefs field + // is ignored in this mode. 
+ // + // Support: Core + mode?: "Terminate" | "Passthrough" | *"Terminate" + + // Options are a list of key/value pairs to enable extended TLS + // configuration for each implementation. For example, configuring + // the + // minimum TLS version or supported cipher suites. + // + // A set of common keys MAY be defined by the API in the future. + // To avoid + // any ambiguity, implementation-specific definitions MUST use + // domain-prefixed names, such as `example.com/my-custom-option`. + // Un-prefixed names are reserved for key names defined by Gateway + // API. + // + // Support: Implementation-specific + options?: close({ + [string]: strings.MaxRunes(4096) & strings.MinRunes(0) + }) & struct.MaxFields(16) + } + }] & [_, ...] +} diff --git a/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/gatewayclass/v1/types_gen.cue b/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/gatewayclass/v1/types_gen.cue new file mode 100644 index 000000000..538d41efb --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/gatewayclass/v1/types_gen.cue 
@@ -0,0 +1,143 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/envoyproxy/gateway/releases/download/v1.3.0/install.yaml + +package v1 + +import "strings" + +// GatewayClass describes a class of Gateways available to the +// user for creating +// Gateway resources. +// +// It is recommended that this resource be used as a template for +// Gateways. This +// means that a Gateway is based on the state of the GatewayClass +// at the time it +// was created and changes to the GatewayClass or associated +// parameters are not +// propagated down to existing Gateways. This recommendation is +// intended to +// limit the blast radius of changes to GatewayClass or associated +// parameters. +// If implementations choose to propagate GatewayClass changes to +// existing +// Gateways, that MUST be clearly documented by the +// implementation. +// +// Whenever one or more Gateways are using a GatewayClass, +// implementations SHOULD +// add the `gateway-exists-finalizer.gateway.networking.k8s.io` +// finalizer on the +// associated GatewayClass. This ensures that a GatewayClass +// associated with a +// Gateway is not deleted while in use. +// +// GatewayClass is a Cluster level resource. +#GatewayClass: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "gateway.networking.k8s.io/v1" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. 
+ // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "GatewayClass" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Spec defines the desired state of GatewayClass. + spec!: #GatewayClassSpec +} + +// Spec defines the desired state of GatewayClass. +#GatewayClassSpec: { + // ControllerName is the name of the controller that is managing + // Gateways of + // this class. The value of this field MUST be a domain prefixed + // path. + // + // Example: "example.net/gateway-controller". + // + // This field is not mutable and cannot be empty. + // + // Support: Core + controllerName!: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\\/[A-Za-z0-9\\/\\-._~%!$&'()*+,;=:]+$" + } + + // Description helps describe a GatewayClass with more details. + description?: strings.MaxRunes(64) + + // ParametersRef is a reference to a resource that contains the + // configuration + // parameters corresponding to the GatewayClass. This is optional + // if the + // controller does not require any additional configuration. + // + // ParametersRef can reference a standard Kubernetes resource, + // i.e. ConfigMap, + // or an implementation-specific custom resource. The resource can + // be + // cluster-scoped or namespace-scoped. + // + // If the referent cannot be found, refers to an unsupported kind, + // or when + // the data within that resource is malformed, the GatewayClass + // SHOULD be + // rejected with the "Accepted" status condition set to "False" + // and an + // "InvalidParameters" reason. + // + // A Gateway for this GatewayClass may provide its own + // `parametersRef`. 
When both are specified, + // the merging behavior is implementation specific. + // It is generally recommended that GatewayClass provides defaults + // that can be overridden by a Gateway. + // + // Support: Implementation-specific + parametersRef?: { + // Group is the group of the referent. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the referent. + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the referent. + // This field is required when referring to a Namespace-scoped + // resource and + // MUST be unset when referring to a Cluster-scoped resource. + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + } +} diff --git a/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/gatewayclass/v1beta1/types_gen.cue b/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/gatewayclass/v1beta1/types_gen.cue new file mode 100644 index 000000000..dcbb65f84 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/gatewayclass/v1beta1/types_gen.cue 
@@ -0,0 +1,143 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/envoyproxy/gateway/releases/download/v1.3.0/install.yaml + +package v1beta1 + +import "strings" + +// GatewayClass describes a class of Gateways available to the +// user for creating +// Gateway resources. +// +// It is recommended that this resource be used as a template for +// Gateways. This +// means that a Gateway is based on the state of the GatewayClass +// at the time it +// was created and changes to the GatewayClass or associated +// parameters are not +// propagated down to existing Gateways. This recommendation is +// intended to +// limit the blast radius of changes to GatewayClass or associated +// parameters. +// If implementations choose to propagate GatewayClass changes to +// existing +// Gateways, that MUST be clearly documented by the +// implementation. +// +// Whenever one or more Gateways are using a GatewayClass, +// implementations SHOULD +// add the `gateway-exists-finalizer.gateway.networking.k8s.io` +// finalizer on the +// associated GatewayClass. This ensures that a GatewayClass +// associated with a +// Gateway is not deleted while in use. +// +// GatewayClass is a Cluster level resource. +#GatewayClass: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "gateway.networking.k8s.io/v1beta1" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. 
+ // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "GatewayClass" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Spec defines the desired state of GatewayClass. + spec!: #GatewayClassSpec +} + +// Spec defines the desired state of GatewayClass. +#GatewayClassSpec: { + // ControllerName is the name of the controller that is managing + // Gateways of + // this class. The value of this field MUST be a domain prefixed + // path. + // + // Example: "example.net/gateway-controller". + // + // This field is not mutable and cannot be empty. + // + // Support: Core + controllerName!: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\\/[A-Za-z0-9\\/\\-._~%!$&'()*+,;=:]+$" + } + + // Description helps describe a GatewayClass with more details. + description?: strings.MaxRunes(64) + + // ParametersRef is a reference to a resource that contains the + // configuration + // parameters corresponding to the GatewayClass. This is optional + // if the + // controller does not require any additional configuration. + // + // ParametersRef can reference a standard Kubernetes resource, + // i.e. ConfigMap, + // or an implementation-specific custom resource. The resource can + // be + // cluster-scoped or namespace-scoped. + // + // If the referent cannot be found, refers to an unsupported kind, + // or when + // the data within that resource is malformed, the GatewayClass + // SHOULD be + // rejected with the "Accepted" status condition set to "False" + // and an + // "InvalidParameters" reason. + // + // A Gateway for this GatewayClass may provide its own + // `parametersRef`. 
When both are specified, + // the merging behavior is implementation specific. + // It is generally recommended that GatewayClass provides defaults + // that can be overridden by a Gateway. + // + // Support: Implementation-specific + parametersRef?: { + // Group is the group of the referent. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the referent. + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the referent. + // This field is required when referring to a Namespace-scoped + // resource and + // MUST be unset when referring to a Cluster-scoped resource. + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + } +} diff --git a/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/grpcroute/v1/types_gen.cue b/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/grpcroute/v1/types_gen.cue new file mode 100644 index 000000000..dbd621a4e --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/grpcroute/v1/types_gen.cue 
@@ -0,0 +1,1583 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/envoyproxy/gateway/releases/download/v1.3.0/install.yaml + +package v1 + +import ( + "strings" + "list" +) + +// GRPCRoute provides a way to route gRPC requests. This includes +// the capability +// to match requests by hostname, gRPC service, gRPC method, or +// HTTP/2 header. +// Filters can be used to specify additional processing steps. +// Backends specify +// where matching requests will be routed. +// +// GRPCRoute falls under extended support within the Gateway API. +// Within the +// following specification, the word "MUST" indicates that an +// implementation +// supporting GRPCRoute must conform to the indicated requirement, +// but an +// implementation not supporting this route type need not follow +// the requirement +// unless explicitly indicated. +// +// Implementations supporting `GRPCRoute` with the `HTTPS` +// `ProtocolType` MUST +// accept HTTP/2 connections without an initial upgrade from +// HTTP/1.1, i.e. via +// ALPN. If the implementation does not support this, then it MUST +// set the +// "Accepted" condition to "False" for the affected listener with +// a reason of +// "UnsupportedProtocol". Implementations MAY also accept HTTP/2 +// connections +// with an upgrade from HTTP/1. +// +// Implementations supporting `GRPCRoute` with the `HTTP` +// `ProtocolType` MUST +// support HTTP/2 over cleartext TCP (h2c, +// https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an +// initial +// upgrade from HTTP/1.1, i.e. with prior knowledge +// (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the +// implementation +// does not support this, then it MUST set the "Accepted" +// condition to "False" +// for the affected listener with a reason of +// "UnsupportedProtocol". +// Implementations MAY also accept HTTP/2 connections with an +// upgrade from +// HTTP/1, i.e. without prior knowledge. 
+#GRPCRoute: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "gateway.networking.k8s.io/v1" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "GRPCRoute" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Spec defines the desired state of GRPCRoute. + spec!: #GRPCRouteSpec +} + +// Spec defines the desired state of GRPCRoute. +#GRPCRouteSpec: { + // Hostnames defines a set of hostnames to match against the GRPC + // Host header to select a GRPCRoute to process the request. This + // matches + // the RFC 1123 definition of a hostname with 2 notable + // exceptions: + // + // 1. IPs are not allowed. + // 2. A hostname may be prefixed with a wildcard label (`*.`). The + // wildcard + // label MUST appear by itself as the first label. + // + // If a hostname is specified by both the Listener and GRPCRoute, + // there + // MUST be at least one intersecting hostname for the GRPCRoute to + // be + // attached to the Listener. For example: + // + // * A Listener with `test.example.com` as the hostname matches + // GRPCRoutes + // that have either not specified any hostnames, or have specified + // at + // least one of `test.example.com` or `*.example.com`. 
+ // * A Listener with `*.example.com` as the hostname matches + // GRPCRoutes + // that have either not specified any hostnames or have specified + // at least + // one hostname that matches the Listener hostname. For example, + // `test.example.com` and `*.example.com` would both match. On the + // other + // hand, `example.com` and `test.example.net` would not match. + // + // Hostnames that are prefixed with a wildcard label (`*.`) are + // interpreted + // as a suffix match. That means that a match for `*.example.com` + // would match + // both `test.example.com`, and `foo.test.example.com`, but not + // `example.com`. + // + // If both the Listener and GRPCRoute have specified hostnames, + // any + // GRPCRoute hostnames that do not match the Listener hostname + // MUST be + // ignored. For example, if a Listener specified `*.example.com`, + // and the + // GRPCRoute specified `test.example.com` and `test.example.net`, + // `test.example.net` MUST NOT be considered for a match. + // + // If both the Listener and GRPCRoute have specified hostnames, + // and none + // match with the criteria above, then the GRPCRoute MUST NOT be + // accepted by + // the implementation. The implementation MUST raise an 'Accepted' + // Condition + // with a status of `False` in the corresponding + // RouteParentStatus. + // + // If a Route (A) of type HTTPRoute or GRPCRoute is attached to a + // Listener and that listener already has another Route (B) of the + // other + // type attached and the intersection of the hostnames of A and B + // is + // non-empty, then the implementation MUST accept exactly one of + // these two + // routes, determined by the following criteria, in order: + // + // * The oldest Route based on creation timestamp. + // * The Route appearing first in alphabetical order by + // "{namespace}/{name}". + // + // The rejected Route MUST raise an 'Accepted' condition with a + // status of + // 'False' in the corresponding RouteParentStatus. 
+ // + // Support: Core + hostnames?: list.MaxItems(16) & [...strings.MaxRunes(253) & strings.MinRunes(1) & =~"^(\\*\\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"] + + // ParentRefs references the resources (usually Gateways) that a + // Route wants + // to be attached to. Note that the referenced parent resource + // needs to + // allow this for the attachment to be complete. For Gateways, + // that means + // the Gateway needs to allow attachment from Routes of this kind + // and + // namespace. For Services, that means the Service must either be + // in the same + // namespace for a "producer" route, or the mesh implementation + // must support + // and allow "consumer" routes for the referenced Service. + // ReferenceGrant is + // not applicable for governing ParentRefs to Services - it is not + // possible to + // create a "producer" route for a Service in a different + // namespace from the + // Route. + // + // There are two kinds of parent resources with "Core" support: + // + // * Gateway (Gateway conformance profile) + // * Service (Mesh conformance profile, ClusterIP Services only) + // + // This API may be extended in the future to support additional + // kinds of parent + // resources. + // + // ParentRefs must be _distinct_. This means either that: + // + // * They select different objects. If this is the case, then + // parentRef + // entries are distinct. In terms of fields, this means that the + // multi-part key defined by `group`, `kind`, `namespace`, and + // `name` must + // be unique across all parentRef entries in the Route. + // * They do not select different objects, but for each optional + // field used, + // each ParentRef that selects the same object must set the same + // set of + // optional fields to different values. If one ParentRef sets a + // combination of optional fields, all must set the same + // combination. 
+ // + // Some examples: + // + // * If one ParentRef sets `sectionName`, all ParentRefs + // referencing the + // same object must also set `sectionName`. + // * If one ParentRef sets `port`, all ParentRefs referencing the + // same + // object must also set `port`. + // * If one ParentRef sets `sectionName` and `port`, all + // ParentRefs + // referencing the same object must also set `sectionName` and + // `port`. + // + // It is possible to separately reference multiple distinct + // objects that may + // be collapsed by an implementation. For example, some + // implementations may + // choose to merge compatible Gateway Listeners together. If that + // is the + // case, the list of routes attached to those resources should + // also be + // merged. + // + // Note that for ParentRefs that cross namespace boundaries, there + // are specific + // rules. Cross-namespace references are only valid if they are + // explicitly + // allowed by something in the namespace they are referring to. + // For example, + // Gateway has the AllowedRoutes field, and ReferenceGrant + // provides a + // generic way to enable other kinds of cross-namespace reference. + // + // + // ParentRefs from a Route to a Service in the same namespace are + // "producer" + // routes, which apply default routing rules to inbound + // connections from + // any namespace to the Service. + // + // ParentRefs from a Route to a Service in a different namespace + // are + // "consumer" routes, and these routing rules are only applied to + // outbound + // connections originating from the same namespace as the Route, + // for which + // the intended destination of the connections are a Service + // targeted as a + // ParentRef of the Route. + parentRefs?: list.MaxItems(32) & [...{ + // Group is the group of the referent. + // When unspecified, "gateway.networking.k8s.io" is inferred. 
+ // To set the core API group (such as for a "Service" kind + // referent), + // Group must be explicitly set to "" (empty string). + // + // Support: Core + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"gateway.networking.k8s.io" + + // Kind is kind of the referent. + // + // There are two kinds of parent resources with "Core" support: + // + // * Gateway (Gateway conformance profile) + // * Service (Mesh conformance profile, ClusterIP Services only) + // + // Support for other resources is Implementation-Specific. + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Gateway" + + // Name is the name of the referent. + // + // Support: Core + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the referent. When unspecified, + // this refers + // to the local namespace of the Route. + // + // Note that there are specific rules for ParentRefs which cross + // namespace + // boundaries. Cross-namespace references are only valid if they + // are explicitly + // allowed by something in the namespace they are referring to. + // For example: + // Gateway has the AllowedRoutes field, and ReferenceGrant + // provides a + // generic way to enable any other kind of cross-namespace + // reference. + // + // + // ParentRefs from a Route to a Service in the same namespace are + // "producer" + // routes, which apply default routing rules to inbound + // connections from + // any namespace to the Service. + // + // ParentRefs from a Route to a Service in a different namespace + // are + // "consumer" routes, and these routing rules are only applied to + // outbound + // connections originating from the same namespace as the Route, + // for which + // the intended destination of the connections are a Service + // targeted as a + // ParentRef of the Route. 
+ // + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port is the network port this Route targets. It can be + // interpreted + // differently based on the type of parent resource. + // + // When the parent resource is a Gateway, this targets all + // listeners + // listening on the specified port that also support this kind of + // Route(and + // select this Route). It's not recommended to set `Port` unless + // the + // networking behaviors specified in a Route must apply to a + // specific port + // as opposed to a listener(s) whose port(s) may be changed. When + // both Port + // and SectionName are specified, the name and port of the + // selected listener + // must match both specified values. + // + // + // When the parent resource is a Service, this targets a specific + // port in the + // Service spec. When both Port (experimental) and SectionName are + // specified, + // the name and port of the selected port must match both + // specified values. + // + // + // Implementations MAY choose to support other parent resources. + // Implementations supporting other types of parent resources MUST + // clearly + // document how/if Port is interpreted. + // + // For the purpose of status, an attachment is considered + // successful as + // long as the parent resource accepts it partially. For example, + // Gateway + // listeners can restrict which Routes can attach to them by Route + // kind, + // namespace, or hostname. If 1 of 2 Gateway listeners accept + // attachment + // from the referencing Route, the Route MUST be considered + // successfully + // attached. If no Gateway listeners accept attachment from this + // Route, + // the Route MUST be considered detached from the Gateway. + // + // Support: Extended + port?: uint16 & >=1 + + // SectionName is the name of a section within the target + // resource. 
In the + // following resources, SectionName is interpreted as the + // following: + // + // * Gateway: Listener name. When both Port (experimental) and + // SectionName + // are specified, the name and port of the selected listener must + // match + // both specified values. + // * Service: Port name. When both Port (experimental) and + // SectionName + // are specified, the name and port of the selected listener must + // match + // both specified values. + // + // Implementations MAY choose to support attaching Routes to other + // resources. + // If that is the case, they MUST clearly document how SectionName + // is + // interpreted. + // + // When unspecified (empty string), this will reference the entire + // resource. + // For the purpose of status, an attachment is considered + // successful if at + // least one section in the parent resource accepts it. For + // example, Gateway + // listeners can restrict which Routes can attach to them by Route + // kind, + // namespace, or hostname. If 1 of 2 Gateway listeners accept + // attachment from + // the referencing Route, the Route MUST be considered + // successfully + // attached. If no Gateway listeners accept attachment from this + // Route, the + // Route MUST be considered detached from the Gateway. + // + // Support: Core + sectionName?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + }] + + // Rules are a list of GRPC matchers, filters and actions. + rules?: list.MaxItems(16) & [...{ + // BackendRefs defines the backend(s) where matching requests + // should be + // sent. + // + // Failure behavior here depends on how many BackendRefs are + // specified and + // how many are invalid. + // + // If *all* entries in BackendRefs are invalid, and there are also + // no filters + // specified in this route rule, *all* traffic which matches this + // rule MUST + // receive an `UNAVAILABLE` status. 
+ // + // See the GRPCBackendRef definition for the rules about what + // makes a single + // GRPCBackendRef invalid. + // + // When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST + // be returned for + // requests that would have otherwise been routed to an invalid + // backend. If + // multiple backends are specified, and some are invalid, the + // proportion of + // requests that would otherwise have been routed to an invalid + // backend + // MUST receive an `UNAVAILABLE` status. + // + // For example, if two backends are specified with equal weights, + // and one is + // invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` + // status. + // Implementations may choose how that 50 percent is determined. + // + // Support: Core for Kubernetes Service + // + // Support: Implementation-specific for any other resource + // + // Support for weight: Core + backendRefs?: list.MaxItems(16) & [...{ + // Filters defined at this level MUST be executed if and only if + // the + // request is being forwarded to the backend defined here. + // + // Support: Implementation-specific (For broader support of + // filters, use the + // Filters field in GRPCRouteRule.) + filters?: list.MaxItems(16) & [...{ + // ExtensionRef is an optional, implementation-specific extension + // to the + // "filter" behavior. For example, resource "myroutefilter" in + // group + // "networking.example.net"). ExtensionRef MUST NOT be used for + // core and + // extended filters. + // + // Support: Implementation-specific + // + // This filter can be used multiple times within the same rule. + extensionRef?: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the referent. For example "HTTPRoute" or + // "Service". 
+ kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + } + + // RequestHeaderModifier defines a schema for a filter that + // modifies request + // headers. + // + // Support: Core + requestHeaderModifier?: { + // Add adds the given header(s) (name, value) to the request + // before the action. It appends to any existing values associated + // with the header name. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // add: + // - name: "my-header" + // value: "bar,baz" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: foo,bar,baz + add?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + + // Remove the given header(s) from the HTTP request before the + // action. The + // value of Remove is a list of HTTP header names. Note that the + // header + // names are case-insensitive (see + // https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
+ // + // Input: + // GET /foo HTTP/1.1 + // my-header1: foo + // my-header2: bar + // my-header3: baz + // + // Config: + // remove: ["my-header1", "my-header3"] + // + // Output: + // GET /foo HTTP/1.1 + // my-header2: bar + remove?: list.MaxItems(16) & [...string] + + // Set overwrites the request with the given header (name, value) + // before the action. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // set: + // - name: "my-header" + // value: "bar" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: bar + set?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + } + + // RequestMirror defines a schema for a filter that mirrors + // requests. + // Requests are sent to the specified destination, but responses + // from + // that destination are ignored. + // + // This filter can be used multiple times within the same rule. + // Note that + // not all implementations will be able to support mirroring to + // multiple + // backends. + // + // Support: Extended + requestMirror?: { + // BackendRef references a resource where mirrored requests are + // sent. + // + // Mirrored requests must be sent only to a single destination + // endpoint + // within this BackendRef, irrespective of how many endpoints are + // present + // within this BackendRef. 
+ // + // If the referent cannot be found, this BackendRef is invalid and + // must be + // dropped from the Gateway. The controller must ensure the + // "ResolvedRefs" + // condition on the Route status is set to `status: False` and not + // configure + // this backend in the underlying implementation. + // + // If there is a cross-namespace reference to an *existing* object + // that is not allowed by a ReferenceGrant, the controller must + // ensure the + // "ResolvedRefs" condition on the Route is set to `status: + // False`, + // with the "RefNotPermitted" reason and not configure this + // backend in the + // underlying implementation. + // + // In either error case, the Message of the `ResolvedRefs` + // Condition + // should be used to provide more detail about the problem. + // + // Support: Extended for Kubernetes Service + // + // Support: Implementation-specific for any other resource + backendRef!: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. + // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. 
+ name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. + // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. + port?: uint16 & >=1 + } + + // Fraction represents the fraction of requests that should be + // mirrored to BackendRef. + // + // Only one of Fraction or Percent may be specified. If neither + // field + // is specified, 100% of requests will be mirrored. + fraction?: { + denominator?: int32 & int & >=1 | *100 + numerator!: int32 & >=0 + } + + // Percent represents the percentage of requests that should be + // mirrored to BackendRef. Its minimum value is 0 (indicating 0% + // of + // requests) and its maximum value is 100 (indicating 100% of + // requests). + // + // Only one of Fraction or Percent may be specified. If neither + // field + // is specified, 100% of requests will be mirrored. + percent?: uint & <=100 + } + + // ResponseHeaderModifier defines a schema for a filter that + // modifies response + // headers. + // + // Support: Extended + responseHeaderModifier?: { + // Add adds the given header(s) (name, value) to the request + // before the action. It appends to any existing values associated + // with the header name. 
+ // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // add: + // - name: "my-header" + // value: "bar,baz" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: foo,bar,baz + add?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + + // Remove the given header(s) from the HTTP request before the + // action. The + // value of Remove is a list of HTTP header names. Note that the + // header + // names are case-insensitive (see + // https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + // + // Input: + // GET /foo HTTP/1.1 + // my-header1: foo + // my-header2: bar + // my-header3: baz + // + // Config: + // remove: ["my-header1", "my-header3"] + // + // Output: + // GET /foo HTTP/1.1 + // my-header2: bar + remove?: list.MaxItems(16) & [...string] + + // Set overwrites the request with the given header (name, value) + // before the action. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // set: + // - name: "my-header" + // value: "bar" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: bar + set?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). 
+ // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + } + + // Type identifies the type of filter to apply. As with other API + // fields, + // types are classified into three conformance levels: + // + // - Core: Filter types and their corresponding configuration + // defined by + // "Support: Core" in this package, e.g. "RequestHeaderModifier". + // All + // implementations supporting GRPCRoute MUST support core filters. + // + // - Extended: Filter types and their corresponding configuration + // defined by + // "Support: Extended" in this package, e.g. "RequestMirror". + // Implementers + // are encouraged to support extended filters. + // + // - Implementation-specific: Filters that are defined and + // supported by specific vendors. + // In the future, filters showing convergence in behavior across + // multiple + // implementations will be considered for inclusion in extended or + // core + // conformance levels. Filter-specific configuration for such + // filters + // is specified using the ExtensionRef field. `Type` MUST be set + // to + // "ExtensionRef" for custom filters. + // + // Implementers are encouraged to define custom implementation + // types to + // extend the core API with implementation-specific behavior. + // + // If a reference to a custom filter type cannot be resolved, the + // filter + // MUST NOT be skipped. Instead, requests that would have been + // processed by + // that filter MUST receive a HTTP error response. 
+ type!: "ResponseHeaderModifier" | "RequestHeaderModifier" | "RequestMirror" | "ExtensionRef" + }] + + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. + // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. + // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. 
+ // For other resources, destination port might be derived from the + // referent + // resource or this field. + port?: uint16 & >=1 + + // Weight specifies the proportion of requests forwarded to the + // referenced + // backend. This is computed as weight/(sum of all weights in this + // BackendRefs list). For non-zero values, there may be some + // epsilon from + // the exact proportion defined here depending on the precision an + // implementation supports. Weight is not a percentage and the sum + // of + // weights does not need to equal 100. + // + // If only one backend is specified and it has a weight greater + // than 0, 100% + // of the traffic is forwarded to that backend. If weight is set + // to 0, no + // traffic should be forwarded for this entry. If unspecified, + // weight + // defaults to 1. + // + // Support for this field varies based on the context where used. + weight?: int32 & int & <=1000000 & >=0 | *1 + }] + + // Filters define the filters that are applied to requests that + // match + // this rule. + // + // The effects of ordering of multiple behaviors are currently + // unspecified. + // This can change in the future based on feedback during the + // alpha stage. + // + // Conformance-levels at this level are defined based on the type + // of filter: + // + // - ALL core filters MUST be supported by all implementations + // that support + // GRPCRoute. + // - Implementers are encouraged to support extended filters. + // - Implementation-specific custom filters have no API guarantees + // across + // implementations. + // + // Specifying the same filter multiple times is not supported + // unless explicitly + // indicated in the filter. + // + // If an implementation can not support a combination of filters, + // it must clearly + // document that limitation. 
In cases where incompatible or + // unsupported + // filters are specified and cause the `Accepted` condition to be + // set to status + // `False`, implementations may use the `IncompatibleFilters` + // reason to specify + // this configuration error. + // + // Support: Core + filters?: list.MaxItems(16) & [...{ + // ExtensionRef is an optional, implementation-specific extension + // to the + // "filter" behavior. For example, resource "myroutefilter" in + // group + // "networking.example.net"). ExtensionRef MUST NOT be used for + // core and + // extended filters. + // + // Support: Implementation-specific + // + // This filter can be used multiple times within the same rule. + extensionRef?: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the referent. For example "HTTPRoute" or + // "Service". + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + } + + // RequestHeaderModifier defines a schema for a filter that + // modifies request + // headers. + // + // Support: Core + requestHeaderModifier?: { + // Add adds the given header(s) (name, value) to the request + // before the action. It appends to any existing values associated + // with the header name. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // add: + // - name: "my-header" + // value: "bar,baz" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: foo,bar,baz + add?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). 
+ // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + + // Remove the given header(s) from the HTTP request before the + // action. The + // value of Remove is a list of HTTP header names. Note that the + // header + // names are case-insensitive (see + // https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + // + // Input: + // GET /foo HTTP/1.1 + // my-header1: foo + // my-header2: bar + // my-header3: baz + // + // Config: + // remove: ["my-header1", "my-header3"] + // + // Output: + // GET /foo HTTP/1.1 + // my-header2: bar + remove?: list.MaxItems(16) & [...string] + + // Set overwrites the request with the given header (name, value) + // before the action. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // set: + // - name: "my-header" + // value: "bar" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: bar + set?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. 
+ name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + } + + // RequestMirror defines a schema for a filter that mirrors + // requests. + // Requests are sent to the specified destination, but responses + // from + // that destination are ignored. + // + // This filter can be used multiple times within the same rule. + // Note that + // not all implementations will be able to support mirroring to + // multiple + // backends. + // + // Support: Extended + requestMirror?: { + // BackendRef references a resource where mirrored requests are + // sent. + // + // Mirrored requests must be sent only to a single destination + // endpoint + // within this BackendRef, irrespective of how many endpoints are + // present + // within this BackendRef. + // + // If the referent cannot be found, this BackendRef is invalid and + // must be + // dropped from the Gateway. The controller must ensure the + // "ResolvedRefs" + // condition on the Route status is set to `status: False` and not + // configure + // this backend in the underlying implementation. + // + // If there is a cross-namespace reference to an *existing* object + // that is not allowed by a ReferenceGrant, the controller must + // ensure the + // "ResolvedRefs" condition on the Route is set to `status: + // False`, + // with the "RefNotPermitted" reason and not configure this + // backend in the + // underlying implementation. + // + // In either error case, the Message of the `ResolvedRefs` + // Condition + // should be used to provide more detail about the problem. + // + // Support: Extended for Kubernetes Service + // + // Support: Implementation-specific for any other resource + backendRef!: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. 
+ group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. + // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. + // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. + port?: uint16 & >=1 + } + + // Fraction represents the fraction of requests that should be + // mirrored to BackendRef. 
+ // + // Only one of Fraction or Percent may be specified. If neither + // field + // is specified, 100% of requests will be mirrored. + fraction?: { + denominator?: int32 & int & >=1 | *100 + numerator!: int32 & >=0 + } + + // Percent represents the percentage of requests that should be + // mirrored to BackendRef. Its minimum value is 0 (indicating 0% + // of + // requests) and its maximum value is 100 (indicating 100% of + // requests). + // + // Only one of Fraction or Percent may be specified. If neither + // field + // is specified, 100% of requests will be mirrored. + percent?: uint & <=100 + } + + // ResponseHeaderModifier defines a schema for a filter that + // modifies response + // headers. + // + // Support: Extended + responseHeaderModifier?: { + // Add adds the given header(s) (name, value) to the request + // before the action. It appends to any existing values associated + // with the header name. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // add: + // - name: "my-header" + // value: "bar,baz" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: foo,bar,baz + add?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + + // Remove the given header(s) from the HTTP request before the + // action. 
The + // value of Remove is a list of HTTP header names. Note that the + // header + // names are case-insensitive (see + // https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + // + // Input: + // GET /foo HTTP/1.1 + // my-header1: foo + // my-header2: bar + // my-header3: baz + // + // Config: + // remove: ["my-header1", "my-header3"] + // + // Output: + // GET /foo HTTP/1.1 + // my-header2: bar + remove?: list.MaxItems(16) & [...string] + + // Set overwrites the request with the given header (name, value) + // before the action. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // set: + // - name: "my-header" + // value: "bar" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: bar + set?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + } + + // Type identifies the type of filter to apply. As with other API + // fields, + // types are classified into three conformance levels: + // + // - Core: Filter types and their corresponding configuration + // defined by + // "Support: Core" in this package, e.g. "RequestHeaderModifier". + // All + // implementations supporting GRPCRoute MUST support core filters. + // + // - Extended: Filter types and their corresponding configuration + // defined by + // "Support: Extended" in this package, e.g. 
"RequestMirror". + // Implementers + // are encouraged to support extended filters. + // + // - Implementation-specific: Filters that are defined and + // supported by specific vendors. + // In the future, filters showing convergence in behavior across + // multiple + // implementations will be considered for inclusion in extended or + // core + // conformance levels. Filter-specific configuration for such + // filters + // is specified using the ExtensionRef field. `Type` MUST be set + // to + // "ExtensionRef" for custom filters. + // + // Implementers are encouraged to define custom implementation + // types to + // extend the core API with implementation-specific behavior. + // + // If a reference to a custom filter type cannot be resolved, the + // filter + // MUST NOT be skipped. Instead, requests that would have been + // processed by + // that filter MUST receive a HTTP error response. + type!: "ResponseHeaderModifier" | "RequestHeaderModifier" | "RequestMirror" | "ExtensionRef" + }] + + // Matches define conditions used for matching the rule against + // incoming + // gRPC requests. Each match is independent, i.e. this rule will + // be matched + // if **any** one of the matches is satisfied. + // + // For example, take the following matches configuration: + // + // ``` + // matches: + // - method: + // service: foo.bar + // headers: + // values: + // version: 2 + // - method: + // service: foo.bar.v2 + // ``` + // + // For a request to match against this rule, it MUST satisfy + // EITHER of the two conditions: + // + // - service of foo.bar AND contains the header `version: 2` + // - service of foo.bar.v2 + // + // See the documentation for GRPCRouteMatch on how to specify + // multiple + // match conditions to be ANDed together. + // + // If no matches are specified, the implementation MUST match + // every gRPC request. 
+ // + // Proxy or Load Balancer routing configuration generated from + // GRPCRoutes + // MUST prioritize rules based on the following criteria, + // continuing on + // ties. Merging MUST not be done between GRPCRoutes and + // HTTPRoutes. + // Precedence MUST be given to the rule with the largest number + // of: + // + // * Characters in a matching non-wildcard hostname. + // * Characters in a matching hostname. + // * Characters in a matching service. + // * Characters in a matching method. + // * Header matches. + // + // If ties still exist across multiple Routes, matching precedence + // MUST be + // determined in order of the following criteria, continuing on + // ties: + // + // * The oldest Route based on creation timestamp. + // * The Route appearing first in alphabetical order by + // "{namespace}/{name}". + // + // If ties still exist within the Route that has been given + // precedence, + // matching precedence MUST be granted to the first matching rule + // meeting + // the above criteria. + matches?: list.MaxItems(8) & [...{ + // Headers specifies gRPC request header matchers. Multiple match + // values are + // ANDed together, meaning, a request MUST match all the specified + // headers + // to select the route. + headers?: list.MaxItems(16) & [...{ + // Name is the name of the gRPC Header to be matched. + // + // If multiple entries specify equivalent header names, only the + // first + // entry with an equivalent name MUST be considered for a match. + // Subsequent + // entries with an equivalent header name MUST be ignored. Due to + // the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Type specifies how to match against the value of the header. + type?: "Exact" | "RegularExpression" | *"Exact" + + // Value is the value of the gRPC Header to be matched. 
+ value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + + // Method specifies a gRPC request service/method matcher. If this + // field is + // not specified, all services and methods will match. + method?: { + // Value of the method to match against. If left empty or omitted, + // will + // match all services. + // + // At least one of Service and Method MUST be a non-empty string. + method?: strings.MaxRunes(1024) + + // Value of the service to match against. If left empty or + // omitted, will + // match any service. + // + // At least one of Service and Method MUST be a non-empty string. + service?: strings.MaxRunes(1024) + + // Type specifies how to match against the service and/or method. + // Support: Core (Exact with service and method specified) + // + // Support: Implementation-specific (Exact with method specified + // but no service specified) + // + // Support: Implementation-specific (RegularExpression) + type?: "Exact" | "RegularExpression" | *"Exact" + } + }] + + // Name is the name of the route rule. This name MUST be unique + // within a Route if it is set. + // + // Support: Extended + name?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // SessionPersistence defines and configures session persistence + // for the route rule. + // + // Support: Extended + sessionPersistence?: { + // AbsoluteTimeout defines the absolute timeout of the persistent + // session. Once the AbsoluteTimeout duration has elapsed, the + // session becomes invalid. + // + // Support: Extended + absoluteTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + cookieConfig?: { + // LifetimeType specifies whether the cookie has a permanent or + // session-based lifetime. A permanent cookie persists until its + // specified expiry time, defined by the Expires or Max-Age cookie + // attributes, while a session cookie is deleted when the current + // session ends. 
+ // + // When set to "Permanent", AbsoluteTimeout indicates the + // cookie's lifetime via the Expires or Max-Age cookie attributes + // and is required. + // + // When set to "Session", AbsoluteTimeout indicates the + // absolute lifetime of the cookie tracked by the gateway and + // is optional. + // + // Support: Core for "Session" type + // + // Support: Extended for "Permanent" type + lifetimeType?: "Permanent" | "Session" | *"Session" + } + + // IdleTimeout defines the idle timeout of the persistent session. + // Once the session has been idle for more than the specified + // IdleTimeout duration, the session becomes invalid. + // + // Support: Extended + idleTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // SessionName defines the name of the persistent session token + // which may be reflected in the cookie or the header. Users + // should avoid reusing session names to prevent unintended + // consequences, such as rejection or unpredictable behavior. + // + // Support: Implementation-specific + sessionName?: strings.MaxRunes(128) + + // Type defines the type of session persistence such as through + // the use a header or cookie. Defaults to cookie based session + // persistence. + // + // Support: Core for "Cookie" type + // + // Support: Extended for "Header" type + type?: "Cookie" | "Header" | *"Cookie" + } + }] +} diff --git a/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/httproute/v1/types_gen.cue b/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/httproute/v1/types_gen.cue new file mode 100644 index 000000000..a1e538f0a --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/httproute/v1/types_gen.cue 
@@ -0,0 +1,2266 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/envoyproxy/gateway/releases/download/v1.3.0/install.yaml + +package v1 + +import ( + "strings" + "list" +) + +// HTTPRoute provides a way to route HTTP requests. This includes +// the capability +// to match requests by hostname, path, header, or query param. +// Filters can be +// used to specify additional processing steps. Backends specify +// where matching +// requests should be routed. +#HTTPRoute: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "gateway.networking.k8s.io/v1" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "HTTPRoute" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Spec defines the desired state of HTTPRoute. + spec!: #HTTPRouteSpec +} + +// Spec defines the desired state of HTTPRoute. +#HTTPRouteSpec: { + // Hostnames defines a set of hostnames that should match against + // the HTTP Host + // header to select a HTTPRoute used to process the request. 
+ // Implementations + // MUST ignore any port value specified in the HTTP Host header + // while + // performing a match and (absent of any applicable header + // modification + // configuration) MUST forward this header unmodified to the + // backend. + // + // Valid values for Hostnames are determined by RFC 1123 + // definition of a + // hostname with 2 notable exceptions: + // + // 1. IPs are not allowed. + // 2. A hostname may be prefixed with a wildcard label (`*.`). The + // wildcard + // label must appear by itself as the first label. + // + // If a hostname is specified by both the Listener and HTTPRoute, + // there + // must be at least one intersecting hostname for the HTTPRoute to + // be + // attached to the Listener. For example: + // + // * A Listener with `test.example.com` as the hostname matches + // HTTPRoutes + // that have either not specified any hostnames, or have specified + // at + // least one of `test.example.com` or `*.example.com`. + // * A Listener with `*.example.com` as the hostname matches + // HTTPRoutes + // that have either not specified any hostnames or have specified + // at least + // one hostname that matches the Listener hostname. For example, + // `*.example.com`, `test.example.com`, and `foo.test.example.com` + // would + // all match. On the other hand, `example.com` and + // `test.example.net` would + // not match. + // + // Hostnames that are prefixed with a wildcard label (`*.`) are + // interpreted + // as a suffix match. That means that a match for `*.example.com` + // would match + // both `test.example.com`, and `foo.test.example.com`, but not + // `example.com`. + // + // If both the Listener and HTTPRoute have specified hostnames, + // any + // HTTPRoute hostnames that do not match the Listener hostname + // MUST be + // ignored. 
For example, if a Listener specified `*.example.com`, + // and the + // HTTPRoute specified `test.example.com` and `test.example.net`, + // `test.example.net` must not be considered for a match. + // + // If both the Listener and HTTPRoute have specified hostnames, + // and none + // match with the criteria above, then the HTTPRoute is not + // accepted. The + // implementation must raise an 'Accepted' Condition with a status + // of + // `False` in the corresponding RouteParentStatus. + // + // In the event that multiple HTTPRoutes specify intersecting + // hostnames (e.g. + // overlapping wildcard matching and exact matching hostnames), + // precedence must + // be given to rules from the HTTPRoute with the largest number + // of: + // + // * Characters in a matching non-wildcard hostname. + // * Characters in a matching hostname. + // + // If ties exist across multiple Routes, the matching precedence + // rules for + // HTTPRouteMatches takes over. + // + // Support: Core + hostnames?: list.MaxItems(16) & [...strings.MaxRunes(253) & strings.MinRunes(1) & =~"^(\\*\\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"] + + // ParentRefs references the resources (usually Gateways) that a + // Route wants + // to be attached to. Note that the referenced parent resource + // needs to + // allow this for the attachment to be complete. For Gateways, + // that means + // the Gateway needs to allow attachment from Routes of this kind + // and + // namespace. For Services, that means the Service must either be + // in the same + // namespace for a "producer" route, or the mesh implementation + // must support + // and allow "consumer" routes for the referenced Service. + // ReferenceGrant is + // not applicable for governing ParentRefs to Services - it is not + // possible to + // create a "producer" route for a Service in a different + // namespace from the + // Route. 
+ // + // There are two kinds of parent resources with "Core" support: + // + // * Gateway (Gateway conformance profile) + // * Service (Mesh conformance profile, ClusterIP Services only) + // + // This API may be extended in the future to support additional + // kinds of parent + // resources. + // + // ParentRefs must be _distinct_. This means either that: + // + // * They select different objects. If this is the case, then + // parentRef + // entries are distinct. In terms of fields, this means that the + // multi-part key defined by `group`, `kind`, `namespace`, and + // `name` must + // be unique across all parentRef entries in the Route. + // * They do not select different objects, but for each optional + // field used, + // each ParentRef that selects the same object must set the same + // set of + // optional fields to different values. If one ParentRef sets a + // combination of optional fields, all must set the same + // combination. + // + // Some examples: + // + // * If one ParentRef sets `sectionName`, all ParentRefs + // referencing the + // same object must also set `sectionName`. + // * If one ParentRef sets `port`, all ParentRefs referencing the + // same + // object must also set `port`. + // * If one ParentRef sets `sectionName` and `port`, all + // ParentRefs + // referencing the same object must also set `sectionName` and + // `port`. + // + // It is possible to separately reference multiple distinct + // objects that may + // be collapsed by an implementation. For example, some + // implementations may + // choose to merge compatible Gateway Listeners together. If that + // is the + // case, the list of routes attached to those resources should + // also be + // merged. + // + // Note that for ParentRefs that cross namespace boundaries, there + // are specific + // rules. Cross-namespace references are only valid if they are + // explicitly + // allowed by something in the namespace they are referring to. 
+ // For example, + // Gateway has the AllowedRoutes field, and ReferenceGrant + // provides a + // generic way to enable other kinds of cross-namespace reference. + // + // + // ParentRefs from a Route to a Service in the same namespace are + // "producer" + // routes, which apply default routing rules to inbound + // connections from + // any namespace to the Service. + // + // ParentRefs from a Route to a Service in a different namespace + // are + // "consumer" routes, and these routing rules are only applied to + // outbound + // connections originating from the same namespace as the Route, + // for which + // the intended destination of the connections are a Service + // targeted as a + // ParentRef of the Route. + parentRefs?: list.MaxItems(32) & [...{ + // Group is the group of the referent. + // When unspecified, "gateway.networking.k8s.io" is inferred. + // To set the core API group (such as for a "Service" kind + // referent), + // Group must be explicitly set to "" (empty string). + // + // Support: Core + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"gateway.networking.k8s.io" + + // Kind is kind of the referent. + // + // There are two kinds of parent resources with "Core" support: + // + // * Gateway (Gateway conformance profile) + // * Service (Mesh conformance profile, ClusterIP Services only) + // + // Support for other resources is Implementation-Specific. + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Gateway" + + // Name is the name of the referent. + // + // Support: Core + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the referent. When unspecified, + // this refers + // to the local namespace of the Route. + // + // Note that there are specific rules for ParentRefs which cross + // namespace + // boundaries. 
Cross-namespace references are only valid if they + // are explicitly + // allowed by something in the namespace they are referring to. + // For example: + // Gateway has the AllowedRoutes field, and ReferenceGrant + // provides a + // generic way to enable any other kind of cross-namespace + // reference. + // + // + // ParentRefs from a Route to a Service in the same namespace are + // "producer" + // routes, which apply default routing rules to inbound + // connections from + // any namespace to the Service. + // + // ParentRefs from a Route to a Service in a different namespace + // are + // "consumer" routes, and these routing rules are only applied to + // outbound + // connections originating from the same namespace as the Route, + // for which + // the intended destination of the connections are a Service + // targeted as a + // ParentRef of the Route. + // + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port is the network port this Route targets. It can be + // interpreted + // differently based on the type of parent resource. + // + // When the parent resource is a Gateway, this targets all + // listeners + // listening on the specified port that also support this kind of + // Route(and + // select this Route). It's not recommended to set `Port` unless + // the + // networking behaviors specified in a Route must apply to a + // specific port + // as opposed to a listener(s) whose port(s) may be changed. When + // both Port + // and SectionName are specified, the name and port of the + // selected listener + // must match both specified values. + // + // + // When the parent resource is a Service, this targets a specific + // port in the + // Service spec. When both Port (experimental) and SectionName are + // specified, + // the name and port of the selected port must match both + // specified values. 
+ // + // + // Implementations MAY choose to support other parent resources. + // Implementations supporting other types of parent resources MUST + // clearly + // document how/if Port is interpreted. + // + // For the purpose of status, an attachment is considered + // successful as + // long as the parent resource accepts it partially. For example, + // Gateway + // listeners can restrict which Routes can attach to them by Route + // kind, + // namespace, or hostname. If 1 of 2 Gateway listeners accept + // attachment + // from the referencing Route, the Route MUST be considered + // successfully + // attached. If no Gateway listeners accept attachment from this + // Route, + // the Route MUST be considered detached from the Gateway. + // + // Support: Extended + port?: uint16 & >=1 + + // SectionName is the name of a section within the target + // resource. In the + // following resources, SectionName is interpreted as the + // following: + // + // * Gateway: Listener name. When both Port (experimental) and + // SectionName + // are specified, the name and port of the selected listener must + // match + // both specified values. + // * Service: Port name. When both Port (experimental) and + // SectionName + // are specified, the name and port of the selected listener must + // match + // both specified values. + // + // Implementations MAY choose to support attaching Routes to other + // resources. + // If that is the case, they MUST clearly document how SectionName + // is + // interpreted. + // + // When unspecified (empty string), this will reference the entire + // resource. + // For the purpose of status, an attachment is considered + // successful if at + // least one section in the parent resource accepts it. For + // example, Gateway + // listeners can restrict which Routes can attach to them by Route + // kind, + // namespace, or hostname. 
If 1 of 2 Gateway listeners accept + // attachment from + // the referencing Route, the Route MUST be considered + // successfully + // attached. If no Gateway listeners accept attachment from this + // Route, the + // Route MUST be considered detached from the Gateway. + // + // Support: Core + sectionName?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + }] + + // Rules are a list of HTTP matchers, filters and actions. + rules?: list.MaxItems(16) & [...{ + // BackendRefs defines the backend(s) where matching requests + // should be + // sent. + // + // Failure behavior here depends on how many BackendRefs are + // specified and + // how many are invalid. + // + // If *all* entries in BackendRefs are invalid, and there are also + // no filters + // specified in this route rule, *all* traffic which matches this + // rule MUST + // receive a 500 status code. + // + // See the HTTPBackendRef definition for the rules about what + // makes a single + // HTTPBackendRef invalid. + // + // When a HTTPBackendRef is invalid, 500 status codes MUST be + // returned for + // requests that would have otherwise been routed to an invalid + // backend. If + // multiple backends are specified, and some are invalid, the + // proportion of + // requests that would otherwise have been routed to an invalid + // backend + // MUST receive a 500 status code. + // + // For example, if two backends are specified with equal weights, + // and one is + // invalid, 50 percent of traffic must receive a 500. + // Implementations may + // choose how that 50 percent is determined. + // + // When a HTTPBackendRef refers to a Service that has no ready + // endpoints, + // implementations SHOULD return a 503 for requests to that + // backend instead. + // If an implementation chooses to do this, all of the above rules + // for 500 responses + // MUST also apply for responses that return a 503. 
+ // + // Support: Core for Kubernetes Service + // + // Support: Extended for Kubernetes ServiceImport + // + // Support: Implementation-specific for any other resource + // + // Support for weight: Core + backendRefs?: list.MaxItems(16) & [...{ + // Filters defined at this level should be executed if and only if + // the + // request is being forwarded to the backend defined here. + // + // Support: Implementation-specific (For broader support of + // filters, use the + // Filters field in HTTPRouteRule.) + filters?: list.MaxItems(16) & [...{ + // ExtensionRef is an optional, implementation-specific extension + // to the + // "filter" behavior. For example, resource "myroutefilter" in + // group + // "networking.example.net"). ExtensionRef MUST NOT be used for + // core and + // extended filters. + // + // This filter can be used multiple times within the same rule. + // + // Support: Implementation-specific + extensionRef?: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the referent. For example "HTTPRoute" or + // "Service". + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + } + + // RequestHeaderModifier defines a schema for a filter that + // modifies request + // headers. + // + // Support: Core + requestHeaderModifier?: { + // Add adds the given header(s) (name, value) to the request + // before the action. It appends to any existing values associated + // with the header name. 
+ // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // add: + // - name: "my-header" + // value: "bar,baz" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: foo,bar,baz + add?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + + // Remove the given header(s) from the HTTP request before the + // action. The + // value of Remove is a list of HTTP header names. Note that the + // header + // names are case-insensitive (see + // https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + // + // Input: + // GET /foo HTTP/1.1 + // my-header1: foo + // my-header2: bar + // my-header3: baz + // + // Config: + // remove: ["my-header1", "my-header3"] + // + // Output: + // GET /foo HTTP/1.1 + // my-header2: bar + remove?: list.MaxItems(16) & [...string] + + // Set overwrites the request with the given header (name, value) + // before the action. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // set: + // - name: "my-header" + // value: "bar" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: bar + set?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). 
+ // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + } + + // RequestMirror defines a schema for a filter that mirrors + // requests. + // Requests are sent to the specified destination, but responses + // from + // that destination are ignored. + // + // This filter can be used multiple times within the same rule. + // Note that + // not all implementations will be able to support mirroring to + // multiple + // backends. + // + // Support: Extended + requestMirror?: { + // BackendRef references a resource where mirrored requests are + // sent. + // + // Mirrored requests must be sent only to a single destination + // endpoint + // within this BackendRef, irrespective of how many endpoints are + // present + // within this BackendRef. + // + // If the referent cannot be found, this BackendRef is invalid and + // must be + // dropped from the Gateway. The controller must ensure the + // "ResolvedRefs" + // condition on the Route status is set to `status: False` and not + // configure + // this backend in the underlying implementation. + // + // If there is a cross-namespace reference to an *existing* object + // that is not allowed by a ReferenceGrant, the controller must + // ensure the + // "ResolvedRefs" condition on the Route is set to `status: + // False`, + // with the "RefNotPermitted" reason and not configure this + // backend in the + // underlying implementation. 
+ // + // In either error case, the Message of the `ResolvedRefs` + // Condition + // should be used to provide more detail about the problem. + // + // Support: Extended for Kubernetes Service + // + // Support: Implementation-specific for any other resource + backendRef!: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. + // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. 
+ // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. + port?: uint16 & >=1 + } + + // Fraction represents the fraction of requests that should be + // mirrored to BackendRef. + // + // Only one of Fraction or Percent may be specified. If neither + // field + // is specified, 100% of requests will be mirrored. + fraction?: { + denominator?: int32 & int & >=1 | *100 + numerator!: int32 & >=0 + } + + // Percent represents the percentage of requests that should be + // mirrored to BackendRef. Its minimum value is 0 (indicating 0% + // of + // requests) and its maximum value is 100 (indicating 100% of + // requests). + // + // Only one of Fraction or Percent may be specified. If neither + // field + // is specified, 100% of requests will be mirrored. + percent?: uint & <=100 + } + + // RequestRedirect defines a schema for a filter that responds to + // the + // request with an HTTP redirection. + // + // Support: Core + requestRedirect?: { + // Hostname is the hostname to be used in the value of the + // `Location` + // header in the response. + // When empty, the hostname in the `Host` header of the request is + // used. + // + // Support: Core + hostname?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Path defines parameters used to modify the path of the incoming + // request. + // The modified path is then used to construct the `Location` + // header. When + // empty, the request path is used as-is. + // + // Support: Extended + path?: { + // ReplaceFullPath specifies the value with which to replace the + // full path + // of a request during a rewrite or redirect. 
+ replaceFullPath?: strings.MaxRunes(1024) + + // ReplacePrefixMatch specifies the value with which to replace + // the prefix + // match of a request during a rewrite or redirect. For example, a + // request + // to "/foo/bar" with a prefix match of "/foo" and a + // ReplacePrefixMatch + // of "/xyz" would be modified to "/xyz/bar". + // + // Note that this matches the behavior of the PathPrefix match + // type. This + // matches full path elements. A path element refers to the list + // of labels + // in the path split by the `/` separator. When specified, a + // trailing `/` is + // ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` + // would all + // match the prefix `/abc`, but the path `/abcd` would not. + // + // ReplacePrefixMatch is only compatible with a `PathPrefix` + // HTTPRouteMatch. + // Using any other HTTPRouteMatch type on the same HTTPRouteRule + // will result in + // the implementation setting the Accepted Condition for the Route + // to `status: False`. + // + // Request Path | Prefix Match | Replace Prefix | Modified Path + replacePrefixMatch?: strings.MaxRunes(1024) + + // Type defines the type of path modifier. Additional types may be + // added in a future release of the API. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + type!: "ReplaceFullPath" | "ReplacePrefixMatch" + } + + // Port is the port to be used in the value of the `Location` + // header in the response. + // + // If no port is specified, the redirect port MUST be derived + // using the + // following rules: + // + // * If redirect scheme is not-empty, the redirect port MUST be + // the well-known + // port associated with the redirect scheme. 
Specifically "http" + // to port 80 + // and "https" to port 443. If the redirect scheme does not have a + // well-known port, the listener port of the Gateway SHOULD be + // used. + // * If redirect scheme is empty, the redirect port MUST be the + // Gateway + // Listener port. + // + // Implementations SHOULD NOT add the port number in the + // 'Location' + // header in the following cases: + // + // * A Location header that will use HTTP (whether that is + // determined via + // the Listener protocol or the Scheme field) _and_ use port 80. + // * A Location header that will use HTTPS (whether that is + // determined via + // the Listener protocol or the Scheme field) _and_ use port 443. + // + // Support: Extended + port?: uint16 & >=1 + + // Scheme is the scheme to be used in the value of the `Location` + // header in + // the response. When empty, the scheme of the request is used. + // + // Scheme redirects can affect the port of the redirect, for more + // information, + // refer to the documentation for the port field of this filter. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + // + // Support: Extended + scheme?: "http" | "https" + + // StatusCode is the HTTP status code to be used in response. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + // + // Support: Core + statusCode?: (301 | 302) & int | *302 + } + + // ResponseHeaderModifier defines a schema for a filter that + // modifies response + // headers. 
+ // + // Support: Extended + responseHeaderModifier?: { + // Add adds the given header(s) (name, value) to the request + // before the action. It appends to any existing values associated + // with the header name. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // add: + // - name: "my-header" + // value: "bar,baz" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: foo,bar,baz + add?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + + // Remove the given header(s) from the HTTP request before the + // action. The + // value of Remove is a list of HTTP header names. Note that the + // header + // names are case-insensitive (see + // https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + // + // Input: + // GET /foo HTTP/1.1 + // my-header1: foo + // my-header2: bar + // my-header3: baz + // + // Config: + // remove: ["my-header1", "my-header3"] + // + // Output: + // GET /foo HTTP/1.1 + // my-header2: bar + remove?: list.MaxItems(16) & [...string] + + // Set overwrites the request with the given header (name, value) + // before the action. 
+ // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // set: + // - name: "my-header" + // value: "bar" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: bar + set?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + } + + // Type identifies the type of filter to apply. As with other API + // fields, + // types are classified into three conformance levels: + // + // - Core: Filter types and their corresponding configuration + // defined by + // "Support: Core" in this package, e.g. "RequestHeaderModifier". + // All + // implementations must support core filters. + // + // - Extended: Filter types and their corresponding configuration + // defined by + // "Support: Extended" in this package, e.g. "RequestMirror". + // Implementers + // are encouraged to support extended filters. + // + // - Implementation-specific: Filters that are defined and + // supported by + // specific vendors. + // In the future, filters showing convergence in behavior across + // multiple + // implementations will be considered for inclusion in extended or + // core + // conformance levels. Filter-specific configuration for such + // filters + // is specified using the ExtensionRef field. `Type` should be set + // to + // "ExtensionRef" for custom filters. 
+ // + // Implementers are encouraged to define custom implementation + // types to + // extend the core API with implementation-specific behavior. + // + // If a reference to a custom filter type cannot be resolved, the + // filter + // MUST NOT be skipped. Instead, requests that would have been + // processed by + // that filter MUST receive a HTTP error response. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + type!: "RequestHeaderModifier" | "ResponseHeaderModifier" | "RequestMirror" | "RequestRedirect" | "URLRewrite" | "ExtensionRef" + + // URLRewrite defines a schema for a filter that modifies a + // request during forwarding. + // + // Support: Extended + urlRewrite?: { + // Hostname is the value to be used to replace the Host header + // value during + // forwarding. + // + // Support: Extended + hostname?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Path defines a path rewrite. + // + // Support: Extended + path?: { + // ReplaceFullPath specifies the value with which to replace the + // full path + // of a request during a rewrite or redirect. + replaceFullPath?: strings.MaxRunes(1024) + + // ReplacePrefixMatch specifies the value with which to replace + // the prefix + // match of a request during a rewrite or redirect. For example, a + // request + // to "/foo/bar" with a prefix match of "/foo" and a + // ReplacePrefixMatch + // of "/xyz" would be modified to "/xyz/bar". + // + // Note that this matches the behavior of the PathPrefix match + // type. This + // matches full path elements. A path element refers to the list + // of labels + // in the path split by the `/` separator. 
When specified, a + // trailing `/` is + // ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` + // would all + // match the prefix `/abc`, but the path `/abcd` would not. + // + // ReplacePrefixMatch is only compatible with a `PathPrefix` + // HTTPRouteMatch. + // Using any other HTTPRouteMatch type on the same HTTPRouteRule + // will result in + // the implementation setting the Accepted Condition for the Route + // to `status: False`. + // + // Request Path | Prefix Match | Replace Prefix | Modified Path + replacePrefixMatch?: strings.MaxRunes(1024) + + // Type defines the type of path modifier. Additional types may be + // added in a future release of the API. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + type!: "ReplaceFullPath" | "ReplacePrefixMatch" + } + } + }] + + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. 
+ // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. + // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. + port?: uint16 & >=1 + + // Weight specifies the proportion of requests forwarded to the + // referenced + // backend. This is computed as weight/(sum of all weights in this + // BackendRefs list). For non-zero values, there may be some + // epsilon from + // the exact proportion defined here depending on the precision an + // implementation supports. Weight is not a percentage and the sum + // of + // weights does not need to equal 100. + // + // If only one backend is specified and it has a weight greater + // than 0, 100% + // of the traffic is forwarded to that backend. If weight is set + // to 0, no + // traffic should be forwarded for this entry. If unspecified, + // weight + // defaults to 1. 
+ // + // Support for this field varies based on the context where used. + weight?: int32 & int & <=1000000 & >=0 | *1 + }] + + // Filters define the filters that are applied to requests that + // match + // this rule. + // + // Wherever possible, implementations SHOULD implement filters in + // the order + // they are specified. + // + // Implementations MAY choose to implement this ordering strictly, + // rejecting + // any combination or order of filters that can not be supported. + // If implementations + // choose a strict interpretation of filter ordering, they MUST + // clearly document + // that behavior. + // + // To reject an invalid combination or order of filters, + // implementations SHOULD + // consider the Route Rules with this configuration invalid. If + // all Route Rules + // in a Route are invalid, the entire Route would be considered + // invalid. If only + // a portion of Route Rules are invalid, implementations MUST set + // the + // "PartiallyInvalid" condition for the Route. + // + // Conformance-levels at this level are defined based on the type + // of filter: + // + // - ALL core filters MUST be supported by all implementations. + // - Implementers are encouraged to support extended filters. + // - Implementation-specific custom filters have no API guarantees + // across + // implementations. + // + // Specifying the same filter multiple times is not supported + // unless explicitly + // indicated in the filter. + // + // All filters are expected to be compatible with each other + // except for the + // URLRewrite and RequestRedirect filters, which may not be + // combined. If an + // implementation can not support other combinations of filters, + // they must clearly + // document that limitation. 
In cases where incompatible or + // unsupported + // filters are specified and cause the `Accepted` condition to be + // set to status + // `False`, implementations may use the `IncompatibleFilters` + // reason to specify + // this configuration error. + // + // Support: Core + filters?: list.MaxItems(16) & [...{ + // ExtensionRef is an optional, implementation-specific extension + // to the + // "filter" behavior. For example, resource "myroutefilter" in + // group + // "networking.example.net"). ExtensionRef MUST NOT be used for + // core and + // extended filters. + // + // This filter can be used multiple times within the same rule. + // + // Support: Implementation-specific + extensionRef?: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the referent. For example "HTTPRoute" or + // "Service". + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + } + + // RequestHeaderModifier defines a schema for a filter that + // modifies request + // headers. + // + // Support: Core + requestHeaderModifier?: { + // Add adds the given header(s) (name, value) to the request + // before the action. It appends to any existing values associated + // with the header name. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // add: + // - name: "my-header" + // value: "bar,baz" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: foo,bar,baz + add?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). 
+ // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + + // Remove the given header(s) from the HTTP request before the + // action. The + // value of Remove is a list of HTTP header names. Note that the + // header + // names are case-insensitive (see + // https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + // + // Input: + // GET /foo HTTP/1.1 + // my-header1: foo + // my-header2: bar + // my-header3: baz + // + // Config: + // remove: ["my-header1", "my-header3"] + // + // Output: + // GET /foo HTTP/1.1 + // my-header2: bar + remove?: list.MaxItems(16) & [...string] + + // Set overwrites the request with the given header (name, value) + // before the action. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // set: + // - name: "my-header" + // value: "bar" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: bar + set?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. 
+ name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + } + + // RequestMirror defines a schema for a filter that mirrors + // requests. + // Requests are sent to the specified destination, but responses + // from + // that destination are ignored. + // + // This filter can be used multiple times within the same rule. + // Note that + // not all implementations will be able to support mirroring to + // multiple + // backends. + // + // Support: Extended + requestMirror?: { + // BackendRef references a resource where mirrored requests are + // sent. + // + // Mirrored requests must be sent only to a single destination + // endpoint + // within this BackendRef, irrespective of how many endpoints are + // present + // within this BackendRef. + // + // If the referent cannot be found, this BackendRef is invalid and + // must be + // dropped from the Gateway. The controller must ensure the + // "ResolvedRefs" + // condition on the Route status is set to `status: False` and not + // configure + // this backend in the underlying implementation. + // + // If there is a cross-namespace reference to an *existing* object + // that is not allowed by a ReferenceGrant, the controller must + // ensure the + // "ResolvedRefs" condition on the Route is set to `status: + // False`, + // with the "RefNotPermitted" reason and not configure this + // backend in the + // underlying implementation. + // + // In either error case, the Message of the `ResolvedRefs` + // Condition + // should be used to provide more detail about the problem. + // + // Support: Extended for Kubernetes Service + // + // Support: Implementation-specific for any other resource + backendRef!: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. 
+ group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. + // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. + // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. + port?: uint16 & >=1 + } + + // Fraction represents the fraction of requests that should be + // mirrored to BackendRef. 
+ // + // Only one of Fraction or Percent may be specified. If neither + // field + // is specified, 100% of requests will be mirrored. + fraction?: { + denominator?: int32 & int & >=1 | *100 + numerator!: int32 & >=0 + } + + // Percent represents the percentage of requests that should be + // mirrored to BackendRef. Its minimum value is 0 (indicating 0% + // of + // requests) and its maximum value is 100 (indicating 100% of + // requests). + // + // Only one of Fraction or Percent may be specified. If neither + // field + // is specified, 100% of requests will be mirrored. + percent?: uint & <=100 + } + + // RequestRedirect defines a schema for a filter that responds to + // the + // request with an HTTP redirection. + // + // Support: Core + requestRedirect?: { + // Hostname is the hostname to be used in the value of the + // `Location` + // header in the response. + // When empty, the hostname in the `Host` header of the request is + // used. + // + // Support: Core + hostname?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Path defines parameters used to modify the path of the incoming + // request. + // The modified path is then used to construct the `Location` + // header. When + // empty, the request path is used as-is. + // + // Support: Extended + path?: { + // ReplaceFullPath specifies the value with which to replace the + // full path + // of a request during a rewrite or redirect. + replaceFullPath?: strings.MaxRunes(1024) + + // ReplacePrefixMatch specifies the value with which to replace + // the prefix + // match of a request during a rewrite or redirect. For example, a + // request + // to "/foo/bar" with a prefix match of "/foo" and a + // ReplacePrefixMatch + // of "/xyz" would be modified to "/xyz/bar". + // + // Note that this matches the behavior of the PathPrefix match + // type. This + // matches full path elements. 
A path element refers to the list + // of labels + // in the path split by the `/` separator. When specified, a + // trailing `/` is + // ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` + // would all + // match the prefix `/abc`, but the path `/abcd` would not. + // + // ReplacePrefixMatch is only compatible with a `PathPrefix` + // HTTPRouteMatch. + // Using any other HTTPRouteMatch type on the same HTTPRouteRule + // will result in + // the implementation setting the Accepted Condition for the Route + // to `status: False`. + // + // Request Path | Prefix Match | Replace Prefix | Modified Path + replacePrefixMatch?: strings.MaxRunes(1024) + + // Type defines the type of path modifier. Additional types may be + // added in a future release of the API. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + type!: "ReplaceFullPath" | "ReplacePrefixMatch" + } + + // Port is the port to be used in the value of the `Location` + // header in the response. + // + // If no port is specified, the redirect port MUST be derived + // using the + // following rules: + // + // * If redirect scheme is not-empty, the redirect port MUST be + // the well-known + // port associated with the redirect scheme. Specifically "http" + // to port 80 + // and "https" to port 443. If the redirect scheme does not have a + // well-known port, the listener port of the Gateway SHOULD be + // used. + // * If redirect scheme is empty, the redirect port MUST be the + // Gateway + // Listener port. 
+ // + // Implementations SHOULD NOT add the port number in the + // 'Location' + // header in the following cases: + // + // * A Location header that will use HTTP (whether that is + // determined via + // the Listener protocol or the Scheme field) _and_ use port 80. + // * A Location header that will use HTTPS (whether that is + // determined via + // the Listener protocol or the Scheme field) _and_ use port 443. + // + // Support: Extended + port?: uint16 & >=1 + + // Scheme is the scheme to be used in the value of the `Location` + // header in + // the response. When empty, the scheme of the request is used. + // + // Scheme redirects can affect the port of the redirect, for more + // information, + // refer to the documentation for the port field of this filter. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + // + // Support: Extended + scheme?: "http" | "https" + + // StatusCode is the HTTP status code to be used in response. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + // + // Support: Core + statusCode?: (301 | 302) & int | *302 + } + + // ResponseHeaderModifier defines a schema for a filter that + // modifies response + // headers. + // + // Support: Extended + responseHeaderModifier?: { + // Add adds the given header(s) (name, value) to the request + // before the action. It appends to any existing values associated + // with the header name. 
+ // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // add: + // - name: "my-header" + // value: "bar,baz" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: foo,bar,baz + add?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + + // Remove the given header(s) from the HTTP request before the + // action. The + // value of Remove is a list of HTTP header names. Note that the + // header + // names are case-insensitive (see + // https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + // + // Input: + // GET /foo HTTP/1.1 + // my-header1: foo + // my-header2: bar + // my-header3: baz + // + // Config: + // remove: ["my-header1", "my-header3"] + // + // Output: + // GET /foo HTTP/1.1 + // my-header2: bar + remove?: list.MaxItems(16) & [...string] + + // Set overwrites the request with the given header (name, value) + // before the action. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // set: + // - name: "my-header" + // value: "bar" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: bar + set?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). 
+ // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + } + + // Type identifies the type of filter to apply. As with other API + // fields, + // types are classified into three conformance levels: + // + // - Core: Filter types and their corresponding configuration + // defined by + // "Support: Core" in this package, e.g. "RequestHeaderModifier". + // All + // implementations must support core filters. + // + // - Extended: Filter types and their corresponding configuration + // defined by + // "Support: Extended" in this package, e.g. "RequestMirror". + // Implementers + // are encouraged to support extended filters. + // + // - Implementation-specific: Filters that are defined and + // supported by + // specific vendors. + // In the future, filters showing convergence in behavior across + // multiple + // implementations will be considered for inclusion in extended or + // core + // conformance levels. Filter-specific configuration for such + // filters + // is specified using the ExtensionRef field. `Type` should be set + // to + // "ExtensionRef" for custom filters. + // + // Implementers are encouraged to define custom implementation + // types to + // extend the core API with implementation-specific behavior. + // + // If a reference to a custom filter type cannot be resolved, the + // filter + // MUST NOT be skipped. Instead, requests that would have been + // processed by + // that filter MUST receive a HTTP error response. 
+ // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + type!: "RequestHeaderModifier" | "ResponseHeaderModifier" | "RequestMirror" | "RequestRedirect" | "URLRewrite" | "ExtensionRef" + + // URLRewrite defines a schema for a filter that modifies a + // request during forwarding. + // + // Support: Extended + urlRewrite?: { + // Hostname is the value to be used to replace the Host header + // value during + // forwarding. + // + // Support: Extended + hostname?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Path defines a path rewrite. + // + // Support: Extended + path?: { + // ReplaceFullPath specifies the value with which to replace the + // full path + // of a request during a rewrite or redirect. + replaceFullPath?: strings.MaxRunes(1024) + + // ReplacePrefixMatch specifies the value with which to replace + // the prefix + // match of a request during a rewrite or redirect. For example, a + // request + // to "/foo/bar" with a prefix match of "/foo" and a + // ReplacePrefixMatch + // of "/xyz" would be modified to "/xyz/bar". + // + // Note that this matches the behavior of the PathPrefix match + // type. This + // matches full path elements. A path element refers to the list + // of labels + // in the path split by the `/` separator. When specified, a + // trailing `/` is + // ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` + // would all + // match the prefix `/abc`, but the path `/abcd` would not. + // + // ReplacePrefixMatch is only compatible with a `PathPrefix` + // HTTPRouteMatch. 
+ // Using any other HTTPRouteMatch type on the same HTTPRouteRule + // will result in + // the implementation setting the Accepted Condition for the Route + // to `status: False`. + // + // Request Path | Prefix Match | Replace Prefix | Modified Path + replacePrefixMatch?: strings.MaxRunes(1024) + + // Type defines the type of path modifier. Additional types may be + // added in a future release of the API. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + type!: "ReplaceFullPath" | "ReplacePrefixMatch" + } + } + }] + + // Matches define conditions used for matching the rule against + // incoming + // HTTP requests. Each match is independent, i.e. this rule will + // be matched + // if **any** one of the matches is satisfied. + // + // For example, take the following matches configuration: + // + // ``` + // matches: + // - path: + // value: "/foo" + // headers: + // - name: "version" + // value: "v2" + // - path: + // value: "/v2/foo" + // ``` + // + // For a request to match against this rule, a request must + // satisfy + // EITHER of the two conditions: + // + // - path prefixed with `/foo` AND contains the header `version: + // v2` + // - path prefix of `/v2/foo` + // + // See the documentation for HTTPRouteMatch on how to specify + // multiple + // match conditions that should be ANDed together. + // + // If no matches are specified, the default is a prefix + // path match on "/", which has the effect of matching every + // HTTP request. + // + // Proxy or Load Balancer routing configuration generated from + // HTTPRoutes + // MUST prioritize matches based on the following criteria, + // continuing on + // ties. 
Across all rules specified on applicable Routes, + // precedence must be + // given to the match having: + // + // * "Exact" path match. + // * "Prefix" path match with largest number of characters. + // * Method match. + // * Largest number of header matches. + // * Largest number of query param matches. + // + // Note: The precedence of RegularExpression path matches are + // implementation-specific. + // + // If ties still exist across multiple Routes, matching precedence + // MUST be + // determined in order of the following criteria, continuing on + // ties: + // + // * The oldest Route based on creation timestamp. + // * The Route appearing first in alphabetical order by + // "{namespace}/{name}". + // + // If ties still exist within an HTTPRoute, matching precedence + // MUST be granted + // to the FIRST matching rule (in list order) with a match meeting + // the above + // criteria. + // + // When no rules matching a request have been successfully + // attached to the + // parent a request is coming from, a HTTP 404 status code MUST be + // returned. + matches?: list.MaxItems(64) & [...{ + // Headers specifies HTTP request header matchers. Multiple match + // values are + // ANDed together, meaning, a request must match all the specified + // headers + // to select the route. + headers?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, only the + // first + // entry with an equivalent name MUST be considered for a match. + // Subsequent + // entries with an equivalent header name MUST be ignored. Due to + // the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + // + // When a header is repeated in an HTTP request, it is + // implementation-specific behavior as to how this is represented. 
+ // Generally, proxies should follow the guidance from the RFC: + // https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + // regarding + // processing a repeated header, with special handling for + // "Set-Cookie". + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Type specifies how to match against the value of the header. + // + // Support: Core (Exact) + // + // Support: Implementation-specific (RegularExpression) + // + // Since RegularExpression HeaderMatchType has + // implementation-specific + // conformance, implementations can support POSIX, PCRE or any + // other dialects + // of regular expressions. Please read the implementation's + // documentation to + // determine the supported dialect. + type?: "Exact" | "RegularExpression" | *"Exact" + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + + // Method specifies HTTP method matcher. + // When specified, this route will be matched only if the request + // has the + // specified method. + // + // Support: Extended + method?: "GET" | "HEAD" | "POST" | "PUT" | "DELETE" | "CONNECT" | "OPTIONS" | "TRACE" | "PATCH" + + // Path specifies a HTTP request path matcher. If this field is + // not + // specified, a default prefix match on the "/" path is provided. + path?: { + // Type specifies how to match against the path Value. + // + // Support: Core (Exact, PathPrefix) + // + // Support: Implementation-specific (RegularExpression) + type?: "Exact" | "PathPrefix" | "RegularExpression" | *"PathPrefix" + + // Value of the HTTP path to match against. + value?: strings.MaxRunes(1024) | *"/" + } | *{ + type: "PathPrefix" + value: "/" + } + + // QueryParams specifies HTTP query parameter matchers. Multiple + // match + // values are ANDed together, meaning, a request must match all + // the + // specified query parameters to select the route. 
+ // + // Support: Extended + queryParams?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP query param to be matched. This + // must be an + // exact string match. (See + // https://tools.ietf.org/html/rfc7230#section-2.7.3). + // + // If multiple entries specify equivalent query param names, only + // the first + // entry with an equivalent name MUST be considered for a match. + // Subsequent + // entries with an equivalent query param name MUST be ignored. + // + // If a query param is repeated in an HTTP request, the behavior + // is + // purposely left undefined, since different data planes have + // different + // capabilities. However, it is *recommended* that implementations + // should + // match against the first value of the param if the data plane + // supports it, + // as this behavior is expected in other load balancing contexts + // outside of + // the Gateway API. + // + // Users SHOULD NOT route traffic based on repeated query params + // to guard + // themselves against potential differences in the + // implementations. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Type specifies how to match against the value of the query + // parameter. + // + // Support: Extended (Exact) + // + // Support: Implementation-specific (RegularExpression) + // + // Since RegularExpression QueryParamMatchType has + // Implementation-specific + // conformance, implementations can support POSIX, PCRE or any + // other + // dialects of regular expressions. Please read the + // implementation's + // documentation to determine the supported dialect. + type?: "Exact" | "RegularExpression" | *"Exact" + + // Value is the value of HTTP query param to be matched. + value!: strings.MaxRunes(1024) & strings.MinRunes(1) + }] + }] | *[{ + path: { + type: "PathPrefix" + value: "/" + } + }] + + // Name is the name of the route rule. This name MUST be unique + // within a Route if it is set. 
+ // + // Support: Extended + name?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Retry defines the configuration for when to retry an HTTP + // request. + // + // Support: Extended + retry?: { + // Attempts specifies the maxmimum number of times an individual + // request + // from the gateway to a backend should be retried. + // + // If the maximum number of retries has been attempted without a + // successful + // response from the backend, the Gateway MUST return an error. + // + // When this field is unspecified, the number of times to attempt + // to retry + // a backend request is implementation-specific. + // + // Support: Extended + attempts?: int + + // Backoff specifies the minimum duration a Gateway should wait + // between + // retry attempts and is represented in Gateway API Duration + // formatting. + // + // For example, setting the `rules[].retry.backoff` field to the + // value + // `100ms` will cause a backend request to first be retried + // approximately + // 100 milliseconds after timing out or receiving a response code + // configured + // to be retryable. + // + // An implementation MAY use an exponential or alternative backoff + // strategy + // for subsequent retry attempts, MAY cap the maximum backoff + // duration to + // some amount greater than the specified minimum, and MAY add + // arbitrary + // jitter to stagger requests, as long as unsuccessful backend + // requests are + // not retried before the configured minimum duration. + // + // If a Request timeout (`rules[].timeouts.request`) is configured + // on the + // route, the entire duration of the initial request and any retry + // attempts + // MUST not exceed the Request timeout duration. 
If any retry + // attempts are + // still in progress when the Request timeout duration has been + // reached, + // these SHOULD be canceled if possible and the Gateway MUST + // immediately + // return a timeout error. + // + // If a BackendRequest timeout (`rules[].timeouts.backendRequest`) + // is + // configured on the route, any retry attempts which reach the + // configured + // BackendRequest timeout duration without a response SHOULD be + // canceled if + // possible and the Gateway should wait for at least the specified + // backoff + // duration before attempting to retry the backend request again. + // + // If a BackendRequest timeout is _not_ configured on the route, + // retry + // attempts MAY time out after an implementation default duration, + // or MAY + // remain pending until a configured Request timeout or + // implementation + // default duration for total request time is reached. + // + // When this field is unspecified, the time to wait between retry + // attempts + // is implementation-specific. + // + // Support: Extended + backoff?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // Codes defines the HTTP response status codes for which a + // backend request + // should be retried. + // + // Support: Extended + codes?: [...int & <=599 & >=400] + } + + // SessionPersistence defines and configures session persistence + // for the route rule. + // + // Support: Extended + sessionPersistence?: { + // AbsoluteTimeout defines the absolute timeout of the persistent + // session. Once the AbsoluteTimeout duration has elapsed, the + // session becomes invalid. + // + // Support: Extended + absoluteTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + cookieConfig?: { + // LifetimeType specifies whether the cookie has a permanent or + // session-based lifetime. A permanent cookie persists until its + // specified expiry time, defined by the Expires or Max-Age cookie + // attributes, while a session cookie is deleted when the current + // session ends. 
+ // + // When set to "Permanent", AbsoluteTimeout indicates the + // cookie's lifetime via the Expires or Max-Age cookie attributes + // and is required. + // + // When set to "Session", AbsoluteTimeout indicates the + // absolute lifetime of the cookie tracked by the gateway and + // is optional. + // + // Support: Core for "Session" type + // + // Support: Extended for "Permanent" type + lifetimeType?: "Permanent" | "Session" | *"Session" + } + + // IdleTimeout defines the idle timeout of the persistent session. + // Once the session has been idle for more than the specified + // IdleTimeout duration, the session becomes invalid. + // + // Support: Extended + idleTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // SessionName defines the name of the persistent session token + // which may be reflected in the cookie or the header. Users + // should avoid reusing session names to prevent unintended + // consequences, such as rejection or unpredictable behavior. + // + // Support: Implementation-specific + sessionName?: strings.MaxRunes(128) + + // Type defines the type of session persistence such as through + // the use a header or cookie. Defaults to cookie based session + // persistence. + // + // Support: Core for "Cookie" type + // + // Support: Extended for "Header" type + type?: "Cookie" | "Header" | *"Cookie" + } + + // Timeouts defines the timeouts that can be configured for an + // HTTP request. + // + // Support: Extended + timeouts?: { + // BackendRequest specifies a timeout for an individual request + // from the gateway + // to a backend. This covers the time from when the request first + // starts being + // sent from the gateway to when the full response has been + // received from the backend. + // + // Setting a timeout to the zero duration (e.g. "0s") SHOULD + // disable the timeout + // completely. 
Implementations that cannot completely disable the + // timeout MUST + // instead interpret the zero duration as the longest possible + // value to which + // the timeout can be set. + // + // An entire client HTTP transaction with a gateway, covered by + // the Request timeout, + // may result in more than one call from the gateway to the + // destination backend, + // for example, if automatic retries are supported. + // + // The value of BackendRequest must be a Gateway API Duration + // string as defined by + // GEP-2257. When this field is unspecified, its behavior is + // implementation-specific; + // when specified, the value of BackendRequest must be no more + // than the value of the + // Request timeout (since the Request timeout encompasses the + // BackendRequest timeout). + // + // Support: Extended + backendRequest?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // Request specifies the maximum duration for a gateway to respond + // to an HTTP request. + // If the gateway has not been able to respond before this + // deadline is met, the gateway + // MUST return a timeout error. + // + // For example, setting the `rules.timeouts.request` field to the + // value `10s` in an + // `HTTPRoute` will cause a timeout if a client request is taking + // longer than 10 seconds + // to complete. + // + // Setting a timeout to the zero duration (e.g. "0s") SHOULD + // disable the timeout + // completely. Implementations that cannot completely disable the + // timeout MUST + // instead interpret the zero duration as the longest possible + // value to which + // the timeout can be set. + // + // This timeout is intended to cover as close to the whole + // request-response transaction + // as possible although an implementation MAY choose to start the + // timeout after the entire + // request stream has been received instead of immediately after + // the transaction is + // initiated by the client. 
+ // + // The value of Request is a Gateway API Duration string as + // defined by GEP-2257. When this + // field is unspecified, request timeout behavior is + // implementation-specific. + // + // Support: Extended + request?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + } + }] | *[{ + matches: [{ + path: { + type: "PathPrefix" + value: "/" + } + }] + }] +} diff --git a/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/httproute/v1beta1/types_gen.cue b/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/httproute/v1beta1/types_gen.cue new file mode 100644 index 000000000..1c002eea4 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/httproute/v1beta1/types_gen.cue 
@@ -0,0 +1,2266 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/envoyproxy/gateway/releases/download/v1.3.0/install.yaml + +package v1beta1 + +import ( + "strings" + "list" +) + +// HTTPRoute provides a way to route HTTP requests. This includes +// the capability +// to match requests by hostname, path, header, or query param. +// Filters can be +// used to specify additional processing steps. Backends specify +// where matching +// requests should be routed. +#HTTPRoute: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "gateway.networking.k8s.io/v1beta1" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "HTTPRoute" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Spec defines the desired state of HTTPRoute. + spec!: #HTTPRouteSpec +} + +// Spec defines the desired state of HTTPRoute. +#HTTPRouteSpec: { + // Hostnames defines a set of hostnames that should match against + // the HTTP Host + // header to select a HTTPRoute used to process the request. 
+ // Implementations + // MUST ignore any port value specified in the HTTP Host header + // while + // performing a match and (absent of any applicable header + // modification + // configuration) MUST forward this header unmodified to the + // backend. + // + // Valid values for Hostnames are determined by RFC 1123 + // definition of a + // hostname with 2 notable exceptions: + // + // 1. IPs are not allowed. + // 2. A hostname may be prefixed with a wildcard label (`*.`). The + // wildcard + // label must appear by itself as the first label. + // + // If a hostname is specified by both the Listener and HTTPRoute, + // there + // must be at least one intersecting hostname for the HTTPRoute to + // be + // attached to the Listener. For example: + // + // * A Listener with `test.example.com` as the hostname matches + // HTTPRoutes + // that have either not specified any hostnames, or have specified + // at + // least one of `test.example.com` or `*.example.com`. + // * A Listener with `*.example.com` as the hostname matches + // HTTPRoutes + // that have either not specified any hostnames or have specified + // at least + // one hostname that matches the Listener hostname. For example, + // `*.example.com`, `test.example.com`, and `foo.test.example.com` + // would + // all match. On the other hand, `example.com` and + // `test.example.net` would + // not match. + // + // Hostnames that are prefixed with a wildcard label (`*.`) are + // interpreted + // as a suffix match. That means that a match for `*.example.com` + // would match + // both `test.example.com`, and `foo.test.example.com`, but not + // `example.com`. + // + // If both the Listener and HTTPRoute have specified hostnames, + // any + // HTTPRoute hostnames that do not match the Listener hostname + // MUST be + // ignored. 
For example, if a Listener specified `*.example.com`, + // and the + // HTTPRoute specified `test.example.com` and `test.example.net`, + // `test.example.net` must not be considered for a match. + // + // If both the Listener and HTTPRoute have specified hostnames, + // and none + // match with the criteria above, then the HTTPRoute is not + // accepted. The + // implementation must raise an 'Accepted' Condition with a status + // of + // `False` in the corresponding RouteParentStatus. + // + // In the event that multiple HTTPRoutes specify intersecting + // hostnames (e.g. + // overlapping wildcard matching and exact matching hostnames), + // precedence must + // be given to rules from the HTTPRoute with the largest number + // of: + // + // * Characters in a matching non-wildcard hostname. + // * Characters in a matching hostname. + // + // If ties exist across multiple Routes, the matching precedence + // rules for + // HTTPRouteMatches takes over. + // + // Support: Core + hostnames?: list.MaxItems(16) & [...strings.MaxRunes(253) & strings.MinRunes(1) & =~"^(\\*\\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"] + + // ParentRefs references the resources (usually Gateways) that a + // Route wants + // to be attached to. Note that the referenced parent resource + // needs to + // allow this for the attachment to be complete. For Gateways, + // that means + // the Gateway needs to allow attachment from Routes of this kind + // and + // namespace. For Services, that means the Service must either be + // in the same + // namespace for a "producer" route, or the mesh implementation + // must support + // and allow "consumer" routes for the referenced Service. + // ReferenceGrant is + // not applicable for governing ParentRefs to Services - it is not + // possible to + // create a "producer" route for a Service in a different + // namespace from the + // Route. 
+ // + // There are two kinds of parent resources with "Core" support: + // + // * Gateway (Gateway conformance profile) + // * Service (Mesh conformance profile, ClusterIP Services only) + // + // This API may be extended in the future to support additional + // kinds of parent + // resources. + // + // ParentRefs must be _distinct_. This means either that: + // + // * They select different objects. If this is the case, then + // parentRef + // entries are distinct. In terms of fields, this means that the + // multi-part key defined by `group`, `kind`, `namespace`, and + // `name` must + // be unique across all parentRef entries in the Route. + // * They do not select different objects, but for each optional + // field used, + // each ParentRef that selects the same object must set the same + // set of + // optional fields to different values. If one ParentRef sets a + // combination of optional fields, all must set the same + // combination. + // + // Some examples: + // + // * If one ParentRef sets `sectionName`, all ParentRefs + // referencing the + // same object must also set `sectionName`. + // * If one ParentRef sets `port`, all ParentRefs referencing the + // same + // object must also set `port`. + // * If one ParentRef sets `sectionName` and `port`, all + // ParentRefs + // referencing the same object must also set `sectionName` and + // `port`. + // + // It is possible to separately reference multiple distinct + // objects that may + // be collapsed by an implementation. For example, some + // implementations may + // choose to merge compatible Gateway Listeners together. If that + // is the + // case, the list of routes attached to those resources should + // also be + // merged. + // + // Note that for ParentRefs that cross namespace boundaries, there + // are specific + // rules. Cross-namespace references are only valid if they are + // explicitly + // allowed by something in the namespace they are referring to. 
+ // For example, + // Gateway has the AllowedRoutes field, and ReferenceGrant + // provides a + // generic way to enable other kinds of cross-namespace reference. + // + // + // ParentRefs from a Route to a Service in the same namespace are + // "producer" + // routes, which apply default routing rules to inbound + // connections from + // any namespace to the Service. + // + // ParentRefs from a Route to a Service in a different namespace + // are + // "consumer" routes, and these routing rules are only applied to + // outbound + // connections originating from the same namespace as the Route, + // for which + // the intended destination of the connections are a Service + // targeted as a + // ParentRef of the Route. + parentRefs?: list.MaxItems(32) & [...{ + // Group is the group of the referent. + // When unspecified, "gateway.networking.k8s.io" is inferred. + // To set the core API group (such as for a "Service" kind + // referent), + // Group must be explicitly set to "" (empty string). + // + // Support: Core + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"gateway.networking.k8s.io" + + // Kind is kind of the referent. + // + // There are two kinds of parent resources with "Core" support: + // + // * Gateway (Gateway conformance profile) + // * Service (Mesh conformance profile, ClusterIP Services only) + // + // Support for other resources is Implementation-Specific. + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Gateway" + + // Name is the name of the referent. + // + // Support: Core + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the referent. When unspecified, + // this refers + // to the local namespace of the Route. + // + // Note that there are specific rules for ParentRefs which cross + // namespace + // boundaries. 
Cross-namespace references are only valid if they + // are explicitly + // allowed by something in the namespace they are referring to. + // For example: + // Gateway has the AllowedRoutes field, and ReferenceGrant + // provides a + // generic way to enable any other kind of cross-namespace + // reference. + // + // + // ParentRefs from a Route to a Service in the same namespace are + // "producer" + // routes, which apply default routing rules to inbound + // connections from + // any namespace to the Service. + // + // ParentRefs from a Route to a Service in a different namespace + // are + // "consumer" routes, and these routing rules are only applied to + // outbound + // connections originating from the same namespace as the Route, + // for which + // the intended destination of the connections are a Service + // targeted as a + // ParentRef of the Route. + // + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port is the network port this Route targets. It can be + // interpreted + // differently based on the type of parent resource. + // + // When the parent resource is a Gateway, this targets all + // listeners + // listening on the specified port that also support this kind of + // Route(and + // select this Route). It's not recommended to set `Port` unless + // the + // networking behaviors specified in a Route must apply to a + // specific port + // as opposed to a listener(s) whose port(s) may be changed. When + // both Port + // and SectionName are specified, the name and port of the + // selected listener + // must match both specified values. + // + // + // When the parent resource is a Service, this targets a specific + // port in the + // Service spec. When both Port (experimental) and SectionName are + // specified, + // the name and port of the selected port must match both + // specified values. 
+ // + // + // Implementations MAY choose to support other parent resources. + // Implementations supporting other types of parent resources MUST + // clearly + // document how/if Port is interpreted. + // + // For the purpose of status, an attachment is considered + // successful as + // long as the parent resource accepts it partially. For example, + // Gateway + // listeners can restrict which Routes can attach to them by Route + // kind, + // namespace, or hostname. If 1 of 2 Gateway listeners accept + // attachment + // from the referencing Route, the Route MUST be considered + // successfully + // attached. If no Gateway listeners accept attachment from this + // Route, + // the Route MUST be considered detached from the Gateway. + // + // Support: Extended + port?: uint16 & >=1 + + // SectionName is the name of a section within the target + // resource. In the + // following resources, SectionName is interpreted as the + // following: + // + // * Gateway: Listener name. When both Port (experimental) and + // SectionName + // are specified, the name and port of the selected listener must + // match + // both specified values. + // * Service: Port name. When both Port (experimental) and + // SectionName + // are specified, the name and port of the selected listener must + // match + // both specified values. + // + // Implementations MAY choose to support attaching Routes to other + // resources. + // If that is the case, they MUST clearly document how SectionName + // is + // interpreted. + // + // When unspecified (empty string), this will reference the entire + // resource. + // For the purpose of status, an attachment is considered + // successful if at + // least one section in the parent resource accepts it. For + // example, Gateway + // listeners can restrict which Routes can attach to them by Route + // kind, + // namespace, or hostname. 
If 1 of 2 Gateway listeners accept + // attachment from + // the referencing Route, the Route MUST be considered + // successfully + // attached. If no Gateway listeners accept attachment from this + // Route, the + // Route MUST be considered detached from the Gateway. + // + // Support: Core + sectionName?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + }] + + // Rules are a list of HTTP matchers, filters and actions. + rules?: list.MaxItems(16) & [...{ + // BackendRefs defines the backend(s) where matching requests + // should be + // sent. + // + // Failure behavior here depends on how many BackendRefs are + // specified and + // how many are invalid. + // + // If *all* entries in BackendRefs are invalid, and there are also + // no filters + // specified in this route rule, *all* traffic which matches this + // rule MUST + // receive a 500 status code. + // + // See the HTTPBackendRef definition for the rules about what + // makes a single + // HTTPBackendRef invalid. + // + // When a HTTPBackendRef is invalid, 500 status codes MUST be + // returned for + // requests that would have otherwise been routed to an invalid + // backend. If + // multiple backends are specified, and some are invalid, the + // proportion of + // requests that would otherwise have been routed to an invalid + // backend + // MUST receive a 500 status code. + // + // For example, if two backends are specified with equal weights, + // and one is + // invalid, 50 percent of traffic must receive a 500. + // Implementations may + // choose how that 50 percent is determined. + // + // When a HTTPBackendRef refers to a Service that has no ready + // endpoints, + // implementations SHOULD return a 503 for requests to that + // backend instead. + // If an implementation chooses to do this, all of the above rules + // for 500 responses + // MUST also apply for responses that return a 503. 
+ // + // Support: Core for Kubernetes Service + // + // Support: Extended for Kubernetes ServiceImport + // + // Support: Implementation-specific for any other resource + // + // Support for weight: Core + backendRefs?: list.MaxItems(16) & [...{ + // Filters defined at this level should be executed if and only if + // the + // request is being forwarded to the backend defined here. + // + // Support: Implementation-specific (For broader support of + // filters, use the + // Filters field in HTTPRouteRule.) + filters?: list.MaxItems(16) & [...{ + // ExtensionRef is an optional, implementation-specific extension + // to the + // "filter" behavior. For example, resource "myroutefilter" in + // group + // "networking.example.net"). ExtensionRef MUST NOT be used for + // core and + // extended filters. + // + // This filter can be used multiple times within the same rule. + // + // Support: Implementation-specific + extensionRef?: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the referent. For example "HTTPRoute" or + // "Service". + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + } + + // RequestHeaderModifier defines a schema for a filter that + // modifies request + // headers. + // + // Support: Core + requestHeaderModifier?: { + // Add adds the given header(s) (name, value) to the request + // before the action. It appends to any existing values associated + // with the header name. 
+ // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // add: + // - name: "my-header" + // value: "bar,baz" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: foo,bar,baz + add?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + + // Remove the given header(s) from the HTTP request before the + // action. The + // value of Remove is a list of HTTP header names. Note that the + // header + // names are case-insensitive (see + // https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + // + // Input: + // GET /foo HTTP/1.1 + // my-header1: foo + // my-header2: bar + // my-header3: baz + // + // Config: + // remove: ["my-header1", "my-header3"] + // + // Output: + // GET /foo HTTP/1.1 + // my-header2: bar + remove?: list.MaxItems(16) & [...string] + + // Set overwrites the request with the given header (name, value) + // before the action. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // set: + // - name: "my-header" + // value: "bar" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: bar + set?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). 
+ // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + } + + // RequestMirror defines a schema for a filter that mirrors + // requests. + // Requests are sent to the specified destination, but responses + // from + // that destination are ignored. + // + // This filter can be used multiple times within the same rule. + // Note that + // not all implementations will be able to support mirroring to + // multiple + // backends. + // + // Support: Extended + requestMirror?: { + // BackendRef references a resource where mirrored requests are + // sent. + // + // Mirrored requests must be sent only to a single destination + // endpoint + // within this BackendRef, irrespective of how many endpoints are + // present + // within this BackendRef. + // + // If the referent cannot be found, this BackendRef is invalid and + // must be + // dropped from the Gateway. The controller must ensure the + // "ResolvedRefs" + // condition on the Route status is set to `status: False` and not + // configure + // this backend in the underlying implementation. + // + // If there is a cross-namespace reference to an *existing* object + // that is not allowed by a ReferenceGrant, the controller must + // ensure the + // "ResolvedRefs" condition on the Route is set to `status: + // False`, + // with the "RefNotPermitted" reason and not configure this + // backend in the + // underlying implementation. 
+ // + // In either error case, the Message of the `ResolvedRefs` + // Condition + // should be used to provide more detail about the problem. + // + // Support: Extended for Kubernetes Service + // + // Support: Implementation-specific for any other resource + backendRef!: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. + // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. 
+ // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. + port?: uint16 & >=1 + } + + // Fraction represents the fraction of requests that should be + // mirrored to BackendRef. + // + // Only one of Fraction or Percent may be specified. If neither + // field + // is specified, 100% of requests will be mirrored. + fraction?: { + denominator?: int32 & int & >=1 | *100 + numerator!: int32 & >=0 + } + + // Percent represents the percentage of requests that should be + // mirrored to BackendRef. Its minimum value is 0 (indicating 0% + // of + // requests) and its maximum value is 100 (indicating 100% of + // requests). + // + // Only one of Fraction or Percent may be specified. If neither + // field + // is specified, 100% of requests will be mirrored. + percent?: uint & <=100 + } + + // RequestRedirect defines a schema for a filter that responds to + // the + // request with an HTTP redirection. + // + // Support: Core + requestRedirect?: { + // Hostname is the hostname to be used in the value of the + // `Location` + // header in the response. + // When empty, the hostname in the `Host` header of the request is + // used. + // + // Support: Core + hostname?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Path defines parameters used to modify the path of the incoming + // request. + // The modified path is then used to construct the `Location` + // header. When + // empty, the request path is used as-is. + // + // Support: Extended + path?: { + // ReplaceFullPath specifies the value with which to replace the + // full path + // of a request during a rewrite or redirect. 
+ replaceFullPath?: strings.MaxRunes(1024) + + // ReplacePrefixMatch specifies the value with which to replace + // the prefix + // match of a request during a rewrite or redirect. For example, a + // request + // to "/foo/bar" with a prefix match of "/foo" and a + // ReplacePrefixMatch + // of "/xyz" would be modified to "/xyz/bar". + // + // Note that this matches the behavior of the PathPrefix match + // type. This + // matches full path elements. A path element refers to the list + // of labels + // in the path split by the `/` separator. When specified, a + // trailing `/` is + // ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` + // would all + // match the prefix `/abc`, but the path `/abcd` would not. + // + // ReplacePrefixMatch is only compatible with a `PathPrefix` + // HTTPRouteMatch. + // Using any other HTTPRouteMatch type on the same HTTPRouteRule + // will result in + // the implementation setting the Accepted Condition for the Route + // to `status: False`. + // + // Request Path | Prefix Match | Replace Prefix | Modified Path + replacePrefixMatch?: strings.MaxRunes(1024) + + // Type defines the type of path modifier. Additional types may be + // added in a future release of the API. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + type!: "ReplaceFullPath" | "ReplacePrefixMatch" + } + + // Port is the port to be used in the value of the `Location` + // header in the response. + // + // If no port is specified, the redirect port MUST be derived + // using the + // following rules: + // + // * If redirect scheme is not-empty, the redirect port MUST be + // the well-known + // port associated with the redirect scheme. 
Specifically "http" + // to port 80 + // and "https" to port 443. If the redirect scheme does not have a + // well-known port, the listener port of the Gateway SHOULD be + // used. + // * If redirect scheme is empty, the redirect port MUST be the + // Gateway + // Listener port. + // + // Implementations SHOULD NOT add the port number in the + // 'Location' + // header in the following cases: + // + // * A Location header that will use HTTP (whether that is + // determined via + // the Listener protocol or the Scheme field) _and_ use port 80. + // * A Location header that will use HTTPS (whether that is + // determined via + // the Listener protocol or the Scheme field) _and_ use port 443. + // + // Support: Extended + port?: uint16 & >=1 + + // Scheme is the scheme to be used in the value of the `Location` + // header in + // the response. When empty, the scheme of the request is used. + // + // Scheme redirects can affect the port of the redirect, for more + // information, + // refer to the documentation for the port field of this filter. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + // + // Support: Extended + scheme?: "http" | "https" + + // StatusCode is the HTTP status code to be used in response. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + // + // Support: Core + statusCode?: (301 | 302) & int | *302 + } + + // ResponseHeaderModifier defines a schema for a filter that + // modifies response + // headers. 
+ // + // Support: Extended + responseHeaderModifier?: { + // Add adds the given header(s) (name, value) to the request + // before the action. It appends to any existing values associated + // with the header name. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // add: + // - name: "my-header" + // value: "bar,baz" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: foo,bar,baz + add?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + + // Remove the given header(s) from the HTTP request before the + // action. The + // value of Remove is a list of HTTP header names. Note that the + // header + // names are case-insensitive (see + // https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + // + // Input: + // GET /foo HTTP/1.1 + // my-header1: foo + // my-header2: bar + // my-header3: baz + // + // Config: + // remove: ["my-header1", "my-header3"] + // + // Output: + // GET /foo HTTP/1.1 + // my-header2: bar + remove?: list.MaxItems(16) & [...string] + + // Set overwrites the request with the given header (name, value) + // before the action. 
+ // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // set: + // - name: "my-header" + // value: "bar" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: bar + set?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + } + + // Type identifies the type of filter to apply. As with other API + // fields, + // types are classified into three conformance levels: + // + // - Core: Filter types and their corresponding configuration + // defined by + // "Support: Core" in this package, e.g. "RequestHeaderModifier". + // All + // implementations must support core filters. + // + // - Extended: Filter types and their corresponding configuration + // defined by + // "Support: Extended" in this package, e.g. "RequestMirror". + // Implementers + // are encouraged to support extended filters. + // + // - Implementation-specific: Filters that are defined and + // supported by + // specific vendors. + // In the future, filters showing convergence in behavior across + // multiple + // implementations will be considered for inclusion in extended or + // core + // conformance levels. Filter-specific configuration for such + // filters + // is specified using the ExtensionRef field. `Type` should be set + // to + // "ExtensionRef" for custom filters. 
+ // + // Implementers are encouraged to define custom implementation + // types to + // extend the core API with implementation-specific behavior. + // + // If a reference to a custom filter type cannot be resolved, the + // filter + // MUST NOT be skipped. Instead, requests that would have been + // processed by + // that filter MUST receive a HTTP error response. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + type!: "RequestHeaderModifier" | "ResponseHeaderModifier" | "RequestMirror" | "RequestRedirect" | "URLRewrite" | "ExtensionRef" + + // URLRewrite defines a schema for a filter that modifies a + // request during forwarding. + // + // Support: Extended + urlRewrite?: { + // Hostname is the value to be used to replace the Host header + // value during + // forwarding. + // + // Support: Extended + hostname?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Path defines a path rewrite. + // + // Support: Extended + path?: { + // ReplaceFullPath specifies the value with which to replace the + // full path + // of a request during a rewrite or redirect. + replaceFullPath?: strings.MaxRunes(1024) + + // ReplacePrefixMatch specifies the value with which to replace + // the prefix + // match of a request during a rewrite or redirect. For example, a + // request + // to "/foo/bar" with a prefix match of "/foo" and a + // ReplacePrefixMatch + // of "/xyz" would be modified to "/xyz/bar". + // + // Note that this matches the behavior of the PathPrefix match + // type. This + // matches full path elements. A path element refers to the list + // of labels + // in the path split by the `/` separator. 
When specified, a + // trailing `/` is + // ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` + // would all + // match the prefix `/abc`, but the path `/abcd` would not. + // + // ReplacePrefixMatch is only compatible with a `PathPrefix` + // HTTPRouteMatch. + // Using any other HTTPRouteMatch type on the same HTTPRouteRule + // will result in + // the implementation setting the Accepted Condition for the Route + // to `status: False`. + // + // Request Path | Prefix Match | Replace Prefix | Modified Path + replacePrefixMatch?: strings.MaxRunes(1024) + + // Type defines the type of path modifier. Additional types may be + // added in a future release of the API. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + type!: "ReplaceFullPath" | "ReplacePrefixMatch" + } + } + }] + + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. 
+ // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. + // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. + port?: uint16 & >=1 + + // Weight specifies the proportion of requests forwarded to the + // referenced + // backend. This is computed as weight/(sum of all weights in this + // BackendRefs list). For non-zero values, there may be some + // epsilon from + // the exact proportion defined here depending on the precision an + // implementation supports. Weight is not a percentage and the sum + // of + // weights does not need to equal 100. + // + // If only one backend is specified and it has a weight greater + // than 0, 100% + // of the traffic is forwarded to that backend. If weight is set + // to 0, no + // traffic should be forwarded for this entry. If unspecified, + // weight + // defaults to 1. 
+ // + // Support for this field varies based on the context where used. + weight?: int32 & int & <=1000000 & >=0 | *1 + }] + + // Filters define the filters that are applied to requests that + // match + // this rule. + // + // Wherever possible, implementations SHOULD implement filters in + // the order + // they are specified. + // + // Implementations MAY choose to implement this ordering strictly, + // rejecting + // any combination or order of filters that can not be supported. + // If implementations + // choose a strict interpretation of filter ordering, they MUST + // clearly document + // that behavior. + // + // To reject an invalid combination or order of filters, + // implementations SHOULD + // consider the Route Rules with this configuration invalid. If + // all Route Rules + // in a Route are invalid, the entire Route would be considered + // invalid. If only + // a portion of Route Rules are invalid, implementations MUST set + // the + // "PartiallyInvalid" condition for the Route. + // + // Conformance-levels at this level are defined based on the type + // of filter: + // + // - ALL core filters MUST be supported by all implementations. + // - Implementers are encouraged to support extended filters. + // - Implementation-specific custom filters have no API guarantees + // across + // implementations. + // + // Specifying the same filter multiple times is not supported + // unless explicitly + // indicated in the filter. + // + // All filters are expected to be compatible with each other + // except for the + // URLRewrite and RequestRedirect filters, which may not be + // combined. If an + // implementation can not support other combinations of filters, + // they must clearly + // document that limitation. 
In cases where incompatible or + // unsupported + // filters are specified and cause the `Accepted` condition to be + // set to status + // `False`, implementations may use the `IncompatibleFilters` + // reason to specify + // this configuration error. + // + // Support: Core + filters?: list.MaxItems(16) & [...{ + // ExtensionRef is an optional, implementation-specific extension + // to the + // "filter" behavior. For example, resource "myroutefilter" in + // group + // "networking.example.net"). ExtensionRef MUST NOT be used for + // core and + // extended filters. + // + // This filter can be used multiple times within the same rule. + // + // Support: Implementation-specific + extensionRef?: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is kind of the referent. For example "HTTPRoute" or + // "Service". + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + } + + // RequestHeaderModifier defines a schema for a filter that + // modifies request + // headers. + // + // Support: Core + requestHeaderModifier?: { + // Add adds the given header(s) (name, value) to the request + // before the action. It appends to any existing values associated + // with the header name. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // add: + // - name: "my-header" + // value: "bar,baz" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: foo,bar,baz + add?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). 
+ // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + + // Remove the given header(s) from the HTTP request before the + // action. The + // value of Remove is a list of HTTP header names. Note that the + // header + // names are case-insensitive (see + // https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + // + // Input: + // GET /foo HTTP/1.1 + // my-header1: foo + // my-header2: bar + // my-header3: baz + // + // Config: + // remove: ["my-header1", "my-header3"] + // + // Output: + // GET /foo HTTP/1.1 + // my-header2: bar + remove?: list.MaxItems(16) & [...string] + + // Set overwrites the request with the given header (name, value) + // before the action. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // set: + // - name: "my-header" + // value: "bar" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: bar + set?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. 
+ name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + } + + // RequestMirror defines a schema for a filter that mirrors + // requests. + // Requests are sent to the specified destination, but responses + // from + // that destination are ignored. + // + // This filter can be used multiple times within the same rule. + // Note that + // not all implementations will be able to support mirroring to + // multiple + // backends. + // + // Support: Extended + requestMirror?: { + // BackendRef references a resource where mirrored requests are + // sent. + // + // Mirrored requests must be sent only to a single destination + // endpoint + // within this BackendRef, irrespective of how many endpoints are + // present + // within this BackendRef. + // + // If the referent cannot be found, this BackendRef is invalid and + // must be + // dropped from the Gateway. The controller must ensure the + // "ResolvedRefs" + // condition on the Route status is set to `status: False` and not + // configure + // this backend in the underlying implementation. + // + // If there is a cross-namespace reference to an *existing* object + // that is not allowed by a ReferenceGrant, the controller must + // ensure the + // "ResolvedRefs" condition on the Route is set to `status: + // False`, + // with the "RefNotPermitted" reason and not configure this + // backend in the + // underlying implementation. + // + // In either error case, the Message of the `ResolvedRefs` + // Condition + // should be used to provide more detail about the problem. + // + // Support: Extended for Kubernetes Service + // + // Support: Implementation-specific for any other resource + backendRef!: { + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. 
+ group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. + // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. + // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. + port?: uint16 & >=1 + } + + // Fraction represents the fraction of requests that should be + // mirrored to BackendRef. 
+ // + // Only one of Fraction or Percent may be specified. If neither + // field + // is specified, 100% of requests will be mirrored. + fraction?: { + denominator?: int32 & int & >=1 | *100 + numerator!: int32 & >=0 + } + + // Percent represents the percentage of requests that should be + // mirrored to BackendRef. Its minimum value is 0 (indicating 0% + // of + // requests) and its maximum value is 100 (indicating 100% of + // requests). + // + // Only one of Fraction or Percent may be specified. If neither + // field + // is specified, 100% of requests will be mirrored. + percent?: uint & <=100 + } + + // RequestRedirect defines a schema for a filter that responds to + // the + // request with an HTTP redirection. + // + // Support: Core + requestRedirect?: { + // Hostname is the hostname to be used in the value of the + // `Location` + // header in the response. + // When empty, the hostname in the `Host` header of the request is + // used. + // + // Support: Core + hostname?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Path defines parameters used to modify the path of the incoming + // request. + // The modified path is then used to construct the `Location` + // header. When + // empty, the request path is used as-is. + // + // Support: Extended + path?: { + // ReplaceFullPath specifies the value with which to replace the + // full path + // of a request during a rewrite or redirect. + replaceFullPath?: strings.MaxRunes(1024) + + // ReplacePrefixMatch specifies the value with which to replace + // the prefix + // match of a request during a rewrite or redirect. For example, a + // request + // to "/foo/bar" with a prefix match of "/foo" and a + // ReplacePrefixMatch + // of "/xyz" would be modified to "/xyz/bar". + // + // Note that this matches the behavior of the PathPrefix match + // type. This + // matches full path elements. 
A path element refers to the list + // of labels + // in the path split by the `/` separator. When specified, a + // trailing `/` is + // ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` + // would all + // match the prefix `/abc`, but the path `/abcd` would not. + // + // ReplacePrefixMatch is only compatible with a `PathPrefix` + // HTTPRouteMatch. + // Using any other HTTPRouteMatch type on the same HTTPRouteRule + // will result in + // the implementation setting the Accepted Condition for the Route + // to `status: False`. + // + // Request Path | Prefix Match | Replace Prefix | Modified Path + replacePrefixMatch?: strings.MaxRunes(1024) + + // Type defines the type of path modifier. Additional types may be + // added in a future release of the API. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + type!: "ReplaceFullPath" | "ReplacePrefixMatch" + } + + // Port is the port to be used in the value of the `Location` + // header in the response. + // + // If no port is specified, the redirect port MUST be derived + // using the + // following rules: + // + // * If redirect scheme is not-empty, the redirect port MUST be + // the well-known + // port associated with the redirect scheme. Specifically "http" + // to port 80 + // and "https" to port 443. If the redirect scheme does not have a + // well-known port, the listener port of the Gateway SHOULD be + // used. + // * If redirect scheme is empty, the redirect port MUST be the + // Gateway + // Listener port. 
+ // + // Implementations SHOULD NOT add the port number in the + // 'Location' + // header in the following cases: + // + // * A Location header that will use HTTP (whether that is + // determined via + // the Listener protocol or the Scheme field) _and_ use port 80. + // * A Location header that will use HTTPS (whether that is + // determined via + // the Listener protocol or the Scheme field) _and_ use port 443. + // + // Support: Extended + port?: uint16 & >=1 + + // Scheme is the scheme to be used in the value of the `Location` + // header in + // the response. When empty, the scheme of the request is used. + // + // Scheme redirects can affect the port of the redirect, for more + // information, + // refer to the documentation for the port field of this filter. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + // + // Support: Extended + scheme?: "http" | "https" + + // StatusCode is the HTTP status code to be used in response. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + // + // Support: Core + statusCode?: (301 | 302) & int | *302 + } + + // ResponseHeaderModifier defines a schema for a filter that + // modifies response + // headers. + // + // Support: Extended + responseHeaderModifier?: { + // Add adds the given header(s) (name, value) to the request + // before the action. It appends to any existing values associated + // with the header name. 
+ // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // add: + // - name: "my-header" + // value: "bar,baz" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: foo,bar,baz + add?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + + // Remove the given header(s) from the HTTP request before the + // action. The + // value of Remove is a list of HTTP header names. Note that the + // header + // names are case-insensitive (see + // https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + // + // Input: + // GET /foo HTTP/1.1 + // my-header1: foo + // my-header2: bar + // my-header3: baz + // + // Config: + // remove: ["my-header1", "my-header3"] + // + // Output: + // GET /foo HTTP/1.1 + // my-header2: bar + remove?: list.MaxItems(16) & [...string] + + // Set overwrites the request with the given header (name, value) + // before the action. + // + // Input: + // GET /foo HTTP/1.1 + // my-header: foo + // + // Config: + // set: + // - name: "my-header" + // value: "bar" + // + // Output: + // GET /foo HTTP/1.1 + // my-header: bar + set?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). 
+ // + // If multiple entries specify equivalent header names, the first + // entry with + // an equivalent name MUST be considered for a match. Subsequent + // entries + // with an equivalent header name MUST be ignored. Due to the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + } + + // Type identifies the type of filter to apply. As with other API + // fields, + // types are classified into three conformance levels: + // + // - Core: Filter types and their corresponding configuration + // defined by + // "Support: Core" in this package, e.g. "RequestHeaderModifier". + // All + // implementations must support core filters. + // + // - Extended: Filter types and their corresponding configuration + // defined by + // "Support: Extended" in this package, e.g. "RequestMirror". + // Implementers + // are encouraged to support extended filters. + // + // - Implementation-specific: Filters that are defined and + // supported by + // specific vendors. + // In the future, filters showing convergence in behavior across + // multiple + // implementations will be considered for inclusion in extended or + // core + // conformance levels. Filter-specific configuration for such + // filters + // is specified using the ExtensionRef field. `Type` should be set + // to + // "ExtensionRef" for custom filters. + // + // Implementers are encouraged to define custom implementation + // types to + // extend the core API with implementation-specific behavior. + // + // If a reference to a custom filter type cannot be resolved, the + // filter + // MUST NOT be skipped. Instead, requests that would have been + // processed by + // that filter MUST receive a HTTP error response. 
+ // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + type!: "RequestHeaderModifier" | "ResponseHeaderModifier" | "RequestMirror" | "RequestRedirect" | "URLRewrite" | "ExtensionRef" + + // URLRewrite defines a schema for a filter that modifies a + // request during forwarding. + // + // Support: Extended + urlRewrite?: { + // Hostname is the value to be used to replace the Host header + // value during + // forwarding. + // + // Support: Extended + hostname?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Path defines a path rewrite. + // + // Support: Extended + path?: { + // ReplaceFullPath specifies the value with which to replace the + // full path + // of a request during a rewrite or redirect. + replaceFullPath?: strings.MaxRunes(1024) + + // ReplacePrefixMatch specifies the value with which to replace + // the prefix + // match of a request during a rewrite or redirect. For example, a + // request + // to "/foo/bar" with a prefix match of "/foo" and a + // ReplacePrefixMatch + // of "/xyz" would be modified to "/xyz/bar". + // + // Note that this matches the behavior of the PathPrefix match + // type. This + // matches full path elements. A path element refers to the list + // of labels + // in the path split by the `/` separator. When specified, a + // trailing `/` is + // ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` + // would all + // match the prefix `/abc`, but the path `/abcd` would not. + // + // ReplacePrefixMatch is only compatible with a `PathPrefix` + // HTTPRouteMatch. 
+ // Using any other HTTPRouteMatch type on the same HTTPRouteRule + // will result in + // the implementation setting the Accepted Condition for the Route + // to `status: False`. + // + // Request Path | Prefix Match | Replace Prefix | Modified Path + replacePrefixMatch?: strings.MaxRunes(1024) + + // Type defines the type of path modifier. Additional types may be + // added in a future release of the API. + // + // Note that values may be added to this enum, implementations + // must ensure that unknown values will not cause a crash. + // + // Unknown values here must result in the implementation setting + // the + // Accepted Condition for the Route to `status: False`, with a + // Reason of `UnsupportedValue`. + type!: "ReplaceFullPath" | "ReplacePrefixMatch" + } + } + }] + + // Matches define conditions used for matching the rule against + // incoming + // HTTP requests. Each match is independent, i.e. this rule will + // be matched + // if **any** one of the matches is satisfied. + // + // For example, take the following matches configuration: + // + // ``` + // matches: + // - path: + // value: "/foo" + // headers: + // - name: "version" + // value: "v2" + // - path: + // value: "/v2/foo" + // ``` + // + // For a request to match against this rule, a request must + // satisfy + // EITHER of the two conditions: + // + // - path prefixed with `/foo` AND contains the header `version: + // v2` + // - path prefix of `/v2/foo` + // + // See the documentation for HTTPRouteMatch on how to specify + // multiple + // match conditions that should be ANDed together. + // + // If no matches are specified, the default is a prefix + // path match on "/", which has the effect of matching every + // HTTP request. + // + // Proxy or Load Balancer routing configuration generated from + // HTTPRoutes + // MUST prioritize matches based on the following criteria, + // continuing on + // ties. 
Across all rules specified on applicable Routes, + // precedence must be + // given to the match having: + // + // * "Exact" path match. + // * "Prefix" path match with largest number of characters. + // * Method match. + // * Largest number of header matches. + // * Largest number of query param matches. + // + // Note: The precedence of RegularExpression path matches are + // implementation-specific. + // + // If ties still exist across multiple Routes, matching precedence + // MUST be + // determined in order of the following criteria, continuing on + // ties: + // + // * The oldest Route based on creation timestamp. + // * The Route appearing first in alphabetical order by + // "{namespace}/{name}". + // + // If ties still exist within an HTTPRoute, matching precedence + // MUST be granted + // to the FIRST matching rule (in list order) with a match meeting + // the above + // criteria. + // + // When no rules matching a request have been successfully + // attached to the + // parent a request is coming from, a HTTP 404 status code MUST be + // returned. + matches?: list.MaxItems(64) & [...{ + // Headers specifies HTTP request header matchers. Multiple match + // values are + // ANDed together, meaning, a request must match all the specified + // headers + // to select the route. + headers?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP Header to be matched. Name + // matching MUST be + // case insensitive. (See + // https://tools.ietf.org/html/rfc7230#section-3.2). + // + // If multiple entries specify equivalent header names, only the + // first + // entry with an equivalent name MUST be considered for a match. + // Subsequent + // entries with an equivalent header name MUST be ignored. Due to + // the + // case-insensitivity of header names, "foo" and "Foo" are + // considered + // equivalent. + // + // When a header is repeated in an HTTP request, it is + // implementation-specific behavior as to how this is represented. 
+ // Generally, proxies should follow the guidance from the RFC: + // https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + // regarding + // processing a repeated header, with special handling for + // "Set-Cookie". + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Type specifies how to match against the value of the header. + // + // Support: Core (Exact) + // + // Support: Implementation-specific (RegularExpression) + // + // Since RegularExpression HeaderMatchType has + // implementation-specific + // conformance, implementations can support POSIX, PCRE or any + // other dialects + // of regular expressions. Please read the implementation's + // documentation to + // determine the supported dialect. + type?: "Exact" | "RegularExpression" | *"Exact" + + // Value is the value of HTTP Header to be matched. + value!: strings.MaxRunes(4096) & strings.MinRunes(1) + }] + + // Method specifies HTTP method matcher. + // When specified, this route will be matched only if the request + // has the + // specified method. + // + // Support: Extended + method?: "GET" | "HEAD" | "POST" | "PUT" | "DELETE" | "CONNECT" | "OPTIONS" | "TRACE" | "PATCH" + + // Path specifies a HTTP request path matcher. If this field is + // not + // specified, a default prefix match on the "/" path is provided. + path?: { + // Type specifies how to match against the path Value. + // + // Support: Core (Exact, PathPrefix) + // + // Support: Implementation-specific (RegularExpression) + type?: "Exact" | "PathPrefix" | "RegularExpression" | *"PathPrefix" + + // Value of the HTTP path to match against. + value?: strings.MaxRunes(1024) | *"/" + } | *{ + type: "PathPrefix" + value: "/" + } + + // QueryParams specifies HTTP query parameter matchers. Multiple + // match + // values are ANDed together, meaning, a request must match all + // the + // specified query parameters to select the route. 
+ // + // Support: Extended + queryParams?: list.MaxItems(16) & [...{ + // Name is the name of the HTTP query param to be matched. This + // must be an + // exact string match. (See + // https://tools.ietf.org/html/rfc7230#section-2.7.3). + // + // If multiple entries specify equivalent query param names, only + // the first + // entry with an equivalent name MUST be considered for a match. + // Subsequent + // entries with an equivalent query param name MUST be ignored. + // + // If a query param is repeated in an HTTP request, the behavior + // is + // purposely left undefined, since different data planes have + // different + // capabilities. However, it is *recommended* that implementations + // should + // match against the first value of the param if the data plane + // supports it, + // as this behavior is expected in other load balancing contexts + // outside of + // the Gateway API. + // + // Users SHOULD NOT route traffic based on repeated query params + // to guard + // themselves against potential differences in the + // implementations. + name!: strings.MaxRunes(256) & strings.MinRunes(1) & { + =~"^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$" + } + + // Type specifies how to match against the value of the query + // parameter. + // + // Support: Extended (Exact) + // + // Support: Implementation-specific (RegularExpression) + // + // Since RegularExpression QueryParamMatchType has + // Implementation-specific + // conformance, implementations can support POSIX, PCRE or any + // other + // dialects of regular expressions. Please read the + // implementation's + // documentation to determine the supported dialect. + type?: "Exact" | "RegularExpression" | *"Exact" + + // Value is the value of HTTP query param to be matched. + value!: strings.MaxRunes(1024) & strings.MinRunes(1) + }] + }] | *[{ + path: { + type: "PathPrefix" + value: "/" + } + }] + + // Name is the name of the route rule. This name MUST be unique + // within a Route if it is set. 
+ // + // Support: Extended + name?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Retry defines the configuration for when to retry an HTTP + // request. + // + // Support: Extended + retry?: { + // Attempts specifies the maxmimum number of times an individual + // request + // from the gateway to a backend should be retried. + // + // If the maximum number of retries has been attempted without a + // successful + // response from the backend, the Gateway MUST return an error. + // + // When this field is unspecified, the number of times to attempt + // to retry + // a backend request is implementation-specific. + // + // Support: Extended + attempts?: int + + // Backoff specifies the minimum duration a Gateway should wait + // between + // retry attempts and is represented in Gateway API Duration + // formatting. + // + // For example, setting the `rules[].retry.backoff` field to the + // value + // `100ms` will cause a backend request to first be retried + // approximately + // 100 milliseconds after timing out or receiving a response code + // configured + // to be retryable. + // + // An implementation MAY use an exponential or alternative backoff + // strategy + // for subsequent retry attempts, MAY cap the maximum backoff + // duration to + // some amount greater than the specified minimum, and MAY add + // arbitrary + // jitter to stagger requests, as long as unsuccessful backend + // requests are + // not retried before the configured minimum duration. + // + // If a Request timeout (`rules[].timeouts.request`) is configured + // on the + // route, the entire duration of the initial request and any retry + // attempts + // MUST not exceed the Request timeout duration. 
If any retry + // attempts are + // still in progress when the Request timeout duration has been + // reached, + // these SHOULD be canceled if possible and the Gateway MUST + // immediately + // return a timeout error. + // + // If a BackendRequest timeout (`rules[].timeouts.backendRequest`) + // is + // configured on the route, any retry attempts which reach the + // configured + // BackendRequest timeout duration without a response SHOULD be + // canceled if + // possible and the Gateway should wait for at least the specified + // backoff + // duration before attempting to retry the backend request again. + // + // If a BackendRequest timeout is _not_ configured on the route, + // retry + // attempts MAY time out after an implementation default duration, + // or MAY + // remain pending until a configured Request timeout or + // implementation + // default duration for total request time is reached. + // + // When this field is unspecified, the time to wait between retry + // attempts + // is implementation-specific. + // + // Support: Extended + backoff?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // Codes defines the HTTP response status codes for which a + // backend request + // should be retried. + // + // Support: Extended + codes?: [...int & <=599 & >=400] + } + + // SessionPersistence defines and configures session persistence + // for the route rule. + // + // Support: Extended + sessionPersistence?: { + // AbsoluteTimeout defines the absolute timeout of the persistent + // session. Once the AbsoluteTimeout duration has elapsed, the + // session becomes invalid. + // + // Support: Extended + absoluteTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + cookieConfig?: { + // LifetimeType specifies whether the cookie has a permanent or + // session-based lifetime. A permanent cookie persists until its + // specified expiry time, defined by the Expires or Max-Age cookie + // attributes, while a session cookie is deleted when the current + // session ends. 
+ // + // When set to "Permanent", AbsoluteTimeout indicates the + // cookie's lifetime via the Expires or Max-Age cookie attributes + // and is required. + // + // When set to "Session", AbsoluteTimeout indicates the + // absolute lifetime of the cookie tracked by the gateway and + // is optional. + // + // Support: Core for "Session" type + // + // Support: Extended for "Permanent" type + lifetimeType?: "Permanent" | "Session" | *"Session" + } + + // IdleTimeout defines the idle timeout of the persistent session. + // Once the session has been idle for more than the specified + // IdleTimeout duration, the session becomes invalid. + // + // Support: Extended + idleTimeout?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // SessionName defines the name of the persistent session token + // which may be reflected in the cookie or the header. Users + // should avoid reusing session names to prevent unintended + // consequences, such as rejection or unpredictable behavior. + // + // Support: Implementation-specific + sessionName?: strings.MaxRunes(128) + + // Type defines the type of session persistence such as through + // the use a header or cookie. Defaults to cookie based session + // persistence. + // + // Support: Core for "Cookie" type + // + // Support: Extended for "Header" type + type?: "Cookie" | "Header" | *"Cookie" + } + + // Timeouts defines the timeouts that can be configured for an + // HTTP request. + // + // Support: Extended + timeouts?: { + // BackendRequest specifies a timeout for an individual request + // from the gateway + // to a backend. This covers the time from when the request first + // starts being + // sent from the gateway to when the full response has been + // received from the backend. + // + // Setting a timeout to the zero duration (e.g. "0s") SHOULD + // disable the timeout + // completely. 
Implementations that cannot completely disable the + // timeout MUST + // instead interpret the zero duration as the longest possible + // value to which + // the timeout can be set. + // + // An entire client HTTP transaction with a gateway, covered by + // the Request timeout, + // may result in more than one call from the gateway to the + // destination backend, + // for example, if automatic retries are supported. + // + // The value of BackendRequest must be a Gateway API Duration + // string as defined by + // GEP-2257. When this field is unspecified, its behavior is + // implementation-specific; + // when specified, the value of BackendRequest must be no more + // than the value of the + // Request timeout (since the Request timeout encompasses the + // BackendRequest timeout). + // + // Support: Extended + backendRequest?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + + // Request specifies the maximum duration for a gateway to respond + // to an HTTP request. + // If the gateway has not been able to respond before this + // deadline is met, the gateway + // MUST return a timeout error. + // + // For example, setting the `rules.timeouts.request` field to the + // value `10s` in an + // `HTTPRoute` will cause a timeout if a client request is taking + // longer than 10 seconds + // to complete. + // + // Setting a timeout to the zero duration (e.g. "0s") SHOULD + // disable the timeout + // completely. Implementations that cannot completely disable the + // timeout MUST + // instead interpret the zero duration as the longest possible + // value to which + // the timeout can be set. + // + // This timeout is intended to cover as close to the whole + // request-response transaction + // as possible although an implementation MAY choose to start the + // timeout after the entire + // request stream has been received instead of immediately after + // the transaction is + // initiated by the client. 
+ // + // The value of Request is a Gateway API Duration string as + // defined by GEP-2257. When this + // field is unspecified, request timeout behavior is + // implementation-specific. + // + // Support: Extended + request?: =~"^([0-9]{1,5}(h|m|s|ms)){1,4}$" + } + }] | *[{ + matches: [{ + path: { + type: "PathPrefix" + value: "/" + } + }] + }] +} diff --git a/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/referencegrant/v1beta1/types_gen.cue b/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/referencegrant/v1beta1/types_gen.cue new file mode 100644 index 000000000..07eba126a --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/referencegrant/v1beta1/types_gen.cue 
@@ -0,0 +1,161 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/envoyproxy/gateway/releases/download/v1.3.0/install.yaml + +package v1beta1 + +import ( + "strings" + "list" +) + +// ReferenceGrant identifies kinds of resources in other +// namespaces that are +// trusted to reference the specified kinds of resources in the +// same namespace +// as the policy. +// +// Each ReferenceGrant can be used to represent a unique trust +// relationship. +// Additional Reference Grants can be used to add to the set of +// trusted +// sources of inbound references for the namespace they are +// defined within. +// +// All cross-namespace references in Gateway API (with the +// exception of cross-namespace +// Gateway-route attachment) require a ReferenceGrant. +// +// ReferenceGrant is a form of runtime verification allowing users +// to assert +// which cross-namespace object references are permitted. +// Implementations that +// support ReferenceGrant MUST NOT permit cross-namespace +// references which have +// no grant, and MUST respond to the removal of a grant by +// revoking the access +// that the grant allowed. +#ReferenceGrant: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "gateway.networking.k8s.io/v1beta1" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. 
+ // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "ReferenceGrant" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Spec defines the desired state of ReferenceGrant. + spec!: #ReferenceGrantSpec +} + +// Spec defines the desired state of ReferenceGrant. +#ReferenceGrantSpec: { + // From describes the trusted namespaces and kinds that can + // reference the + // resources described in "To". Each entry in this list MUST be + // considered + // to be an additional place that references can be valid from, or + // to put + // this another way, entries MUST be combined using OR. + // + // Support: Core + from!: list.MaxItems(16) & [...{ + // Group is the group of the referent. + // When empty, the Kubernetes core API group is inferred. + // + // Support: Core + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is the kind of the referent. Although implementations may + // support + // additional resources, the following types are part of the + // "Core" + // support level for this field. + // + // When used to permit a SecretObjectReference: + // + // * Gateway + // + // When used to permit a BackendObjectReference: + // + // * GRPCRoute + // * HTTPRoute + // * TCPRoute + // * TLSRoute + // * UDPRoute + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Namespace is the namespace of the referent. + // + // Support: Core + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + }] & [_, ...] + + // To describes the resources that may be referenced by the + // resources + // described in "From". 
Each entry in this list MUST be considered + // to be an + // additional place that references can be valid to, or to put + // this another + // way, entries MUST be combined using OR. + // + // Support: Core + to!: list.MaxItems(16) & [...{ + // Group is the group of the referent. + // When empty, the Kubernetes core API group is inferred. + // + // Support: Core + group!: strings.MaxRunes(253) & { + =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + + // Kind is the kind of the referent. Although implementations may + // support + // additional resources, the following types are part of the + // "Core" + // support level for this field: + // + // * Secret when used to permit a SecretObjectReference + // * Service when used to permit a BackendObjectReference + kind!: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" + } + + // Name is the name of the referent. When unspecified, this policy + // refers to all resources of the specified Group and Kind in the + // local + // namespace. + name?: strings.MaxRunes(253) & strings.MinRunes(1) + }] & [_, ...] +} diff --git a/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/tcproute/v1alpha2/types_gen.cue b/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/tcproute/v1alpha2/types_gen.cue new file mode 100644 index 000000000..5239f0d98 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/tcproute/v1alpha2/types_gen.cue 
@@ -0,0 +1,417 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/envoyproxy/gateway/releases/download/v1.3.0/install.yaml + +package v1alpha2 + +import ( + "strings" + "list" +) + +// TCPRoute provides a way to route TCP requests. When combined +// with a Gateway +// listener, it can be used to forward connections on the port +// specified by the +// listener to a set of backends specified by the TCPRoute. +#TCPRoute: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "gateway.networking.k8s.io/v1alpha2" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "TCPRoute" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Spec defines the desired state of TCPRoute. + spec!: #TCPRouteSpec +} + +// Spec defines the desired state of TCPRoute. +#TCPRouteSpec: { + // ParentRefs references the resources (usually Gateways) that a + // Route wants + // to be attached to. Note that the referenced parent resource + // needs to + // allow this for the attachment to be complete. For Gateways, + // that means + // the Gateway needs to allow attachment from Routes of this kind + // and + // namespace. 
For Services, that means the Service must either be + // in the same + // namespace for a "producer" route, or the mesh implementation + // must support + // and allow "consumer" routes for the referenced Service. + // ReferenceGrant is + // not applicable for governing ParentRefs to Services - it is not + // possible to + // create a "producer" route for a Service in a different + // namespace from the + // Route. + // + // There are two kinds of parent resources with "Core" support: + // + // * Gateway (Gateway conformance profile) + // * Service (Mesh conformance profile, ClusterIP Services only) + // + // This API may be extended in the future to support additional + // kinds of parent + // resources. + // + // ParentRefs must be _distinct_. This means either that: + // + // * They select different objects. If this is the case, then + // parentRef + // entries are distinct. In terms of fields, this means that the + // multi-part key defined by `group`, `kind`, `namespace`, and + // `name` must + // be unique across all parentRef entries in the Route. + // * They do not select different objects, but for each optional + // field used, + // each ParentRef that selects the same object must set the same + // set of + // optional fields to different values. If one ParentRef sets a + // combination of optional fields, all must set the same + // combination. + // + // Some examples: + // + // * If one ParentRef sets `sectionName`, all ParentRefs + // referencing the + // same object must also set `sectionName`. + // * If one ParentRef sets `port`, all ParentRefs referencing the + // same + // object must also set `port`. + // * If one ParentRef sets `sectionName` and `port`, all + // ParentRefs + // referencing the same object must also set `sectionName` and + // `port`. + // + // It is possible to separately reference multiple distinct + // objects that may + // be collapsed by an implementation. 
For example, some + // implementations may + // choose to merge compatible Gateway Listeners together. If that + // is the + // case, the list of routes attached to those resources should + // also be + // merged. + // + // Note that for ParentRefs that cross namespace boundaries, there + // are specific + // rules. Cross-namespace references are only valid if they are + // explicitly + // allowed by something in the namespace they are referring to. + // For example, + // Gateway has the AllowedRoutes field, and ReferenceGrant + // provides a + // generic way to enable other kinds of cross-namespace reference. + // + // + // ParentRefs from a Route to a Service in the same namespace are + // "producer" + // routes, which apply default routing rules to inbound + // connections from + // any namespace to the Service. + // + // ParentRefs from a Route to a Service in a different namespace + // are + // "consumer" routes, and these routing rules are only applied to + // outbound + // connections originating from the same namespace as the Route, + // for which + // the intended destination of the connections are a Service + // targeted as a + // ParentRef of the Route. + parentRefs?: list.MaxItems(32) & [...{ + // Group is the group of the referent. + // When unspecified, "gateway.networking.k8s.io" is inferred. + // To set the core API group (such as for a "Service" kind + // referent), + // Group must be explicitly set to "" (empty string). + // + // Support: Core + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"gateway.networking.k8s.io" + + // Kind is kind of the referent. + // + // There are two kinds of parent resources with "Core" support: + // + // * Gateway (Gateway conformance profile) + // * Service (Mesh conformance profile, ClusterIP Services only) + // + // Support for other resources is Implementation-Specific. 
+ kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Gateway" + + // Name is the name of the referent. + // + // Support: Core + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the referent. When unspecified, + // this refers + // to the local namespace of the Route. + // + // Note that there are specific rules for ParentRefs which cross + // namespace + // boundaries. Cross-namespace references are only valid if they + // are explicitly + // allowed by something in the namespace they are referring to. + // For example: + // Gateway has the AllowedRoutes field, and ReferenceGrant + // provides a + // generic way to enable any other kind of cross-namespace + // reference. + // + // + // ParentRefs from a Route to a Service in the same namespace are + // "producer" + // routes, which apply default routing rules to inbound + // connections from + // any namespace to the Service. + // + // ParentRefs from a Route to a Service in a different namespace + // are + // "consumer" routes, and these routing rules are only applied to + // outbound + // connections originating from the same namespace as the Route, + // for which + // the intended destination of the connections are a Service + // targeted as a + // ParentRef of the Route. + // + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port is the network port this Route targets. It can be + // interpreted + // differently based on the type of parent resource. + // + // When the parent resource is a Gateway, this targets all + // listeners + // listening on the specified port that also support this kind of + // Route(and + // select this Route). It's not recommended to set `Port` unless + // the + // networking behaviors specified in a Route must apply to a + // specific port + // as opposed to a listener(s) whose port(s) may be changed. 
When + // both Port + // and SectionName are specified, the name and port of the + // selected listener + // must match both specified values. + // + // + // When the parent resource is a Service, this targets a specific + // port in the + // Service spec. When both Port (experimental) and SectionName are + // specified, + // the name and port of the selected port must match both + // specified values. + // + // + // Implementations MAY choose to support other parent resources. + // Implementations supporting other types of parent resources MUST + // clearly + // document how/if Port is interpreted. + // + // For the purpose of status, an attachment is considered + // successful as + // long as the parent resource accepts it partially. For example, + // Gateway + // listeners can restrict which Routes can attach to them by Route + // kind, + // namespace, or hostname. If 1 of 2 Gateway listeners accept + // attachment + // from the referencing Route, the Route MUST be considered + // successfully + // attached. If no Gateway listeners accept attachment from this + // Route, + // the Route MUST be considered detached from the Gateway. + // + // Support: Extended + port?: uint16 & >=1 + + // SectionName is the name of a section within the target + // resource. In the + // following resources, SectionName is interpreted as the + // following: + // + // * Gateway: Listener name. When both Port (experimental) and + // SectionName + // are specified, the name and port of the selected listener must + // match + // both specified values. + // * Service: Port name. When both Port (experimental) and + // SectionName + // are specified, the name and port of the selected listener must + // match + // both specified values. + // + // Implementations MAY choose to support attaching Routes to other + // resources. + // If that is the case, they MUST clearly document how SectionName + // is + // interpreted. 
+ // + // When unspecified (empty string), this will reference the entire + // resource. + // For the purpose of status, an attachment is considered + // successful if at + // least one section in the parent resource accepts it. For + // example, Gateway + // listeners can restrict which Routes can attach to them by Route + // kind, + // namespace, or hostname. If 1 of 2 Gateway listeners accept + // attachment from + // the referencing Route, the Route MUST be considered + // successfully + // attached. If no Gateway listeners accept attachment from this + // Route, the + // Route MUST be considered detached from the Gateway. + // + // Support: Core + sectionName?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + }] + + // Rules are a list of TCP matchers and actions. + rules!: list.MaxItems(16) & [...{ + // BackendRefs defines the backend(s) where matching requests + // should be + // sent. If unspecified or invalid (refers to a non-existent + // resource or a + // Service with no endpoints), the underlying implementation MUST + // actively + // reject connection attempts to this backend. Connection + // rejections must + // respect weight; if an invalid backend is requested to have 80% + // of + // connections, then 80% of connections must be rejected instead. + // + // Support: Core for Kubernetes Service + // + // Support: Extended for Kubernetes ServiceImport + // + // Support: Implementation-specific for any other resource + // + // Support for weight: Extended + backendRefs?: list.MaxItems(16) & [...{ + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". 
+ // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. + // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. + // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. + port?: uint16 & >=1 + + // Weight specifies the proportion of requests forwarded to the + // referenced + // backend. This is computed as weight/(sum of all weights in this + // BackendRefs list). For non-zero values, there may be some + // epsilon from + // the exact proportion defined here depending on the precision an + // implementation supports. 
Weight is not a percentage and the sum + // of + // weights does not need to equal 100. + // + // If only one backend is specified and it has a weight greater + // than 0, 100% + // of the traffic is forwarded to that backend. If weight is set + // to 0, no + // traffic should be forwarded for this entry. If unspecified, + // weight + // defaults to 1. + // + // Support for this field varies based on the context where used. + weight?: int32 & int & <=1000000 & >=0 | *1 + }] & [_, ...] + + // Name is the name of the route rule. This name MUST be unique + // within a Route if it is set. + // + // Support: Extended + name?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + }] & [_, ...] +} diff --git a/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/tlsroute/v1alpha2/types_gen.cue b/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/tlsroute/v1alpha2/types_gen.cue new file mode 100644 index 000000000..1c28678c5 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/tlsroute/v1alpha2/types_gen.cue 
@@ -0,0 +1,478 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/envoyproxy/gateway/releases/download/v1.3.0/install.yaml + +package v1alpha2 + +import ( + "strings" + "list" +) + +// The TLSRoute resource is similar to TCPRoute, but can be +// configured +// to match against TLS-specific metadata. This allows more +// flexibility +// in matching streams for a given TLS listener. +// +// If you need to forward traffic to a single target for a TLS +// listener, you +// could choose to use a TCPRoute with a TLS listener. +#TLSRoute: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "gateway.networking.k8s.io/v1alpha2" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "TLSRoute" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Spec defines the desired state of TLSRoute. + spec!: #TLSRouteSpec +} + +// Spec defines the desired state of TLSRoute. +#TLSRouteSpec: { + // Hostnames defines a set of SNI names that should match against + // the + // SNI attribute of TLS ClientHello message in TLS handshake. This + // matches + // the RFC 1123 definition of a hostname with 2 notable + // exceptions: + // + // 1. 
IPs are not allowed in SNI names per RFC 6066. + // 2. A hostname may be prefixed with a wildcard label (`*.`). The + // wildcard + // label must appear by itself as the first label. + // + // If a hostname is specified by both the Listener and TLSRoute, + // there + // must be at least one intersecting hostname for the TLSRoute to + // be + // attached to the Listener. For example: + // + // * A Listener with `test.example.com` as the hostname matches + // TLSRoutes + // that have either not specified any hostnames, or have specified + // at + // least one of `test.example.com` or `*.example.com`. + // * A Listener with `*.example.com` as the hostname matches + // TLSRoutes + // that have either not specified any hostnames or have specified + // at least + // one hostname that matches the Listener hostname. For example, + // `test.example.com` and `*.example.com` would both match. On the + // other + // hand, `example.com` and `test.example.net` would not match. + // + // If both the Listener and TLSRoute have specified hostnames, any + // TLSRoute hostnames that do not match the Listener hostname MUST + // be + // ignored. For example, if a Listener specified `*.example.com`, + // and the + // TLSRoute specified `test.example.com` and `test.example.net`, + // `test.example.net` must not be considered for a match. + // + // If both the Listener and TLSRoute have specified hostnames, and + // none + // match with the criteria above, then the TLSRoute is not + // accepted. The + // implementation must raise an 'Accepted' Condition with a status + // of + // `False` in the corresponding RouteParentStatus. + // + // Support: Core + hostnames?: list.MaxItems(16) & [...strings.MaxRunes(253) & strings.MinRunes(1) & =~"^(\\*\\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"] + + // ParentRefs references the resources (usually Gateways) that a + // Route wants + // to be attached to. 
Note that the referenced parent resource + // needs to + // allow this for the attachment to be complete. For Gateways, + // that means + // the Gateway needs to allow attachment from Routes of this kind + // and + // namespace. For Services, that means the Service must either be + // in the same + // namespace for a "producer" route, or the mesh implementation + // must support + // and allow "consumer" routes for the referenced Service. + // ReferenceGrant is + // not applicable for governing ParentRefs to Services - it is not + // possible to + // create a "producer" route for a Service in a different + // namespace from the + // Route. + // + // There are two kinds of parent resources with "Core" support: + // + // * Gateway (Gateway conformance profile) + // * Service (Mesh conformance profile, ClusterIP Services only) + // + // This API may be extended in the future to support additional + // kinds of parent + // resources. + // + // ParentRefs must be _distinct_. This means either that: + // + // * They select different objects. If this is the case, then + // parentRef + // entries are distinct. In terms of fields, this means that the + // multi-part key defined by `group`, `kind`, `namespace`, and + // `name` must + // be unique across all parentRef entries in the Route. + // * They do not select different objects, but for each optional + // field used, + // each ParentRef that selects the same object must set the same + // set of + // optional fields to different values. If one ParentRef sets a + // combination of optional fields, all must set the same + // combination. + // + // Some examples: + // + // * If one ParentRef sets `sectionName`, all ParentRefs + // referencing the + // same object must also set `sectionName`. + // * If one ParentRef sets `port`, all ParentRefs referencing the + // same + // object must also set `port`. 
+ // * If one ParentRef sets `sectionName` and `port`, all + // ParentRefs + // referencing the same object must also set `sectionName` and + // `port`. + // + // It is possible to separately reference multiple distinct + // objects that may + // be collapsed by an implementation. For example, some + // implementations may + // choose to merge compatible Gateway Listeners together. If that + // is the + // case, the list of routes attached to those resources should + // also be + // merged. + // + // Note that for ParentRefs that cross namespace boundaries, there + // are specific + // rules. Cross-namespace references are only valid if they are + // explicitly + // allowed by something in the namespace they are referring to. + // For example, + // Gateway has the AllowedRoutes field, and ReferenceGrant + // provides a + // generic way to enable other kinds of cross-namespace reference. + // + // + // ParentRefs from a Route to a Service in the same namespace are + // "producer" + // routes, which apply default routing rules to inbound + // connections from + // any namespace to the Service. + // + // ParentRefs from a Route to a Service in a different namespace + // are + // "consumer" routes, and these routing rules are only applied to + // outbound + // connections originating from the same namespace as the Route, + // for which + // the intended destination of the connections are a Service + // targeted as a + // ParentRef of the Route. + parentRefs?: list.MaxItems(32) & [...{ + // Group is the group of the referent. + // When unspecified, "gateway.networking.k8s.io" is inferred. + // To set the core API group (such as for a "Service" kind + // referent), + // Group must be explicitly set to "" (empty string). + // + // Support: Core + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"gateway.networking.k8s.io" + + // Kind is kind of the referent. 
+ // + // There are two kinds of parent resources with "Core" support: + // + // * Gateway (Gateway conformance profile) + // * Service (Mesh conformance profile, ClusterIP Services only) + // + // Support for other resources is Implementation-Specific. + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Gateway" + + // Name is the name of the referent. + // + // Support: Core + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the referent. When unspecified, + // this refers + // to the local namespace of the Route. + // + // Note that there are specific rules for ParentRefs which cross + // namespace + // boundaries. Cross-namespace references are only valid if they + // are explicitly + // allowed by something in the namespace they are referring to. + // For example: + // Gateway has the AllowedRoutes field, and ReferenceGrant + // provides a + // generic way to enable any other kind of cross-namespace + // reference. + // + // + // ParentRefs from a Route to a Service in the same namespace are + // "producer" + // routes, which apply default routing rules to inbound + // connections from + // any namespace to the Service. + // + // ParentRefs from a Route to a Service in a different namespace + // are + // "consumer" routes, and these routing rules are only applied to + // outbound + // connections originating from the same namespace as the Route, + // for which + // the intended destination of the connections are a Service + // targeted as a + // ParentRef of the Route. + // + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port is the network port this Route targets. It can be + // interpreted + // differently based on the type of parent resource. 
+ // + // When the parent resource is a Gateway, this targets all + // listeners + // listening on the specified port that also support this kind of + // Route(and + // select this Route). It's not recommended to set `Port` unless + // the + // networking behaviors specified in a Route must apply to a + // specific port + // as opposed to a listener(s) whose port(s) may be changed. When + // both Port + // and SectionName are specified, the name and port of the + // selected listener + // must match both specified values. + // + // + // When the parent resource is a Service, this targets a specific + // port in the + // Service spec. When both Port (experimental) and SectionName are + // specified, + // the name and port of the selected port must match both + // specified values. + // + // + // Implementations MAY choose to support other parent resources. + // Implementations supporting other types of parent resources MUST + // clearly + // document how/if Port is interpreted. + // + // For the purpose of status, an attachment is considered + // successful as + // long as the parent resource accepts it partially. For example, + // Gateway + // listeners can restrict which Routes can attach to them by Route + // kind, + // namespace, or hostname. If 1 of 2 Gateway listeners accept + // attachment + // from the referencing Route, the Route MUST be considered + // successfully + // attached. If no Gateway listeners accept attachment from this + // Route, + // the Route MUST be considered detached from the Gateway. + // + // Support: Extended + port?: uint16 & >=1 + + // SectionName is the name of a section within the target + // resource. In the + // following resources, SectionName is interpreted as the + // following: + // + // * Gateway: Listener name. When both Port (experimental) and + // SectionName + // are specified, the name and port of the selected listener must + // match + // both specified values. + // * Service: Port name. 
When both Port (experimental) and + // SectionName + // are specified, the name and port of the selected listener must + // match + // both specified values. + // + // Implementations MAY choose to support attaching Routes to other + // resources. + // If that is the case, they MUST clearly document how SectionName + // is + // interpreted. + // + // When unspecified (empty string), this will reference the entire + // resource. + // For the purpose of status, an attachment is considered + // successful if at + // least one section in the parent resource accepts it. For + // example, Gateway + // listeners can restrict which Routes can attach to them by Route + // kind, + // namespace, or hostname. If 1 of 2 Gateway listeners accept + // attachment from + // the referencing Route, the Route MUST be considered + // successfully + // attached. If no Gateway listeners accept attachment from this + // Route, the + // Route MUST be considered detached from the Gateway. + // + // Support: Core + sectionName?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + }] + + // Rules are a list of TLS matchers and actions. + rules!: list.MaxItems(16) & [...{ + // BackendRefs defines the backend(s) where matching requests + // should be + // sent. If unspecified or invalid (refers to a non-existent + // resource or + // a Service with no endpoints), the rule performs no forwarding; + // if no + // filters are specified that would result in a response being + // sent, the + // underlying implementation must actively reject request attempts + // to this + // backend, by rejecting the connection or returning a 500 status + // code. + // Request rejections must respect weight; if an invalid backend + // is + // requested to have 80% of requests, then 80% of requests must be + // rejected + // instead. 
+ // + // Support: Core for Kubernetes Service + // + // Support: Extended for Kubernetes ServiceImport + // + // Support: Implementation-specific for any other resource + // + // Support for weight: Extended + backendRefs?: list.MaxItems(16) & [...{ + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". + // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. + // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. 
+ // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. + port?: uint16 & >=1 + + // Weight specifies the proportion of requests forwarded to the + // referenced + // backend. This is computed as weight/(sum of all weights in this + // BackendRefs list). For non-zero values, there may be some + // epsilon from + // the exact proportion defined here depending on the precision an + // implementation supports. Weight is not a percentage and the sum + // of + // weights does not need to equal 100. + // + // If only one backend is specified and it has a weight greater + // than 0, 100% + // of the traffic is forwarded to that backend. If weight is set + // to 0, no + // traffic should be forwarded for this entry. If unspecified, + // weight + // defaults to 1. + // + // Support for this field varies based on the context where used. + weight?: int32 & int & <=1000000 & >=0 | *1 + }] & [_, ...] + + // Name is the name of the route rule. This name MUST be unique + // within a Route if it is set. + // + // Support: Extended + name?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + }] & [_, ...] +} diff --git a/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/udproute/v1alpha2/types_gen.cue b/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/udproute/v1alpha2/types_gen.cue new file mode 100644 index 000000000..e6b47b86b --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/gateway.networking.k8s.io/udproute/v1alpha2/types_gen.cue 
@@ -0,0 +1,416 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/envoyproxy/gateway/releases/download/v1.3.0/install.yaml + +package v1alpha2 + +import ( + "strings" + "list" +) + +// UDPRoute provides a way to route UDP traffic. When combined +// with a Gateway +// listener, it can be used to forward traffic on the port +// specified by the +// listener to a set of backends specified by the UDPRoute. +#UDPRoute: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "gateway.networking.k8s.io/v1alpha2" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "UDPRoute" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Spec defines the desired state of UDPRoute. + spec!: #UDPRouteSpec +} + +// Spec defines the desired state of UDPRoute. +#UDPRouteSpec: { + // ParentRefs references the resources (usually Gateways) that a + // Route wants + // to be attached to. Note that the referenced parent resource + // needs to + // allow this for the attachment to be complete. For Gateways, + // that means + // the Gateway needs to allow attachment from Routes of this kind + // and + // namespace. 
For Services, that means the Service must either be + // in the same + // namespace for a "producer" route, or the mesh implementation + // must support + // and allow "consumer" routes for the referenced Service. + // ReferenceGrant is + // not applicable for governing ParentRefs to Services - it is not + // possible to + // create a "producer" route for a Service in a different + // namespace from the + // Route. + // + // There are two kinds of parent resources with "Core" support: + // + // * Gateway (Gateway conformance profile) + // * Service (Mesh conformance profile, ClusterIP Services only) + // + // This API may be extended in the future to support additional + // kinds of parent + // resources. + // + // ParentRefs must be _distinct_. This means either that: + // + // * They select different objects. If this is the case, then + // parentRef + // entries are distinct. In terms of fields, this means that the + // multi-part key defined by `group`, `kind`, `namespace`, and + // `name` must + // be unique across all parentRef entries in the Route. + // * They do not select different objects, but for each optional + // field used, + // each ParentRef that selects the same object must set the same + // set of + // optional fields to different values. If one ParentRef sets a + // combination of optional fields, all must set the same + // combination. + // + // Some examples: + // + // * If one ParentRef sets `sectionName`, all ParentRefs + // referencing the + // same object must also set `sectionName`. + // * If one ParentRef sets `port`, all ParentRefs referencing the + // same + // object must also set `port`. + // * If one ParentRef sets `sectionName` and `port`, all + // ParentRefs + // referencing the same object must also set `sectionName` and + // `port`. + // + // It is possible to separately reference multiple distinct + // objects that may + // be collapsed by an implementation. 
For example, some + // implementations may + // choose to merge compatible Gateway Listeners together. If that + // is the + // case, the list of routes attached to those resources should + // also be + // merged. + // + // Note that for ParentRefs that cross namespace boundaries, there + // are specific + // rules. Cross-namespace references are only valid if they are + // explicitly + // allowed by something in the namespace they are referring to. + // For example, + // Gateway has the AllowedRoutes field, and ReferenceGrant + // provides a + // generic way to enable other kinds of cross-namespace reference. + // + // + // ParentRefs from a Route to a Service in the same namespace are + // "producer" + // routes, which apply default routing rules to inbound + // connections from + // any namespace to the Service. + // + // ParentRefs from a Route to a Service in a different namespace + // are + // "consumer" routes, and these routing rules are only applied to + // outbound + // connections originating from the same namespace as the Route, + // for which + // the intended destination of the connections are a Service + // targeted as a + // ParentRef of the Route. + parentRefs?: list.MaxItems(32) & [...{ + // Group is the group of the referent. + // When unspecified, "gateway.networking.k8s.io" is inferred. + // To set the core API group (such as for a "Service" kind + // referent), + // Group must be explicitly set to "" (empty string). + // + // Support: Core + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"gateway.networking.k8s.io" + + // Kind is kind of the referent. + // + // There are two kinds of parent resources with "Core" support: + // + // * Gateway (Gateway conformance profile) + // * Service (Mesh conformance profile, ClusterIP Services only) + // + // Support for other resources is Implementation-Specific. 
+ kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Gateway" + + // Name is the name of the referent. + // + // Support: Core + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the referent. When unspecified, + // this refers + // to the local namespace of the Route. + // + // Note that there are specific rules for ParentRefs which cross + // namespace + // boundaries. Cross-namespace references are only valid if they + // are explicitly + // allowed by something in the namespace they are referring to. + // For example: + // Gateway has the AllowedRoutes field, and ReferenceGrant + // provides a + // generic way to enable any other kind of cross-namespace + // reference. + // + // + // ParentRefs from a Route to a Service in the same namespace are + // "producer" + // routes, which apply default routing rules to inbound + // connections from + // any namespace to the Service. + // + // ParentRefs from a Route to a Service in a different namespace + // are + // "consumer" routes, and these routing rules are only applied to + // outbound + // connections originating from the same namespace as the Route, + // for which + // the intended destination of the connections are a Service + // targeted as a + // ParentRef of the Route. + // + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port is the network port this Route targets. It can be + // interpreted + // differently based on the type of parent resource. + // + // When the parent resource is a Gateway, this targets all + // listeners + // listening on the specified port that also support this kind of + // Route(and + // select this Route). It's not recommended to set `Port` unless + // the + // networking behaviors specified in a Route must apply to a + // specific port + // as opposed to a listener(s) whose port(s) may be changed. 
When + // both Port + // and SectionName are specified, the name and port of the + // selected listener + // must match both specified values. + // + // + // When the parent resource is a Service, this targets a specific + // port in the + // Service spec. When both Port (experimental) and SectionName are + // specified, + // the name and port of the selected port must match both + // specified values. + // + // + // Implementations MAY choose to support other parent resources. + // Implementations supporting other types of parent resources MUST + // clearly + // document how/if Port is interpreted. + // + // For the purpose of status, an attachment is considered + // successful as + // long as the parent resource accepts it partially. For example, + // Gateway + // listeners can restrict which Routes can attach to them by Route + // kind, + // namespace, or hostname. If 1 of 2 Gateway listeners accept + // attachment + // from the referencing Route, the Route MUST be considered + // successfully + // attached. If no Gateway listeners accept attachment from this + // Route, + // the Route MUST be considered detached from the Gateway. + // + // Support: Extended + port?: uint16 & >=1 + + // SectionName is the name of a section within the target + // resource. In the + // following resources, SectionName is interpreted as the + // following: + // + // * Gateway: Listener name. When both Port (experimental) and + // SectionName + // are specified, the name and port of the selected listener must + // match + // both specified values. + // * Service: Port name. When both Port (experimental) and + // SectionName + // are specified, the name and port of the selected listener must + // match + // both specified values. + // + // Implementations MAY choose to support attaching Routes to other + // resources. + // If that is the case, they MUST clearly document how SectionName + // is + // interpreted. 
+ // + // When unspecified (empty string), this will reference the entire + // resource. + // For the purpose of status, an attachment is considered + // successful if at + // least one section in the parent resource accepts it. For + // example, Gateway + // listeners can restrict which Routes can attach to them by Route + // kind, + // namespace, or hostname. If 1 of 2 Gateway listeners accept + // attachment from + // the referencing Route, the Route MUST be considered + // successfully + // attached. If no Gateway listeners accept attachment from this + // Route, the + // Route MUST be considered detached from the Gateway. + // + // Support: Core + sectionName?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + }] + + // Rules are a list of UDP matchers and actions. + rules!: list.MaxItems(16) & [...{ + // BackendRefs defines the backend(s) where matching requests + // should be + // sent. If unspecified or invalid (refers to a non-existent + // resource or a + // Service with no endpoints), the underlying implementation MUST + // actively + // reject connection attempts to this backend. Packet drops must + // respect weight; if an invalid backend is requested to have 80% + // of + // the packets, then 80% of packets must be dropped instead. + // + // Support: Core for Kubernetes Service + // + // Support: Extended for Kubernetes ServiceImport + // + // Support: Implementation-specific for any other resource + // + // Support for weight: Extended + backendRefs?: list.MaxItems(16) & [...{ + // Group is the group of the referent. For example, + // "gateway.networking.k8s.io". + // When unspecified or empty string, core API group is inferred. + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"" + + // Kind is the Kubernetes resource kind of the referent. For + // example + // "Service". 
+ // + // Defaults to "Service" when not specified. + // + // ExternalName services can refer to CNAME DNS records that may + // live + // outside of the cluster and as such are difficult to reason + // about in + // terms of conformance. They also may not be safe to forward to + // (see + // CVE-2021-25740 for more information). Implementations SHOULD + // NOT + // support ExternalName Services. + // + // Support: Core (Services with a type other than ExternalName) + // + // Support: Implementation-specific (Services with type + // ExternalName) + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Service" + + // Name is the name of the referent. + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the backend. When unspecified, + // the local + // namespace is inferred. + // + // Note that when a namespace different than the local namespace + // is specified, + // a ReferenceGrant object is required in the referent namespace + // to allow that + // namespace's owner to accept the reference. See the + // ReferenceGrant + // documentation for details. + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port specifies the destination port number to use for this + // resource. + // Port is required when the referent is a Kubernetes Service. In + // this + // case, the port number is the service port number, not the + // target port. + // For other resources, destination port might be derived from the + // referent + // resource or this field. + port?: uint16 & >=1 + + // Weight specifies the proportion of requests forwarded to the + // referenced + // backend. This is computed as weight/(sum of all weights in this + // BackendRefs list). For non-zero values, there may be some + // epsilon from + // the exact proportion defined here depending on the precision an + // implementation supports. 
Weight is not a percentage and the sum + // of + // weights does not need to equal 100. + // + // If only one backend is specified and it has a weight greater + // than 0, 100% + // of the traffic is forwarded to that backend. If weight is set + // to 0, no + // traffic should be forwarded for this entry. If unspecified, + // weight + // defaults to 1. + // + // Support for this field varies based on the context where used. + weight?: int32 & int & <=1000000 & >=0 | *1 + }] & [_, ...] + + // Name is the name of the route rule. This name MUST be unique + // within a Route if it is set. + // + // Support: Extended + name?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + }] & [_, ...] +} diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/admission/v1/register_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/admission/v1/register_go_gen.cue new file mode 100644 index 000000000..597f5b0e7 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/admission/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/admission/v1 + +package v1 + +#GroupName: "admission.k8s.io" diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/admission/v1/types_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/admission/v1/types_go_gen.cue new file mode 100644 index 000000000..af26bd060 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/admission/v1/types_go_gen.cue 
@@ -0,0 +1,172 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/admission/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + authenticationv1 "k8s.io/api/authentication/v1" + "k8s.io/apimachinery/pkg/runtime" +) + +// AdmissionReview describes an admission review request/response. +#AdmissionReview: { + metav1.#TypeMeta + + // Request describes the attributes for the admission request. + // +optional + request?: null | #AdmissionRequest @go(Request,*AdmissionRequest) @protobuf(1,bytes,opt) + + // Response describes the attributes for the admission response. + // +optional + response?: null | #AdmissionResponse @go(Response,*AdmissionResponse) @protobuf(2,bytes,opt) +} + +// AdmissionRequest describes the admission.Attributes for the admission request. +#AdmissionRequest: { + // UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are + // otherwise identical (parallel requests, requests when earlier requests did not modify etc) + // The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. + // It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging. 
+ uid: types.#UID @go(UID) @protobuf(1,bytes,opt) + + // Kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale) + kind: metav1.#GroupVersionKind @go(Kind) @protobuf(2,bytes,opt) + + // Resource is the fully-qualified resource being requested (for example, v1.pods) + resource: metav1.#GroupVersionResource @go(Resource) @protobuf(3,bytes,opt) + + // SubResource is the subresource being requested, if any (for example, "status" or "scale") + // +optional + subResource?: string @go(SubResource) @protobuf(4,bytes,opt) + + // RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). + // If this is specified and differs from the value in "kind", an equivalent match and conversion was performed. + // + // For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + // `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + // an API request to apps/v1beta1 deployments would be converted and sent to the webhook + // with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for), + // and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request). + // + // See documentation for the "matchPolicy" field in the webhook configuration type for more details. + // +optional + requestKind?: null | metav1.#GroupVersionKind @go(RequestKind,*metav1.GroupVersionKind) @protobuf(13,bytes,opt) + + // RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). + // If this is specified and differs from the value in "resource", an equivalent match and conversion was performed. 
+ // + // For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + // `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + // an API request to apps/v1beta1 deployments would be converted and sent to the webhook + // with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for), + // and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request). + // + // See documentation for the "matchPolicy" field in the webhook configuration type. + // +optional + requestResource?: null | metav1.#GroupVersionResource @go(RequestResource,*metav1.GroupVersionResource) @protobuf(14,bytes,opt) + + // RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale") + // If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed. + // See documentation for the "matchPolicy" field in the webhook configuration type. + // +optional + requestSubResource?: string @go(RequestSubResource) @protobuf(15,bytes,opt) + + // Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and + // rely on the server to generate the name. If that is the case, this field will contain an empty string. + // +optional + name?: string @go(Name) @protobuf(5,bytes,opt) + + // Namespace is the namespace associated with the request (if any). + // +optional + namespace?: string @go(Namespace) @protobuf(6,bytes,opt) + + // Operation is the operation being performed. This may be different than the operation + // requested. e.g. a patch can result in either a CREATE or UPDATE Operation. 
+ operation: #Operation @go(Operation) @protobuf(7,bytes,opt) + + // UserInfo is information about the requesting user + userInfo: authenticationv1.#UserInfo @go(UserInfo) @protobuf(8,bytes,opt) + + // Object is the object from the incoming request. + // +optional + object?: runtime.#RawExtension @go(Object) @protobuf(9,bytes,opt) + + // OldObject is the existing object. Only populated for DELETE and UPDATE requests. + // +optional + oldObject?: runtime.#RawExtension @go(OldObject) @protobuf(10,bytes,opt) + + // DryRun indicates that modifications will definitely not be persisted for this request. + // Defaults to false. + // +optional + dryRun?: null | bool @go(DryRun,*bool) @protobuf(11,varint,opt) + + // Options is the operation option structure of the operation being performed. + // e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be + // different than the options the caller provided. e.g. for a patch request the performed + // Operation might be a CREATE, in which case the Options will a + // `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`. + // +optional + options?: runtime.#RawExtension @go(Options) @protobuf(12,bytes,opt) +} + +// AdmissionResponse describes an admission response. +#AdmissionResponse: { + // UID is an identifier for the individual request/response. + // This must be copied over from the corresponding AdmissionRequest. + uid: types.#UID @go(UID) @protobuf(1,bytes,opt) + + // Allowed indicates whether or not the admission request was permitted. + allowed: bool @go(Allowed) @protobuf(2,varint,opt) + + // Result contains extra details into why an admission request was denied. + // This field IS NOT consulted in any way if "Allowed" is "true". + // +optional + status?: null | metav1.#Status @go(Result,*metav1.Status) @protobuf(3,bytes,opt) + + // The patch body. Currently we only support "JSONPatch" which implements RFC 6902. 
+ // +optional + patch?: bytes @go(Patch,[]byte) @protobuf(4,bytes,opt) + + // The type of Patch. Currently we only allow "JSONPatch". + // +optional + patchType?: null | #PatchType @go(PatchType,*PatchType) @protobuf(5,bytes,opt) + + // AuditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted). + // MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with + // admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by + // the admission webhook to add additional context to the audit log for this request. + // +optional + auditAnnotations?: {[string]: string} @go(AuditAnnotations,map[string]string) @protobuf(6,bytes,opt) + + // warnings is a list of warning messages to return to the requesting API client. + // Warning messages describe a problem the client making the API request should correct or be aware of. + // Limit warnings to 120 characters if possible. + // Warnings over 256 characters and large numbers of warnings may be truncated. + // +optional + warnings?: [...string] @go(Warnings,[]string) @protobuf(7,bytes,rep) +} + +// PatchType is the type of patch being used to represent the mutated object +#PatchType: string // #enumPatchType + +#enumPatchType: + #PatchTypeJSONPatch + +#PatchTypeJSONPatch: #PatchType & "JSONPatch" + +// Operation is the type of resource operation being checked for admission control +#Operation: string // #enumOperation + +#enumOperation: + #Create | + #Update | + #Delete | + #Connect + +#Create: #Operation & "CREATE" +#Update: #Operation & "UPDATE" +#Delete: #Operation & "DELETE" +#Connect: #Operation & "CONNECT" diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/admissionregistration/v1/doc_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/admissionregistration/v1/doc_go_gen.cue new file mode 100644 index 000000000..5d30100e9 --- /dev/null 
+++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/admissionregistration/v1/doc_go_gen.cue @@ -0,0 +1,9 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/admissionregistration/v1 + +// Package v1 is the v1 version of the API. +// AdmissionConfiguration and AdmissionPluginConfiguration are legacy static admission plugin configuration +// MutatingWebhookConfiguration and ValidatingWebhookConfiguration are for the +// new dynamic admission controller configuration. +package v1 diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/admissionregistration/v1/register_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/admissionregistration/v1/register_go_gen.cue new file mode 100644 index 000000000..93348e918 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/admissionregistration/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/admissionregistration/v1 + +package v1 + +#GroupName: "admissionregistration.k8s.io" diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/admissionregistration/v1/types_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/admissionregistration/v1/types_go_gen.cue new file mode 100644 index 000000000..7038db05a --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/admissionregistration/v1/types_go_gen.cue 
@@ -0,0 +1,645 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/admissionregistration/v1 + +package v1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// Rule is a tuple of APIGroups, APIVersion, and Resources.It is recommended +// to make sure that all the tuple expansions are valid. +#Rule: { + // APIGroups is the API groups the resources belong to. '*' is all groups. + // If '*' is present, the length of the slice must be one. + // Required. + // +listType=atomic + apiGroups?: [...string] @go(APIGroups,[]string) @protobuf(1,bytes,rep) + + // APIVersions is the API versions the resources belong to. '*' is all versions. + // If '*' is present, the length of the slice must be one. + // Required. + // +listType=atomic + apiVersions?: [...string] @go(APIVersions,[]string) @protobuf(2,bytes,rep) + + // Resources is a list of resources this rule applies to. + // + // For example: + // 'pods' means pods. + // 'pods/log' means the log subresource of pods. + // '*' means all resources, but not subresources. + // 'pods/*' means all subresources of pods. + // '*/scale' means all scale subresources. + // '*/*' means all resources and their subresources. + // + // If wildcard is present, the validation rule will ensure resources do not + // overlap with each other. + // + // Depending on the enclosing object, subresources might not be allowed. + // Required. + // +listType=atomic + resources?: [...string] @go(Resources,[]string) @protobuf(3,bytes,rep) + + // scope specifies the scope of this rule. + // Valid values are "Cluster", "Namespaced", and "*" + // "Cluster" means that only cluster-scoped resources will match this rule. + // Namespace API objects are cluster-scoped. + // "Namespaced" means that only namespaced resources will match this rule. + // "*" means that there are no scope restrictions. + // Subresources match the scope of their parent resource. + // Default is "*". 
+ // + // +optional + scope?: null | #ScopeType @go(Scope,*ScopeType) @protobuf(4,bytes,rep) +} + +// ScopeType specifies a scope for a Rule. +// +enum +#ScopeType: string // #enumScopeType + +#enumScopeType: + #ClusterScope | + #NamespacedScope | + #AllScopes + +// ClusterScope means that scope is limited to cluster-scoped objects. +// Namespace objects are cluster-scoped. +#ClusterScope: #ScopeType & "Cluster" + +// NamespacedScope means that scope is limited to namespaced objects. +#NamespacedScope: #ScopeType & "Namespaced" + +// AllScopes means that all scopes are included. +#AllScopes: #ScopeType & "*" + +// FailurePolicyType specifies a failure policy that defines how unrecognized errors from the admission endpoint are handled. +// +enum +#FailurePolicyType: string // #enumFailurePolicyType + +#enumFailurePolicyType: + #Ignore | + #Fail + +// Ignore means that an error calling the webhook is ignored. +#Ignore: #FailurePolicyType & "Ignore" + +// Fail means that an error calling the webhook causes the admission to fail. +#Fail: #FailurePolicyType & "Fail" + +// MatchPolicyType specifies the type of match policy. +// +enum +#MatchPolicyType: string // #enumMatchPolicyType + +#enumMatchPolicyType: + #Exact | + #Equivalent + +// Exact means requests should only be sent to the webhook if they exactly match a given rule. +#Exact: #MatchPolicyType & "Exact" + +// Equivalent means requests should be sent to the webhook if they modify a resource listed in rules via another API group or version. +#Equivalent: #MatchPolicyType & "Equivalent" + +// SideEffectClass specifies the types of side effects a webhook may have. +// +enum +#SideEffectClass: string // #enumSideEffectClass + +#enumSideEffectClass: + #SideEffectClassUnknown | + #SideEffectClassNone | + #SideEffectClassSome | + #SideEffectClassNoneOnDryRun + +// SideEffectClassUnknown means that no information is known about the side effects of calling the webhook. 
+// If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail. +#SideEffectClassUnknown: #SideEffectClass & "Unknown" + +// SideEffectClassNone means that calling the webhook will have no side effects. +#SideEffectClassNone: #SideEffectClass & "None" + +// SideEffectClassSome means that calling the webhook will possibly have side effects. +// If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail. +#SideEffectClassSome: #SideEffectClass & "Some" + +// SideEffectClassNoneOnDryRun means that calling the webhook will possibly have side effects, but if the +// request being reviewed has the dry-run attribute, the side effects will be suppressed. +#SideEffectClassNoneOnDryRun: #SideEffectClass & "NoneOnDryRun" + +// ValidatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and object without changing it. +#ValidatingWebhookConfiguration: { + metav1.#TypeMeta + + // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata. + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Webhooks is a list of webhooks and the affected resources and operations. + // +optional + // +patchMergeKey=name + // +patchStrategy=merge + webhooks?: [...#ValidatingWebhook] @go(Webhooks,[]ValidatingWebhook) @protobuf(2,bytes,rep,name=Webhooks) +} + +// ValidatingWebhookConfigurationList is a list of ValidatingWebhookConfiguration. +#ValidatingWebhookConfigurationList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of ValidatingWebhookConfiguration. 
+ items: [...#ValidatingWebhookConfiguration] @go(Items,[]ValidatingWebhookConfiguration) @protobuf(2,bytes,rep) +} + +// MutatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and may change the object. +#MutatingWebhookConfiguration: { + metav1.#TypeMeta + + // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata. + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Webhooks is a list of webhooks and the affected resources and operations. + // +optional + // +patchMergeKey=name + // +patchStrategy=merge + webhooks?: [...#MutatingWebhook] @go(Webhooks,[]MutatingWebhook) @protobuf(2,bytes,rep,name=Webhooks) +} + +// MutatingWebhookConfigurationList is a list of MutatingWebhookConfiguration. +#MutatingWebhookConfigurationList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of MutatingWebhookConfiguration. + items: [...#MutatingWebhookConfiguration] @go(Items,[]MutatingWebhookConfiguration) @protobuf(2,bytes,rep) +} + +// ValidatingWebhook describes an admission webhook and the resources and operations it applies to. +#ValidatingWebhook: { + // The name of the admission webhook. + // Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where + // "imagepolicy" is the name of the webhook, and kubernetes.io is the name + // of the organization. + // Required. + name: string @go(Name) @protobuf(1,bytes,opt) + + // ClientConfig defines how to communicate with the hook. + // Required + clientConfig: #WebhookClientConfig @go(ClientConfig) @protobuf(2,bytes,opt) + + // Rules describes what operations on what resources/subresources the webhook cares about. 
+ // The webhook cares about an operation if it matches _any_ Rule. + // However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks + // from putting the cluster in a state which cannot be recovered from without completely + // disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called + // on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects. + rules?: [...#RuleWithOperations] @go(Rules,[]RuleWithOperations) @protobuf(3,bytes,rep) + + // FailurePolicy defines how unrecognized errors from the admission endpoint are handled - + // allowed values are Ignore or Fail. Defaults to Fail. + // +optional + failurePolicy?: null | #FailurePolicyType @go(FailurePolicy,*FailurePolicyType) @protobuf(4,bytes,opt,casttype=FailurePolicyType) + + // matchPolicy defines how the "rules" list is used to match incoming requests. + // Allowed values are "Exact" or "Equivalent". + // + // - Exact: match a request only if it exactly matches a specified rule. + // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + // but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + // a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. + // + // - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. + // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + // and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + // a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. 
+ // + // Defaults to "Equivalent" + // +optional + matchPolicy?: null | #MatchPolicyType @go(MatchPolicy,*MatchPolicyType) @protobuf(9,bytes,opt,casttype=MatchPolicyType) + + // NamespaceSelector decides whether to run the webhook on an object based + // on whether the namespace for that object matches the selector. If the + // object itself is a namespace, the matching is performed on + // object.metadata.labels. If the object is another cluster scoped resource, + // it never skips the webhook. + // + // For example, to run the webhook on any objects whose namespace is not + // associated with "runlevel" of "0" or "1"; you will set the selector as + // follows: + // "namespaceSelector": { + // "matchExpressions": [ + // { + // "key": "runlevel", + // "operator": "NotIn", + // "values": [ + // "0", + // "1" + // ] + // } + // ] + // } + // + // If instead you want to only run the webhook on any objects whose + // namespace is associated with the "environment" of "prod" or "staging"; + // you will set the selector as follows: + // "namespaceSelector": { + // "matchExpressions": [ + // { + // "key": "environment", + // "operator": "In", + // "values": [ + // "prod", + // "staging" + // ] + // } + // ] + // } + // + // See + // https://kubernetes.io/docs/concepts/overview/working-with-objects/labels + // for more examples of label selectors. + // + // Default to the empty LabelSelector, which matches everything. + // +optional + namespaceSelector?: null | metav1.#LabelSelector @go(NamespaceSelector,*metav1.LabelSelector) @protobuf(5,bytes,opt) + + // ObjectSelector decides whether to run the webhook based on if the + // object has matching labels. objectSelector is evaluated against both + // the oldObject and newObject that would be sent to the webhook, and + // is considered to match if either object matches the selector. 
A null + // object (oldObject in the case of create, or newObject in the case of + // delete) or an object that cannot have labels (like a + // DeploymentRollback or a PodProxyOptions object) is not considered to + // match. + // Use the object selector only if the webhook is opt-in, because end + // users may skip the admission webhook by setting the labels. + // Default to the empty LabelSelector, which matches everything. + // +optional + objectSelector?: null | metav1.#LabelSelector @go(ObjectSelector,*metav1.LabelSelector) @protobuf(10,bytes,opt) + + // SideEffects states whether this webhook has side effects. + // Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). + // Webhooks with side effects MUST implement a reconciliation system, since a request may be + // rejected by a future step in the admission chain and the side effects therefore need to be undone. + // Requests with the dryRun attribute will be auto-rejected if they match a webhook with + // sideEffects == Unknown or Some. + sideEffects?: null | #SideEffectClass @go(SideEffects,*SideEffectClass) @protobuf(6,bytes,opt,casttype=SideEffectClass) + + // TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, + // the webhook call will be ignored or the API call will fail based on the + // failure policy. + // The timeout value must be between 1 and 30 seconds. + // Default to 10 seconds. + // +optional + timeoutSeconds?: null | int32 @go(TimeoutSeconds,*int32) @protobuf(7,varint,opt) + + // AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` + // versions the Webhook expects. API server will try to use first version in + // the list which it supports. If none of the versions specified in this list + // supported by API server, validation will fail for this object. 
+ // If a persisted webhook configuration specifies allowed versions and does not + // include any versions known to the API Server, calls to the webhook will fail + // and be subject to the failure policy. + admissionReviewVersions: [...string] @go(AdmissionReviewVersions,[]string) @protobuf(8,bytes,rep) + + // MatchConditions is a list of conditions that must be met for a request to be sent to this + // webhook. Match conditions filter requests that have already been matched by the rules, + // namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. + // There are a maximum of 64 match conditions allowed. + // + // The exact matching logic is (in order): + // 1. If ANY matchCondition evaluates to FALSE, the webhook is skipped. + // 2. If ALL matchConditions evaluate to TRUE, the webhook is called. + // 3. If any matchCondition evaluates to an error (but none are FALSE): + // - If failurePolicy=Fail, reject the request + // - If failurePolicy=Ignore, the error is ignored and the webhook is skipped + // + // This is a beta feature and managed by the AdmissionWebhookMatchConditions feature gate. + // + // +patchMergeKey=name + // +patchStrategy=merge + // +listType=map + // +listMapKey=name + // +featureGate=AdmissionWebhookMatchConditions + // +optional + matchConditions?: [...#MatchCondition] @go(MatchConditions,[]MatchCondition) @protobuf(11,bytes,opt) +} + +// MutatingWebhook describes an admission webhook and the resources and operations it applies to. +#MutatingWebhook: { + // The name of the admission webhook. + // Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where + // "imagepolicy" is the name of the webhook, and kubernetes.io is the name + // of the organization. + // Required. + name: string @go(Name) @protobuf(1,bytes,opt) + + // ClientConfig defines how to communicate with the hook. 
+ // Required + clientConfig: #WebhookClientConfig @go(ClientConfig) @protobuf(2,bytes,opt) + + // Rules describes what operations on what resources/subresources the webhook cares about. + // The webhook cares about an operation if it matches _any_ Rule. + // However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks + // from putting the cluster in a state which cannot be recovered from without completely + // disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called + // on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects. + rules?: [...#RuleWithOperations] @go(Rules,[]RuleWithOperations) @protobuf(3,bytes,rep) + + // FailurePolicy defines how unrecognized errors from the admission endpoint are handled - + // allowed values are Ignore or Fail. Defaults to Fail. + // +optional + failurePolicy?: null | #FailurePolicyType @go(FailurePolicy,*FailurePolicyType) @protobuf(4,bytes,opt,casttype=FailurePolicyType) + + // matchPolicy defines how the "rules" list is used to match incoming requests. + // Allowed values are "Exact" or "Equivalent". + // + // - Exact: match a request only if it exactly matches a specified rule. + // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + // but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + // a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. + // + // - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. + // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + // and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + // a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. 
+ // + // Defaults to "Equivalent" + // +optional + matchPolicy?: null | #MatchPolicyType @go(MatchPolicy,*MatchPolicyType) @protobuf(9,bytes,opt,casttype=MatchPolicyType) + + // NamespaceSelector decides whether to run the webhook on an object based + // on whether the namespace for that object matches the selector. If the + // object itself is a namespace, the matching is performed on + // object.metadata.labels. If the object is another cluster scoped resource, + // it never skips the webhook. + // + // For example, to run the webhook on any objects whose namespace is not + // associated with "runlevel" of "0" or "1"; you will set the selector as + // follows: + // "namespaceSelector": { + // "matchExpressions": [ + // { + // "key": "runlevel", + // "operator": "NotIn", + // "values": [ + // "0", + // "1" + // ] + // } + // ] + // } + // + // If instead you want to only run the webhook on any objects whose + // namespace is associated with the "environment" of "prod" or "staging"; + // you will set the selector as follows: + // "namespaceSelector": { + // "matchExpressions": [ + // { + // "key": "environment", + // "operator": "In", + // "values": [ + // "prod", + // "staging" + // ] + // } + // ] + // } + // + // See + // https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + // for more examples of label selectors. + // + // Default to the empty LabelSelector, which matches everything. + // +optional + namespaceSelector?: null | metav1.#LabelSelector @go(NamespaceSelector,*metav1.LabelSelector) @protobuf(5,bytes,opt) + + // ObjectSelector decides whether to run the webhook based on if the + // object has matching labels. objectSelector is evaluated against both + // the oldObject and newObject that would be sent to the webhook, and + // is considered to match if either object matches the selector. 
A null + // object (oldObject in the case of create, or newObject in the case of + // delete) or an object that cannot have labels (like a + // DeploymentRollback or a PodProxyOptions object) is not considered to + // match. + // Use the object selector only if the webhook is opt-in, because end + // users may skip the admission webhook by setting the labels. + // Default to the empty LabelSelector, which matches everything. + // +optional + objectSelector?: null | metav1.#LabelSelector @go(ObjectSelector,*metav1.LabelSelector) @protobuf(11,bytes,opt) + + // SideEffects states whether this webhook has side effects. + // Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). + // Webhooks with side effects MUST implement a reconciliation system, since a request may be + // rejected by a future step in the admission chain and the side effects therefore need to be undone. + // Requests with the dryRun attribute will be auto-rejected if they match a webhook with + // sideEffects == Unknown or Some. + sideEffects?: null | #SideEffectClass @go(SideEffects,*SideEffectClass) @protobuf(6,bytes,opt,casttype=SideEffectClass) + + // TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, + // the webhook call will be ignored or the API call will fail based on the + // failure policy. + // The timeout value must be between 1 and 30 seconds. + // Default to 10 seconds. + // +optional + timeoutSeconds?: null | int32 @go(TimeoutSeconds,*int32) @protobuf(7,varint,opt) + + // AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` + // versions the Webhook expects. API server will try to use first version in + // the list which it supports. If none of the versions specified in this list + // supported by API server, validation will fail for this object. 
+ // If a persisted webhook configuration specifies allowed versions and does not + // include any versions known to the API Server, calls to the webhook will fail + // and be subject to the failure policy. + admissionReviewVersions: [...string] @go(AdmissionReviewVersions,[]string) @protobuf(8,bytes,rep) + + // reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. + // Allowed values are "Never" and "IfNeeded". + // + // Never: the webhook will not be called more than once in a single admission evaluation. + // + // IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation + // if the object being admitted is modified by other admission plugins after the initial webhook call. + // Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted. + // Note: + // * the number of additional invocations is not guaranteed to be exactly one. + // * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again. + // * webhooks that use this option may be reordered to minimize the number of additional invocations. + // * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead. + // + // Defaults to "Never". + // +optional + reinvocationPolicy?: null | #ReinvocationPolicyType @go(ReinvocationPolicy,*ReinvocationPolicyType) @protobuf(10,bytes,opt,casttype=ReinvocationPolicyType) + + // MatchConditions is a list of conditions that must be met for a request to be sent to this + // webhook. Match conditions filter requests that have already been matched by the rules, + // namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. + // There are a maximum of 64 match conditions allowed. + // + // The exact matching logic is (in order): + // 1. 
If ANY matchCondition evaluates to FALSE, the webhook is skipped. + // 2. If ALL matchConditions evaluate to TRUE, the webhook is called. + // 3. If any matchCondition evaluates to an error (but none are FALSE): + // - If failurePolicy=Fail, reject the request + // - If failurePolicy=Ignore, the error is ignored and the webhook is skipped + // + // This is a beta feature and managed by the AdmissionWebhookMatchConditions feature gate. + // + // +patchMergeKey=name + // +patchStrategy=merge + // +listType=map + // +listMapKey=name + // +featureGate=AdmissionWebhookMatchConditions + // +optional + matchConditions?: [...#MatchCondition] @go(MatchConditions,[]MatchCondition) @protobuf(12,bytes,opt) +} + +// ReinvocationPolicyType specifies what type of policy the admission hook uses. +// +enum +#ReinvocationPolicyType: string // #enumReinvocationPolicyType + +#enumReinvocationPolicyType: + #NeverReinvocationPolicy | + #IfNeededReinvocationPolicy + +// NeverReinvocationPolicy indicates that the webhook must not be called more than once in a +// single admission evaluation. +#NeverReinvocationPolicy: #ReinvocationPolicyType & "Never" + +// IfNeededReinvocationPolicy indicates that the webhook may be called at least one +// additional time as part of the admission evaluation if the object being admitted is +// modified by other admission plugins after the initial webhook call. +#IfNeededReinvocationPolicy: #ReinvocationPolicyType & "IfNeeded" + +// RuleWithOperations is a tuple of Operations and Resources. It is recommended to make +// sure that all the tuple expansions are valid. +#RuleWithOperations: { + // Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * + // for all of those operations and any future admission operations that are added. + // If '*' is present, the length of the slice must be one. + // Required. 
+ // +listType=atomic + operations?: [...#OperationType] @go(Operations,[]OperationType) @protobuf(1,bytes,rep,casttype=OperationType) + + #Rule +} + +// OperationType specifies an operation for a request. +// +enum +#OperationType: string // #enumOperationType + +#enumOperationType: + #OperationAll | + #Create | + #Update | + #Delete | + #Connect + +#OperationAll: #OperationType & "*" +#Create: #OperationType & "CREATE" +#Update: #OperationType & "UPDATE" +#Delete: #OperationType & "DELETE" +#Connect: #OperationType & "CONNECT" + +// WebhookClientConfig contains the information to make a TLS +// connection with the webhook +#WebhookClientConfig: { + // `url` gives the location of the webhook, in standard URL form + // (`scheme://host:port/path`). Exactly one of `url` or `service` + // must be specified. + // + // The `host` should not refer to a service running in the cluster; use + // the `service` field instead. The host might be resolved via external + // DNS in some apiservers (e.g., `kube-apiserver` cannot resolve + // in-cluster DNS as that would be a layering violation). `host` may + // also be an IP address. + // + // Please note that using `localhost` or `127.0.0.1` as a `host` is + // risky unless you take great care to run this webhook on all hosts + // which run an apiserver which might need to make calls to this + // webhook. Such installs are likely to be non-portable, i.e., not easy + // to turn up in a new cluster. + // + // The scheme must be "https"; the URL must begin with "https://". + // + // A path is optional, and if present may be any string permissible in + // a URL. You may use the path to pass an arbitrary string to the + // webhook, for example, a cluster identifier. + // + // Attempting to use a user or basic auth e.g. "user:password@" is not + // allowed. Fragments ("#...") and query parameters ("?...") are not + // allowed, either. 
+ // + // +optional + url?: null | string @go(URL,*string) @protobuf(3,bytes,opt) + + // `service` is a reference to the service for this webhook. Either + // `service` or `url` must be specified. + // + // If the webhook is running within the cluster, then you should use `service`. + // + // +optional + service?: null | #ServiceReference @go(Service,*ServiceReference) @protobuf(1,bytes,opt) + + // `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. + // If unspecified, system trust roots on the apiserver are used. + // +optional + caBundle?: bytes @go(CABundle,[]byte) @protobuf(2,bytes,opt) +} + +// ServiceReference holds a reference to Service.legacy.k8s.io +#ServiceReference: { + // `namespace` is the namespace of the service. + // Required + namespace: string @go(Namespace) @protobuf(1,bytes,opt) + + // `name` is the name of the service. + // Required + name: string @go(Name) @protobuf(2,bytes,opt) + + // `path` is an optional URL path which will be sent in any request to + // this service. + // +optional + path?: null | string @go(Path,*string) @protobuf(3,bytes,opt) + + // If specified, the port on the service that hosting webhook. + // Default to 443 for backward compatibility. + // `port` should be a valid port number (1-65535, inclusive). + // +optional + port?: null | int32 @go(Port,*int32) @protobuf(4,varint,opt) +} + +// MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. +#MatchCondition: { + // Name is an identifier for this match condition, used for strategic merging of MatchConditions, + // as well as providing an identifier for logging purposes. A good name should be descriptive of + // the associated expression. + // Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + // must start and end with an alphanumeric character (e.g. 
'MyName', or 'my.name', or + // '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + // optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + // + // Required. + name: string @go(Name) @protobuf(1,bytes,opt) + + // Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + // CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + // + // 'object' - The object from the incoming request. The value is null for DELETE requests. + // 'oldObject' - The existing object. The value is null for CREATE requests. + // 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + // 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + // 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + // request resource. + // Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + // + // Required. + expression: string @go(Expression) @protobuf(2,bytes,opt) +} diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/apps/v1/register_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/apps/v1/register_go_gen.cue new file mode 100644 index 000000000..c2497a513 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/apps/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/apps/v1 + +package v1 + +#GroupName: "apps" diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/apps/v1/types_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/apps/v1/types_go_gen.cue new file mode 100644 index 000000000..d3ecc8345 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/apps/v1/types_go_gen.cue 
@@ -0,0 +1,946 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/apps/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/intstr" + "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/runtime" +) + +#ControllerRevisionHashLabelKey: "controller-revision-hash" +#StatefulSetRevisionLabel: "controller-revision-hash" +#DeprecatedRollbackTo: "deprecated.deployment.rollback.to" +#DeprecatedTemplateGeneration: "deprecated.daemonset.template.generation" +#StatefulSetPodNameLabel: "statefulset.kubernetes.io/pod-name" +#PodIndexLabel: "apps.kubernetes.io/pod-index" + +// StatefulSet represents a set of pods with consistent identities. +// Identities are defined as: +// - Network: A single stable DNS and hostname. +// - Storage: As many VolumeClaims as requested. +// +// The StatefulSet guarantees that a given network identity will always +// map to the same storage identity. +#StatefulSet: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec defines the desired identities of pods in this set. + // +optional + spec?: #StatefulSetSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status is the current status of Pods in this StatefulSet. This data + // may be out of date by some window of time. + // +optional + status?: #StatefulSetStatus @go(Status) @protobuf(3,bytes,opt) +} + +// PodManagementPolicyType defines the policy for creating pods under a stateful set. 
+// +enum +#PodManagementPolicyType: string // #enumPodManagementPolicyType + +#enumPodManagementPolicyType: + #OrderedReadyPodManagement | + #ParallelPodManagement + +// OrderedReadyPodManagement will create pods in strictly increasing order on +// scale up and strictly decreasing order on scale down, progressing only when +// the previous pod is ready or terminated. At most one pod will be changed +// at any time. +#OrderedReadyPodManagement: #PodManagementPolicyType & "OrderedReady" + +// ParallelPodManagement will create and delete pods as soon as the stateful set +// replica count is changed, and will not wait for pods to be ready or complete +// termination. +#ParallelPodManagement: #PodManagementPolicyType & "Parallel" + +// StatefulSetUpdateStrategy indicates the strategy that the StatefulSet +// controller will use to perform updates. It includes any additional parameters +// necessary to perform the update for the indicated strategy. +#StatefulSetUpdateStrategy: { + // Type indicates the type of the StatefulSetUpdateStrategy. + // Default is RollingUpdate. + // +optional + type?: #StatefulSetUpdateStrategyType @go(Type) @protobuf(1,bytes,opt,casttype=StatefulSetStrategyType) + + // RollingUpdate is used to communicate parameters when Type is RollingUpdateStatefulSetStrategyType. + // +optional + rollingUpdate?: null | #RollingUpdateStatefulSetStrategy @go(RollingUpdate,*RollingUpdateStatefulSetStrategy) @protobuf(2,bytes,opt) +} + +// StatefulSetUpdateStrategyType is a string enumeration type that enumerates +// all possible update strategies for the StatefulSet controller. +// +enum +#StatefulSetUpdateStrategyType: string // #enumStatefulSetUpdateStrategyType + +#enumStatefulSetUpdateStrategyType: + #RollingUpdateStatefulSetStrategyType | + #OnDeleteStatefulSetStrategyType + +// RollingUpdateStatefulSetStrategyType indicates that update will be +// applied to all Pods in the StatefulSet with respect to the StatefulSet +// ordering constraints. 
When a scale operation is performed with this +// strategy, new Pods will be created from the specification version indicated +// by the StatefulSet's updateRevision. +#RollingUpdateStatefulSetStrategyType: #StatefulSetUpdateStrategyType & "RollingUpdate" + +// OnDeleteStatefulSetStrategyType triggers the legacy behavior. Version +// tracking and ordered rolling restarts are disabled. Pods are recreated +// from the StatefulSetSpec when they are manually deleted. When a scale +// operation is performed with this strategy,specification version indicated +// by the StatefulSet's currentRevision. +#OnDeleteStatefulSetStrategyType: #StatefulSetUpdateStrategyType & "OnDelete" + +// RollingUpdateStatefulSetStrategy is used to communicate parameter for RollingUpdateStatefulSetStrategyType. +#RollingUpdateStatefulSetStrategy: { + // Partition indicates the ordinal at which the StatefulSet should be partitioned + // for updates. During a rolling update, all pods from ordinal Replicas-1 to + // Partition are updated. All pods from ordinal Partition-1 to 0 remain untouched. + // This is helpful in being able to do a canary based deployment. The default value is 0. + // +optional + partition?: null | int32 @go(Partition,*int32) @protobuf(1,varint,opt) + + // The maximum number of pods that can be unavailable during the update. + // Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + // Absolute number is calculated from percentage by rounding up. This can not be 0. + // Defaults to 1. This field is alpha-level and is only honored by servers that enable the + // MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to + // Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it + // will be counted towards MaxUnavailable. 
+ // +optional + maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(2,varint,opt) +} + +// PersistentVolumeClaimRetentionPolicyType is a string enumeration of the policies that will determine +// when volumes from the VolumeClaimTemplates will be deleted when the controlling StatefulSet is +// deleted or scaled down. +#PersistentVolumeClaimRetentionPolicyType: string // #enumPersistentVolumeClaimRetentionPolicyType + +#enumPersistentVolumeClaimRetentionPolicyType: + #RetainPersistentVolumeClaimRetentionPolicyType | + #DeletePersistentVolumeClaimRetentionPolicyType + +// RetainPersistentVolumeClaimRetentionPolicyType is the default +// PersistentVolumeClaimRetentionPolicy and specifies that +// PersistentVolumeClaims associated with StatefulSet VolumeClaimTemplates +// will not be deleted. +#RetainPersistentVolumeClaimRetentionPolicyType: #PersistentVolumeClaimRetentionPolicyType & "Retain" + +// RetentionPersistentVolumeClaimRetentionPolicyType specifies that +// PersistentVolumeClaims associated with StatefulSet VolumeClaimTemplates +// will be deleted in the scenario specified in +// StatefulSetPersistentVolumeClaimRetentionPolicy. +#DeletePersistentVolumeClaimRetentionPolicyType: #PersistentVolumeClaimRetentionPolicyType & "Delete" + +// StatefulSetPersistentVolumeClaimRetentionPolicy describes the policy used for PVCs +// created from the StatefulSet VolumeClaimTemplates. +#StatefulSetPersistentVolumeClaimRetentionPolicy: { + // WhenDeleted specifies what happens to PVCs created from StatefulSet + // VolumeClaimTemplates when the StatefulSet is deleted. The default policy + // of `Retain` causes PVCs to not be affected by StatefulSet deletion. The + // `Delete` policy causes those PVCs to be deleted. 
+ whenDeleted?: #PersistentVolumeClaimRetentionPolicyType @go(WhenDeleted) @protobuf(1,bytes,opt,casttype=PersistentVolumeClaimRetentionPolicyType) + + // WhenScaled specifies what happens to PVCs created from StatefulSet + // VolumeClaimTemplates when the StatefulSet is scaled down. The default + // policy of `Retain` causes PVCs to not be affected by a scaledown. The + // `Delete` policy causes the associated PVCs for any excess pods above + // the replica count to be deleted. + whenScaled?: #PersistentVolumeClaimRetentionPolicyType @go(WhenScaled) @protobuf(2,bytes,opt,casttype=PersistentVolumeClaimRetentionPolicyType) +} + +// StatefulSetOrdinals describes the policy used for replica ordinal assignment +// in this StatefulSet. +#StatefulSetOrdinals: { + // start is the number representing the first replica's index. It may be used + // to number replicas from an alternate index (eg: 1-indexed) over the default + // 0-indexed names, or to orchestrate progressive movement of replicas from + // one StatefulSet to another. + // If set, replica indices will be in the range: + // [.spec.ordinals.start, .spec.ordinals.start + .spec.replicas). + // If unset, defaults to 0. Replica indices will be in the range: + // [0, .spec.replicas). + // +optional + start: int32 @go(Start) @protobuf(1,varint,opt) +} + +// A StatefulSetSpec is the specification of a StatefulSet. +#StatefulSetSpec: { + // replicas is the desired number of replicas of the given Template. + // These are replicas in the sense that they are instantiations of the + // same Template, but individual replicas also have a consistent identity. + // If unspecified, defaults to 1. + // TODO: Consider a rename of this field. + // +optional + replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt) + + // selector is a label query over pods that should match the replica count. + // It must match the pod template's labels. 
+ // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt) + + // template is the object that describes the pod that will be created if + // insufficient replicas are detected. Each pod stamped out by the StatefulSet + // will fulfill this Template, but have a unique identity from the rest + // of the StatefulSet. Each pod will be named with the format + // -. For example, a pod in a StatefulSet named + // "web" with index number "3" would be named "web-3". + // The only allowed template.spec.restartPolicy value is "Always". + template: v1.#PodTemplateSpec @go(Template) @protobuf(3,bytes,opt) + + // volumeClaimTemplates is a list of claims that pods are allowed to reference. + // The StatefulSet controller is responsible for mapping network identities to + // claims in a way that maintains the identity of a pod. Every claim in + // this list must have at least one matching (by name) volumeMount in one + // container in the template. A claim in this list takes precedence over + // any volumes in the template, with the same name. + // TODO: Define the behavior if a claim already exists with the same name. + // +optional + volumeClaimTemplates?: [...v1.#PersistentVolumeClaim] @go(VolumeClaimTemplates,[]v1.PersistentVolumeClaim) @protobuf(4,bytes,rep) + + // serviceName is the name of the service that governs this StatefulSet. + // This service must exist before the StatefulSet, and is responsible for + // the network identity of the set. Pods get DNS/hostnames that follow the + // pattern: pod-specific-string.serviceName.default.svc.cluster.local + // where "pod-specific-string" is managed by the StatefulSet controller. + serviceName: string @go(ServiceName) @protobuf(5,bytes,opt) + + // podManagementPolicy controls how pods are created during initial scale up, + // when replacing pods on nodes, or when scaling down. 
The default policy is + // `OrderedReady`, where pods are created in increasing order (pod-0, then + // pod-1, etc) and the controller will wait until each pod is ready before + // continuing. When scaling down, the pods are removed in the opposite order. + // The alternative policy is `Parallel` which will create pods in parallel + // to match the desired scale without waiting, and on scale down will delete + // all pods at once. + // +optional + podManagementPolicy?: #PodManagementPolicyType @go(PodManagementPolicy) @protobuf(6,bytes,opt,casttype=PodManagementPolicyType) + + // updateStrategy indicates the StatefulSetUpdateStrategy that will be + // employed to update Pods in the StatefulSet when a revision is made to + // Template. + updateStrategy?: #StatefulSetUpdateStrategy @go(UpdateStrategy) @protobuf(7,bytes,opt) + + // revisionHistoryLimit is the maximum number of revisions that will + // be maintained in the StatefulSet's revision history. The revision history + // consists of all revisions not represented by a currently applied + // StatefulSetSpec version. The default value is 10. + revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32) @protobuf(8,varint,opt) + + // Minimum number of seconds for which a newly created pod should be ready + // without any of its container crashing for it to be considered available. + // Defaults to 0 (pod will be considered available as soon as it is ready) + // +optional + minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(9,varint,opt) + + // persistentVolumeClaimRetentionPolicy describes the lifecycle of persistent + // volume claims created from volumeClaimTemplates. By default, all persistent + // volume claims are created as needed and retained until manually deleted. This + // policy allows the lifecycle to be altered, for example by deleting persistent + // volume claims when their stateful set is deleted, or when their pod is scaled + // down. 
This requires the StatefulSetAutoDeletePVC feature gate to be enabled, + // which is alpha. +optional + persistentVolumeClaimRetentionPolicy?: null | #StatefulSetPersistentVolumeClaimRetentionPolicy @go(PersistentVolumeClaimRetentionPolicy,*StatefulSetPersistentVolumeClaimRetentionPolicy) @protobuf(10,bytes,opt) + + // ordinals controls the numbering of replica indices in a StatefulSet. The + // default ordinals behavior assigns a "0" index to the first replica and + // increments the index by one for each additional replica requested. Using + // the ordinals field requires the StatefulSetStartOrdinal feature gate to be + // enabled, which is beta. + // +optional + ordinals?: null | #StatefulSetOrdinals @go(Ordinals,*StatefulSetOrdinals) @protobuf(11,bytes,opt) +} + +// StatefulSetStatus represents the current state of a StatefulSet. +#StatefulSetStatus: { + // observedGeneration is the most recent generation observed for this StatefulSet. It corresponds to the + // StatefulSet's generation, which is updated on mutation by the API Server. + // +optional + observedGeneration?: int64 @go(ObservedGeneration) @protobuf(1,varint,opt) + + // replicas is the number of Pods created by the StatefulSet controller. + replicas: int32 @go(Replicas) @protobuf(2,varint,opt) + + // readyReplicas is the number of pods created for this StatefulSet with a Ready Condition. + readyReplicas?: int32 @go(ReadyReplicas) @protobuf(3,varint,opt) + + // currentReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version + // indicated by currentRevision. + currentReplicas?: int32 @go(CurrentReplicas) @protobuf(4,varint,opt) + + // updatedReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version + // indicated by updateRevision. 
+ updatedReplicas?: int32 @go(UpdatedReplicas) @protobuf(5,varint,opt) + + // currentRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the + // sequence [0,currentReplicas). + currentRevision?: string @go(CurrentRevision) @protobuf(6,bytes,opt) + + // updateRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the sequence + // [replicas-updatedReplicas,replicas) + updateRevision?: string @go(UpdateRevision) @protobuf(7,bytes,opt) + + // collisionCount is the count of hash collisions for the StatefulSet. The StatefulSet controller + // uses this field as a collision avoidance mechanism when it needs to create the name for the + // newest ControllerRevision. + // +optional + collisionCount?: null | int32 @go(CollisionCount,*int32) @protobuf(9,varint,opt) + + // Represents the latest available observations of a statefulset's current state. + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#StatefulSetCondition] @go(Conditions,[]StatefulSetCondition) @protobuf(10,bytes,rep) + + // Total number of available pods (ready for at least minReadySeconds) targeted by this statefulset. + // +optional + availableReplicas: int32 @go(AvailableReplicas) @protobuf(11,varint,opt) +} + +#StatefulSetConditionType: string + +// StatefulSetCondition describes the state of a statefulset at a certain point. +#StatefulSetCondition: { + // Type of statefulset condition. + type: #StatefulSetConditionType @go(Type) @protobuf(1,bytes,opt,casttype=StatefulSetConditionType) + + // Status of the condition, one of True, False, Unknown. + status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus) + + // Last time the condition transitioned from one status to another. + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt) + + // The reason for the condition's last transition. 
+ // +optional + reason?: string @go(Reason) @protobuf(4,bytes,opt) + + // A human readable message indicating details about the transition. + // +optional + message?: string @go(Message) @protobuf(5,bytes,opt) +} + +// StatefulSetList is a collection of StatefulSets. +#StatefulSetList: { + metav1.#TypeMeta + + // Standard list's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is the list of stateful sets. + items: [...#StatefulSet] @go(Items,[]StatefulSet) @protobuf(2,bytes,rep) +} + +// Deployment enables declarative updates for Pods and ReplicaSets. +#Deployment: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Specification of the desired behavior of the Deployment. + // +optional + spec?: #DeploymentSpec @go(Spec) @protobuf(2,bytes,opt) + + // Most recently observed status of the Deployment. + // +optional + status?: #DeploymentStatus @go(Status) @protobuf(3,bytes,opt) +} + +// DeploymentSpec is the specification of the desired behavior of the Deployment. +#DeploymentSpec: { + // Number of desired pods. This is a pointer to distinguish between explicit + // zero and not specified. Defaults to 1. + // +optional + replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt) + + // Label selector for pods. Existing ReplicaSets whose pods are + // selected by this will be the ones affected by this deployment. + // It must match the pod template's labels. + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt) + + // Template describes the pods that will be created. + // The only allowed template.spec.restartPolicy value is "Always". 
+ template: v1.#PodTemplateSpec @go(Template) @protobuf(3,bytes,opt) + + // The deployment strategy to use to replace existing pods with new ones. + // +optional + // +patchStrategy=retainKeys + strategy?: #DeploymentStrategy @go(Strategy) @protobuf(4,bytes,opt) + + // Minimum number of seconds for which a newly created pod should be ready + // without any of its container crashing, for it to be considered available. + // Defaults to 0 (pod will be considered available as soon as it is ready) + // +optional + minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(5,varint,opt) + + // The number of old ReplicaSets to retain to allow rollback. + // This is a pointer to distinguish between explicit zero and not specified. + // Defaults to 10. + // +optional + revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32) @protobuf(6,varint,opt) + + // Indicates that the deployment is paused. + // +optional + paused?: bool @go(Paused) @protobuf(7,varint,opt) + + // The maximum time in seconds for a deployment to make progress before it + // is considered to be failed. The deployment controller will continue to + // process failed deployments and a condition with a ProgressDeadlineExceeded + // reason will be surfaced in the deployment status. Note that progress will + // not be estimated during the time a deployment is paused. Defaults to 600s. + progressDeadlineSeconds?: null | int32 @go(ProgressDeadlineSeconds,*int32) @protobuf(9,varint,opt) +} + +// DefaultDeploymentUniqueLabelKey is the default key of the selector that is added +// to existing ReplicaSets (and label key that is added to its pods) to prevent the existing ReplicaSets +// to select new pods (and old pods being select by new ReplicaSet). +#DefaultDeploymentUniqueLabelKey: "pod-template-hash" + +// DeploymentStrategy describes how to replace existing pods with new ones. +#DeploymentStrategy: { + // Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate. 
+ // +optional + type?: #DeploymentStrategyType @go(Type) @protobuf(1,bytes,opt,casttype=DeploymentStrategyType) + + // Rolling update config params. Present only if DeploymentStrategyType = + // RollingUpdate. + //--- + // TODO: Update this to follow our convention for oneOf, whatever we decide it + // to be. + // +optional + rollingUpdate?: null | #RollingUpdateDeployment @go(RollingUpdate,*RollingUpdateDeployment) @protobuf(2,bytes,opt) +} + +// +enum +#DeploymentStrategyType: string // #enumDeploymentStrategyType + +#enumDeploymentStrategyType: + #RecreateDeploymentStrategyType | + #RollingUpdateDeploymentStrategyType + +// Kill all existing pods before creating new ones. +#RecreateDeploymentStrategyType: #DeploymentStrategyType & "Recreate" + +// Replace the old ReplicaSets by new one using rolling update i.e gradually scale down the old ReplicaSets and scale up the new one. +#RollingUpdateDeploymentStrategyType: #DeploymentStrategyType & "RollingUpdate" + +// Spec to control the desired behavior of rolling update. +#RollingUpdateDeployment: { + // The maximum number of pods that can be unavailable during the update. + // Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + // Absolute number is calculated from percentage by rounding down. + // This can not be 0 if MaxSurge is 0. + // Defaults to 25%. + // Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods + // immediately when the rolling update starts. Once new pods are ready, old ReplicaSet + // can be scaled down further, followed by scaling up the new ReplicaSet, ensuring + // that the total number of pods available at all times during the update is at + // least 70% of desired pods. + // +optional + maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(1,bytes,opt) + + // The maximum number of pods that can be scheduled above the desired number of + // pods. 
+ // Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + // This can not be 0 if MaxUnavailable is 0. + // Absolute number is calculated from percentage by rounding up. + // Defaults to 25%. + // Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when + // the rolling update starts, such that the total number of old and new pods do not exceed + // 130% of desired pods. Once old pods have been killed, + // new ReplicaSet can be scaled up further, ensuring that total number of pods running + // at any time during the update is at most 130% of desired pods. + // +optional + maxSurge?: null | intstr.#IntOrString @go(MaxSurge,*intstr.IntOrString) @protobuf(2,bytes,opt) +} + +// DeploymentStatus is the most recently observed status of the Deployment. +#DeploymentStatus: { + // The generation observed by the deployment controller. + // +optional + observedGeneration?: int64 @go(ObservedGeneration) @protobuf(1,varint,opt) + + // Total number of non-terminated pods targeted by this deployment (their labels match the selector). + // +optional + replicas?: int32 @go(Replicas) @protobuf(2,varint,opt) + + // Total number of non-terminated pods targeted by this deployment that have the desired template spec. + // +optional + updatedReplicas?: int32 @go(UpdatedReplicas) @protobuf(3,varint,opt) + + // readyReplicas is the number of pods targeted by this Deployment with a Ready Condition. + // +optional + readyReplicas?: int32 @go(ReadyReplicas) @protobuf(7,varint,opt) + + // Total number of available pods (ready for at least minReadySeconds) targeted by this deployment. + // +optional + availableReplicas?: int32 @go(AvailableReplicas) @protobuf(4,varint,opt) + + // Total number of unavailable pods targeted by this deployment. This is the total number of + // pods that are still required for the deployment to have 100% available capacity. 
They may + // either be pods that are running but not yet available or pods that still have not been created. + // +optional + unavailableReplicas?: int32 @go(UnavailableReplicas) @protobuf(5,varint,opt) + + // Represents the latest available observations of a deployment's current state. + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#DeploymentCondition] @go(Conditions,[]DeploymentCondition) @protobuf(6,bytes,rep) + + // Count of hash collisions for the Deployment. The Deployment controller uses this + // field as a collision avoidance mechanism when it needs to create the name for the + // newest ReplicaSet. + // +optional + collisionCount?: null | int32 @go(CollisionCount,*int32) @protobuf(8,varint,opt) +} + +#DeploymentConditionType: string // #enumDeploymentConditionType + +#enumDeploymentConditionType: + #DeploymentAvailable | + #DeploymentProgressing | + #DeploymentReplicaFailure + +// Available means the deployment is available, ie. at least the minimum available +// replicas required are up and running for at least minReadySeconds. +#DeploymentAvailable: #DeploymentConditionType & "Available" + +// Progressing means the deployment is progressing. Progress for a deployment is +// considered when a new replica set is created or adopted, and when new pods scale +// up or old pods scale down. Progress is not estimated for paused deployments or +// when progressDeadlineSeconds is not specified. +#DeploymentProgressing: #DeploymentConditionType & "Progressing" + +// ReplicaFailure is added in a deployment when one of its pods fails to be created +// or deleted. +#DeploymentReplicaFailure: #DeploymentConditionType & "ReplicaFailure" + +// DeploymentCondition describes the state of a deployment at a certain point. +#DeploymentCondition: { + // Type of deployment condition. + type: #DeploymentConditionType @go(Type) @protobuf(1,bytes,opt,casttype=DeploymentConditionType) + + // Status of the condition, one of True, False, Unknown. 
+ status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus) + + // The last time this condition was updated. + lastUpdateTime?: metav1.#Time @go(LastUpdateTime) @protobuf(6,bytes,opt) + + // Last time the condition transitioned from one status to another. + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(7,bytes,opt) + + // The reason for the condition's last transition. + reason?: string @go(Reason) @protobuf(4,bytes,opt) + + // A human readable message indicating details about the transition. + message?: string @go(Message) @protobuf(5,bytes,opt) +} + +// DeploymentList is a list of Deployments. +#DeploymentList: { + metav1.#TypeMeta + + // Standard list metadata. + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is the list of Deployments. + items: [...#Deployment] @go(Items,[]Deployment) @protobuf(2,bytes,rep) +} + +// DaemonSetUpdateStrategy is a struct used to control the update strategy for a DaemonSet. +#DaemonSetUpdateStrategy: { + // Type of daemon set update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate. + // +optional + type?: #DaemonSetUpdateStrategyType @go(Type) @protobuf(1,bytes,opt) + + // Rolling update config params. Present only if type = "RollingUpdate". + //--- + // TODO: Update this to follow our convention for oneOf, whatever we decide it + // to be. Same as Deployment `strategy.rollingUpdate`. + // See https://github.com/kubernetes/kubernetes/issues/35345 + // +optional + rollingUpdate?: null | #RollingUpdateDaemonSet @go(RollingUpdate,*RollingUpdateDaemonSet) @protobuf(2,bytes,opt) +} + +// +enum +#DaemonSetUpdateStrategyType: string // #enumDaemonSetUpdateStrategyType + +#enumDaemonSetUpdateStrategyType: + #RollingUpdateDaemonSetStrategyType | + #OnDeleteDaemonSetStrategyType + +// Replace the old daemons by new ones using rolling update i.e replace them on each node one after the other. 
+#RollingUpdateDaemonSetStrategyType: #DaemonSetUpdateStrategyType & "RollingUpdate" + +// Replace the old daemons only when it's killed +#OnDeleteDaemonSetStrategyType: #DaemonSetUpdateStrategyType & "OnDelete" + +// Spec to control the desired behavior of daemon set rolling update. +#RollingUpdateDaemonSet: { + // The maximum number of DaemonSet pods that can be unavailable during the + // update. Value can be an absolute number (ex: 5) or a percentage of total + // number of DaemonSet pods at the start of the update (ex: 10%). Absolute + // number is calculated from percentage by rounding up. + // This cannot be 0 if MaxSurge is 0 + // Default value is 1. + // Example: when this is set to 30%, at most 30% of the total number of nodes + // that should be running the daemon pod (i.e. status.desiredNumberScheduled) + // can have their pods stopped for an update at any given time. The update + // starts by stopping at most 30% of those DaemonSet pods and then brings + // up new DaemonSet pods in their place. Once the new pods are available, + // it then proceeds onto other DaemonSet pods, thus ensuring that at least + // 70% of original number of DaemonSet pods are available at all times during + // the update. + // +optional + maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(1,bytes,opt) + + // The maximum number of nodes with an existing available DaemonSet pod that + // can have an updated DaemonSet pod during during an update. + // Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + // This can not be 0 if MaxUnavailable is 0. + // Absolute number is calculated from percentage by rounding up to a minimum of 1. + // Default value is 0. + // Example: when this is set to 30%, at most 30% of the total number of nodes + // that should be running the daemon pod (i.e. status.desiredNumberScheduled) + // can have their a new pod created before the old pod is marked as deleted. 
+ // The update starts by launching new pods on 30% of nodes. Once an updated + // pod is available (Ready for at least minReadySeconds) the old DaemonSet pod + // on that node is marked deleted. If the old pod becomes unavailable for any + // reason (Ready transitions to false, is evicted, or is drained) an updated + // pod is immediatedly created on that node without considering surge limits. + // Allowing surge implies the possibility that the resources consumed by the + // daemonset on any given node can double if the readiness check fails, and + // so resource intensive daemonsets should take into account that they may + // cause evictions during disruption. + // +optional + maxSurge?: null | intstr.#IntOrString @go(MaxSurge,*intstr.IntOrString) @protobuf(2,bytes,opt) +} + +// DaemonSetSpec is the specification of a daemon set. +#DaemonSetSpec: { + // A label query over pods that are managed by the daemon set. + // Must match in order to be controlled. + // It must match the pod template's labels. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(1,bytes,opt) + + // An object that describes the pod that will be created. + // The DaemonSet will create exactly one copy of this pod on every node + // that matches the template's node selector (or on every node if no node + // selector is specified). + // The only allowed template.spec.restartPolicy value is "Always". + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template + template: v1.#PodTemplateSpec @go(Template) @protobuf(2,bytes,opt) + + // An update strategy to replace existing DaemonSet pods with new pods. 
+ // +optional + updateStrategy?: #DaemonSetUpdateStrategy @go(UpdateStrategy) @protobuf(3,bytes,opt) + + // The minimum number of seconds for which a newly created DaemonSet pod should + // be ready without any of its container crashing, for it to be considered + // available. Defaults to 0 (pod will be considered available as soon as it + // is ready). + // +optional + minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(4,varint,opt) + + // The number of old history to retain to allow rollback. + // This is a pointer to distinguish between explicit zero and not specified. + // Defaults to 10. + // +optional + revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32) @protobuf(6,varint,opt) +} + +// DaemonSetStatus represents the current status of a daemon set. +#DaemonSetStatus: { + // The number of nodes that are running at least 1 + // daemon pod and are supposed to run the daemon pod. + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + currentNumberScheduled: int32 @go(CurrentNumberScheduled) @protobuf(1,varint,opt) + + // The number of nodes that are running the daemon pod, but are + // not supposed to run the daemon pod. + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + numberMisscheduled: int32 @go(NumberMisscheduled) @protobuf(2,varint,opt) + + // The total number of nodes that should be running the daemon + // pod (including nodes correctly running the daemon pod). + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + desiredNumberScheduled: int32 @go(DesiredNumberScheduled) @protobuf(3,varint,opt) + + // numberReady is the number of nodes that should be running the daemon pod and have one + // or more of the daemon pod running with a Ready Condition. + numberReady: int32 @go(NumberReady) @protobuf(4,varint,opt) + + // The most recent generation observed by the daemon set controller. 
+ // +optional + observedGeneration?: int64 @go(ObservedGeneration) @protobuf(5,varint,opt) + + // The total number of nodes that are running updated daemon pod + // +optional + updatedNumberScheduled?: int32 @go(UpdatedNumberScheduled) @protobuf(6,varint,opt) + + // The number of nodes that should be running the + // daemon pod and have one or more of the daemon pod running and + // available (ready for at least spec.minReadySeconds) + // +optional + numberAvailable?: int32 @go(NumberAvailable) @protobuf(7,varint,opt) + + // The number of nodes that should be running the + // daemon pod and have none of the daemon pod running and available + // (ready for at least spec.minReadySeconds) + // +optional + numberUnavailable?: int32 @go(NumberUnavailable) @protobuf(8,varint,opt) + + // Count of hash collisions for the DaemonSet. The DaemonSet controller + // uses this field as a collision avoidance mechanism when it needs to + // create the name for the newest ControllerRevision. + // +optional + collisionCount?: null | int32 @go(CollisionCount,*int32) @protobuf(9,varint,opt) + + // Represents the latest available observations of a DaemonSet's current state. + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#DaemonSetCondition] @go(Conditions,[]DaemonSetCondition) @protobuf(10,bytes,rep) +} + +#DaemonSetConditionType: string + +// DaemonSetCondition describes the state of a DaemonSet at a certain point. +#DaemonSetCondition: { + // Type of DaemonSet condition. + type: #DaemonSetConditionType @go(Type) @protobuf(1,bytes,opt,casttype=DaemonSetConditionType) + + // Status of the condition, one of True, False, Unknown. + status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus) + + // Last time the condition transitioned from one status to another. 
+ // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt) + + // The reason for the condition's last transition. + // +optional + reason?: string @go(Reason) @protobuf(4,bytes,opt) + + // A human readable message indicating details about the transition. + // +optional + message?: string @go(Message) @protobuf(5,bytes,opt) +} + +// DaemonSet represents the configuration of a daemon set. +#DaemonSet: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // The desired behavior of this daemon set. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #DaemonSetSpec @go(Spec) @protobuf(2,bytes,opt) + + // The current status of this daemon set. This data may be + // out of date by some window of time. + // Populated by the system. + // Read-only. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #DaemonSetStatus @go(Status) @protobuf(3,bytes,opt) +} + +// DefaultDaemonSetUniqueLabelKey is the default label key that is added +// to existing DaemonSet pods to distinguish between old and new +// DaemonSet pods during DaemonSet template updates. +#DefaultDaemonSetUniqueLabelKey: "controller-revision-hash" + +// DaemonSetList is a collection of daemon sets. +#DaemonSetList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // A list of daemon sets. 
+ items: [...#DaemonSet] @go(Items,[]DaemonSet) @protobuf(2,bytes,rep) +} + +// ReplicaSet ensures that a specified number of pod replicas are running at any given time. +#ReplicaSet: { + metav1.#TypeMeta + + // If the Labels of a ReplicaSet are empty, they are defaulted to + // be the same as the Pod(s) that the ReplicaSet manages. + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec defines the specification of the desired behavior of the ReplicaSet. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #ReplicaSetSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status is the most recently observed status of the ReplicaSet. + // This data may be out of date by some window of time. + // Populated by the system. + // Read-only. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #ReplicaSetStatus @go(Status) @protobuf(3,bytes,opt) +} + +// ReplicaSetList is a collection of ReplicaSets. +#ReplicaSetList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of ReplicaSets. + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller + items: [...#ReplicaSet] @go(Items,[]ReplicaSet) @protobuf(2,bytes,rep) +} + +// ReplicaSetSpec is the specification of a ReplicaSet. +#ReplicaSetSpec: { + // Replicas is the number of desired replicas. + // This is a pointer to distinguish between explicit zero and unspecified. + // Defaults to 1. 
+ // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller + // +optional + replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt) + + // Minimum number of seconds for which a newly created pod should be ready + // without any of its container crashing, for it to be considered available. + // Defaults to 0 (pod will be considered available as soon as it is ready) + // +optional + minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(4,varint,opt) + + // Selector is a label query over pods that should match the replica count. + // Label keys and values that must match in order to be controlled by this replica set. + // It must match the pod template's labels. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt) + + // Template is the object that describes the pod that will be created if + // insufficient replicas are detected. + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template + // +optional + template?: v1.#PodTemplateSpec @go(Template) @protobuf(3,bytes,opt) +} + +// ReplicaSetStatus represents the current status of a ReplicaSet. +#ReplicaSetStatus: { + // Replicas is the most recently observed number of replicas. + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller + replicas: int32 @go(Replicas) @protobuf(1,varint,opt) + + // The number of pods that have labels matching the labels of the pod template of the replicaset. + // +optional + fullyLabeledReplicas?: int32 @go(FullyLabeledReplicas) @protobuf(2,varint,opt) + + // readyReplicas is the number of pods targeted by this ReplicaSet with a Ready Condition. 
+ // +optional + readyReplicas?: int32 @go(ReadyReplicas) @protobuf(4,varint,opt) + + // The number of available replicas (ready for at least minReadySeconds) for this replica set. + // +optional + availableReplicas?: int32 @go(AvailableReplicas) @protobuf(5,varint,opt) + + // ObservedGeneration reflects the generation of the most recently observed ReplicaSet. + // +optional + observedGeneration?: int64 @go(ObservedGeneration) @protobuf(3,varint,opt) + + // Represents the latest available observations of a replica set's current state. + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#ReplicaSetCondition] @go(Conditions,[]ReplicaSetCondition) @protobuf(6,bytes,rep) +} + +#ReplicaSetConditionType: string // #enumReplicaSetConditionType + +#enumReplicaSetConditionType: + #ReplicaSetReplicaFailure + +// ReplicaSetReplicaFailure is added in a replica set when one of its pods fails to be created +// due to insufficient quota, limit ranges, pod security policy, node selectors, etc. or deleted +// due to kubelet being down or finalizers are failing. +#ReplicaSetReplicaFailure: #ReplicaSetConditionType & "ReplicaFailure" + +// ReplicaSetCondition describes the state of a replica set at a certain point. +#ReplicaSetCondition: { + // Type of replica set condition. + type: #ReplicaSetConditionType @go(Type) @protobuf(1,bytes,opt,casttype=ReplicaSetConditionType) + + // Status of the condition, one of True, False, Unknown. + status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus) + + // The last time the condition transitioned from one status to another. + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt) + + // The reason for the condition's last transition. + // +optional + reason?: string @go(Reason) @protobuf(4,bytes,opt) + + // A human readable message indicating details about the transition. 
+ // +optional + message?: string @go(Message) @protobuf(5,bytes,opt) +} + +// ControllerRevision implements an immutable snapshot of state data. Clients +// are responsible for serializing and deserializing the objects that contain +// their internal state. +// Once a ControllerRevision has been successfully created, it can not be updated. +// The API Server will fail validation of all requests that attempt to mutate +// the Data field. ControllerRevisions may, however, be deleted. Note that, due to its use by both +// the DaemonSet and StatefulSet controllers for update and rollback, this object is beta. However, +// it may be subject to name and representation changes in future releases, and clients should not +// depend on its stability. It is primarily for internal use by controllers. +#ControllerRevision: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Data is the serialized representation of the state. + data?: runtime.#RawExtension @go(Data) @protobuf(2,bytes,opt) + + // Revision indicates the revision of the state represented by Data. + revision: int64 @go(Revision) @protobuf(3,varint,opt) +} + +// ControllerRevisionList is a resource containing a list of ControllerRevision objects. +#ControllerRevisionList: { + metav1.#TypeMeta + + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is the list of ControllerRevisions + items: [...#ControllerRevision] @go(Items,[]ControllerRevision) @protobuf(2,bytes,rep) +} 
diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/authentication/v1/register_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/authentication/v1/register_go_gen.cue new file mode 100644 index 000000000..082560098 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/authentication/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/authentication/v1 + +package v1 + +#GroupName: "authentication.k8s.io" diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/authentication/v1/types_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/authentication/v1/types_go_gen.cue new file mode 100644 index 000000000..5f0127a65 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/authentication/v1/types_go_gen.cue 
@@ -0,0 +1,206 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/authentication/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" +) + +// ImpersonateUserHeader is used to impersonate a particular user during an API server request +#ImpersonateUserHeader: "Impersonate-User" + +// ImpersonateGroupHeader is used to impersonate a particular group during an API server request. +// It can be repeated multiplied times for multiple groups. +#ImpersonateGroupHeader: "Impersonate-Group" + +// ImpersonateUIDHeader is used to impersonate a particular UID during an API server request +#ImpersonateUIDHeader: "Impersonate-Uid" + +// ImpersonateUserExtraHeaderPrefix is a prefix for any header used to impersonate an entry in the +// extra map[string][]string for user.Info. The key will be every after the prefix. +// It can be repeated multiplied times for multiple map keys and the same key can be repeated multiple +// times to have multiple elements in the slice under a single key +#ImpersonateUserExtraHeaderPrefix: "Impersonate-Extra-" + +// TokenReview attempts to authenticate a token to a known user. +// Note: TokenReview requests may be cached by the webhook token authenticator +// plugin in the kube-apiserver. +#TokenReview: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec holds information about the request being evaluated + spec: #TokenReviewSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status is filled in by the server and indicates whether the request can be authenticated. + // +optional + status?: #TokenReviewStatus @go(Status) @protobuf(3,bytes,opt) +} + +// TokenReviewSpec is a description of the token authentication request. 
+#TokenReviewSpec: { + // Token is the opaque bearer token. + // +optional + token?: string @go(Token) @protobuf(1,bytes,opt) + + // Audiences is a list of the identifiers that the resource server presented + // with the token identifies as. Audience-aware token authenticators will + // verify that the token was intended for at least one of the audiences in + // this list. If no audiences are provided, the audience will default to the + // audience of the Kubernetes apiserver. + // +optional + audiences?: [...string] @go(Audiences,[]string) @protobuf(2,bytes,rep) +} + +// TokenReviewStatus is the result of the token authentication request. +#TokenReviewStatus: { + // Authenticated indicates that the token was associated with a known user. + // +optional + authenticated?: bool @go(Authenticated) @protobuf(1,varint,opt) + + // User is the UserInfo associated with the provided token. + // +optional + user?: #UserInfo @go(User) @protobuf(2,bytes,opt) + + // Audiences are audience identifiers chosen by the authenticator that are + // compatible with both the TokenReview and token. An identifier is any + // identifier in the intersection of the TokenReviewSpec audiences and the + // token's audiences. A client of the TokenReview API that sets the + // spec.audiences field should validate that a compatible audience identifier + // is returned in the status.audiences field to ensure that the TokenReview + // server is audience aware. If a TokenReview returns an empty + // status.audience field where status.authenticated is "true", the token is + // valid against the audience of the Kubernetes API server. + // +optional + audiences?: [...string] @go(Audiences,[]string) @protobuf(4,bytes,rep) + + // Error indicates that the token couldn't be checked + // +optional + error?: string @go(Error) @protobuf(3,bytes,opt) +} + +// UserInfo holds the information about the user needed to implement the +// user.Info interface. 
+#UserInfo: { + // The name that uniquely identifies this user among all active users. + // +optional + username?: string @go(Username) @protobuf(1,bytes,opt) + + // A unique value that identifies this user across time. If this user is + // deleted and another user by the same name is added, they will have + // different UIDs. + // +optional + uid?: string @go(UID) @protobuf(2,bytes,opt) + + // The names of groups this user is a part of. + // +optional + groups?: [...string] @go(Groups,[]string) @protobuf(3,bytes,rep) + + // Any additional information provided by the authenticator. + // +optional + extra?: {[string]: #ExtraValue} @go(Extra,map[string]ExtraValue) @protobuf(4,bytes,rep) +} + +// ExtraValue masks the value so protobuf can generate +// +protobuf.nullable=true +// +protobuf.options.(gogoproto.goproto_stringer)=false +#ExtraValue: [...string] + +// TokenRequest requests a token for a given service account. +#TokenRequest: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec holds information about the request being evaluated + spec: #TokenRequestSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status is filled in by the server and indicates whether the token can be authenticated. + // +optional + status?: #TokenRequestStatus @go(Status) @protobuf(3,bytes,opt) +} + +// TokenRequestSpec contains client provided parameters of a token request. +#TokenRequestSpec: { + // Audiences are the intendend audiences of the token. A recipient of a + // token must identify themself with an identifier in the list of + // audiences of the token, and otherwise should reject the token. A + // token issued for multiple audiences may be used to authenticate + // against any of the audiences listed but implies a high degree of + // trust between the target audiences. 
+ audiences: [...string] @go(Audiences,[]string) @protobuf(1,bytes,rep) + + // ExpirationSeconds is the requested duration of validity of the request. The + // token issuer may return a token with a different validity duration so a + // client needs to check the 'expiration' field in a response. + // +optional + expirationSeconds?: null | int64 @go(ExpirationSeconds,*int64) @protobuf(4,varint,opt) + + // BoundObjectRef is a reference to an object that the token will be bound to. + // The token will only be valid for as long as the bound object exists. + // NOTE: The API server's TokenReview endpoint will validate the + // BoundObjectRef, but other audiences may not. Keep ExpirationSeconds + // small if you want prompt revocation. + // +optional + boundObjectRef?: null | #BoundObjectReference @go(BoundObjectRef,*BoundObjectReference) @protobuf(3,bytes,opt) +} + +// TokenRequestStatus is the result of a token request. +#TokenRequestStatus: { + // Token is the opaque bearer token. + token: string @go(Token) @protobuf(1,bytes,opt) + + // ExpirationTimestamp is the time of expiration of the returned token. + expirationTimestamp: metav1.#Time @go(ExpirationTimestamp) @protobuf(2,bytes,opt) +} + +// BoundObjectReference is a reference to an object that a token is bound to. +#BoundObjectReference: { + // Kind of the referent. Valid kinds are 'Pod' and 'Secret'. + // +optional + kind?: string @go(Kind) @protobuf(1,bytes,opt) + + // API version of the referent. + // +optional + apiVersion?: string @go(APIVersion) @protobuf(2,bytes,opt) + + // Name of the referent. + // +optional + name?: string @go(Name) @protobuf(3,bytes,opt) + + // UID of the referent. + // +optional + uid?: types.#UID @go(UID) @protobuf(4,bytes,opt,name=uID,casttype=k8s.io/apimachinery/pkg/types.UID) +} + +// SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. 
+// When using impersonation, users will receive the user info of the user being impersonated. If impersonation or +// request header authentication is used, any extra keys will have their case ignored and returned as lowercase. +#SelfSubjectReview: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Status is filled in by the server with the user attributes. + status?: #SelfSubjectReviewStatus @go(Status) @protobuf(2,bytes,opt) +} + +// SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user. +#SelfSubjectReviewStatus: { + // User attributes of the user making this request. + // +optional + userInfo?: #UserInfo @go(UserInfo) @protobuf(1,bytes,opt) +} diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/authorization/v1/register_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/authorization/v1/register_go_gen.cue new file mode 100644 index 000000000..afd54ec06 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/authorization/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/authorization/v1 + +package v1 + +#GroupName: "authorization.k8s.io" diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/authorization/v1/types_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/authorization/v1/types_go_gen.cue new file mode 100644 index 000000000..6eaf81871 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/authorization/v1/types_go_gen.cue 
@@ -0,0 +1,262 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/authorization/v1 + +package v1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// SubjectAccessReview checks whether or not a user or group can perform an action. +#SubjectAccessReview: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec holds information about the request being evaluated + spec: #SubjectAccessReviewSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status is filled in by the server and indicates whether the request is allowed or not + // +optional + status?: #SubjectAccessReviewStatus @go(Status) @protobuf(3,bytes,opt) +} + +// SelfSubjectAccessReview checks whether or the current user can perform an action. Not filling in a +// spec.namespace means "in all namespaces". Self is a special case, because users should always be able +// to check whether they can perform an action +#SelfSubjectAccessReview: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec holds information about the request being evaluated. user and groups must be empty + spec: #SelfSubjectAccessReviewSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status is filled in by the server and indicates whether the request is allowed or not + // +optional + status?: #SubjectAccessReviewStatus @go(Status) @protobuf(3,bytes,opt) +} + +// LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace. +// Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions +// checking. 
+#LocalSubjectAccessReview: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec holds information about the request being evaluated. spec.namespace must be equal to the namespace + // you made the request against. If empty, it is defaulted. + spec: #SubjectAccessReviewSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status is filled in by the server and indicates whether the request is allowed or not + // +optional + status?: #SubjectAccessReviewStatus @go(Status) @protobuf(3,bytes,opt) +} + +// ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface +#ResourceAttributes: { + // Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces + // "" (empty) is defaulted for LocalSubjectAccessReviews + // "" (empty) is empty for cluster-scoped resources + // "" (empty) means "all" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview + // +optional + namespace?: string @go(Namespace) @protobuf(1,bytes,opt) + + // Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy. "*" means all. + // +optional + verb?: string @go(Verb) @protobuf(2,bytes,opt) + + // Group is the API Group of the Resource. "*" means all. + // +optional + group?: string @go(Group) @protobuf(3,bytes,opt) + + // Version is the API Version of the Resource. "*" means all. + // +optional + version?: string @go(Version) @protobuf(4,bytes,opt) + + // Resource is one of the existing resource types. "*" means all. + // +optional + resource?: string @go(Resource) @protobuf(5,bytes,opt) + + // Subresource is one of the existing resource types. "" means none. 
+ // +optional + subresource?: string @go(Subresource) @protobuf(6,bytes,opt) + + // Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all. + // +optional + name?: string @go(Name) @protobuf(7,bytes,opt) +} + +// NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface +#NonResourceAttributes: { + // Path is the URL path of the request + // +optional + path?: string @go(Path) @protobuf(1,bytes,opt) + + // Verb is the standard HTTP verb + // +optional + verb?: string @go(Verb) @protobuf(2,bytes,opt) +} + +// SubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes +// and NonResourceAuthorizationAttributes must be set +#SubjectAccessReviewSpec: { + // ResourceAuthorizationAttributes describes information for a resource access request + // +optional + resourceAttributes?: null | #ResourceAttributes @go(ResourceAttributes,*ResourceAttributes) @protobuf(1,bytes,opt) + + // NonResourceAttributes describes information for a non-resource access request + // +optional + nonResourceAttributes?: null | #NonResourceAttributes @go(NonResourceAttributes,*NonResourceAttributes) @protobuf(2,bytes,opt) + + // User is the user you're testing for. + // If you specify "User" but not "Groups", then is it interpreted as "What if User were not a member of any groups + // +optional + user?: string @go(User) @protobuf(3,bytes,opt) + + // Groups is the groups you're testing for. + // +optional + groups?: [...string] @go(Groups,[]string) @protobuf(4,bytes,rep) + + // Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer + // it needs a reflection here. + // +optional + extra?: {[string]: #ExtraValue} @go(Extra,map[string]ExtraValue) @protobuf(5,bytes,rep) + + // UID information about the requesting user. 
+ // +optional + uid?: string @go(UID) @protobuf(6,bytes,opt) +} + +// ExtraValue masks the value so protobuf can generate +// +protobuf.nullable=true +// +protobuf.options.(gogoproto.goproto_stringer)=false +#ExtraValue: [...string] + +// SelfSubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes +// and NonResourceAuthorizationAttributes must be set +#SelfSubjectAccessReviewSpec: { + // ResourceAuthorizationAttributes describes information for a resource access request + // +optional + resourceAttributes?: null | #ResourceAttributes @go(ResourceAttributes,*ResourceAttributes) @protobuf(1,bytes,opt) + + // NonResourceAttributes describes information for a non-resource access request + // +optional + nonResourceAttributes?: null | #NonResourceAttributes @go(NonResourceAttributes,*NonResourceAttributes) @protobuf(2,bytes,opt) +} + +// SubjectAccessReviewStatus +#SubjectAccessReviewStatus: { + // Allowed is required. True if the action would be allowed, false otherwise. + allowed: bool @go(Allowed) @protobuf(1,varint,opt) + + // Denied is optional. True if the action would be denied, otherwise + // false. If both allowed is false and denied is false, then the + // authorizer has no opinion on whether to authorize the action. Denied + // may not be true if Allowed is true. + // +optional + denied?: bool @go(Denied) @protobuf(4,varint,opt) + + // Reason is optional. It indicates why a request was allowed or denied. + // +optional + reason?: string @go(Reason) @protobuf(2,bytes,opt) + + // EvaluationError is an indication that some error occurred during the authorization check. + // It is entirely possible to get an error and be able to continue determine authorization status in spite of it. + // For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request. 
+ // +optional + evaluationError?: string @go(EvaluationError) @protobuf(3,bytes,opt) +} + +// SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace. +// The returned list of actions may be incomplete depending on the server's authorization mode, +// and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions, +// or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to +// drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns. +// SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server. +#SelfSubjectRulesReview: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec holds information about the request being evaluated. + spec: #SelfSubjectRulesReviewSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status is filled in by the server and indicates the set of actions a user can perform. + // +optional + status?: #SubjectRulesReviewStatus @go(Status) @protobuf(3,bytes,opt) +} + +// SelfSubjectRulesReviewSpec defines the specification for SelfSubjectRulesReview. +#SelfSubjectRulesReviewSpec: { + // Namespace to evaluate rules for. Required. + namespace?: string @go(Namespace) @protobuf(1,bytes,opt) +} + +// SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on +// the set of authorizers the server is configured with and any errors experienced during evaluation. +// Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission, +// even if that list is incomplete. 
+#SubjectRulesReviewStatus: { + // ResourceRules is the list of actions the subject is allowed to perform on resources. + // The list ordering isn't significant, may contain duplicates, and possibly be incomplete. + resourceRules: [...#ResourceRule] @go(ResourceRules,[]ResourceRule) @protobuf(1,bytes,rep) + + // NonResourceRules is the list of actions the subject is allowed to perform on non-resources. + // The list ordering isn't significant, may contain duplicates, and possibly be incomplete. + nonResourceRules: [...#NonResourceRule] @go(NonResourceRules,[]NonResourceRule) @protobuf(2,bytes,rep) + + // Incomplete is true when the rules returned by this call are incomplete. This is most commonly + // encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation. + incomplete: bool @go(Incomplete) @protobuf(3,bytes,rep) + + // EvaluationError can appear in combination with Rules. It indicates an error occurred during + // rule evaluation, such as an authorizer that doesn't support rule evaluation, and that + // ResourceRules and/or NonResourceRules may be incomplete. + // +optional + evaluationError?: string @go(EvaluationError) @protobuf(4,bytes,opt) +} + +// ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, +// may contain duplicates, and possibly be incomplete. +#ResourceRule: { + // Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. "*" means all. + verbs: [...string] @go(Verbs,[]string) @protobuf(1,bytes,rep) + + // APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of + // the enumerated resources in any API group will be allowed. "*" means all. + // +optional + apiGroups?: [...string] @go(APIGroups,[]string) @protobuf(2,bytes,rep) + + // Resources is a list of resources this rule applies to. 
"*" means all in the specified apiGroups. + // "*/foo" represents the subresource 'foo' for all resources in the specified apiGroups. + // +optional + resources?: [...string] @go(Resources,[]string) @protobuf(3,bytes,rep) + + // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. "*" means all. + // +optional + resourceNames?: [...string] @go(ResourceNames,[]string) @protobuf(4,bytes,rep) +} + +// NonResourceRule holds information that describes a rule for the non-resource +#NonResourceRule: { + // Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. "*" means all. + verbs: [...string] @go(Verbs,[]string) @protobuf(1,bytes,rep) + + // NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, + // final step in the path. "*" means all. + // +optional + nonResourceURLs?: [...string] @go(NonResourceURLs,[]string) @protobuf(2,bytes,rep) +} diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/autoscaling/v1/register_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/autoscaling/v1/register_go_gen.cue new file mode 100644 index 000000000..0a7f3423c --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/autoscaling/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/autoscaling/v1 + +package v1 + +#GroupName: "autoscaling" diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/autoscaling/v1/types_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/autoscaling/v1/types_go_gen.cue new file mode 100644 index 000000000..6e873a358 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/autoscaling/v1/types_go_gen.cue 
@@ -0,0 +1,542 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/autoscaling/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/api/resource" + "k8s.io/api/core/v1" +) + +// CrossVersionObjectReference contains enough information to let you identify the referred resource. +// +structType=atomic +#CrossVersionObjectReference: { + // kind is the kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: string @go(Kind) @protobuf(1,bytes,opt) + + // name is the name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name: string @go(Name) @protobuf(2,bytes,opt) + + // apiVersion is the API version of the referent + // +optional + apiVersion?: string @go(APIVersion) @protobuf(3,bytes,opt) +} + +// specification of a horizontal pod autoscaler. +#HorizontalPodAutoscalerSpec: { + // reference to scaled resource; horizontal pod autoscaler will learn the current resource consumption + // and will set the desired number of pods by using its Scale subresource. + scaleTargetRef: #CrossVersionObjectReference @go(ScaleTargetRef) @protobuf(1,bytes,opt) + + // minReplicas is the lower limit for the number of replicas to which the autoscaler + // can scale down. It defaults to 1 pod. minReplicas is allowed to be 0 if the + // alpha feature gate HPAScaleToZero is enabled and at least one Object or External + // metric is configured. Scaling is active as long as at least one metric value is + // available. + // +optional + minReplicas?: null | int32 @go(MinReplicas,*int32) @protobuf(2,varint,opt) + + // maxReplicas is the upper limit for the number of pods that can be set by the autoscaler; cannot be smaller than MinReplicas. 
+ maxReplicas: int32 @go(MaxReplicas) @protobuf(3,varint,opt) + + // targetCPUUtilizationPercentage is the target average CPU utilization (represented as a percentage of requested CPU) over all the pods; + // if not specified the default autoscaling policy will be used. + // +optional + targetCPUUtilizationPercentage?: null | int32 @go(TargetCPUUtilizationPercentage,*int32) @protobuf(4,varint,opt) +} + +// current status of a horizontal pod autoscaler +#HorizontalPodAutoscalerStatus: { + // observedGeneration is the most recent generation observed by this autoscaler. + // +optional + observedGeneration?: null | int64 @go(ObservedGeneration,*int64) @protobuf(1,varint,opt) + + // lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods; + // used by the autoscaler to control how often the number of pods is changed. + // +optional + lastScaleTime?: null | metav1.#Time @go(LastScaleTime,*metav1.Time) @protobuf(2,bytes,opt) + + // currentReplicas is the current number of replicas of pods managed by this autoscaler. + currentReplicas: int32 @go(CurrentReplicas) @protobuf(3,varint,opt) + + // desiredReplicas is the desired number of replicas of pods managed by this autoscaler. + desiredReplicas: int32 @go(DesiredReplicas) @protobuf(4,varint,opt) + + // currentCPUUtilizationPercentage is the current average CPU utilization over all pods, represented as a percentage of requested CPU, + // e.g. 70 means that an average pod is using now 70% of its requested CPU. + // +optional + currentCPUUtilizationPercentage?: null | int32 @go(CurrentCPUUtilizationPercentage,*int32) @protobuf(5,varint,opt) +} + +// configuration of a horizontal pod autoscaler. +#HorizontalPodAutoscaler: { + metav1.#TypeMeta + + // Standard object metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec defines the behaviour of autoscaler. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. + // +optional + spec?: #HorizontalPodAutoscalerSpec @go(Spec) @protobuf(2,bytes,opt) + + // status is the current information about the autoscaler. + // +optional + status?: #HorizontalPodAutoscalerStatus @go(Status) @protobuf(3,bytes,opt) +} + +// list of horizontal pod autoscaler objects. +#HorizontalPodAutoscalerList: { + metav1.#TypeMeta + + // Standard list metadata. + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of horizontal pod autoscaler objects. + items: [...#HorizontalPodAutoscaler] @go(Items,[]HorizontalPodAutoscaler) @protobuf(2,bytes,rep) +} + +// Scale represents a scaling request for a resource. +#Scale: { + metav1.#TypeMeta + + // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata. + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. + // +optional + spec?: #ScaleSpec @go(Spec) @protobuf(2,bytes,opt) + + // status is the current status of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. Read-only. + // +optional + status?: #ScaleStatus @go(Status) @protobuf(3,bytes,opt) +} + +// ScaleSpec describes the attributes of a scale subresource. +#ScaleSpec: { + // replicas is the desired number of instances for the scaled object. 
+ // +optional + replicas?: int32 @go(Replicas) @protobuf(1,varint,opt) +} + +// ScaleStatus represents the current status of a scale subresource. +#ScaleStatus: { + // replicas is the actual number of observed instances of the scaled object. + replicas: int32 @go(Replicas) @protobuf(1,varint,opt) + + // selector is the label query over pods that should match the replicas count. This is same + // as the label selector but in the string format to avoid introspection + // by clients. The string will be in the same format as the query-param syntax. + // More info about label selectors: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + // +optional + selector?: string @go(Selector) @protobuf(2,bytes,opt) +} + +// MetricSourceType indicates the type of metric. +// +enum +#MetricSourceType: string // #enumMetricSourceType + +#enumMetricSourceType: + #ObjectMetricSourceType | + #PodsMetricSourceType | + #ResourceMetricSourceType | + #ContainerResourceMetricSourceType | + #ExternalMetricSourceType + +// ObjectMetricSourceType is a metric describing a kubernetes object +// (for example, hits-per-second on an Ingress object). +#ObjectMetricSourceType: #MetricSourceType & "Object" + +// PodsMetricSourceType is a metric describing each pod in the current scale +// target (for example, transactions-processed-per-second). The values +// will be averaged together before being compared to the target value. +#PodsMetricSourceType: #MetricSourceType & "Pods" + +// ResourceMetricSourceType is a resource metric known to Kubernetes, as +// specified in requests and limits, describing each pod in the current +// scale target (e.g. CPU or memory). Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available +// to normal per-pod metrics (the "pods" source). 
+#ResourceMetricSourceType: #MetricSourceType & "Resource" + +// ContainerResourceMetricSourceType is a resource metric known to Kubernetes, as +// specified in requests and limits, describing a single container in each pod in the current +// scale target (e.g. CPU or memory). Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available +// to normal per-pod metrics (the "pods" source). +#ContainerResourceMetricSourceType: #MetricSourceType & "ContainerResource" + +// ExternalMetricSourceType is a global metric that is not associated +// with any Kubernetes object. It allows autoscaling based on information +// coming from components running outside of cluster +// (for example length of queue in cloud messaging service, or +// QPS from loadbalancer running outside of cluster). +#ExternalMetricSourceType: #MetricSourceType & "External" + +// MetricSpec specifies how to scale based on a single metric +// (only `type` and one other matching field should be set at once). +#MetricSpec: { + // type is the type of metric source. It should be one of "ContainerResource", + // "External", "Object", "Pods" or "Resource", each mapping to a matching field in the object. + // Note: "ContainerResource" type is available on when the feature-gate + // HPAContainerMetrics is enabled + type: #MetricSourceType @go(Type) @protobuf(1,bytes) + + // object refers to a metric describing a single kubernetes object + // (for example, hits-per-second on an Ingress object). + // +optional + object?: null | #ObjectMetricSource @go(Object,*ObjectMetricSource) @protobuf(2,bytes,opt) + + // pods refers to a metric describing each pod in the current scale target + // (for example, transactions-processed-per-second). The values will be + // averaged together before being compared to the target value. 
+ // +optional + pods?: null | #PodsMetricSource @go(Pods,*PodsMetricSource) @protobuf(3,bytes,opt) + + // resource refers to a resource metric (such as those specified in + // requests and limits) known to Kubernetes describing each pod in the + // current scale target (e.g. CPU or memory). Such metrics are built in to + // Kubernetes, and have special scaling options on top of those available + // to normal per-pod metrics using the "pods" source. + // +optional + resource?: null | #ResourceMetricSource @go(Resource,*ResourceMetricSource) @protobuf(4,bytes,opt) + + // containerResource refers to a resource metric (such as those specified in + // requests and limits) known to Kubernetes describing a single container in each pod of the + // current scale target (e.g. CPU or memory). Such metrics are built in to + // Kubernetes, and have special scaling options on top of those available + // to normal per-pod metrics using the "pods" source. + // This is an alpha feature and can be enabled by the HPAContainerMetrics feature flag. + // +optional + containerResource?: null | #ContainerResourceMetricSource @go(ContainerResource,*ContainerResourceMetricSource) @protobuf(7,bytes,opt) + + // external refers to a global metric that is not associated + // with any Kubernetes object. It allows autoscaling based on information + // coming from components running outside of cluster + // (for example length of queue in cloud messaging service, or + // QPS from loadbalancer running outside of cluster). + // +optional + external?: null | #ExternalMetricSource @go(External,*ExternalMetricSource) @protobuf(5,bytes,opt) +} + +// ObjectMetricSource indicates how to scale on a metric describing a +// kubernetes object (for example, hits-per-second on an Ingress object). +#ObjectMetricSource: { + // target is the described Kubernetes object. + target: #CrossVersionObjectReference @go(Target) @protobuf(1,bytes) + + // metricName is the name of the metric in question. 
+ metricName: string @go(MetricName) @protobuf(2,bytes) + + // targetValue is the target value of the metric (as a quantity). + targetValue: resource.#Quantity @go(TargetValue) @protobuf(3,bytes) + + // selector is the string-encoded form of a standard kubernetes label selector for the given metric. + // When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping + // When unset, just the metricName will be used to gather metrics. + // +optional + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(4,bytes) + + // averageValue is the target value of the average of the + // metric across all relevant pods (as a quantity) + // +optional + averageValue?: null | resource.#Quantity @go(AverageValue,*resource.Quantity) @protobuf(5,bytes) +} + +// PodsMetricSource indicates how to scale on a metric describing each pod in +// the current scale target (for example, transactions-processed-per-second). +// The values will be averaged together before being compared to the target +// value. +#PodsMetricSource: { + // metricName is the name of the metric in question + metricName: string @go(MetricName) @protobuf(1,bytes) + + // targetAverageValue is the target value of the average of the + // metric across all relevant pods (as a quantity) + targetAverageValue: resource.#Quantity @go(TargetAverageValue) @protobuf(2,bytes) + + // selector is the string-encoded form of a standard kubernetes label selector for the given metric + // When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping + // When unset, just the metricName will be used to gather metrics. + // +optional + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(3,bytes) +} + +// ResourceMetricSource indicates how to scale on a resource metric known to +// Kubernetes, as specified in requests and limits, describing each pod in the +// current scale target (e.g. 
CPU or memory). The values will be averaged +// together before being compared to the target. Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available to +// normal per-pod metrics using the "pods" source. Only one "target" type +// should be set. +#ResourceMetricSource: { + // name is the name of the resource in question. + name: v1.#ResourceName @go(Name) @protobuf(1,bytes) + + // targetAverageUtilization is the target value of the average of the + // resource metric across all relevant pods, represented as a percentage of + // the requested value of the resource for the pods. + // +optional + targetAverageUtilization?: null | int32 @go(TargetAverageUtilization,*int32) @protobuf(2,varint,opt) + + // targetAverageValue is the target value of the average of the + // resource metric across all relevant pods, as a raw value (instead of as + // a percentage of the request), similar to the "pods" metric source type. + // +optional + targetAverageValue?: null | resource.#Quantity @go(TargetAverageValue,*resource.Quantity) @protobuf(3,bytes,opt) +} + +// ContainerResourceMetricSource indicates how to scale on a resource metric known to +// Kubernetes, as specified in the requests and limits, describing a single container in +// each of the pods of the current scale target(e.g. CPU or memory). The values will be +// averaged together before being compared to the target. Such metrics are built into +// Kubernetes, and have special scaling options on top of those available to +// normal per-pod metrics using the "pods" source. Only one "target" type +// should be set. +#ContainerResourceMetricSource: { + // name is the name of the resource in question. + name: v1.#ResourceName @go(Name) @protobuf(1,bytes) + + // targetAverageUtilization is the target value of the average of the + // resource metric across all relevant pods, represented as a percentage of + // the requested value of the resource for the pods. 
+ // +optional + targetAverageUtilization?: null | int32 @go(TargetAverageUtilization,*int32) @protobuf(2,varint,opt) + + // targetAverageValue is the target value of the average of the + // resource metric across all relevant pods, as a raw value (instead of as + // a percentage of the request), similar to the "pods" metric source type. + // +optional + targetAverageValue?: null | resource.#Quantity @go(TargetAverageValue,*resource.Quantity) @protobuf(3,bytes,opt) + + // container is the name of the container in the pods of the scaling target. + container: string @go(Container) @protobuf(5,bytes,opt) +} + +// ExternalMetricSource indicates how to scale on a metric not associated with +// any Kubernetes object (for example length of queue in cloud +// messaging service, or QPS from loadbalancer running outside of cluster). +#ExternalMetricSource: { + // metricName is the name of the metric in question. + metricName: string @go(MetricName) @protobuf(1,bytes) + + // metricSelector is used to identify a specific time series + // within a given metric. + // +optional + metricSelector?: null | metav1.#LabelSelector @go(MetricSelector,*metav1.LabelSelector) @protobuf(2,bytes,opt) + + // targetValue is the target value of the metric (as a quantity). + // Mutually exclusive with TargetAverageValue. + // +optional + targetValue?: null | resource.#Quantity @go(TargetValue,*resource.Quantity) @protobuf(3,bytes,opt) + + // targetAverageValue is the target per-pod value of global metric (as a quantity). + // Mutually exclusive with TargetValue. + // +optional + targetAverageValue?: null | resource.#Quantity @go(TargetAverageValue,*resource.Quantity) @protobuf(4,bytes,opt) +} + +// MetricStatus describes the last-read state of a single metric. +#MetricStatus: { + // type is the type of metric source. It will be one of "ContainerResource", + // "External", "Object", "Pods" or "Resource", each corresponds to a matching field in the object. 
+ // Note: "ContainerResource" type is available on when the feature-gate + // HPAContainerMetrics is enabled + type: #MetricSourceType @go(Type) @protobuf(1,bytes) + + // object refers to a metric describing a single kubernetes object + // (for example, hits-per-second on an Ingress object). + // +optional + object?: null | #ObjectMetricStatus @go(Object,*ObjectMetricStatus) @protobuf(2,bytes,opt) + + // pods refers to a metric describing each pod in the current scale target + // (for example, transactions-processed-per-second). The values will be + // averaged together before being compared to the target value. + // +optional + pods?: null | #PodsMetricStatus @go(Pods,*PodsMetricStatus) @protobuf(3,bytes,opt) + + // resource refers to a resource metric (such as those specified in + // requests and limits) known to Kubernetes describing each pod in the + // current scale target (e.g. CPU or memory). Such metrics are built in to + // Kubernetes, and have special scaling options on top of those available + // to normal per-pod metrics using the "pods" source. + // +optional + resource?: null | #ResourceMetricStatus @go(Resource,*ResourceMetricStatus) @protobuf(4,bytes,opt) + + // containerResource refers to a resource metric (such as those specified in + // requests and limits) known to Kubernetes describing a single container in each pod in the + // current scale target (e.g. CPU or memory). Such metrics are built in to + // Kubernetes, and have special scaling options on top of those available + // to normal per-pod metrics using the "pods" source. + // +optional + containerResource?: null | #ContainerResourceMetricStatus @go(ContainerResource,*ContainerResourceMetricStatus) @protobuf(7,bytes,opt) + + // external refers to a global metric that is not associated + // with any Kubernetes object. 
It allows autoscaling based on information + // coming from components running outside of cluster + // (for example length of queue in cloud messaging service, or + // QPS from loadbalancer running outside of cluster). + // +optional + external?: null | #ExternalMetricStatus @go(External,*ExternalMetricStatus) @protobuf(5,bytes,opt) +} + +// HorizontalPodAutoscalerConditionType are the valid conditions of +// a HorizontalPodAutoscaler. +#HorizontalPodAutoscalerConditionType: string // #enumHorizontalPodAutoscalerConditionType + +#enumHorizontalPodAutoscalerConditionType: + #ScalingActive | + #AbleToScale | + #ScalingLimited + +// ScalingActive indicates that the HPA controller is able to scale if necessary: +// it's correctly configured, can fetch the desired metrics, and isn't disabled. +#ScalingActive: #HorizontalPodAutoscalerConditionType & "ScalingActive" + +// AbleToScale indicates a lack of transient issues which prevent scaling from occurring, +// such as being in a backoff window, or being unable to access/update the target scale. +#AbleToScale: #HorizontalPodAutoscalerConditionType & "AbleToScale" + +// ScalingLimited indicates that the calculated scale based on metrics would be above or +// below the range for the HPA, and has thus been capped. +#ScalingLimited: #HorizontalPodAutoscalerConditionType & "ScalingLimited" + +// HorizontalPodAutoscalerCondition describes the state of +// a HorizontalPodAutoscaler at a certain point. 
+#HorizontalPodAutoscalerCondition: { + // type describes the current condition + type: #HorizontalPodAutoscalerConditionType @go(Type) @protobuf(1,bytes) + + // status is the status of the condition (True, False, Unknown) + status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes) + + // lastTransitionTime is the last time the condition transitioned from + // one status to another + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt) + + // reason is the reason for the condition's last transition. + // +optional + reason?: string @go(Reason) @protobuf(4,bytes,opt) + + // message is a human-readable explanation containing details about + // the transition + // +optional + message?: string @go(Message) @protobuf(5,bytes,opt) +} + +// ObjectMetricStatus indicates the current value of a metric describing a +// kubernetes object (for example, hits-per-second on an Ingress object). +#ObjectMetricStatus: { + // target is the described Kubernetes object. + target: #CrossVersionObjectReference @go(Target) @protobuf(1,bytes) + + // metricName is the name of the metric in question. + metricName: string @go(MetricName) @protobuf(2,bytes) + + // currentValue is the current value of the metric (as a quantity). + currentValue: resource.#Quantity @go(CurrentValue) @protobuf(3,bytes) + + // selector is the string-encoded form of a standard kubernetes label selector for the given metric + // When set in the ObjectMetricSource, it is passed as an additional parameter to the metrics server for more specific metrics scoping. + // When unset, just the metricName will be used to gather metrics. 
+ // +optional + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(4,bytes) + + // averageValue is the current value of the average of the + // metric across all relevant pods (as a quantity) + // +optional + averageValue?: null | resource.#Quantity @go(AverageValue,*resource.Quantity) @protobuf(5,bytes) +} + +// PodsMetricStatus indicates the current value of a metric describing each pod in +// the current scale target (for example, transactions-processed-per-second). +#PodsMetricStatus: { + // metricName is the name of the metric in question + metricName: string @go(MetricName) @protobuf(1,bytes) + + // currentAverageValue is the current value of the average of the + // metric across all relevant pods (as a quantity) + currentAverageValue: resource.#Quantity @go(CurrentAverageValue) @protobuf(2,bytes) + + // selector is the string-encoded form of a standard kubernetes label selector for the given metric + // When set in the PodsMetricSource, it is passed as an additional parameter to the metrics server for more specific metrics scoping. + // When unset, just the metricName will be used to gather metrics. + // +optional + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(3,bytes) +} + +// ResourceMetricStatus indicates the current value of a resource metric known to +// Kubernetes, as specified in requests and limits, describing each pod in the +// current scale target (e.g. CPU or memory). Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available to +// normal per-pod metrics using the "pods" source. +#ResourceMetricStatus: { + // name is the name of the resource in question. + name: v1.#ResourceName @go(Name) @protobuf(1,bytes) + + // currentAverageUtilization is the current value of the average of the + // resource metric across all relevant pods, represented as a percentage of + // the requested value of the resource for the pods. 
It will only be + // present if `targetAverageValue` was set in the corresponding metric + // specification. + // +optional + currentAverageUtilization?: null | int32 @go(CurrentAverageUtilization,*int32) @protobuf(2,bytes,opt) + + // currentAverageValue is the current value of the average of the + // resource metric across all relevant pods, as a raw value (instead of as + // a percentage of the request), similar to the "pods" metric source type. + // It will always be set, regardless of the corresponding metric specification. + currentAverageValue: resource.#Quantity @go(CurrentAverageValue) @protobuf(3,bytes) +} + +// ContainerResourceMetricStatus indicates the current value of a resource metric known to +// Kubernetes, as specified in requests and limits, describing a single container in each pod in the +// current scale target (e.g. CPU or memory). Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available to +// normal per-pod metrics using the "pods" source. +#ContainerResourceMetricStatus: { + // name is the name of the resource in question. + name: v1.#ResourceName @go(Name) @protobuf(1,bytes) + + // currentAverageUtilization is the current value of the average of the + // resource metric across all relevant pods, represented as a percentage of + // the requested value of the resource for the pods. It will only be + // present if `targetAverageValue` was set in the corresponding metric + // specification. + // +optional + currentAverageUtilization?: null | int32 @go(CurrentAverageUtilization,*int32) @protobuf(2,bytes,opt) + + // currentAverageValue is the current value of the average of the + // resource metric across all relevant pods, as a raw value (instead of as + // a percentage of the request), similar to the "pods" metric source type. + // It will always be set, regardless of the corresponding metric specification. 
+ currentAverageValue: resource.#Quantity @go(CurrentAverageValue) @protobuf(3,bytes) + + // container is the name of the container in the pods of the scaling taget + container: string @go(Container) @protobuf(4,bytes,opt) +} + +// ExternalMetricStatus indicates the current value of a global metric +// not associated with any Kubernetes object. +#ExternalMetricStatus: { + // metricName is the name of a metric used for autoscaling in + // metric system. + metricName: string @go(MetricName) @protobuf(1,bytes) + + // metricSelector is used to identify a specific time series + // within a given metric. + // +optional + metricSelector?: null | metav1.#LabelSelector @go(MetricSelector,*metav1.LabelSelector) @protobuf(2,bytes,opt) + + // currentValue is the current value of the metric (as a quantity) + currentValue: resource.#Quantity @go(CurrentValue) @protobuf(3,bytes) + + // currentAverageValue is the current value of metric averaged over autoscaled pods. + // +optional + currentAverageValue?: null | resource.#Quantity @go(CurrentAverageValue,*resource.Quantity) @protobuf(4,bytes,opt) +} diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/autoscaling/v2/register_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/autoscaling/v2/register_go_gen.cue new file mode 100644 index 000000000..aea0fb269 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/autoscaling/v2/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/autoscaling/v2 + +package v2 + +#GroupName: "autoscaling" diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/autoscaling/v2/types_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/autoscaling/v2/types_go_gen.cue new file mode 100644 index 000000000..767020856 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/autoscaling/v2/types_go_gen.cue 
@@ -0,0 +1,597 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/autoscaling/v2 + +package v2 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/resource" +) + +// HorizontalPodAutoscaler is the configuration for a horizontal pod +// autoscaler, which automatically manages the replica count of any resource +// implementing the scale subresource based on the metrics specified. +#HorizontalPodAutoscaler: { + metav1.#TypeMeta + + // metadata is the standard object metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec is the specification for the behaviour of the autoscaler. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. + // +optional + spec?: #HorizontalPodAutoscalerSpec @go(Spec) @protobuf(2,bytes,opt) + + // status is the current information about the autoscaler. + // +optional + status?: #HorizontalPodAutoscalerStatus @go(Status) @protobuf(3,bytes,opt) +} + +// HorizontalPodAutoscalerSpec describes the desired functionality of the HorizontalPodAutoscaler. +#HorizontalPodAutoscalerSpec: { + // scaleTargetRef points to the target resource to scale, and is used to the pods for which metrics + // should be collected, as well as to actually change the replica count. + scaleTargetRef: #CrossVersionObjectReference @go(ScaleTargetRef) @protobuf(1,bytes,opt) + + // minReplicas is the lower limit for the number of replicas to which the autoscaler + // can scale down. It defaults to 1 pod. minReplicas is allowed to be 0 if the + // alpha feature gate HPAScaleToZero is enabled and at least one Object or External + // metric is configured. Scaling is active as long as at least one metric value is + // available. 
+ // +optional + minReplicas?: null | int32 @go(MinReplicas,*int32) @protobuf(2,varint,opt) + + // maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up. + // It cannot be less that minReplicas. + maxReplicas: int32 @go(MaxReplicas) @protobuf(3,varint,opt) + + // metrics contains the specifications for which to use to calculate the + // desired replica count (the maximum replica count across all metrics will + // be used). The desired replica count is calculated multiplying the + // ratio between the target value and the current value by the current + // number of pods. Ergo, metrics used must decrease as the pod count is + // increased, and vice-versa. See the individual metric source types for + // more information about how each type of metric must respond. + // If not set, the default metric will be set to 80% average CPU utilization. + // +listType=atomic + // +optional + metrics?: [...#MetricSpec] @go(Metrics,[]MetricSpec) @protobuf(4,bytes,rep) + + // behavior configures the scaling behavior of the target + // in both Up and Down directions (scaleUp and scaleDown fields respectively). + // If not set, the default HPAScalingRules for scale up and scale down are used. + // +optional + behavior?: null | #HorizontalPodAutoscalerBehavior @go(Behavior,*HorizontalPodAutoscalerBehavior) @protobuf(5,bytes,opt) +} + +// CrossVersionObjectReference contains enough information to let you identify the referred resource. 
+#CrossVersionObjectReference: { + // kind is the kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: string @go(Kind) @protobuf(1,bytes,opt) + + // name is the name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name: string @go(Name) @protobuf(2,bytes,opt) + + // apiVersion is the API version of the referent + // +optional + apiVersion?: string @go(APIVersion) @protobuf(3,bytes,opt) +} + +// MetricSpec specifies how to scale based on a single metric +// (only `type` and one other matching field should be set at once). +#MetricSpec: { + // type is the type of metric source. It should be one of "ContainerResource", "External", + // "Object", "Pods" or "Resource", each mapping to a matching field in the object. + // Note: "ContainerResource" type is available on when the feature-gate + // HPAContainerMetrics is enabled + type: #MetricSourceType @go(Type) @protobuf(1,bytes) + + // object refers to a metric describing a single kubernetes object + // (for example, hits-per-second on an Ingress object). + // +optional + object?: null | #ObjectMetricSource @go(Object,*ObjectMetricSource) @protobuf(2,bytes,opt) + + // pods refers to a metric describing each pod in the current scale target + // (for example, transactions-processed-per-second). The values will be + // averaged together before being compared to the target value. + // +optional + pods?: null | #PodsMetricSource @go(Pods,*PodsMetricSource) @protobuf(3,bytes,opt) + + // resource refers to a resource metric (such as those specified in + // requests and limits) known to Kubernetes describing each pod in the + // current scale target (e.g. CPU or memory). Such metrics are built in to + // Kubernetes, and have special scaling options on top of those available + // to normal per-pod metrics using the "pods" source. 
+ // +optional + resource?: null | #ResourceMetricSource @go(Resource,*ResourceMetricSource) @protobuf(4,bytes,opt) + + // containerResource refers to a resource metric (such as those specified in + // requests and limits) known to Kubernetes describing a single container in + // each pod of the current scale target (e.g. CPU or memory). Such metrics are + // built in to Kubernetes, and have special scaling options on top of those + // available to normal per-pod metrics using the "pods" source. + // This is an alpha feature and can be enabled by the HPAContainerMetrics feature flag. + // +optional + containerResource?: null | #ContainerResourceMetricSource @go(ContainerResource,*ContainerResourceMetricSource) @protobuf(7,bytes,opt) + + // external refers to a global metric that is not associated + // with any Kubernetes object. It allows autoscaling based on information + // coming from components running outside of cluster + // (for example length of queue in cloud messaging service, or + // QPS from loadbalancer running outside of cluster). + // +optional + external?: null | #ExternalMetricSource @go(External,*ExternalMetricSource) @protobuf(5,bytes,opt) +} + +// HorizontalPodAutoscalerBehavior configures the scaling behavior of the target +// in both Up and Down directions (scaleUp and scaleDown fields respectively). +#HorizontalPodAutoscalerBehavior: { + // scaleUp is scaling policy for scaling Up. + // If not set, the default value is the higher of: + // * increase no more than 4 pods per 60 seconds + // * double the number of pods per 60 seconds + // No stabilization is used. + // +optional + scaleUp?: null | #HPAScalingRules @go(ScaleUp,*HPAScalingRules) @protobuf(1,bytes,opt) + + // scaleDown is scaling policy for scaling Down. + // If not set, the default value is to allow to scale down to minReplicas pods, with a + // 300 second stabilization window (i.e., the highest recommendation for + // the last 300sec is used). 
+ // +optional + scaleDown?: null | #HPAScalingRules @go(ScaleDown,*HPAScalingRules) @protobuf(2,bytes,opt) +} + +// ScalingPolicySelect is used to specify which policy should be used while scaling in a certain direction +#ScalingPolicySelect: string // #enumScalingPolicySelect + +#enumScalingPolicySelect: + #MaxChangePolicySelect | + #MinChangePolicySelect | + #DisabledPolicySelect + +// MaxChangePolicySelect selects the policy with the highest possible change. +#MaxChangePolicySelect: #ScalingPolicySelect & "Max" + +// MinChangePolicySelect selects the policy with the lowest possible change. +#MinChangePolicySelect: #ScalingPolicySelect & "Min" + +// DisabledPolicySelect disables the scaling in this direction. +#DisabledPolicySelect: #ScalingPolicySelect & "Disabled" + +// HPAScalingRules configures the scaling behavior for one direction. +// These Rules are applied after calculating DesiredReplicas from metrics for the HPA. +// They can limit the scaling velocity by specifying scaling policies. +// They can prevent flapping by specifying the stabilization window, so that the +// number of replicas is not set instantly, instead, the safest value from the stabilization +// window is chosen. +#HPAScalingRules: { + // stabilizationWindowSeconds is the number of seconds for which past recommendations should be + // considered while scaling up or scaling down. + // StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour). + // If not set, use the default values: + // - For scale up: 0 (i.e. no stabilization is done). + // - For scale down: 300 (i.e. the stabilization window is 300 seconds long). + // +optional + stabilizationWindowSeconds?: null | int32 @go(StabilizationWindowSeconds,*int32) @protobuf(3,varint,opt) + + // selectPolicy is used to specify which policy should be used. + // If not set, the default value Max is used. 
+ // +optional + selectPolicy?: null | #ScalingPolicySelect @go(SelectPolicy,*ScalingPolicySelect) @protobuf(1,bytes,opt) + + // policies is a list of potential scaling polices which can be used during scaling. + // At least one policy must be specified, otherwise the HPAScalingRules will be discarded as invalid + // +listType=atomic + // +optional + policies?: [...#HPAScalingPolicy] @go(Policies,[]HPAScalingPolicy) @protobuf(2,bytes,rep) +} + +// HPAScalingPolicyType is the type of the policy which could be used while making scaling decisions. +#HPAScalingPolicyType: string // #enumHPAScalingPolicyType + +#enumHPAScalingPolicyType: + #PodsScalingPolicy | + #PercentScalingPolicy + +// PodsScalingPolicy is a policy used to specify a change in absolute number of pods. +#PodsScalingPolicy: #HPAScalingPolicyType & "Pods" + +// PercentScalingPolicy is a policy used to specify a relative amount of change with respect to +// the current number of pods. +#PercentScalingPolicy: #HPAScalingPolicyType & "Percent" + +// HPAScalingPolicy is a single policy which must hold true for a specified past interval. +#HPAScalingPolicy: { + // type is used to specify the scaling policy. + type: #HPAScalingPolicyType @go(Type) @protobuf(1,bytes,opt,casttype=HPAScalingPolicyType) + + // value contains the amount of change which is permitted by the policy. + // It must be greater than zero + value: int32 @go(Value) @protobuf(2,varint,opt) + + // periodSeconds specifies the window of time for which the policy should hold true. + // PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). + periodSeconds: int32 @go(PeriodSeconds) @protobuf(3,varint,opt) +} + +// MetricSourceType indicates the type of metric. 
+#MetricSourceType: string // #enumMetricSourceType + +#enumMetricSourceType: + #ObjectMetricSourceType | + #PodsMetricSourceType | + #ResourceMetricSourceType | + #ContainerResourceMetricSourceType | + #ExternalMetricSourceType + +// ObjectMetricSourceType is a metric describing a kubernetes object +// (for example, hits-per-second on an Ingress object). +#ObjectMetricSourceType: #MetricSourceType & "Object" + +// PodsMetricSourceType is a metric describing each pod in the current scale +// target (for example, transactions-processed-per-second). The values +// will be averaged together before being compared to the target value. +#PodsMetricSourceType: #MetricSourceType & "Pods" + +// ResourceMetricSourceType is a resource metric known to Kubernetes, as +// specified in requests and limits, describing each pod in the current +// scale target (e.g. CPU or memory). Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available +// to normal per-pod metrics (the "pods" source). +#ResourceMetricSourceType: #MetricSourceType & "Resource" + +// ContainerResourceMetricSourceType is a resource metric known to Kubernetes, as +// specified in requests and limits, describing a single container in each pod in the current +// scale target (e.g. CPU or memory). Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available +// to normal per-pod metrics (the "pods" source). +#ContainerResourceMetricSourceType: #MetricSourceType & "ContainerResource" + +// ExternalMetricSourceType is a global metric that is not associated +// with any Kubernetes object. It allows autoscaling based on information +// coming from components running outside of cluster +// (for example length of queue in cloud messaging service, or +// QPS from loadbalancer running outside of cluster). 
+#ExternalMetricSourceType: #MetricSourceType & "External" + +// ObjectMetricSource indicates how to scale on a metric describing a +// kubernetes object (for example, hits-per-second on an Ingress object). +#ObjectMetricSource: { + // describedObject specifies the descriptions of a object,such as kind,name apiVersion + describedObject: #CrossVersionObjectReference @go(DescribedObject) @protobuf(1,bytes) + + // target specifies the target value for the given metric + target: #MetricTarget @go(Target) @protobuf(2,bytes) + + // metric identifies the target metric by name and selector + metric: #MetricIdentifier @go(Metric) @protobuf(3,bytes) +} + +// PodsMetricSource indicates how to scale on a metric describing each pod in +// the current scale target (for example, transactions-processed-per-second). +// The values will be averaged together before being compared to the target +// value. +#PodsMetricSource: { + // metric identifies the target metric by name and selector + metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes) + + // target specifies the target value for the given metric + target: #MetricTarget @go(Target) @protobuf(2,bytes) +} + +// ResourceMetricSource indicates how to scale on a resource metric known to +// Kubernetes, as specified in requests and limits, describing each pod in the +// current scale target (e.g. CPU or memory). The values will be averaged +// together before being compared to the target. Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available to +// normal per-pod metrics using the "pods" source. Only one "target" type +// should be set. +#ResourceMetricSource: { + // name is the name of the resource in question. 
+ name: v1.#ResourceName @go(Name) @protobuf(1,bytes) + + // target specifies the target value for the given metric + target: #MetricTarget @go(Target) @protobuf(2,bytes) +} + +// ContainerResourceMetricSource indicates how to scale on a resource metric known to +// Kubernetes, as specified in requests and limits, describing each pod in the +// current scale target (e.g. CPU or memory). The values will be averaged +// together before being compared to the target. Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available to +// normal per-pod metrics using the "pods" source. Only one "target" type +// should be set. +#ContainerResourceMetricSource: { + // name is the name of the resource in question. + name: v1.#ResourceName @go(Name) @protobuf(1,bytes) + + // target specifies the target value for the given metric + target: #MetricTarget @go(Target) @protobuf(2,bytes) + + // container is the name of the container in the pods of the scaling target + container: string @go(Container) @protobuf(3,bytes,opt) +} + +// ExternalMetricSource indicates how to scale on a metric not associated with +// any Kubernetes object (for example length of queue in cloud +// messaging service, or QPS from loadbalancer running outside of cluster). +#ExternalMetricSource: { + // metric identifies the target metric by name and selector + metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes) + + // target specifies the target value for the given metric + target: #MetricTarget @go(Target) @protobuf(2,bytes) +} + +// MetricIdentifier defines the name and optionally selector for a metric +#MetricIdentifier: { + // name is the name of the given metric + name: string @go(Name) @protobuf(1,bytes) + + // selector is the string-encoded form of a standard kubernetes label selector for the given metric + // When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping. 
+ // When unset, just the metricName will be used to gather metrics. + // +optional + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes) +} + +// MetricTarget defines the target value, average value, or average utilization of a specific metric +#MetricTarget: { + // type represents whether the metric type is Utilization, Value, or AverageValue + type: #MetricTargetType @go(Type) @protobuf(1,bytes) + + // value is the target value of the metric (as a quantity). + // +optional + value?: null | resource.#Quantity @go(Value,*resource.Quantity) @protobuf(2,bytes,opt) + + // averageValue is the target value of the average of the + // metric across all relevant pods (as a quantity) + // +optional + averageValue?: null | resource.#Quantity @go(AverageValue,*resource.Quantity) @protobuf(3,bytes,opt) + + // averageUtilization is the target value of the average of the + // resource metric across all relevant pods, represented as a percentage of + // the requested value of the resource for the pods. + // Currently only valid for Resource metric source type + // +optional + averageUtilization?: null | int32 @go(AverageUtilization,*int32) @protobuf(4,bytes,opt) +} + +// MetricTargetType specifies the type of metric being targeted, and should be either +// "Value", "AverageValue", or "Utilization" +#MetricTargetType: string // #enumMetricTargetType + +#enumMetricTargetType: + #UtilizationMetricType | + #ValueMetricType | + #AverageValueMetricType + +// UtilizationMetricType declares a MetricTarget is an AverageUtilization value +#UtilizationMetricType: #MetricTargetType & "Utilization" + +// ValueMetricType declares a MetricTarget is a raw value +#ValueMetricType: #MetricTargetType & "Value" + +// AverageValueMetricType declares a MetricTarget is an +#AverageValueMetricType: #MetricTargetType & "AverageValue" + +// HorizontalPodAutoscalerStatus describes the current status of a horizontal pod autoscaler. 
+#HorizontalPodAutoscalerStatus: { + // observedGeneration is the most recent generation observed by this autoscaler. + // +optional + observedGeneration?: null | int64 @go(ObservedGeneration,*int64) @protobuf(1,varint,opt) + + // lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods, + // used by the autoscaler to control how often the number of pods is changed. + // +optional + lastScaleTime?: null | metav1.#Time @go(LastScaleTime,*metav1.Time) @protobuf(2,bytes,opt) + + // currentReplicas is current number of replicas of pods managed by this autoscaler, + // as last seen by the autoscaler. + // +optional + currentReplicas?: int32 @go(CurrentReplicas) @protobuf(3,varint,opt) + + // desiredReplicas is the desired number of replicas of pods managed by this autoscaler, + // as last calculated by the autoscaler. + desiredReplicas: int32 @go(DesiredReplicas) @protobuf(4,varint,opt) + + // currentMetrics is the last read state of the metrics used by this autoscaler. + // +listType=atomic + // +optional + currentMetrics: [...#MetricStatus] @go(CurrentMetrics,[]MetricStatus) @protobuf(5,bytes,rep) + + // conditions is the set of conditions required for this autoscaler to scale its target, + // and indicates whether or not those conditions are met. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + // +optional + conditions?: [...#HorizontalPodAutoscalerCondition] @go(Conditions,[]HorizontalPodAutoscalerCondition) @protobuf(6,bytes,rep) +} + +// HorizontalPodAutoscalerConditionType are the valid conditions of +// a HorizontalPodAutoscaler. +#HorizontalPodAutoscalerConditionType: string // #enumHorizontalPodAutoscalerConditionType + +#enumHorizontalPodAutoscalerConditionType: + #ScalingActive | + #AbleToScale | + #ScalingLimited + +// ScalingActive indicates that the HPA controller is able to scale if necessary: +// it's correctly configured, can fetch the desired metrics, and isn't disabled. 
+#ScalingActive: #HorizontalPodAutoscalerConditionType & "ScalingActive" + +// AbleToScale indicates a lack of transient issues which prevent scaling from occurring, +// such as being in a backoff window, or being unable to access/update the target scale. +#AbleToScale: #HorizontalPodAutoscalerConditionType & "AbleToScale" + +// ScalingLimited indicates that the calculated scale based on metrics would be above or +// below the range for the HPA, and has thus been capped. +#ScalingLimited: #HorizontalPodAutoscalerConditionType & "ScalingLimited" + +// HorizontalPodAutoscalerCondition describes the state of +// a HorizontalPodAutoscaler at a certain point. +#HorizontalPodAutoscalerCondition: { + // type describes the current condition + type: #HorizontalPodAutoscalerConditionType @go(Type) @protobuf(1,bytes) + + // status is the status of the condition (True, False, Unknown) + status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes) + + // lastTransitionTime is the last time the condition transitioned from + // one status to another + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt) + + // reason is the reason for the condition's last transition. + // +optional + reason?: string @go(Reason) @protobuf(4,bytes,opt) + + // message is a human-readable explanation containing details about + // the transition + // +optional + message?: string @go(Message) @protobuf(5,bytes,opt) +} + +// MetricStatus describes the last-read state of a single metric. +#MetricStatus: { + // type is the type of metric source. It will be one of "ContainerResource", "External", + // "Object", "Pods" or "Resource", each corresponds to a matching field in the object. 
+ // Note: "ContainerResource" type is available on when the feature-gate + // HPAContainerMetrics is enabled + type: #MetricSourceType @go(Type) @protobuf(1,bytes) + + // object refers to a metric describing a single kubernetes object + // (for example, hits-per-second on an Ingress object). + // +optional + object?: null | #ObjectMetricStatus @go(Object,*ObjectMetricStatus) @protobuf(2,bytes,opt) + + // pods refers to a metric describing each pod in the current scale target + // (for example, transactions-processed-per-second). The values will be + // averaged together before being compared to the target value. + // +optional + pods?: null | #PodsMetricStatus @go(Pods,*PodsMetricStatus) @protobuf(3,bytes,opt) + + // resource refers to a resource metric (such as those specified in + // requests and limits) known to Kubernetes describing each pod in the + // current scale target (e.g. CPU or memory). Such metrics are built in to + // Kubernetes, and have special scaling options on top of those available + // to normal per-pod metrics using the "pods" source. + // +optional + resource?: null | #ResourceMetricStatus @go(Resource,*ResourceMetricStatus) @protobuf(4,bytes,opt) + + // container resource refers to a resource metric (such as those specified in + // requests and limits) known to Kubernetes describing a single container in each pod in the + // current scale target (e.g. CPU or memory). Such metrics are built in to + // Kubernetes, and have special scaling options on top of those available + // to normal per-pod metrics using the "pods" source. + // +optional + containerResource?: null | #ContainerResourceMetricStatus @go(ContainerResource,*ContainerResourceMetricStatus) @protobuf(7,bytes,opt) + + // external refers to a global metric that is not associated + // with any Kubernetes object. 
It allows autoscaling based on information + // coming from components running outside of cluster + // (for example length of queue in cloud messaging service, or + // QPS from loadbalancer running outside of cluster). + // +optional + external?: null | #ExternalMetricStatus @go(External,*ExternalMetricStatus) @protobuf(5,bytes,opt) +} + +// ObjectMetricStatus indicates the current value of a metric describing a +// kubernetes object (for example, hits-per-second on an Ingress object). +#ObjectMetricStatus: { + // metric identifies the target metric by name and selector + metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes) + + // current contains the current value for the given metric + current: #MetricValueStatus @go(Current) @protobuf(2,bytes) + + // DescribedObject specifies the descriptions of a object,such as kind,name apiVersion + describedObject: #CrossVersionObjectReference @go(DescribedObject) @protobuf(3,bytes) +} + +// PodsMetricStatus indicates the current value of a metric describing each pod in +// the current scale target (for example, transactions-processed-per-second). +#PodsMetricStatus: { + // metric identifies the target metric by name and selector + metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes) + + // current contains the current value for the given metric + current: #MetricValueStatus @go(Current) @protobuf(2,bytes) +} + +// ResourceMetricStatus indicates the current value of a resource metric known to +// Kubernetes, as specified in requests and limits, describing each pod in the +// current scale target (e.g. CPU or memory). Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available to +// normal per-pod metrics using the "pods" source. +#ResourceMetricStatus: { + // name is the name of the resource in question. 
+ name: v1.#ResourceName @go(Name) @protobuf(1,bytes) + + // current contains the current value for the given metric + current: #MetricValueStatus @go(Current) @protobuf(2,bytes) +} + +// ContainerResourceMetricStatus indicates the current value of a resource metric known to +// Kubernetes, as specified in requests and limits, describing a single container in each pod in the +// current scale target (e.g. CPU or memory). Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available to +// normal per-pod metrics using the "pods" source. +#ContainerResourceMetricStatus: { + // name is the name of the resource in question. + name: v1.#ResourceName @go(Name) @protobuf(1,bytes) + + // current contains the current value for the given metric + current: #MetricValueStatus @go(Current) @protobuf(2,bytes) + + // container is the name of the container in the pods of the scaling target + container: string @go(Container) @protobuf(3,bytes,opt) +} + +// ExternalMetricStatus indicates the current value of a global metric +// not associated with any Kubernetes object. +#ExternalMetricStatus: { + // metric identifies the target metric by name and selector + metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes) + + // current contains the current value for the given metric + current: #MetricValueStatus @go(Current) @protobuf(2,bytes) +} + +// MetricValueStatus holds the current value for a metric +#MetricValueStatus: { + // value is the current value of the metric (as a quantity). 
+ // +optional + value?: null | resource.#Quantity @go(Value,*resource.Quantity) @protobuf(1,bytes,opt) + + // averageValue is the current value of the average of the + // metric across all relevant pods (as a quantity) + // +optional + averageValue?: null | resource.#Quantity @go(AverageValue,*resource.Quantity) @protobuf(2,bytes,opt) + + // currentAverageUtilization is the current value of the average of the + // resource metric across all relevant pods, represented as a percentage of + // the requested value of the resource for the pods. + // +optional + averageUtilization?: null | int32 @go(AverageUtilization,*int32) @protobuf(3,bytes,opt) +} + +// HorizontalPodAutoscalerList is a list of horizontal pod autoscaler objects. +#HorizontalPodAutoscalerList: { + metav1.#TypeMeta + + // metadata is the standard list metadata. + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of horizontal pod autoscaler objects. + items: [...#HorizontalPodAutoscaler] @go(Items,[]HorizontalPodAutoscaler) @protobuf(2,bytes,rep) +} diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/batch/v1/register_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/batch/v1/register_go_gen.cue new file mode 100644 index 000000000..5c4890873 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/batch/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/batch/v1 + +package v1 + +#GroupName: "batch" diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/batch/v1/types_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/batch/v1/types_go_gen.cue new file mode 100644 index 000000000..3cbdc66ff --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/batch/v1/types_go_gen.cue 
@@ -0,0 +1,693 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/batch/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/types" +) + +// All Kubernetes labels need to be prefixed with Kubernetes to distinguish them from end-user labels +// More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#label-selector-and-annotation-conventions +_#labelPrefix: "batch.kubernetes.io/" + +// CronJobScheduledTimestampAnnotation is the scheduled timestamp annotation for the Job. +// It records the original/expected scheduled timestamp for the running job, represented in RFC3339. +// The CronJob controller adds this annotation if the CronJobsScheduledAnnotation feature gate (beta in 1.28) is enabled. +#CronJobScheduledTimestampAnnotation: "batch.kubernetes.io/cronjob-scheduled-timestamp" +#JobCompletionIndexAnnotation: "batch.kubernetes.io/job-completion-index" + +// JobTrackingFinalizer is a finalizer for Job's pods. It prevents them from +// being deleted before being accounted in the Job status. +// +// Additionally, the apiserver and job controller use this string as a Job +// annotation, to mark Jobs that are being tracked using pod finalizers. +// However, this behavior is deprecated in kubernetes 1.26. This means that, in +// 1.27+, one release after JobTrackingWithFinalizers graduates to GA, the +// apiserver and job controller will ignore this annotation and they will +// always track jobs using finalizers. +#JobTrackingFinalizer: "batch.kubernetes.io/job-tracking" + +// The Job labels will use batch.kubernetes.io as a prefix for all labels +// Historically the job controller uses unprefixed labels for job-name and controller-uid and +// Kubernetes continutes to recognize those unprefixed labels for consistency. 
+#JobNameLabel: "batch.kubernetes.io/job-name" + +// ControllerUid is used to programatically get pods corresponding to a Job. +// There is a corresponding label without the batch.kubernetes.io that we support for legacy reasons. +#ControllerUidLabel: "batch.kubernetes.io/controller-uid" + +// Annotation indicating the number of failures for the index corresponding +// to the pod, which are counted towards the backoff limit. +#JobIndexFailureCountAnnotation: "batch.kubernetes.io/job-index-failure-count" + +// Annotation indicating the number of failures for the index corresponding +// to the pod, which don't count towards the backoff limit, according to the +// pod failure policy. When the annotation is absent zero is implied. +#JobIndexIgnoredFailureCountAnnotation: "batch.kubernetes.io/job-index-ignored-failure-count" + +// Job represents the configuration of a single job. +#Job: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Specification of the desired behavior of a job. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #JobSpec @go(Spec) @protobuf(2,bytes,opt) + + // Current status of a job. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #JobStatus @go(Status) @protobuf(3,bytes,opt) +} + +// JobList is a collection of jobs. +#JobList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of Jobs. 
+ items: [...#Job] @go(Items,[]Job) @protobuf(2,bytes,rep) +} + +// CompletionMode specifies how Pod completions of a Job are tracked. +// +enum +#CompletionMode: string // #enumCompletionMode + +#enumCompletionMode: + #NonIndexedCompletion | + #IndexedCompletion + +// NonIndexedCompletion is a Job completion mode. In this mode, the Job is +// considered complete when there have been .spec.completions +// successfully completed Pods. Pod completions are homologous to each other. +#NonIndexedCompletion: #CompletionMode & "NonIndexed" + +// IndexedCompletion is a Job completion mode. In this mode, the Pods of a +// Job get an associated completion index from 0 to (.spec.completions - 1). +// The Job is considered complete when a Pod completes for each completion +// index. +#IndexedCompletion: #CompletionMode & "Indexed" + +// PodFailurePolicyAction specifies how a Pod failure is handled. +// +enum +#PodFailurePolicyAction: string // #enumPodFailurePolicyAction + +#enumPodFailurePolicyAction: + #PodFailurePolicyActionFailJob | + #PodFailurePolicyActionFailIndex | + #PodFailurePolicyActionIgnore | + #PodFailurePolicyActionCount + +// This is an action which might be taken on a pod failure - mark the +// pod's job as Failed and terminate all running pods. +#PodFailurePolicyActionFailJob: #PodFailurePolicyAction & "FailJob" + +// This is an action which might be taken on a pod failure - mark the +// Job's index as failed to avoid restarts within this index. This action +// can only be used when backoffLimitPerIndex is set. +#PodFailurePolicyActionFailIndex: #PodFailurePolicyAction & "FailIndex" + +// This is an action which might be taken on a pod failure - the counter towards +// .backoffLimit, represented by the job's .status.failed field, is not +// incremented and a replacement pod is created. 
+#PodFailurePolicyActionIgnore: #PodFailurePolicyAction & "Ignore" + +// This is an action which might be taken on a pod failure - the pod failure +// is handled in the default way - the counter towards .backoffLimit, +// represented by the job's .status.failed field, is incremented. +#PodFailurePolicyActionCount: #PodFailurePolicyAction & "Count" + +// +enum +#PodFailurePolicyOnExitCodesOperator: string // #enumPodFailurePolicyOnExitCodesOperator + +#enumPodFailurePolicyOnExitCodesOperator: + #PodFailurePolicyOnExitCodesOpIn | + #PodFailurePolicyOnExitCodesOpNotIn + +#PodFailurePolicyOnExitCodesOpIn: #PodFailurePolicyOnExitCodesOperator & "In" +#PodFailurePolicyOnExitCodesOpNotIn: #PodFailurePolicyOnExitCodesOperator & "NotIn" + +// PodReplacementPolicy specifies the policy for creating pod replacements. +// +enum +#PodReplacementPolicy: string // #enumPodReplacementPolicy + +#enumPodReplacementPolicy: + #TerminatingOrFailed | + #Failed + +// TerminatingOrFailed means that we recreate pods +// when they are terminating (has a metadata.deletionTimestamp) or failed. +#TerminatingOrFailed: #PodReplacementPolicy & "TerminatingOrFailed" + +// Failed means to wait until a previously created Pod is fully terminated (has phase +// Failed or Succeeded) before creating a replacement Pod. +#Failed: #PodReplacementPolicy & "Failed" + +// PodFailurePolicyOnExitCodesRequirement describes the requirement for handling +// a failed pod based on its container exit codes. In particular, it lookups the +// .state.terminated.exitCode for each app container and init container status, +// represented by the .status.containerStatuses and .status.initContainerStatuses +// fields in the Pod status, respectively. Containers completed with success +// (exit code 0) are excluded from the requirement check. +#PodFailurePolicyOnExitCodesRequirement: { + // Restricts the check for exit codes to the container with the + // specified name. When null, the rule applies to all containers. 
+ // When specified, it should match one the container or initContainer + // names in the pod template. + // +optional + containerName?: null | string @go(ContainerName,*string) @protobuf(1,bytes,opt) + + // Represents the relationship between the container exit code(s) and the + // specified values. Containers completed with success (exit code 0) are + // excluded from the requirement check. Possible values are: + // + // - In: the requirement is satisfied if at least one container exit code + // (might be multiple if there are multiple containers not restricted + // by the 'containerName' field) is in the set of specified values. + // - NotIn: the requirement is satisfied if at least one container exit code + // (might be multiple if there are multiple containers not restricted + // by the 'containerName' field) is not in the set of specified values. + // Additional values are considered to be added in the future. Clients should + // react to an unknown operator by assuming the requirement is not satisfied. + operator: #PodFailurePolicyOnExitCodesOperator @go(Operator) @protobuf(2,bytes,req) + + // Specifies the set of values. Each returned container exit code (might be + // multiple in case of multiple containers) is checked against this set of + // values with respect to the operator. The list of values must be ordered + // and must not contain duplicates. Value '0' cannot be used for the In operator. + // At least one element is required. At most 255 elements are allowed. + // +listType=set + values: [...int32] @go(Values,[]int32) @protobuf(3,varint,rep) +} + +// PodFailurePolicyOnPodConditionsPattern describes a pattern for matching +// an actual pod condition type. +#PodFailurePolicyOnPodConditionsPattern: { + // Specifies the required Pod condition type. To match a pod condition + // it is required that specified type equals the pod condition type. 
+ type: corev1.#PodConditionType @go(Type) @protobuf(1,bytes,req) + + // Specifies the required Pod condition status. To match a pod condition + // it is required that the specified status equals the pod condition status. + // Defaults to True. + status: corev1.#ConditionStatus @go(Status) @protobuf(2,bytes,req) +} + +// PodFailurePolicyRule describes how a pod failure is handled when the requirements are met. +// One of onExitCodes and onPodConditions, but not both, can be used in each rule. +#PodFailurePolicyRule: { + // Specifies the action taken on a pod failure when the requirements are satisfied. + // Possible values are: + // + // - FailJob: indicates that the pod's job is marked as Failed and all + // running pods are terminated. + // - FailIndex: indicates that the pod's index is marked as Failed and will + // not be restarted. + // This value is alpha-level. It can be used when the + // `JobBackoffLimitPerIndex` feature gate is enabled (disabled by default). + // - Ignore: indicates that the counter towards the .backoffLimit is not + // incremented and a replacement pod is created. + // - Count: indicates that the pod is handled in the default way - the + // counter towards the .backoffLimit is incremented. + // Additional values are considered to be added in the future. Clients should + // react to an unknown action by skipping the rule. + action: #PodFailurePolicyAction @go(Action) @protobuf(1,bytes,req) + + // Represents the requirement on the container exit codes. + // +optional + onExitCodes?: null | #PodFailurePolicyOnExitCodesRequirement @go(OnExitCodes,*PodFailurePolicyOnExitCodesRequirement) @protobuf(2,bytes,opt) + + // Represents the requirement on the pod conditions. The requirement is represented + // as a list of pod condition patterns. The requirement is satisfied if at + // least one pattern matches an actual pod condition. At most 20 elements are allowed. 
+ // +listType=atomic + // +optional + onPodConditions: [...#PodFailurePolicyOnPodConditionsPattern] @go(OnPodConditions,[]PodFailurePolicyOnPodConditionsPattern) @protobuf(3,bytes,opt) +} + +// PodFailurePolicy describes how failed pods influence the backoffLimit. +#PodFailurePolicy: { + // A list of pod failure policy rules. The rules are evaluated in order. + // Once a rule matches a Pod failure, the remaining of the rules are ignored. + // When no rule matches the Pod failure, the default handling applies - the + // counter of pod failures is incremented and it is checked against + // the backoffLimit. At most 20 elements are allowed. + // +listType=atomic + rules: [...#PodFailurePolicyRule] @go(Rules,[]PodFailurePolicyRule) @protobuf(1,bytes,opt) +} + +// JobSpec describes how the job execution will look like. +#JobSpec: { + // Specifies the maximum desired number of pods the job should + // run at any given time. The actual number of pods running in steady state will + // be less than this number when ((.spec.completions - .status.successful) < .spec.parallelism), + // i.e. when the work left to do is less than max parallelism. + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/ + // +optional + parallelism?: null | int32 @go(Parallelism,*int32) @protobuf(1,varint,opt) + + // Specifies the desired number of successfully finished pods the + // job should be run with. Setting to null means that the success of any + // pod signals the success of all pods, and allows parallelism to have any positive + // value. Setting to 1 means that parallelism is limited to 1 and the success of that + // pod signals the success of the job. 
+ // More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/ + // +optional + completions?: null | int32 @go(Completions,*int32) @protobuf(2,varint,opt) + + // Specifies the duration in seconds relative to the startTime that the job + // may be continuously active before the system tries to terminate it; value + // must be positive integer. If a Job is suspended (at creation or through an + // update), this timer will effectively be stopped and reset when the Job is + // resumed again. + // +optional + activeDeadlineSeconds?: null | int64 @go(ActiveDeadlineSeconds,*int64) @protobuf(3,varint,opt) + + // Specifies the policy of handling failed pods. In particular, it allows to + // specify the set of actions and conditions which need to be + // satisfied to take the associated action. + // If empty, the default behaviour applies - the counter of failed pods, + // represented by the jobs's .status.failed field, is incremented and it is + // checked against the backoffLimit. This field cannot be used in combination + // with restartPolicy=OnFailure. + // + // This field is beta-level. It can be used when the `JobPodFailurePolicy` + // feature gate is enabled (enabled by default). + // +optional + podFailurePolicy?: null | #PodFailurePolicy @go(PodFailurePolicy,*PodFailurePolicy) @protobuf(11,bytes,opt) + + // Specifies the number of retries before marking this job failed. + // Defaults to 6 + // +optional + backoffLimit?: null | int32 @go(BackoffLimit,*int32) @protobuf(7,varint,opt) + + // Specifies the limit for the number of retries within an + // index before marking this index as failed. When enabled the number of + // failures per index is kept in the pod's + // batch.kubernetes.io/job-index-failure-count annotation. It can only + // be set when Job's completionMode=Indexed, and the Pod's restart + // policy is Never. The field is immutable. + // This field is alpha-level. 
It can be used when the `JobBackoffLimitPerIndex` + // feature gate is enabled (disabled by default). + // +optional + backoffLimitPerIndex?: null | int32 @go(BackoffLimitPerIndex,*int32) @protobuf(12,varint,opt) + + // Specifies the maximal number of failed indexes before marking the Job as + // failed, when backoffLimitPerIndex is set. Once the number of failed + // indexes exceeds this number the entire Job is marked as Failed and its + // execution is terminated. When left as null the job continues execution of + // all of its indexes and is marked with the `Complete` Job condition. + // It can only be specified when backoffLimitPerIndex is set. + // It can be null or up to completions. It is required and must be + // less than or equal to 10^4 when is completions greater than 10^5. + // This field is alpha-level. It can be used when the `JobBackoffLimitPerIndex` + // feature gate is enabled (disabled by default). + // +optional + maxFailedIndexes?: null | int32 @go(MaxFailedIndexes,*int32) @protobuf(13,varint,opt) + + // A label query over pods that should match the pod count. + // Normally, the system sets this field for you. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors + // +optional + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(4,bytes,opt) + + // manualSelector controls generation of pod labels and pod selectors. + // Leave `manualSelector` unset unless you are certain what you are doing. + // When false or unset, the system pick labels unique to this job + // and appends those labels to the pod template. When true, + // the user is responsible for picking unique labels and specifying + // the selector. Failure to pick a unique label may cause this + // and other jobs to not function correctly. However, You may see + // `manualSelector=true` in jobs that were created with the old `extensions/v1beta1` + // API. 
+ // More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/#specifying-your-own-pod-selector + // +optional + manualSelector?: null | bool @go(ManualSelector,*bool) @protobuf(5,varint,opt) + + // Describes the pod that will be created when executing a job. + // The only allowed template.spec.restartPolicy values are "Never" or "OnFailure". + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/ + template: corev1.#PodTemplateSpec @go(Template) @protobuf(6,bytes,opt) + + // ttlSecondsAfterFinished limits the lifetime of a Job that has finished + // execution (either Complete or Failed). If this field is set, + // ttlSecondsAfterFinished after the Job finishes, it is eligible to be + // automatically deleted. When the Job is being deleted, its lifecycle + // guarantees (e.g. finalizers) will be honored. If this field is unset, + // the Job won't be automatically deleted. If this field is set to zero, + // the Job becomes eligible to be deleted immediately after it finishes. + // +optional + ttlSecondsAfterFinished?: null | int32 @go(TTLSecondsAfterFinished,*int32) @protobuf(8,varint,opt) + + // completionMode specifies how Pod completions are tracked. It can be + // `NonIndexed` (default) or `Indexed`. + // + // `NonIndexed` means that the Job is considered complete when there have + // been .spec.completions successfully completed Pods. Each Pod completion is + // homologous to each other. + // + // `Indexed` means that the Pods of a + // Job get an associated completion index from 0 to (.spec.completions - 1), + // available in the annotation batch.kubernetes.io/job-completion-index. + // The Job is considered complete when there is one successfully completed Pod + // for each index. + // When value is `Indexed`, .spec.completions must be specified and + // `.spec.parallelism` must be less than or equal to 10^5. 
+ // In addition, The Pod name takes the form + // `$(job-name)-$(index)-$(random-string)`, + // the Pod hostname takes the form `$(job-name)-$(index)`. + // + // More completion modes can be added in the future. + // If the Job controller observes a mode that it doesn't recognize, which + // is possible during upgrades due to version skew, the controller + // skips updates for the Job. + // +optional + completionMode?: null | #CompletionMode @go(CompletionMode,*CompletionMode) @protobuf(9,bytes,opt,casttype=CompletionMode) + + // suspend specifies whether the Job controller should create Pods or not. If + // a Job is created with suspend set to true, no Pods are created by the Job + // controller. If a Job is suspended after creation (i.e. the flag goes from + // false to true), the Job controller will delete all active Pods associated + // with this Job. Users must design their workload to gracefully handle this. + // Suspending a Job will reset the StartTime field of the Job, effectively + // resetting the ActiveDeadlineSeconds timer too. Defaults to false. + // + // +optional + suspend?: null | bool @go(Suspend,*bool) @protobuf(10,varint,opt) + + // podReplacementPolicy specifies when to create replacement Pods. + // Possible values are: + // - TerminatingOrFailed means that we recreate pods + // when they are terminating (has a metadata.deletionTimestamp) or failed. + // - Failed means to wait until a previously created Pod is fully terminated (has phase + // Failed or Succeeded) before creating a replacement Pod. + // + // When using podFailurePolicy, Failed is the the only allowed value. + // TerminatingOrFailed and Failed are allowed values when podFailurePolicy is not in use. + // This is an alpha field. Enable JobPodReplacementPolicy to be able to use this field. 
+ // +optional + podReplacementPolicy?: null | #PodReplacementPolicy @go(PodReplacementPolicy,*PodReplacementPolicy) @protobuf(14,bytes,opt,casttype=podReplacementPolicy) +} + +// JobStatus represents the current state of a Job. +#JobStatus: { + // The latest available observations of an object's current state. When a Job + // fails, one of the conditions will have type "Failed" and status true. When + // a Job is suspended, one of the conditions will have type "Suspended" and + // status true; when the Job is resumed, the status of this condition will + // become false. When a Job is completed, one of the conditions will have + // type "Complete" and status true. + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/ + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=atomic + conditions?: [...#JobCondition] @go(Conditions,[]JobCondition) @protobuf(1,bytes,rep) + + // Represents time when the job controller started processing a job. When a + // Job is created in the suspended state, this field is not set until the + // first time it is resumed. This field is reset every time a Job is resumed + // from suspension. It is represented in RFC3339 form and is in UTC. + // +optional + startTime?: null | metav1.#Time @go(StartTime,*metav1.Time) @protobuf(2,bytes,opt) + + // Represents time when the job was completed. It is not guaranteed to + // be set in happens-before order across separate operations. + // It is represented in RFC3339 form and is in UTC. + // The completion time is only set when the job finishes successfully. + // +optional + completionTime?: null | metav1.#Time @go(CompletionTime,*metav1.Time) @protobuf(3,bytes,opt) + + // The number of pending and running pods. + // +optional + active?: int32 @go(Active) @protobuf(4,varint,opt) + + // The number of pods which reached phase Succeeded. 
+ // +optional + succeeded?: int32 @go(Succeeded) @protobuf(5,varint,opt) + + // The number of pods which reached phase Failed. + // +optional + failed?: int32 @go(Failed) @protobuf(6,varint,opt) + + // The number of pods which are terminating (in phase Pending or Running + // and have a deletionTimestamp). + // + // This field is alpha-level. The job controller populates the field when + // the feature gate JobPodReplacementPolicy is enabled (disabled by default). + // +optional + terminating?: null | int32 @go(Terminating,*int32) @protobuf(11,varint,opt) + + // completedIndexes holds the completed indexes when .spec.completionMode = + // "Indexed" in a text format. The indexes are represented as decimal integers + // separated by commas. The numbers are listed in increasing order. Three or + // more consecutive numbers are compressed and represented by the first and + // last element of the series, separated by a hyphen. + // For example, if the completed indexes are 1, 3, 4, 5 and 7, they are + // represented as "1,3-5,7". + // +optional + completedIndexes?: string @go(CompletedIndexes) @protobuf(7,bytes,opt) + + // FailedIndexes holds the failed indexes when backoffLimitPerIndex=true. + // The indexes are represented in the text format analogous as for the + // `completedIndexes` field, ie. they are kept as decimal integers + // separated by commas. The numbers are listed in increasing order. Three or + // more consecutive numbers are compressed and represented by the first and + // last element of the series, separated by a hyphen. + // For example, if the failed indexes are 1, 3, 4, 5 and 7, they are + // represented as "1,3-5,7". + // This field is alpha-level. It can be used when the `JobBackoffLimitPerIndex` + // feature gate is enabled (disabled by default). 
+ // +optional + failedIndexes?: null | string @go(FailedIndexes,*string) @protobuf(10,bytes,opt) + + // uncountedTerminatedPods holds the UIDs of Pods that have terminated but + // the job controller hasn't yet accounted for in the status counters. + // + // The job controller creates pods with a finalizer. When a pod terminates + // (succeeded or failed), the controller does three steps to account for it + // in the job status: + // + // 1. Add the pod UID to the arrays in this field. + // 2. Remove the pod finalizer. + // 3. Remove the pod UID from the arrays while increasing the corresponding + // counter. + // + // Old jobs might not be tracked using this field, in which case the field + // remains null. + // +optional + uncountedTerminatedPods?: null | #UncountedTerminatedPods @go(UncountedTerminatedPods,*UncountedTerminatedPods) @protobuf(8,bytes,opt) + + // The number of pods which have a Ready condition. + // + // This field is beta-level. The job controller populates the field when + // the feature gate JobReadyPods is enabled (enabled by default). + // +optional + ready?: null | int32 @go(Ready,*int32) @protobuf(9,varint,opt) +} + +// UncountedTerminatedPods holds UIDs of Pods that have terminated but haven't +// been accounted in Job status counters. +#UncountedTerminatedPods: { + // succeeded holds UIDs of succeeded Pods. + // +listType=set + // +optional + succeeded?: [...types.#UID] @go(Succeeded,[]types.UID) @protobuf(1,bytes,rep,casttype=k8s.io/apimachinery/pkg/types.UID) + + // failed holds UIDs of failed Pods. + // +listType=set + // +optional + failed?: [...types.#UID] @go(Failed,[]types.UID) @protobuf(2,bytes,rep,casttype=k8s.io/apimachinery/pkg/types.UID) +} + +#JobConditionType: string // #enumJobConditionType + +#enumJobConditionType: + #JobSuspended | + #JobComplete | + #JobFailed | + #JobFailureTarget + +// JobSuspended means the job has been suspended. 
+#JobSuspended: #JobConditionType & "Suspended" + +// JobComplete means the job has completed its execution. +#JobComplete: #JobConditionType & "Complete" + +// JobFailed means the job has failed its execution. +#JobFailed: #JobConditionType & "Failed" + +// FailureTarget means the job is about to fail its execution. +#JobFailureTarget: #JobConditionType & "FailureTarget" + +// JobCondition describes current state of a job. +#JobCondition: { + // Type of job condition, Complete or Failed. + type: #JobConditionType @go(Type) @protobuf(1,bytes,opt,casttype=JobConditionType) + + // Status of the condition, one of True, False, Unknown. + status: corev1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus) + + // Last time the condition was checked. + // +optional + lastProbeTime?: metav1.#Time @go(LastProbeTime) @protobuf(3,bytes,opt) + + // Last time the condition transit from one status to another. + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(4,bytes,opt) + + // (brief) reason for the condition's last transition. + // +optional + reason?: string @go(Reason) @protobuf(5,bytes,opt) + + // Human readable message indicating details about last transition. + // +optional + message?: string @go(Message) @protobuf(6,bytes,opt) +} + +// JobTemplateSpec describes the data a Job should have when created from a template +#JobTemplateSpec: { + // Standard object's metadata of the jobs created from this template. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Specification of the desired behavior of the job. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #JobSpec @go(Spec) @protobuf(2,bytes,opt) +} + +// CronJob represents the configuration of a single cron job. +#CronJob: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Specification of the desired behavior of a cron job, including the schedule. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #CronJobSpec @go(Spec) @protobuf(2,bytes,opt) + + // Current status of a cron job. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #CronJobStatus @go(Status) @protobuf(3,bytes,opt) +} + +// CronJobList is a collection of cron jobs. +#CronJobList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of CronJobs. + items: [...#CronJob] @go(Items,[]CronJob) @protobuf(2,bytes,rep) +} + +// CronJobSpec describes how the job execution will look like and when it will actually run. +#CronJobSpec: { + // The schedule in Cron format, see https://en.wikipedia.org/wiki/Cron. + schedule: string @go(Schedule) @protobuf(1,bytes,opt) + + // The time zone name for the given schedule, see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones. + // If not specified, this will default to the time zone of the kube-controller-manager process. 
+ // The set of valid time zone names and the time zone offset is loaded from the system-wide time zone + // database by the API server during CronJob validation and the controller manager during execution. + // If no system-wide time zone database can be found a bundled version of the database is used instead. + // If the time zone name becomes invalid during the lifetime of a CronJob or due to a change in host + // configuration, the controller will stop creating new new Jobs and will create a system event with the + // reason UnknownTimeZone. + // More information can be found in https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#time-zones + // +optional + timeZone?: null | string @go(TimeZone,*string) @protobuf(8,bytes,opt) + + // Optional deadline in seconds for starting the job if it misses scheduled + // time for any reason. Missed jobs executions will be counted as failed ones. + // +optional + startingDeadlineSeconds?: null | int64 @go(StartingDeadlineSeconds,*int64) @protobuf(2,varint,opt) + + // Specifies how to treat concurrent executions of a Job. + // Valid values are: + // + // - "Allow" (default): allows CronJobs to run concurrently; + // - "Forbid": forbids concurrent runs, skipping next run if previous run hasn't finished yet; + // - "Replace": cancels currently running job and replaces it with a new one + // +optional + concurrencyPolicy?: #ConcurrencyPolicy @go(ConcurrencyPolicy) @protobuf(3,bytes,opt,casttype=ConcurrencyPolicy) + + // This flag tells the controller to suspend subsequent executions, it does + // not apply to already started executions. Defaults to false. + // +optional + suspend?: null | bool @go(Suspend,*bool) @protobuf(4,varint,opt) + + // Specifies the job that will be created when executing a CronJob. + jobTemplate: #JobTemplateSpec @go(JobTemplate) @protobuf(5,bytes,opt) + + // The number of successful finished jobs to retain. Value must be non-negative integer. + // Defaults to 3. 
+ // +optional + successfulJobsHistoryLimit?: null | int32 @go(SuccessfulJobsHistoryLimit,*int32) @protobuf(6,varint,opt) + + // The number of failed finished jobs to retain. Value must be non-negative integer. + // Defaults to 1. + // +optional + failedJobsHistoryLimit?: null | int32 @go(FailedJobsHistoryLimit,*int32) @protobuf(7,varint,opt) +} + +// ConcurrencyPolicy describes how the job will be handled. +// Only one of the following concurrent policies may be specified. +// If none of the following policies is specified, the default one +// is AllowConcurrent. +// +enum +#ConcurrencyPolicy: string // #enumConcurrencyPolicy + +#enumConcurrencyPolicy: + #AllowConcurrent | + #ForbidConcurrent | + #ReplaceConcurrent + +// AllowConcurrent allows CronJobs to run concurrently. +#AllowConcurrent: #ConcurrencyPolicy & "Allow" + +// ForbidConcurrent forbids concurrent runs, skipping next run if previous +// hasn't finished yet. +#ForbidConcurrent: #ConcurrencyPolicy & "Forbid" + +// ReplaceConcurrent cancels currently running job and replaces it with a new one. +#ReplaceConcurrent: #ConcurrencyPolicy & "Replace" + +// CronJobStatus represents the current state of a cron job. +#CronJobStatus: { + // A list of pointers to currently running jobs. + // +optional + // +listType=atomic + active?: [...corev1.#ObjectReference] @go(Active,[]corev1.ObjectReference) @protobuf(1,bytes,rep) + + // Information when was the last time the job was successfully scheduled. + // +optional + lastScheduleTime?: null | metav1.#Time @go(LastScheduleTime,*metav1.Time) @protobuf(4,bytes,opt) + + // Information when was the last time the job successfully completed. + // +optional + lastSuccessfulTime?: null | metav1.#Time @go(LastSuccessfulTime,*metav1.Time) @protobuf(5,bytes,opt) +} 
diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/certificates/v1/register_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/certificates/v1/register_go_gen.cue new file mode 100644 index 000000000..f2ce34369 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/certificates/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/certificates/v1 + +package v1 + +#GroupName: "certificates.k8s.io" diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/certificates/v1/types_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/certificates/v1/types_go_gen.cue new file mode 100644 index 000000000..401ca5c97 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/certificates/v1/types_go_gen.cue 
@@ -0,0 +1,318 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/certificates/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/api/core/v1" +) + +// CertificateSigningRequest objects provide a mechanism to obtain x509 certificates +// by submitting a certificate signing request, and having it asynchronously approved and issued. +// +// Kubelets use this API to obtain: +// 1. client certificates to authenticate to kube-apiserver (with the "kubernetes.io/kube-apiserver-client-kubelet" signerName). +// 2. serving certificates for TLS endpoints kube-apiserver can connect to securely (with the "kubernetes.io/kubelet-serving" signerName). +// +// This API can be used to request client certificates to authenticate to kube-apiserver +// (with the "kubernetes.io/kube-apiserver-client" signerName), +// or to obtain certificates from custom non-Kubernetes signers. +#CertificateSigningRequest: { + metav1.#TypeMeta + + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec contains the certificate request, and is immutable after creation. + // Only the request, signerName, expirationSeconds, and usages fields can be set on creation. + // Other fields are derived by Kubernetes and cannot be modified by users. + spec: #CertificateSigningRequestSpec @go(Spec) @protobuf(2,bytes,opt) + + // status contains information about whether the request is approved or denied, + // and the certificate issued by the signer, or the failure condition indicating signer failure. + // +optional + status?: #CertificateSigningRequestStatus @go(Status) @protobuf(3,bytes,opt) +} + +// CertificateSigningRequestSpec contains the certificate request. +#CertificateSigningRequestSpec: { + // request contains an x509 certificate signing request encoded in a "CERTIFICATE REQUEST" PEM block. + // When serialized as JSON or YAML, the data is additionally base64-encoded. 
+ // +listType=atomic + request: bytes @go(Request,[]byte) @protobuf(1,bytes,opt) + + // signerName indicates the requested signer, and is a qualified name. + // + // List/watch requests for CertificateSigningRequests can filter on this field using a "spec.signerName=NAME" fieldSelector. + // + // Well-known Kubernetes signers are: + // 1. "kubernetes.io/kube-apiserver-client": issues client certificates that can be used to authenticate to kube-apiserver. + // Requests for this signer are never auto-approved by kube-controller-manager, can be issued by the "csrsigning" controller in kube-controller-manager. + // 2. "kubernetes.io/kube-apiserver-client-kubelet": issues client certificates that kubelets use to authenticate to kube-apiserver. + // Requests for this signer can be auto-approved by the "csrapproving" controller in kube-controller-manager, and can be issued by the "csrsigning" controller in kube-controller-manager. + // 3. "kubernetes.io/kubelet-serving" issues serving certificates that kubelets use to serve TLS endpoints, which kube-apiserver can connect to securely. + // Requests for this signer are never auto-approved by kube-controller-manager, and can be issued by the "csrsigning" controller in kube-controller-manager. + // + // More details are available at https://k8s.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers + // + // Custom signerNames can also be specified. The signer defines: + // 1. Trust distribution: how trust (CA bundles) are distributed. + // 2. Permitted subjects: and behavior when a disallowed subject is requested. + // 3. Required, permitted, or forbidden x509 extensions in the request (including whether subjectAltNames are allowed, which types, restrictions on allowed values) and behavior when a disallowed extension is requested. + // 4. Required, permitted, or forbidden key usages / extended key usages. + // 5. 
Expiration/certificate lifetime: whether it is fixed by the signer, configurable by the admin. + // 6. Whether or not requests for CA certificates are allowed. + signerName: string @go(SignerName) @protobuf(7,bytes,opt) + + // expirationSeconds is the requested duration of validity of the issued + // certificate. The certificate signer may issue a certificate with a different + // validity duration so a client must check the delta between the notBefore and + // and notAfter fields in the issued certificate to determine the actual duration. + // + // The v1.22+ in-tree implementations of the well-known Kubernetes signers will + // honor this field as long as the requested duration is not greater than the + // maximum duration they will honor per the --cluster-signing-duration CLI + // flag to the Kubernetes controller manager. + // + // Certificate signers may not honor this field for various reasons: + // + // 1. Old signer that is unaware of the field (such as the in-tree + // implementations prior to v1.22) + // 2. Signer whose configured maximum is shorter than the requested duration + // 3. Signer whose configured minimum is longer than the requested duration + // + // The minimum valid value for expirationSeconds is 600, i.e. 10 minutes. + // + // +optional + expirationSeconds?: null | int32 @go(ExpirationSeconds,*int32) @protobuf(8,varint,opt) + + // usages specifies a set of key usages requested in the issued certificate. + // + // Requests for TLS client certificates typically request: "digital signature", "key encipherment", "client auth". + // + // Requests for TLS serving certificates typically request: "key encipherment", "digital signature", "server auth". 
+ // + // Valid values are: + // "signing", "digital signature", "content commitment", + // "key encipherment", "key agreement", "data encipherment", + // "cert sign", "crl sign", "encipher only", "decipher only", "any", + // "server auth", "client auth", + // "code signing", "email protection", "s/mime", + // "ipsec end system", "ipsec tunnel", "ipsec user", + // "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc" + // +listType=atomic + usages?: [...#KeyUsage] @go(Usages,[]KeyUsage) @protobuf(5,bytes,opt) + + // username contains the name of the user that created the CertificateSigningRequest. + // Populated by the API server on creation and immutable. + // +optional + username?: string @go(Username) @protobuf(2,bytes,opt) + + // uid contains the uid of the user that created the CertificateSigningRequest. + // Populated by the API server on creation and immutable. + // +optional + uid?: string @go(UID) @protobuf(3,bytes,opt) + + // groups contains group membership of the user that created the CertificateSigningRequest. + // Populated by the API server on creation and immutable. + // +listType=atomic + // +optional + groups?: [...string] @go(Groups,[]string) @protobuf(4,bytes,rep) + + // extra contains extra attributes of the user that created the CertificateSigningRequest. + // Populated by the API server on creation and immutable. + // +optional + extra?: {[string]: #ExtraValue} @go(Extra,map[string]ExtraValue) @protobuf(6,bytes,rep) +} + +// "kubernetes.io/kube-apiserver-client" signer issues client certificates that can be used to authenticate to kube-apiserver. +// Never auto-approved by kube-controller-manager. +// Can be issued by the "csrsigning" controller in kube-controller-manager. +#KubeAPIServerClientSignerName: "kubernetes.io/kube-apiserver-client" + +// "kubernetes.io/kube-apiserver-client-kubelet" issues client certificates that kubelets use to authenticate to kube-apiserver. 
+// Can be auto-approved by the "csrapproving" controller in kube-controller-manager. +// Can be issued by the "csrsigning" controller in kube-controller-manager. +#KubeAPIServerClientKubeletSignerName: "kubernetes.io/kube-apiserver-client-kubelet" + +// "kubernetes.io/kubelet-serving" issues serving certificates that kubelets use to serve TLS endpoints, +// which kube-apiserver can connect to securely. +// Never auto-approved by kube-controller-manager. +// Can be issued by the "csrsigning" controller in kube-controller-manager. +#KubeletServingSignerName: "kubernetes.io/kubelet-serving" + +// ExtraValue masks the value so protobuf can generate +// +protobuf.nullable=true +// +protobuf.options.(gogoproto.goproto_stringer)=false +#ExtraValue: [...string] + +// CertificateSigningRequestStatus contains conditions used to indicate +// approved/denied/failed status of the request, and the issued certificate. +#CertificateSigningRequestStatus: { + // conditions applied to the request. Known conditions are "Approved", "Denied", and "Failed". + // +listType=map + // +listMapKey=type + // +optional + conditions?: [...#CertificateSigningRequestCondition] @go(Conditions,[]CertificateSigningRequestCondition) @protobuf(1,bytes,rep) + + // certificate is populated with an issued certificate by the signer after an Approved condition is present. + // This field is set via the /status subresource. Once populated, this field is immutable. + // + // If the certificate signing request is denied, a condition of type "Denied" is added and this field remains empty. + // If the signer cannot issue the certificate, a condition of type "Failed" is added and this field remains empty. + // + // Validation requirements: + // 1. certificate must contain one or more PEM blocks. + // 2. All PEM blocks must have the "CERTIFICATE" label, contain no headers, and the encoded data + // must be a BER-encoded ASN.1 Certificate structure as described in section 4 of RFC5280. + // 3. 
Non-PEM content may appear before or after the "CERTIFICATE" PEM blocks and is unvalidated, + // to allow for explanatory text as described in section 5.2 of RFC7468. + // + // If more than one PEM block is present, and the definition of the requested spec.signerName + // does not indicate otherwise, the first block is the issued certificate, + // and subsequent blocks should be treated as intermediate certificates and presented in TLS handshakes. + // + // The certificate is encoded in PEM format. + // + // When serialized as JSON or YAML, the data is additionally base64-encoded, so it consists of: + // + // base64( + // -----BEGIN CERTIFICATE----- + // ... + // -----END CERTIFICATE----- + // ) + // + // +listType=atomic + // +optional + certificate?: bytes @go(Certificate,[]byte) @protobuf(2,bytes,opt) +} + +// RequestConditionType is the type of a CertificateSigningRequestCondition +#RequestConditionType: string // #enumRequestConditionType + +#enumRequestConditionType: + #CertificateApproved | + #CertificateDenied | + #CertificateFailed + +// Approved indicates the request was approved and should be issued by the signer. +#CertificateApproved: #RequestConditionType & "Approved" + +// Denied indicates the request was denied and should not be issued by the signer. +#CertificateDenied: #RequestConditionType & "Denied" + +// Failed indicates the signer failed to issue the certificate. +#CertificateFailed: #RequestConditionType & "Failed" + +// CertificateSigningRequestCondition describes a condition of a CertificateSigningRequest object +#CertificateSigningRequestCondition: { + // type of the condition. Known conditions are "Approved", "Denied", and "Failed". + // + // An "Approved" condition is added via the /approval subresource, + // indicating the request was approved and should be issued by the signer. + // + // A "Denied" condition is added via the /approval subresource, + // indicating the request was denied and should not be issued by the signer. 
+ // + // A "Failed" condition is added via the /status subresource, + // indicating the signer failed to issue the certificate. + // + // Approved and Denied conditions are mutually exclusive. + // Approved, Denied, and Failed conditions cannot be removed once added. + // + // Only one condition of a given type is allowed. + type: #RequestConditionType @go(Type) @protobuf(1,bytes,opt,casttype=RequestConditionType) + + // status of the condition, one of True, False, Unknown. + // Approved, Denied, and Failed conditions may not be "False" or "Unknown". + status: v1.#ConditionStatus @go(Status) @protobuf(6,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus) + + // reason indicates a brief reason for the request state + // +optional + reason?: string @go(Reason) @protobuf(2,bytes,opt) + + // message contains a human readable message with details about the request state + // +optional + message?: string @go(Message) @protobuf(3,bytes,opt) + + // lastUpdateTime is the time of the last update to this condition + // +optional + lastUpdateTime?: metav1.#Time @go(LastUpdateTime) @protobuf(4,bytes,opt) + + // lastTransitionTime is the time the condition last transitioned from one status to another. + // If unset, when a new condition type is added or an existing condition's status is changed, + // the server defaults this to the current time. + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(5,bytes,opt) +} + +// CertificateSigningRequestList is a collection of CertificateSigningRequest objects +#CertificateSigningRequestList: { + metav1.#TypeMeta + + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is a collection of CertificateSigningRequest objects + items: [...#CertificateSigningRequest] @go(Items,[]CertificateSigningRequest) @protobuf(2,bytes,rep) +} + +// KeyUsage specifies valid usage contexts for keys. 
+// See: +// +// https://tools.ietf.org/html/rfc5280#section-4.2.1.3 +// https://tools.ietf.org/html/rfc5280#section-4.2.1.12 +// +// +enum +#KeyUsage: string // #enumKeyUsage + +#enumKeyUsage: + #UsageSigning | + #UsageDigitalSignature | + #UsageContentCommitment | + #UsageKeyEncipherment | + #UsageKeyAgreement | + #UsageDataEncipherment | + #UsageCertSign | + #UsageCRLSign | + #UsageEncipherOnly | + #UsageDecipherOnly | + #UsageAny | + #UsageServerAuth | + #UsageClientAuth | + #UsageCodeSigning | + #UsageEmailProtection | + #UsageSMIME | + #UsageIPsecEndSystem | + #UsageIPsecTunnel | + #UsageIPsecUser | + #UsageTimestamping | + #UsageOCSPSigning | + #UsageMicrosoftSGC | + #UsageNetscapeSGC + +#UsageSigning: #KeyUsage & "signing" +#UsageDigitalSignature: #KeyUsage & "digital signature" +#UsageContentCommitment: #KeyUsage & "content commitment" +#UsageKeyEncipherment: #KeyUsage & "key encipherment" +#UsageKeyAgreement: #KeyUsage & "key agreement" +#UsageDataEncipherment: #KeyUsage & "data encipherment" +#UsageCertSign: #KeyUsage & "cert sign" +#UsageCRLSign: #KeyUsage & "crl sign" +#UsageEncipherOnly: #KeyUsage & "encipher only" +#UsageDecipherOnly: #KeyUsage & "decipher only" +#UsageAny: #KeyUsage & "any" +#UsageServerAuth: #KeyUsage & "server auth" +#UsageClientAuth: #KeyUsage & "client auth" +#UsageCodeSigning: #KeyUsage & "code signing" +#UsageEmailProtection: #KeyUsage & "email protection" +#UsageSMIME: #KeyUsage & "s/mime" +#UsageIPsecEndSystem: #KeyUsage & "ipsec end system" +#UsageIPsecTunnel: #KeyUsage & "ipsec tunnel" +#UsageIPsecUser: #KeyUsage & "ipsec user" +#UsageTimestamping: #KeyUsage & "timestamping" +#UsageOCSPSigning: #KeyUsage & "ocsp signing" +#UsageMicrosoftSGC: #KeyUsage & "microsoft sgc" +#UsageNetscapeSGC: #KeyUsage & "netscape sgc" 
diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/coordination/v1/register_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/coordination/v1/register_go_gen.cue new file mode 100644 index 000000000..d0a257d5e --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/coordination/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/coordination/v1 + +package v1 + +#GroupName: "coordination.k8s.io" diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/coordination/v1/types_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/coordination/v1/types_go_gen.cue new file mode 100644 index 000000000..de2c74126 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/coordination/v1/types_go_gen.cue 
@@ -0,0 +1,61 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/coordination/v1 + +package v1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// Lease defines a lease concept. +#Lease: { + metav1.#TypeMeta + + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec contains the specification of the Lease. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #LeaseSpec @go(Spec) @protobuf(2,bytes,opt) +} + +// LeaseSpec is a specification of a Lease. +#LeaseSpec: { + // holderIdentity contains the identity of the holder of a current lease. + // +optional + holderIdentity?: null | string @go(HolderIdentity,*string) @protobuf(1,bytes,opt) + + // leaseDurationSeconds is a duration that candidates for a lease need + // to wait to force acquire it. This is measure against time of last + // observed renewTime. + // +optional + leaseDurationSeconds?: null | int32 @go(LeaseDurationSeconds,*int32) @protobuf(2,varint,opt) + + // acquireTime is a time when the current lease was acquired. + // +optional + acquireTime?: null | metav1.#MicroTime @go(AcquireTime,*metav1.MicroTime) @protobuf(3,bytes,opt) + + // renewTime is a time when the current holder of a lease has last + // updated the lease. + // +optional + renewTime?: null | metav1.#MicroTime @go(RenewTime,*metav1.MicroTime) @protobuf(4,bytes,opt) + + // leaseTransitions is the number of transitions of a lease between + // holders. + // +optional + leaseTransitions?: null | int32 @go(LeaseTransitions,*int32) @protobuf(5,varint,opt) +} + +// LeaseList is a list of Lease objects. +#LeaseList: { + metav1.#TypeMeta + + // Standard list metadata. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is a list of schema objects. + items: [...#Lease] @go(Items,[]Lease) @protobuf(2,bytes,rep) +} diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/core/v1/annotation_key_constants_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/core/v1/annotation_key_constants_go_gen.cue new file mode 100644 index 000000000..3a3027906 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/core/v1/annotation_key_constants_go_gen.cue 
@@ -0,0 +1,147 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/core/v1 + +package v1 + +// ImagePolicyFailedOpenKey is added to pods created by failing open when the image policy +// webhook backend fails. +#ImagePolicyFailedOpenKey: "alpha.image-policy.k8s.io/failed-open" + +// MirrorAnnotationKey represents the annotation key set by kubelets when creating mirror pods +#MirrorPodAnnotationKey: "kubernetes.io/config.mirror" + +// TolerationsAnnotationKey represents the key of tolerations data (json serialized) +// in the Annotations of a Pod. +#TolerationsAnnotationKey: "scheduler.alpha.kubernetes.io/tolerations" + +// TaintsAnnotationKey represents the key of taints data (json serialized) +// in the Annotations of a Node. +#TaintsAnnotationKey: "scheduler.alpha.kubernetes.io/taints" + +// SeccompPodAnnotationKey represents the key of a seccomp profile applied +// to all containers of a pod. +// Deprecated: set a pod security context `seccompProfile` field. +#SeccompPodAnnotationKey: "seccomp.security.alpha.kubernetes.io/pod" + +// SeccompContainerAnnotationKeyPrefix represents the key of a seccomp profile applied +// to one container of a pod. +// Deprecated: set a container security context `seccompProfile` field. +#SeccompContainerAnnotationKeyPrefix: "container.seccomp.security.alpha.kubernetes.io/" + +// SeccompProfileRuntimeDefault represents the default seccomp profile used by container runtime. +// Deprecated: set a pod or container security context `seccompProfile` of type "RuntimeDefault" instead. +#SeccompProfileRuntimeDefault: "runtime/default" + +// SeccompProfileNameUnconfined is the unconfined seccomp profile. +#SeccompProfileNameUnconfined: "unconfined" + +// SeccompLocalhostProfileNamePrefix is the prefix for specifying profiles loaded from the node's disk. 
+#SeccompLocalhostProfileNamePrefix: "localhost/" + +// AppArmorBetaContainerAnnotationKeyPrefix is the prefix to an annotation key specifying a container's apparmor profile. +#AppArmorBetaContainerAnnotationKeyPrefix: "container.apparmor.security.beta.kubernetes.io/" + +// AppArmorBetaDefaultProfileAnnotationKey is the annotation key specifying the default AppArmor profile. +#AppArmorBetaDefaultProfileAnnotationKey: "apparmor.security.beta.kubernetes.io/defaultProfileName" + +// AppArmorBetaAllowedProfilesAnnotationKey is the annotation key specifying the allowed AppArmor profiles. +#AppArmorBetaAllowedProfilesAnnotationKey: "apparmor.security.beta.kubernetes.io/allowedProfileNames" + +// AppArmorBetaProfileRuntimeDefault is the profile specifying the runtime default. +#AppArmorBetaProfileRuntimeDefault: "runtime/default" + +// AppArmorBetaProfileNamePrefix is the prefix for specifying profiles loaded on the node. +#AppArmorBetaProfileNamePrefix: "localhost/" + +// AppArmorBetaProfileNameUnconfined is the Unconfined AppArmor profile +#AppArmorBetaProfileNameUnconfined: "unconfined" + +// DeprecatedSeccompProfileDockerDefault represents the default seccomp profile used by docker. +// Deprecated: set a pod or container security context `seccompProfile` of type "RuntimeDefault" instead. +#DeprecatedSeccompProfileDockerDefault: "docker/default" + +// PreferAvoidPodsAnnotationKey represents the key of preferAvoidPods data (json serialized) +// in the Annotations of a Node. +#PreferAvoidPodsAnnotationKey: "scheduler.alpha.kubernetes.io/preferAvoidPods" + +// ObjectTTLAnnotationKey represents a suggestion for kubelet for how long it can cache +// an object (e.g. secret, config map) before fetching it again from apiserver. +// This annotation can be attached to node. +#ObjectTTLAnnotationKey: "node.alpha.kubernetes.io/ttl" + +// annotation key prefix used to identify non-convertible json paths. 
+#NonConvertibleAnnotationPrefix: "non-convertible.kubernetes.io" +_#kubectlPrefix: "kubectl.kubernetes.io/" + +// LastAppliedConfigAnnotation is the annotation used to store the previous +// configuration of a resource for use in a three way diff by UpdateApplyAnnotation. +#LastAppliedConfigAnnotation: "kubectl.kubernetes.io/last-applied-configuration" + +// AnnotationLoadBalancerSourceRangesKey is the key of the annotation on a service to set allowed ingress ranges on their LoadBalancers +// +// It should be a comma-separated list of CIDRs, e.g. `0.0.0.0/0` to +// allow full access (the default) or `18.0.0.0/8,56.0.0.0/8` to allow +// access only from the CIDRs currently allocated to MIT & the USPS. +// +// Not all cloud providers support this annotation, though AWS & GCE do. +#AnnotationLoadBalancerSourceRangesKey: "service.beta.kubernetes.io/load-balancer-source-ranges" + +// EndpointsLastChangeTriggerTime is the annotation key, set for endpoints objects, that +// represents the timestamp (stored as RFC 3339 date-time string, e.g. '2018-10-22T19:32:52.1Z') +// of the last change, of some Pod or Service object, that triggered the endpoints object change. +// In other words, if a Pod / Service changed at time T0, that change was observed by endpoints +// controller at T1, and the Endpoints object was changed at T2, the +// EndpointsLastChangeTriggerTime would be set to T0. +// +// The "endpoints change trigger" here means any Pod or Service change that resulted in the +// Endpoints object change. +// +// Given the definition of the "endpoints change trigger", please note that this annotation will +// be set ONLY for endpoints object changes triggered by either Pod or Service change. If the +// Endpoints object changes due to other reasons, this annotation won't be set (or updated if it's +// already set). 
+// +// This annotation will be used to compute the in-cluster network programming latency SLI, see +// https://github.com/kubernetes/community/blob/master/sig-scalability/slos/network_programming_latency.md +#EndpointsLastChangeTriggerTime: "endpoints.kubernetes.io/last-change-trigger-time" + +// EndpointsOverCapacity will be set on an Endpoints resource when it +// exceeds the maximum capacity of 1000 addresses. Initially the Endpoints +// controller will set this annotation with a value of "warning". In a +// future release, the controller may set this annotation with a value of +// "truncated" to indicate that any addresses exceeding the limit of 1000 +// have been truncated from the Endpoints resource. +#EndpointsOverCapacity: "endpoints.kubernetes.io/over-capacity" + +// MigratedPluginsAnnotationKey is the annotation key, set for CSINode objects, that is a comma-separated +// list of in-tree plugins that will be serviced by the CSI backend on the Node represented by CSINode. +// This annotation is used by the Attach Detach Controller to determine whether to use the in-tree or +// CSI Backend for a volume plugin on a specific node. +#MigratedPluginsAnnotationKey: "storage.alpha.kubernetes.io/migrated-plugins" + +// PodDeletionCost can be used to set to an int32 that represent the cost of deleting +// a pod compared to other pods belonging to the same ReplicaSet. Pods with lower +// deletion cost are preferred to be deleted before pods with higher deletion cost. +// Note that this is honored on a best-effort basis, and so it does not offer guarantees on +// pod deletion order. +// The implicit deletion cost for pods that don't set the annotation is 0, negative values are permitted. +// +// This annotation is beta-level and is only honored when PodDeletionCost feature is enabled. +#PodDeletionCost: "controller.kubernetes.io/pod-deletion-cost" + +// DeprecatedAnnotationTopologyAwareHints can be used to enable or disable +// Topology Aware Hints for a Service. 
This may be set to "Auto" or +// "Disabled". Any other value is treated as "Disabled". This annotation has +// been deprecated in favor of the "service.kubernetes.io/topology-mode" +// annotation. +#DeprecatedAnnotationTopologyAwareHints: "service.kubernetes.io/topology-aware-hints" + +// AnnotationTopologyMode can be used to enable or disable Topology Aware +// Routing for a Service. Well known values are "Auto" and "Disabled". +// Implementations may choose to develop new topology approaches, exposing +// them with domain-prefixed values. For example, "example.com/lowest-rtt" +// could be a valid implementation-specific value for this annotation. These +// heuristics will often populate topology hints on EndpointSlices, but that +// is not a requirement. +#AnnotationTopologyMode: "service.kubernetes.io/topology-mode" diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/core/v1/doc_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/core/v1/doc_go_gen.cue new file mode 100644 index 000000000..2bf1afce0 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/core/v1/doc_go_gen.cue @@ -0,0 +1,6 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/core/v1 + +// Package v1 is the v1 version of the core API. +package v1 diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/core/v1/register_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/core/v1/register_go_gen.cue new file mode 100644 index 000000000..29c24abce --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/core/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/core/v1 + +package v1 + +#GroupName: "" diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/core/v1/types_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/core/v1/types_go_gen.cue new file mode 100644 index 000000000..d87edcff5 --- /dev/null 
+++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/core/v1/types_go_gen.cue 
@@ -0,0 +1,7617 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/core/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/api/resource" + "k8s.io/apimachinery/pkg/util/intstr" + "k8s.io/apimachinery/pkg/types" +) + +// NamespaceDefault means the object is in the default namespace which is applied when not specified by clients +#NamespaceDefault: "default" + +// NamespaceAll is the default argument to specify on a context when you want to list or filter resources across all namespaces +#NamespaceAll: "" + +// NamespaceNodeLease is the namespace where we place node lease objects (used for node heartbeats) +#NamespaceNodeLease: "kube-node-lease" + +// Volume represents a named volume in a pod that may be accessed by any container in the pod. +#Volume: { + // name of the volume. + // Must be a DNS_LABEL and unique within the pod. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name: string @go(Name) @protobuf(1,bytes,opt) + + #VolumeSource +} + +// Represents the source of a volume to mount. +// Only one of its members may be specified. +#VolumeSource: { + // hostPath represents a pre-existing file or directory on the host + // machine that is directly exposed to the container. This is generally + // used for system agents or other privileged things that are allowed + // to see the host machine. Most containers will NOT need this. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + // --- + // TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not + // mount host directories as read/write. + // +optional + hostPath?: null | #HostPathVolumeSource @go(HostPath,*HostPathVolumeSource) @protobuf(1,bytes,opt) + + // emptyDir represents a temporary directory that shares a pod's lifetime. 
+ // More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + // +optional + emptyDir?: null | #EmptyDirVolumeSource @go(EmptyDir,*EmptyDirVolumeSource) @protobuf(2,bytes,opt) + + // gcePersistentDisk represents a GCE Disk resource that is attached to a + // kubelet's host machine and then exposed to the pod. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + // +optional + gcePersistentDisk?: null | #GCEPersistentDiskVolumeSource @go(GCEPersistentDisk,*GCEPersistentDiskVolumeSource) @protobuf(3,bytes,opt) + + // awsElasticBlockStore represents an AWS Disk resource that is attached to a + // kubelet's host machine and then exposed to the pod. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + // +optional + awsElasticBlockStore?: null | #AWSElasticBlockStoreVolumeSource @go(AWSElasticBlockStore,*AWSElasticBlockStoreVolumeSource) @protobuf(4,bytes,opt) + + // gitRepo represents a git repository at a particular revision. + // DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an + // EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir + // into the Pod's container. + // +optional + gitRepo?: null | #GitRepoVolumeSource @go(GitRepo,*GitRepoVolumeSource) @protobuf(5,bytes,opt) + + // secret represents a secret that should populate this volume. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + // +optional + secret?: null | #SecretVolumeSource @go(Secret,*SecretVolumeSource) @protobuf(6,bytes,opt) + + // nfs represents an NFS mount on the host that shares a pod's lifetime + // More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + // +optional + nfs?: null | #NFSVolumeSource @go(NFS,*NFSVolumeSource) @protobuf(7,bytes,opt) + + // iscsi represents an ISCSI Disk resource that is attached to a + // kubelet's host machine and then exposed to the pod. 
+ // More info: https://examples.k8s.io/volumes/iscsi/README.md + // +optional + iscsi?: null | #ISCSIVolumeSource @go(ISCSI,*ISCSIVolumeSource) @protobuf(8,bytes,opt) + + // glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md + // +optional + glusterfs?: null | #GlusterfsVolumeSource @go(Glusterfs,*GlusterfsVolumeSource) @protobuf(9,bytes,opt) + + // persistentVolumeClaimVolumeSource represents a reference to a + // PersistentVolumeClaim in the same namespace. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + // +optional + persistentVolumeClaim?: null | #PersistentVolumeClaimVolumeSource @go(PersistentVolumeClaim,*PersistentVolumeClaimVolumeSource) @protobuf(10,bytes,opt) + + // rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. + // More info: https://examples.k8s.io/volumes/rbd/README.md + // +optional + rbd?: null | #RBDVolumeSource @go(RBD,*RBDVolumeSource) @protobuf(11,bytes,opt) + + // flexVolume represents a generic volume resource that is + // provisioned/attached using an exec based plugin. + // +optional + flexVolume?: null | #FlexVolumeSource @go(FlexVolume,*FlexVolumeSource) @protobuf(12,bytes,opt) + + // cinder represents a cinder volume attached and mounted on kubelets host machine. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + // +optional + cinder?: null | #CinderVolumeSource @go(Cinder,*CinderVolumeSource) @protobuf(13,bytes,opt) + + // cephFS represents a Ceph FS mount on the host that shares a pod's lifetime + // +optional + cephfs?: null | #CephFSVolumeSource @go(CephFS,*CephFSVolumeSource) @protobuf(14,bytes,opt) + + // flocker represents a Flocker volume attached to a kubelet's host machine. 
This depends on the Flocker control service being running + // +optional + flocker?: null | #FlockerVolumeSource @go(Flocker,*FlockerVolumeSource) @protobuf(15,bytes,opt) + + // downwardAPI represents downward API about the pod that should populate this volume + // +optional + downwardAPI?: null | #DownwardAPIVolumeSource @go(DownwardAPI,*DownwardAPIVolumeSource) @protobuf(16,bytes,opt) + + // fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod. + // +optional + fc?: null | #FCVolumeSource @go(FC,*FCVolumeSource) @protobuf(17,bytes,opt) + + // azureFile represents an Azure File Service mount on the host and bind mount to the pod. + // +optional + azureFile?: null | #AzureFileVolumeSource @go(AzureFile,*AzureFileVolumeSource) @protobuf(18,bytes,opt) + + // configMap represents a configMap that should populate this volume + // +optional + configMap?: null | #ConfigMapVolumeSource @go(ConfigMap,*ConfigMapVolumeSource) @protobuf(19,bytes,opt) + + // vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine + // +optional + vsphereVolume?: null | #VsphereVirtualDiskVolumeSource @go(VsphereVolume,*VsphereVirtualDiskVolumeSource) @protobuf(20,bytes,opt) + + // quobyte represents a Quobyte mount on the host that shares a pod's lifetime + // +optional + quobyte?: null | #QuobyteVolumeSource @go(Quobyte,*QuobyteVolumeSource) @protobuf(21,bytes,opt) + + // azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. 
+ // +optional + azureDisk?: null | #AzureDiskVolumeSource @go(AzureDisk,*AzureDiskVolumeSource) @protobuf(22,bytes,opt) + + // photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine + photonPersistentDisk?: null | #PhotonPersistentDiskVolumeSource @go(PhotonPersistentDisk,*PhotonPersistentDiskVolumeSource) @protobuf(23,bytes,opt) + + // projected items for all in one resources secrets, configmaps, and downward API + projected?: null | #ProjectedVolumeSource @go(Projected,*ProjectedVolumeSource) @protobuf(26,bytes,opt) + + // portworxVolume represents a portworx volume attached and mounted on kubelets host machine + // +optional + portworxVolume?: null | #PortworxVolumeSource @go(PortworxVolume,*PortworxVolumeSource) @protobuf(24,bytes,opt) + + // scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. + // +optional + scaleIO?: null | #ScaleIOVolumeSource @go(ScaleIO,*ScaleIOVolumeSource) @protobuf(25,bytes,opt) + + // storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. + // +optional + storageos?: null | #StorageOSVolumeSource @go(StorageOS,*StorageOSVolumeSource) @protobuf(27,bytes,opt) + + // csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature). + // +optional + csi?: null | #CSIVolumeSource @go(CSI,*CSIVolumeSource) @protobuf(28,bytes,opt) + + // ephemeral represents a volume that is handled by a cluster storage driver. + // The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, + // and deleted when the pod is removed. 
+ // + // Use this if: + // a) the volume is only needed while the pod runs, + // b) features of normal volumes like restoring from snapshot or capacity + // tracking are needed, + // c) the storage driver is specified through a storage class, and + // d) the storage driver supports dynamic volume provisioning through + // a PersistentVolumeClaim (see EphemeralVolumeSource for more + // information on the connection between this volume type + // and PersistentVolumeClaim). + // + // Use PersistentVolumeClaim or one of the vendor-specific + // APIs for volumes that persist for longer than the lifecycle + // of an individual pod. + // + // Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to + // be used that way - see the documentation of the driver for + // more information. + // + // A pod can use both types of ephemeral volumes and + // persistent volumes at the same time. + // + // +optional + ephemeral?: null | #EphemeralVolumeSource @go(Ephemeral,*EphemeralVolumeSource) @protobuf(29,bytes,opt) +} + +// PersistentVolumeClaimVolumeSource references the user's PVC in the same namespace. +// This volume finds the bound PV and mounts that volume for the pod. A +// PersistentVolumeClaimVolumeSource is, essentially, a wrapper around another +// type of volume that is owned by someone else (the system). +#PersistentVolumeClaimVolumeSource: { + // claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + claimName: string @go(ClaimName) @protobuf(1,bytes,opt) + + // readOnly Will force the ReadOnly setting in VolumeMounts. + // Default false. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(2,varint,opt) +} + +// PersistentVolumeSource is similar to VolumeSource but meant for the +// administrator who creates PVs. Exactly one of its members must be set. 
+#PersistentVolumeSource: { + // gcePersistentDisk represents a GCE Disk resource that is attached to a + // kubelet's host machine and then exposed to the pod. Provisioned by an admin. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + // +optional + gcePersistentDisk?: null | #GCEPersistentDiskVolumeSource @go(GCEPersistentDisk,*GCEPersistentDiskVolumeSource) @protobuf(1,bytes,opt) + + // awsElasticBlockStore represents an AWS Disk resource that is attached to a + // kubelet's host machine and then exposed to the pod. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + // +optional + awsElasticBlockStore?: null | #AWSElasticBlockStoreVolumeSource @go(AWSElasticBlockStore,*AWSElasticBlockStoreVolumeSource) @protobuf(2,bytes,opt) + + // hostPath represents a directory on the host. + // Provisioned by a developer or tester. + // This is useful for single-node development and testing only! + // On-host storage is not supported in any way and WILL NOT WORK in a multi-node cluster. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + // +optional + hostPath?: null | #HostPathVolumeSource @go(HostPath,*HostPathVolumeSource) @protobuf(3,bytes,opt) + + // glusterfs represents a Glusterfs volume that is attached to a host and + // exposed to the pod. Provisioned by an admin. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md + // +optional + glusterfs?: null | #GlusterfsPersistentVolumeSource @go(Glusterfs,*GlusterfsPersistentVolumeSource) @protobuf(4,bytes,opt) + + // nfs represents an NFS mount on the host. Provisioned by an admin. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + // +optional + nfs?: null | #NFSVolumeSource @go(NFS,*NFSVolumeSource) @protobuf(5,bytes,opt) + + // rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. 
+ // More info: https://examples.k8s.io/volumes/rbd/README.md + // +optional + rbd?: null | #RBDPersistentVolumeSource @go(RBD,*RBDPersistentVolumeSource) @protobuf(6,bytes,opt) + + // iscsi represents an ISCSI Disk resource that is attached to a + // kubelet's host machine and then exposed to the pod. Provisioned by an admin. + // +optional + iscsi?: null | #ISCSIPersistentVolumeSource @go(ISCSI,*ISCSIPersistentVolumeSource) @protobuf(7,bytes,opt) + + // cinder represents a cinder volume attached and mounted on kubelets host machine. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + // +optional + cinder?: null | #CinderPersistentVolumeSource @go(Cinder,*CinderPersistentVolumeSource) @protobuf(8,bytes,opt) + + // cephFS represents a Ceph FS mount on the host that shares a pod's lifetime + // +optional + cephfs?: null | #CephFSPersistentVolumeSource @go(CephFS,*CephFSPersistentVolumeSource) @protobuf(9,bytes,opt) + + // fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod. + // +optional + fc?: null | #FCVolumeSource @go(FC,*FCVolumeSource) @protobuf(10,bytes,opt) + + // flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running + // +optional + flocker?: null | #FlockerVolumeSource @go(Flocker,*FlockerVolumeSource) @protobuf(11,bytes,opt) + + // flexVolume represents a generic volume resource that is + // provisioned/attached using an exec based plugin. + // +optional + flexVolume?: null | #FlexPersistentVolumeSource @go(FlexVolume,*FlexPersistentVolumeSource) @protobuf(12,bytes,opt) + + // azureFile represents an Azure File Service mount on the host and bind mount to the pod. 
+ // +optional + azureFile?: null | #AzureFilePersistentVolumeSource @go(AzureFile,*AzureFilePersistentVolumeSource) @protobuf(13,bytes,opt) + + // vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine + // +optional + vsphereVolume?: null | #VsphereVirtualDiskVolumeSource @go(VsphereVolume,*VsphereVirtualDiskVolumeSource) @protobuf(14,bytes,opt) + + // quobyte represents a Quobyte mount on the host that shares a pod's lifetime + // +optional + quobyte?: null | #QuobyteVolumeSource @go(Quobyte,*QuobyteVolumeSource) @protobuf(15,bytes,opt) + + // azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. + // +optional + azureDisk?: null | #AzureDiskVolumeSource @go(AzureDisk,*AzureDiskVolumeSource) @protobuf(16,bytes,opt) + + // photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine + photonPersistentDisk?: null | #PhotonPersistentDiskVolumeSource @go(PhotonPersistentDisk,*PhotonPersistentDiskVolumeSource) @protobuf(17,bytes,opt) + + // portworxVolume represents a portworx volume attached and mounted on kubelets host machine + // +optional + portworxVolume?: null | #PortworxVolumeSource @go(PortworxVolume,*PortworxVolumeSource) @protobuf(18,bytes,opt) + + // scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. 
+ // +optional + scaleIO?: null | #ScaleIOPersistentVolumeSource @go(ScaleIO,*ScaleIOPersistentVolumeSource) @protobuf(19,bytes,opt) + + // local represents directly-attached storage with node affinity + // +optional + local?: null | #LocalVolumeSource @go(Local,*LocalVolumeSource) @protobuf(20,bytes,opt) + + // storageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod + // More info: https://examples.k8s.io/volumes/storageos/README.md + // +optional + storageos?: null | #StorageOSPersistentVolumeSource @go(StorageOS,*StorageOSPersistentVolumeSource) @protobuf(21,bytes,opt) + + // csi represents storage that is handled by an external CSI driver (Beta feature). + // +optional + csi?: null | #CSIPersistentVolumeSource @go(CSI,*CSIPersistentVolumeSource) @protobuf(22,bytes,opt) +} + +// BetaStorageClassAnnotation represents the beta/previous StorageClass annotation. +// It's currently still used and will be held for backwards compatibility +#BetaStorageClassAnnotation: "volume.beta.kubernetes.io/storage-class" + +// MountOptionAnnotation defines mount option annotation used in PVs +#MountOptionAnnotation: "volume.beta.kubernetes.io/mount-options" + +// PersistentVolume (PV) is a storage resource provisioned by an administrator. +// It is analogous to a node. +// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes +#PersistentVolume: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec defines a specification of a persistent volume owned by the cluster. + // Provisioned by an administrator. 
+ // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumes + // +optional + spec?: #PersistentVolumeSpec @go(Spec) @protobuf(2,bytes,opt) + + // status represents the current information/status for the persistent volume. + // Populated by the system. + // Read-only. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumes + // +optional + status?: #PersistentVolumeStatus @go(Status) @protobuf(3,bytes,opt) +} + +// PersistentVolumeSpec is the specification of a persistent volume. +#PersistentVolumeSpec: { + // capacity is the description of the persistent volume's resources and capacity. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacity + // +optional + capacity?: #ResourceList @go(Capacity) @protobuf(1,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + #PersistentVolumeSource + + // accessModes contains all ways the volume can be mounted. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes + // +optional + accessModes?: [...#PersistentVolumeAccessMode] @go(AccessModes,[]PersistentVolumeAccessMode) @protobuf(3,bytes,rep,casttype=PersistentVolumeAccessMode) + + // claimRef is part of a bi-directional binding between PersistentVolume and PersistentVolumeClaim. + // Expected to be non-nil when bound. + // claim.VolumeName is the authoritative bind between PV and PVC. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#binding + // +optional + // +structType=granular + claimRef?: null | #ObjectReference @go(ClaimRef,*ObjectReference) @protobuf(4,bytes,opt) + + // persistentVolumeReclaimPolicy defines what happens to a persistent volume when released from its claim. + // Valid options are Retain (default for manually created PersistentVolumes), Delete (default + // for dynamically provisioned PersistentVolumes), and Recycle (deprecated). 
+ // Recycle must be supported by the volume plugin underlying this PersistentVolume. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#reclaiming + // +optional + persistentVolumeReclaimPolicy?: #PersistentVolumeReclaimPolicy @go(PersistentVolumeReclaimPolicy) @protobuf(5,bytes,opt,casttype=PersistentVolumeReclaimPolicy) + + // storageClassName is the name of StorageClass to which this persistent volume belongs. Empty value + // means that this volume does not belong to any StorageClass. + // +optional + storageClassName?: string @go(StorageClassName) @protobuf(6,bytes,opt) + + // mountOptions is the list of mount options, e.g. ["ro", "soft"]. Not validated - mount will + // simply fail if one is invalid. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#mount-options + // +optional + mountOptions?: [...string] @go(MountOptions,[]string) @protobuf(7,bytes,opt) + + // volumeMode defines if a volume is intended to be used with a formatted filesystem + // or to remain in raw block state. Value of Filesystem is implied when not included in spec. + // +optional + volumeMode?: null | #PersistentVolumeMode @go(VolumeMode,*PersistentVolumeMode) @protobuf(8,bytes,opt,casttype=PersistentVolumeMode) + + // nodeAffinity defines constraints that limit what nodes this volume can be accessed from. + // This field influences the scheduling of pods that use this volume. + // +optional + nodeAffinity?: null | #VolumeNodeAffinity @go(NodeAffinity,*VolumeNodeAffinity) @protobuf(9,bytes,opt) +} + +// VolumeNodeAffinity defines constraints that limit what nodes this volume can be accessed from. +#VolumeNodeAffinity: { + // required specifies hard node constraints that must be met. + required?: null | #NodeSelector @go(Required,*NodeSelector) @protobuf(1,bytes,opt) +} + +// PersistentVolumeReclaimPolicy describes a policy for end-of-life maintenance of persistent volumes. 
+// +enum +#PersistentVolumeReclaimPolicy: string // #enumPersistentVolumeReclaimPolicy + +#enumPersistentVolumeReclaimPolicy: + #PersistentVolumeReclaimRecycle | + #PersistentVolumeReclaimDelete | + #PersistentVolumeReclaimRetain + +// PersistentVolumeReclaimRecycle means the volume will be recycled back into the pool of unbound persistent volumes on release from its claim. +// The volume plugin must support Recycling. +#PersistentVolumeReclaimRecycle: #PersistentVolumeReclaimPolicy & "Recycle" + +// PersistentVolumeReclaimDelete means the volume will be deleted from Kubernetes on release from its claim. +// The volume plugin must support Deletion. +#PersistentVolumeReclaimDelete: #PersistentVolumeReclaimPolicy & "Delete" + +// PersistentVolumeReclaimRetain means the volume will be left in its current phase (Released) for manual reclamation by the administrator. +// The default policy is Retain. +#PersistentVolumeReclaimRetain: #PersistentVolumeReclaimPolicy & "Retain" + +// PersistentVolumeMode describes how a volume is intended to be consumed, either Block or Filesystem. +// +enum +#PersistentVolumeMode: string // #enumPersistentVolumeMode + +#enumPersistentVolumeMode: + #PersistentVolumeBlock | + #PersistentVolumeFilesystem + +// PersistentVolumeBlock means the volume will not be formatted with a filesystem and will remain a raw block device. +#PersistentVolumeBlock: #PersistentVolumeMode & "Block" + +// PersistentVolumeFilesystem means the volume will be or is formatted with a filesystem. +#PersistentVolumeFilesystem: #PersistentVolumeMode & "Filesystem" + +// PersistentVolumeStatus is the current status of a persistent volume. +#PersistentVolumeStatus: { + // phase indicates if a volume is available, bound to a claim, or released by a claim. 
+ // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#phase + // +optional + phase?: #PersistentVolumePhase @go(Phase) @protobuf(1,bytes,opt,casttype=PersistentVolumePhase) + + // message is a human-readable message indicating details about why the volume is in this state. + // +optional + message?: string @go(Message) @protobuf(2,bytes,opt) + + // reason is a brief CamelCase string that describes any failure and is meant + // for machine parsing and tidy display in the CLI. + // +optional + reason?: string @go(Reason) @protobuf(3,bytes,opt) + + // lastPhaseTransitionTime is the time the phase transitioned from one to another + // and automatically resets to current time everytime a volume phase transitions. + // This is an alpha field and requires enabling PersistentVolumeLastPhaseTransitionTime feature. + // +featureGate=PersistentVolumeLastPhaseTransitionTime + // +optional + lastPhaseTransitionTime?: null | metav1.#Time @go(LastPhaseTransitionTime,*metav1.Time) @protobuf(4,bytes,opt) +} + +// PersistentVolumeList is a list of PersistentVolume items. +#PersistentVolumeList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is a list of persistent volumes. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes + items: [...#PersistentVolume] @go(Items,[]PersistentVolume) @protobuf(2,bytes,rep) +} + +// PersistentVolumeClaim is a user's request for and claim to a persistent volume +#PersistentVolumeClaim: { + metav1.#TypeMeta + + // Standard object's metadata. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec defines the desired characteristics of a volume requested by a pod author. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + // +optional + spec?: #PersistentVolumeClaimSpec @go(Spec) @protobuf(2,bytes,opt) + + // status represents the current information/status of a persistent volume claim. + // Read-only. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + // +optional + status?: #PersistentVolumeClaimStatus @go(Status) @protobuf(3,bytes,opt) +} + +// PersistentVolumeClaimList is a list of PersistentVolumeClaim items. +#PersistentVolumeClaimList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is a list of persistent volume claims. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + items: [...#PersistentVolumeClaim] @go(Items,[]PersistentVolumeClaim) @protobuf(2,bytes,rep) +} + +// PersistentVolumeClaimSpec describes the common attributes of storage devices +// and allows a Source for provider-specific attributes +#PersistentVolumeClaimSpec: { + // accessModes contains the desired access modes the volume should have. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + // +optional + accessModes?: [...#PersistentVolumeAccessMode] @go(AccessModes,[]PersistentVolumeAccessMode) @protobuf(1,bytes,rep,casttype=PersistentVolumeAccessMode) + + // selector is a label query over volumes to consider for binding. 
+ // +optional + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(4,bytes,opt) + + // resources represents the minimum resources the volume should have. + // If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + // that are lower than previous value but must still be higher than capacity recorded in the + // status field of the claim. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + // +optional + resources?: #ResourceRequirements @go(Resources) @protobuf(2,bytes,opt) + + // volumeName is the binding reference to the PersistentVolume backing this claim. + // +optional + volumeName?: string @go(VolumeName) @protobuf(3,bytes,opt) + + // storageClassName is the name of the StorageClass required by the claim. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + // +optional + storageClassName?: null | string @go(StorageClassName,*string) @protobuf(5,bytes,opt) + + // volumeMode defines what type of volume is required by the claim. + // Value of Filesystem is implied when not included in claim spec. + // +optional + volumeMode?: null | #PersistentVolumeMode @go(VolumeMode,*PersistentVolumeMode) @protobuf(6,bytes,opt,casttype=PersistentVolumeMode) + + // dataSource field can be used to specify either: + // * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + // * An existing PVC (PersistentVolumeClaim) + // If the provisioner or an external controller can support the specified data source, + // it will create a new volume based on the contents of the specified data source. + // When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + // and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + // If the namespace is specified, then dataSourceRef will not be copied to dataSource. 
+ // +optional + dataSource?: null | #TypedLocalObjectReference @go(DataSource,*TypedLocalObjectReference) @protobuf(7,bytes,opt) + + // dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + // volume is desired. This may be any object from a non-empty API group (non + // core object) or a PersistentVolumeClaim object. + // When this field is specified, volume binding will only succeed if the type of + // the specified object matches some installed volume populator or dynamic + // provisioner. + // This field will replace the functionality of the dataSource field and as such + // if both fields are non-empty, they must have the same value. For backwards + // compatibility, when namespace isn't specified in dataSourceRef, + // both fields (dataSource and dataSourceRef) will be set to the same + // value automatically if one of them is empty and the other is non-empty. + // When namespace is specified in dataSourceRef, + // dataSource isn't set to the same value and must be empty. + // There are three important differences between dataSource and dataSourceRef: + // * While dataSource only allows two specific types of objects, dataSourceRef + // allows any non-core object, as well as PersistentVolumeClaim objects. + // * While dataSource ignores disallowed values (dropping them), dataSourceRef + // preserves all values, and generates an error if a disallowed value is + // specified. + // * While dataSource only allows local objects, dataSourceRef allows objects + // in any namespaces. + // (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + // (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + // +optional + dataSourceRef?: null | #TypedObjectReference @go(DataSourceRef,*TypedObjectReference) @protobuf(8,bytes,opt) +} + +#TypedObjectReference: { + // APIGroup is the group for the resource being referenced. 
+ // If APIGroup is not specified, the specified Kind must be in the core API group. + // For any other third-party types, APIGroup is required. + // +optional + apiGroup?: null | string @go(APIGroup,*string) @protobuf(1,bytes,opt) + + // Kind is the type of resource being referenced + kind: string @go(Kind) @protobuf(2,bytes,opt) + + // Name is the name of resource being referenced + name: string @go(Name) @protobuf(3,bytes,opt) + + // Namespace is the namespace of resource being referenced + // Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + // (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + // +featureGate=CrossNamespaceVolumeDataSource + // +optional + namespace?: null | string @go(Namespace,*string) @protobuf(4,bytes,opt) +} + +// PersistentVolumeClaimConditionType is a valid value of PersistentVolumeClaimCondition.Type +#PersistentVolumeClaimConditionType: string // #enumPersistentVolumeClaimConditionType + +#enumPersistentVolumeClaimConditionType: + #PersistentVolumeClaimResizing | + #PersistentVolumeClaimFileSystemResizePending + +// PersistentVolumeClaimResizing - a user trigger resize of pvc has been started +#PersistentVolumeClaimResizing: #PersistentVolumeClaimConditionType & "Resizing" + +// PersistentVolumeClaimFileSystemResizePending - controller resize is finished and a file system resize is pending on node +#PersistentVolumeClaimFileSystemResizePending: #PersistentVolumeClaimConditionType & "FileSystemResizePending" + +// +enum +// When a controller receives persistentvolume claim update with ClaimResourceStatus for a resource +// that it does not recognizes, then it should ignore that update and let other controllers +// handle it. 
+#ClaimResourceStatus: string // #enumClaimResourceStatus + +#enumClaimResourceStatus: + #PersistentVolumeClaimControllerResizeInProgress | + #PersistentVolumeClaimControllerResizeFailed | + #PersistentVolumeClaimNodeResizePending | + #PersistentVolumeClaimNodeResizeInProgress | + #PersistentVolumeClaimNodeResizeFailed + +// State set when resize controller starts resizing the volume in control-plane. +#PersistentVolumeClaimControllerResizeInProgress: #ClaimResourceStatus & "ControllerResizeInProgress" + +// State set when resize has failed in resize controller with a terminal error. +// Transient errors such as timeout should not set this status and should leave allocatedResourceStatus +// unmodified, so as resize controller can resume the volume expansion. +#PersistentVolumeClaimControllerResizeFailed: #ClaimResourceStatus & "ControllerResizeFailed" + +// State set when resize controller has finished resizing the volume but further resizing of volume +// is needed on the node. +#PersistentVolumeClaimNodeResizePending: #ClaimResourceStatus & "NodeResizePending" + +// State set when kubelet starts resizing the volume. +#PersistentVolumeClaimNodeResizeInProgress: #ClaimResourceStatus & "NodeResizeInProgress" + +// State set when resizing has failed in kubelet with a terminal error. Transient errors don't set NodeResizeFailed +#PersistentVolumeClaimNodeResizeFailed: #ClaimResourceStatus & "NodeResizeFailed" + +// PersistentVolumeClaimCondition contains details about state of pvc +#PersistentVolumeClaimCondition: { + type: #PersistentVolumeClaimConditionType @go(Type) @protobuf(1,bytes,opt,casttype=PersistentVolumeClaimConditionType) + status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus) + + // lastProbeTime is the time we probed the condition. + // +optional + lastProbeTime?: metav1.#Time @go(LastProbeTime) @protobuf(3,bytes,opt) + + // lastTransitionTime is the time the condition transitioned from one status to another. 
+ // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(4,bytes,opt) + + // reason is a unique, this should be a short, machine understandable string that gives the reason + // for condition's last transition. If it reports "ResizeStarted" that means the underlying + // persistent volume is being resized. + // +optional + reason?: string @go(Reason) @protobuf(5,bytes,opt) + + // message is the human-readable message indicating details about last transition. + // +optional + message?: string @go(Message) @protobuf(6,bytes,opt) +} + +// PersistentVolumeClaimStatus is the current status of a persistent volume claim. +#PersistentVolumeClaimStatus: { + // phase represents the current phase of PersistentVolumeClaim. + // +optional + phase?: #PersistentVolumeClaimPhase @go(Phase) @protobuf(1,bytes,opt,casttype=PersistentVolumeClaimPhase) + + // accessModes contains the actual access modes the volume backing the PVC has. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + // +optional + accessModes?: [...#PersistentVolumeAccessMode] @go(AccessModes,[]PersistentVolumeAccessMode) @protobuf(2,bytes,rep,casttype=PersistentVolumeAccessMode) + + // capacity represents the actual resources of the underlying volume. + // +optional + capacity?: #ResourceList @go(Capacity) @protobuf(3,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // conditions is the current Condition of persistent volume claim. If underlying persistent volume is being + // resized then the Condition will be set to 'ResizeStarted'. + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#PersistentVolumeClaimCondition] @go(Conditions,[]PersistentVolumeClaimCondition) @protobuf(4,bytes,rep) + + // allocatedResources tracks the resources allocated to a PVC including its capacity. + // Key names follow standard Kubernetes label syntax. 
Valid values are either: + // * Un-prefixed keys: + // - storage - the capacity of the volume. + // * Custom resources must use implementation-defined prefixed names such as "example.com/my-custom-resource" + // Apart from above values - keys that are unprefixed or have kubernetes.io prefix are considered + // reserved and hence may not be used. + // + // Capacity reported here may be larger than the actual capacity when a volume expansion operation + // is requested. + // For storage quota, the larger value from allocatedResources and PVC.spec.resources is used. + // If allocatedResources is not set, PVC.spec.resources alone is used for quota calculation. + // If a volume expansion capacity request is lowered, allocatedResources is only + // lowered if there are no expansion operations in progress and if the actual volume capacity + // is equal or lower than the requested capacity. + // + // A controller that receives PVC update with previously unknown resourceName + // should ignore the update for the purpose it was designed. For example - a controller that + // only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid + // resources associated with PVC. + // + // This is an alpha field and requires enabling RecoverVolumeExpansionFailure feature. + // +featureGate=RecoverVolumeExpansionFailure + // +optional + allocatedResources?: #ResourceList @go(AllocatedResources) @protobuf(5,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // allocatedResourceStatuses stores status of resource being resized for the given PVC. + // Key names follow standard Kubernetes label syntax. Valid values are either: + // * Un-prefixed keys: + // - storage - the capacity of the volume. 
+ // * Custom resources must use implementation-defined prefixed names such as "example.com/my-custom-resource" + // Apart from above values - keys that are unprefixed or have kubernetes.io prefix are considered + // reserved and hence may not be used. + // + // ClaimResourceStatus can be in any of following states: + // - ControllerResizeInProgress: + // State set when resize controller starts resizing the volume in control-plane. + // - ControllerResizeFailed: + // State set when resize has failed in resize controller with a terminal error. + // - NodeResizePending: + // State set when resize controller has finished resizing the volume but further resizing of + // volume is needed on the node. + // - NodeResizeInProgress: + // State set when kubelet starts resizing the volume. + // - NodeResizeFailed: + // State set when resizing has failed in kubelet with a terminal error. Transient errors don't set + // NodeResizeFailed. + // For example: if expanding a PVC for more capacity - this field can be one of the following states: + // - pvc.status.allocatedResourceStatus['storage'] = "ControllerResizeInProgress" + // - pvc.status.allocatedResourceStatus['storage'] = "ControllerResizeFailed" + // - pvc.status.allocatedResourceStatus['storage'] = "NodeResizePending" + // - pvc.status.allocatedResourceStatus['storage'] = "NodeResizeInProgress" + // - pvc.status.allocatedResourceStatus['storage'] = "NodeResizeFailed" + // When this field is not set, it means that no resize operation is in progress for the given PVC. + // + // A controller that receives PVC update with previously unknown resourceName or ClaimResourceStatus + // should ignore the update for the purpose it was designed. For example - a controller that + // only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid + // resources associated with PVC. + // + // This is an alpha field and requires enabling RecoverVolumeExpansionFailure feature. 
+ // +featureGate=RecoverVolumeExpansionFailure + // +mapType=granular + // +optional + allocatedResourceStatuses?: {[string]: #ClaimResourceStatus} @go(AllocatedResourceStatuses,map[ResourceName]ClaimResourceStatus) @protobuf(7,bytes,rep) +} + +// +enum +#PersistentVolumeAccessMode: string // #enumPersistentVolumeAccessMode + +#enumPersistentVolumeAccessMode: + #ReadWriteOnce | + #ReadOnlyMany | + #ReadWriteMany | + #ReadWriteOncePod + +// can be mounted in read/write mode to exactly 1 host +#ReadWriteOnce: #PersistentVolumeAccessMode & "ReadWriteOnce" + +// can be mounted in read-only mode to many hosts +#ReadOnlyMany: #PersistentVolumeAccessMode & "ReadOnlyMany" + +// can be mounted in read/write mode to many hosts +#ReadWriteMany: #PersistentVolumeAccessMode & "ReadWriteMany" + +// can be mounted in read/write mode to exactly 1 pod +// cannot be used in combination with other access modes +#ReadWriteOncePod: #PersistentVolumeAccessMode & "ReadWriteOncePod" + +// +enum +#PersistentVolumePhase: string // #enumPersistentVolumePhase + +#enumPersistentVolumePhase: + #VolumePending | + #VolumeAvailable | + #VolumeBound | + #VolumeReleased | + #VolumeFailed + +// used for PersistentVolumes that are not available +#VolumePending: #PersistentVolumePhase & "Pending" + +// used for PersistentVolumes that are not yet bound +// Available volumes are held by the binder and matched to PersistentVolumeClaims +#VolumeAvailable: #PersistentVolumePhase & "Available" + +// used for PersistentVolumes that are bound +#VolumeBound: #PersistentVolumePhase & "Bound" + +// used for PersistentVolumes where the bound PersistentVolumeClaim was deleted +// released volumes must be recycled before becoming available again +// this phase is used by the persistent volume claim binder to signal to another process to reclaim the resource +#VolumeReleased: #PersistentVolumePhase & "Released" + +// used for PersistentVolumes that failed to be correctly recycled or deleted after being released from 
a claim +#VolumeFailed: #PersistentVolumePhase & "Failed" + +// +enum +#PersistentVolumeClaimPhase: string // #enumPersistentVolumeClaimPhase + +#enumPersistentVolumeClaimPhase: + #ClaimPending | + #ClaimBound | + #ClaimLost + +// used for PersistentVolumeClaims that are not yet bound +#ClaimPending: #PersistentVolumeClaimPhase & "Pending" + +// used for PersistentVolumeClaims that are bound +#ClaimBound: #PersistentVolumeClaimPhase & "Bound" + +// used for PersistentVolumeClaims that lost their underlying +// PersistentVolume. The claim was bound to a PersistentVolume and this +// volume does not exist any longer and all data on it was lost. +#ClaimLost: #PersistentVolumeClaimPhase & "Lost" + +// +enum +#HostPathType: string // #enumHostPathType + +#enumHostPathType: + #HostPathUnset | + #HostPathDirectoryOrCreate | + #HostPathDirectory | + #HostPathFileOrCreate | + #HostPathFile | + #HostPathSocket | + #HostPathCharDev | + #HostPathBlockDev + +// For backwards compatible, leave it empty if unset +#HostPathUnset: #HostPathType & "" + +// If nothing exists at the given path, an empty directory will be created there +// as needed with file mode 0755, having the same group and ownership with Kubelet. +#HostPathDirectoryOrCreate: #HostPathType & "DirectoryOrCreate" + +// A directory must exist at the given path +#HostPathDirectory: #HostPathType & "Directory" + +// If nothing exists at the given path, an empty file will be created there +// as needed with file mode 0644, having the same group and ownership with Kubelet. 
+#HostPathFileOrCreate: #HostPathType & "FileOrCreate" + +// A file must exist at the given path +#HostPathFile: #HostPathType & "File" + +// A UNIX socket must exist at the given path +#HostPathSocket: #HostPathType & "Socket" + +// A character device must exist at the given path +#HostPathCharDev: #HostPathType & "CharDevice" + +// A block device must exist at the given path +#HostPathBlockDev: #HostPathType & "BlockDevice" + +// Represents a host path mapped into a pod. +// Host path volumes do not support ownership management or SELinux relabeling. +#HostPathVolumeSource: { + // path of the directory on the host. + // If the path is a symlink, it will follow the link to the real path. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + path: string @go(Path) @protobuf(1,bytes,opt) + + // type for HostPath Volume + // Defaults to "" + // More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + // +optional + type?: null | #HostPathType @go(Type,*HostPathType) @protobuf(2,bytes,opt) +} + +// Represents an empty directory for a pod. +// Empty directory volumes support ownership management and SELinux relabeling. +#EmptyDirVolumeSource: { + // medium represents what type of storage medium should back this directory. + // The default is "" which means to use the node's default medium. + // Must be an empty string (default) or Memory. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + // +optional + medium?: #StorageMedium @go(Medium) @protobuf(1,bytes,opt,casttype=StorageMedium) + + // sizeLimit is the total amount of local storage required for this EmptyDir volume. + // The size limit is also applicable for memory medium. + // The maximum usage on memory medium EmptyDir would be the minimum value between + // the SizeLimit specified here and the sum of memory limits of all containers in a pod. + // The default is nil which means that the limit is undefined. 
+ // More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + // +optional + sizeLimit?: null | resource.#Quantity @go(SizeLimit,*resource.Quantity) @protobuf(2,bytes,opt) +} + +// Represents a Glusterfs mount that lasts the lifetime of a pod. +// Glusterfs volumes do not support ownership management or SELinux relabeling. +#GlusterfsVolumeSource: { + // endpoints is the endpoint name that details Glusterfs topology. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + endpoints: string @go(EndpointsName) @protobuf(1,bytes,opt) + + // path is the Glusterfs volume path. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + path: string @go(Path) @protobuf(2,bytes,opt) + + // readOnly here will force the Glusterfs volume to be mounted with read-only permissions. + // Defaults to false. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) +} + +// Represents a Glusterfs mount that lasts the lifetime of a pod. +// Glusterfs volumes do not support ownership management or SELinux relabeling. +#GlusterfsPersistentVolumeSource: { + // endpoints is the endpoint name that details Glusterfs topology. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + endpoints: string @go(EndpointsName) @protobuf(1,bytes,opt) + + // path is the Glusterfs volume path. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + path: string @go(Path) @protobuf(2,bytes,opt) + + // readOnly here will force the Glusterfs volume to be mounted with read-only permissions. + // Defaults to false. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) + + // endpointsNamespace is the namespace that contains Glusterfs endpoint. 
+ // If this field is empty, the EndpointNamespace defaults to the same namespace as the bound PVC. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + // +optional + endpointsNamespace?: null | string @go(EndpointsNamespace,*string) @protobuf(4,bytes,opt) +} + +// Represents a Rados Block Device mount that lasts the lifetime of a pod. +// RBD volumes support ownership management and SELinux relabeling. +#RBDVolumeSource: { + // monitors is a collection of Ceph monitors. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + monitors: [...string] @go(CephMonitors,[]string) @protobuf(1,bytes,rep) + + // image is the rados image name. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + image: string @go(RBDImage) @protobuf(2,bytes,opt) + + // fsType is the filesystem type of the volume that you want to mount. + // Tip: Ensure that the filesystem type is supported by the host operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + // TODO: how do we prevent errors in the filesystem from compromising the machine + // +optional + fsType?: string @go(FSType) @protobuf(3,bytes,opt) + + // pool is the rados pool name. + // Default is rbd. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + pool?: string @go(RBDPool) @protobuf(4,bytes,opt) + + // user is the rados user name. + // Default is admin. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + user?: string @go(RadosUser) @protobuf(5,bytes,opt) + + // keyring is the path to key ring for RBDUser. + // Default is /etc/ceph/keyring. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + keyring?: string @go(Keyring) @protobuf(6,bytes,opt) + + // secretRef is name of the authentication secret for RBDUser. 
If provided + // overrides keyring. + // Default is nil. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + secretRef?: null | #LocalObjectReference @go(SecretRef,*LocalObjectReference) @protobuf(7,bytes,opt) + + // readOnly here will force the ReadOnly setting in VolumeMounts. + // Defaults to false. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(8,varint,opt) +} + +// Represents a Rados Block Device mount that lasts the lifetime of a pod. +// RBD volumes support ownership management and SELinux relabeling. +#RBDPersistentVolumeSource: { + // monitors is a collection of Ceph monitors. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + monitors: [...string] @go(CephMonitors,[]string) @protobuf(1,bytes,rep) + + // image is the rados image name. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + image: string @go(RBDImage) @protobuf(2,bytes,opt) + + // fsType is the filesystem type of the volume that you want to mount. + // Tip: Ensure that the filesystem type is supported by the host operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + // TODO: how do we prevent errors in the filesystem from compromising the machine + // +optional + fsType?: string @go(FSType) @protobuf(3,bytes,opt) + + // pool is the rados pool name. + // Default is rbd. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + pool?: string @go(RBDPool) @protobuf(4,bytes,opt) + + // user is the rados user name. + // Default is admin. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + user?: string @go(RadosUser) @protobuf(5,bytes,opt) + + // keyring is the path to key ring for RBDUser. + // Default is /etc/ceph/keyring. 
+ // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + keyring?: string @go(Keyring) @protobuf(6,bytes,opt) + + // secretRef is name of the authentication secret for RBDUser. If provided + // overrides keyring. + // Default is nil. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + secretRef?: null | #SecretReference @go(SecretRef,*SecretReference) @protobuf(7,bytes,opt) + + // readOnly here will force the ReadOnly setting in VolumeMounts. + // Defaults to false. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(8,varint,opt) +} + +// Represents a cinder volume resource in Openstack. +// A Cinder volume must exist before mounting to a container. +// The volume must also be in the same region as the kubelet. +// Cinder volumes support ownership management and SELinux relabeling. +#CinderVolumeSource: { + // volumeID used to identify the volume in cinder. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + volumeID: string @go(VolumeID) @protobuf(1,bytes,opt) + + // fsType is the filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + // +optional + fsType?: string @go(FSType) @protobuf(2,bytes,opt) + + // readOnly defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) + + // secretRef is optional: points to a secret object containing parameters used to connect + // to OpenStack. 
+ // +optional + secretRef?: null | #LocalObjectReference @go(SecretRef,*LocalObjectReference) @protobuf(4,bytes,opt) +} + +// Represents a cinder volume resource in Openstack. +// A Cinder volume must exist before mounting to a container. +// The volume must also be in the same region as the kubelet. +// Cinder volumes support ownership management and SELinux relabeling. +#CinderPersistentVolumeSource: { + // volumeID used to identify the volume in cinder. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + volumeID: string @go(VolumeID) @protobuf(1,bytes,opt) + + // fsType Filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + // +optional + fsType?: string @go(FSType) @protobuf(2,bytes,opt) + + // readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) + + // secretRef is Optional: points to a secret object containing parameters used to connect + // to OpenStack. + // +optional + secretRef?: null | #SecretReference @go(SecretRef,*SecretReference) @protobuf(4,bytes,opt) +} + +// Represents a Ceph Filesystem mount that lasts the lifetime of a pod +// Cephfs volumes do not support ownership management or SELinux relabeling. 
+#CephFSVolumeSource: { + // monitors is Required: Monitors is a collection of Ceph monitors + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + monitors: [...string] @go(Monitors,[]string) @protobuf(1,bytes,rep) + + // path is Optional: Used as the mounted root, rather than the full Ceph tree, default is / + // +optional + path?: string @go(Path) @protobuf(2,bytes,opt) + + // user is optional: User is the rados user name, default is admin + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + // +optional + user?: string @go(User) @protobuf(3,bytes,opt) + + // secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + // +optional + secretFile?: string @go(SecretFile) @protobuf(4,bytes,opt) + + // secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + // +optional + secretRef?: null | #LocalObjectReference @go(SecretRef,*LocalObjectReference) @protobuf(5,bytes,opt) + + // readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(6,varint,opt) +} + +// SecretReference represents a Secret Reference. It has enough information to retrieve secret +// in any namespace +// +structType=atomic +#SecretReference: { + // name is unique within a namespace to reference a secret resource. + // +optional + name?: string @go(Name) @protobuf(1,bytes,opt) + + // namespace defines the space within which the secret name must be unique. 
+ // +optional + namespace?: string @go(Namespace) @protobuf(2,bytes,opt) +} + +// Represents a Ceph Filesystem mount that lasts the lifetime of a pod +// Cephfs volumes do not support ownership management or SELinux relabeling. +#CephFSPersistentVolumeSource: { + // monitors is Required: Monitors is a collection of Ceph monitors + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + monitors: [...string] @go(Monitors,[]string) @protobuf(1,bytes,rep) + + // path is Optional: Used as the mounted root, rather than the full Ceph tree, default is / + // +optional + path?: string @go(Path) @protobuf(2,bytes,opt) + + // user is Optional: User is the rados user name, default is admin + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + // +optional + user?: string @go(User) @protobuf(3,bytes,opt) + + // secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + // +optional + secretFile?: string @go(SecretFile) @protobuf(4,bytes,opt) + + // secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + // +optional + secretRef?: null | #SecretReference @go(SecretRef,*SecretReference) @protobuf(5,bytes,opt) + + // readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(6,varint,opt) +} + +// Represents a Flocker volume mounted by the Flocker agent. +// One and only one of datasetName and datasetUUID should be set. +// Flocker volumes do not support ownership management or SELinux relabeling. 
+#FlockerVolumeSource: { + // datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker + // should be considered as deprecated + // +optional + datasetName?: string @go(DatasetName) @protobuf(1,bytes,opt) + + // datasetUUID is the UUID of the dataset. This is unique identifier of a Flocker dataset + // +optional + datasetUUID?: string @go(DatasetUUID) @protobuf(2,bytes,opt) +} + +// StorageMedium defines ways that storage can be allocated to a volume. +#StorageMedium: string // #enumStorageMedium + +#enumStorageMedium: + #StorageMediumDefault | + #StorageMediumMemory | + #StorageMediumHugePages | + #StorageMediumHugePagesPrefix + +#StorageMediumDefault: #StorageMedium & "" +#StorageMediumMemory: #StorageMedium & "Memory" +#StorageMediumHugePages: #StorageMedium & "HugePages" +#StorageMediumHugePagesPrefix: #StorageMedium & "HugePages-" + +// Protocol defines network protocols supported for things like container ports. +// +enum +#Protocol: string // #enumProtocol + +#enumProtocol: + #ProtocolTCP | + #ProtocolUDP | + #ProtocolSCTP + +// ProtocolTCP is the TCP protocol. +#ProtocolTCP: #Protocol & "TCP" + +// ProtocolUDP is the UDP protocol. +#ProtocolUDP: #Protocol & "UDP" + +// ProtocolSCTP is the SCTP protocol. +#ProtocolSCTP: #Protocol & "SCTP" + +// Represents a Persistent Disk resource in Google Compute Engine. +// +// A GCE PD must exist before mounting to a container. The disk must +// also be in the same GCE project and zone as the kubelet. A GCE PD +// can only be mounted as read/write once or read-only many times. GCE +// PDs support ownership management and SELinux relabeling. +#GCEPersistentDiskVolumeSource: { + // pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + pdName: string @go(PDName) @protobuf(1,bytes,opt) + + // fsType is filesystem type of the volume that you want to mount. 
+ // Tip: Ensure that the filesystem type is supported by the host operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + // TODO: how do we prevent errors in the filesystem from compromising the machine + // +optional + fsType?: string @go(FSType) @protobuf(2,bytes,opt) + + // partition is the partition in the volume that you want to mount. + // If omitted, the default is to mount by volume name. + // Examples: For volume /dev/sda1, you specify the partition as "1". + // Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + // More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + // +optional + partition?: int32 @go(Partition) @protobuf(3,varint,opt) + + // readOnly here will force the ReadOnly setting in VolumeMounts. + // Defaults to false. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(4,varint,opt) +} + +// Represents a Quobyte mount that lasts the lifetime of a pod. +// Quobyte volumes do not support ownership management or SELinux relabeling. +#QuobyteVolumeSource: { + // registry represents a single or multiple Quobyte Registry services + // specified as a string as host:port pair (multiple entries are separated with commas) + // which acts as the central registry for volumes + registry: string @go(Registry) @protobuf(1,bytes,opt) + + // volume is a string that references an already created Quobyte volume by name. + volume: string @go(Volume) @protobuf(2,bytes,opt) + + // readOnly here will force the Quobyte volume to be mounted with read-only permissions. + // Defaults to false. 
+ // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) + + // user to map volume access to + // Defaults to serivceaccount user + // +optional + user?: string @go(User) @protobuf(4,bytes,opt) + + // group to map volume access to + // Default is no group + // +optional + group?: string @go(Group) @protobuf(5,bytes,opt) + + // tenant owning the given Quobyte volume in the Backend + // Used with dynamically provisioned Quobyte volumes, value is set by the plugin + // +optional + tenant?: string @go(Tenant) @protobuf(6,bytes,opt) +} + +// FlexPersistentVolumeSource represents a generic persistent volume resource that is +// provisioned/attached using an exec based plugin. +#FlexPersistentVolumeSource: { + // driver is the name of the driver to use for this volume. + driver: string @go(Driver) @protobuf(1,bytes,opt) + + // fsType is the Filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. + // +optional + fsType?: string @go(FSType) @protobuf(2,bytes,opt) + + // secretRef is Optional: SecretRef is reference to the secret object containing + // sensitive information to pass to the plugin scripts. This may be + // empty if no secret object is specified. If the secret object + // contains more than one secret, all secrets are passed to the plugin + // scripts. + // +optional + secretRef?: null | #SecretReference @go(SecretRef,*SecretReference) @protobuf(3,bytes,opt) + + // readOnly is Optional: defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(4,varint,opt) + + // options is Optional: this field holds extra command options if any. 
+ // +optional + options?: {[string]: string} @go(Options,map[string]string) @protobuf(5,bytes,rep) +} + +// FlexVolume represents a generic volume resource that is +// provisioned/attached using an exec based plugin. +#FlexVolumeSource: { + // driver is the name of the driver to use for this volume. + driver: string @go(Driver) @protobuf(1,bytes,opt) + + // fsType is the filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. + // +optional + fsType?: string @go(FSType) @protobuf(2,bytes,opt) + + // secretRef is Optional: secretRef is reference to the secret object containing + // sensitive information to pass to the plugin scripts. This may be + // empty if no secret object is specified. If the secret object + // contains more than one secret, all secrets are passed to the plugin + // scripts. + // +optional + secretRef?: null | #LocalObjectReference @go(SecretRef,*LocalObjectReference) @protobuf(3,bytes,opt) + + // readOnly is Optional: defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(4,varint,opt) + + // options is Optional: this field holds extra command options if any. + // +optional + options?: {[string]: string} @go(Options,map[string]string) @protobuf(5,bytes,rep) +} + +// Represents a Persistent Disk resource in AWS. +// +// An AWS EBS disk must exist before mounting to a container. The disk +// must also be in the same AWS zone as the kubelet. An AWS EBS disk +// can only be mounted as read/write once. AWS EBS volumes support +// ownership management and SELinux relabeling. +#AWSElasticBlockStoreVolumeSource: { + // volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). 
+ // More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + volumeID: string @go(VolumeID) @protobuf(1,bytes,opt) + + // fsType is the filesystem type of the volume that you want to mount. + // Tip: Ensure that the filesystem type is supported by the host operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + // TODO: how do we prevent errors in the filesystem from compromising the machine + // +optional + fsType?: string @go(FSType) @protobuf(2,bytes,opt) + + // partition is the partition in the volume that you want to mount. + // If omitted, the default is to mount by volume name. + // Examples: For volume /dev/sda1, you specify the partition as "1". + // Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + // +optional + partition?: int32 @go(Partition) @protobuf(3,varint,opt) + + // readOnly value true will force the readOnly setting in VolumeMounts. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(4,varint,opt) +} + +// Represents a volume that is populated with the contents of a git repository. +// Git repo volumes do not support ownership management. +// Git repo volumes support SELinux relabeling. +// +// DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an +// EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir +// into the Pod's container. +#GitRepoVolumeSource: { + // repository is the URL + repository: string @go(Repository) @protobuf(1,bytes,opt) + + // revision is the commit hash for the specified revision. + // +optional + revision?: string @go(Revision) @protobuf(2,bytes,opt) + + // directory is the target directory name. + // Must not contain or start with '..'. If '.' 
is supplied, the volume directory will be the + // git repository. Otherwise, if specified, the volume will contain the git repository in + // the subdirectory with the given name. + // +optional + directory?: string @go(Directory) @protobuf(3,bytes,opt) +} + +// Adapts a Secret into a volume. +// +// The contents of the target Secret's Data field will be presented in a volume +// as files using the keys in the Data field as the file names. +// Secret volumes support ownership management and SELinux relabeling. +#SecretVolumeSource: { + // secretName is the name of the secret in the pod's namespace to use. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + // +optional + secretName?: string @go(SecretName) @protobuf(1,bytes,opt) + + // items If unspecified, each key-value pair in the Data field of the referenced + // Secret will be projected into the volume as a file whose name is the + // key and content is the value. If specified, the listed keys will be + // projected into the specified paths, and unlisted keys will not be + // present. If a key is specified which is not present in the Secret, + // the volume setup will error unless it is marked optional. Paths must be + // relative and may not contain the '..' path or start with '..'. + // +optional + items?: [...#KeyToPath] @go(Items,[]KeyToPath) @protobuf(2,bytes,rep) + + // defaultMode is Optional: mode bits used to set permissions on created files by default. + // Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires decimal values + // for mode bits. Defaults to 0644. + // Directories within the path are not affected by this setting. + // This might be in conflict with other options that affect the file + // mode, like fsGroup, and the result can be other mode bits set. 
+ // +optional + defaultMode?: null | int32 @go(DefaultMode,*int32) @protobuf(3,bytes,opt) + + // optional field specify whether the Secret or its keys must be defined + // +optional + optional?: null | bool @go(Optional,*bool) @protobuf(4,varint,opt) +} + +#SecretVolumeSourceDefaultMode: int32 & 0o644 + +// Adapts a secret into a projected volume. +// +// The contents of the target Secret's Data field will be presented in a +// projected volume as files using the keys in the Data field as the file names. +// Note that this is identical to a secret volume source without the default +// mode. +#SecretProjection: { + #LocalObjectReference + + // items if unspecified, each key-value pair in the Data field of the referenced + // Secret will be projected into the volume as a file whose name is the + // key and content is the value. If specified, the listed keys will be + // projected into the specified paths, and unlisted keys will not be + // present. If a key is specified which is not present in the Secret, + // the volume setup will error unless it is marked optional. Paths must be + // relative and may not contain the '..' path or start with '..'. + // +optional + items?: [...#KeyToPath] @go(Items,[]KeyToPath) @protobuf(2,bytes,rep) + + // optional field specify whether the Secret or its key must be defined + // +optional + optional?: null | bool @go(Optional,*bool) @protobuf(4,varint,opt) +} + +// Represents an NFS mount that lasts the lifetime of a pod. +// NFS volumes do not support ownership management or SELinux relabeling. +#NFSVolumeSource: { + // server is the hostname or IP address of the NFS server. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + server: string @go(Server) @protobuf(1,bytes,opt) + + // path that is exported by the NFS server. 
+ // More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + path: string @go(Path) @protobuf(2,bytes,opt) + + // readOnly here will force the NFS export to be mounted with read-only permissions. + // Defaults to false. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) +} + +// Represents an ISCSI disk. +// ISCSI volumes can only be mounted as read/write once. +// ISCSI volumes support ownership management and SELinux relabeling. +#ISCSIVolumeSource: { + // targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port + // is other than default (typically TCP ports 860 and 3260). + targetPortal: string @go(TargetPortal) @protobuf(1,bytes,opt) + + // iqn is the target iSCSI Qualified Name. + iqn: string @go(IQN) @protobuf(2,bytes,opt) + + // lun represents iSCSI Target Lun number. + lun: int32 @go(Lun) @protobuf(3,varint,opt) + + // iscsiInterface is the interface Name that uses an iSCSI transport. + // Defaults to 'default' (tcp). + // +optional + iscsiInterface?: string @go(ISCSIInterface) @protobuf(4,bytes,opt) + + // fsType is the filesystem type of the volume that you want to mount. + // Tip: Ensure that the filesystem type is supported by the host operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + // TODO: how do we prevent errors in the filesystem from compromising the machine + // +optional + fsType?: string @go(FSType) @protobuf(5,bytes,opt) + + // readOnly here will force the ReadOnly setting in VolumeMounts. + // Defaults to false. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(6,varint,opt) + + // portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port + // is other than default (typically TCP ports 860 and 3260). 
+ // +optional + portals?: [...string] @go(Portals,[]string) @protobuf(7,bytes,opt) + + // chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication + // +optional + chapAuthDiscovery?: bool @go(DiscoveryCHAPAuth) @protobuf(8,varint,opt) + + // chapAuthSession defines whether support iSCSI Session CHAP authentication + // +optional + chapAuthSession?: bool @go(SessionCHAPAuth) @protobuf(11,varint,opt) + + // secretRef is the CHAP Secret for iSCSI target and initiator authentication + // +optional + secretRef?: null | #LocalObjectReference @go(SecretRef,*LocalObjectReference) @protobuf(10,bytes,opt) + + // initiatorName is the custom iSCSI Initiator Name. + // If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface + // : will be created for the connection. + // +optional + initiatorName?: null | string @go(InitiatorName,*string) @protobuf(12,bytes,opt) +} + +// ISCSIPersistentVolumeSource represents an ISCSI disk. +// ISCSI volumes can only be mounted as read/write once. +// ISCSI volumes support ownership management and SELinux relabeling. +#ISCSIPersistentVolumeSource: { + // targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port + // is other than default (typically TCP ports 860 and 3260). + targetPortal: string @go(TargetPortal) @protobuf(1,bytes,opt) + + // iqn is Target iSCSI Qualified Name. + iqn: string @go(IQN) @protobuf(2,bytes,opt) + + // lun is iSCSI Target Lun number. + lun: int32 @go(Lun) @protobuf(3,varint,opt) + + // iscsiInterface is the interface Name that uses an iSCSI transport. + // Defaults to 'default' (tcp). + // +optional + iscsiInterface?: string @go(ISCSIInterface) @protobuf(4,bytes,opt) + + // fsType is the filesystem type of the volume that you want to mount. + // Tip: Ensure that the filesystem type is supported by the host operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
+ // More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + // TODO: how do we prevent errors in the filesystem from compromising the machine + // +optional + fsType?: string @go(FSType) @protobuf(5,bytes,opt) + + // readOnly here will force the ReadOnly setting in VolumeMounts. + // Defaults to false. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(6,varint,opt) + + // portals is the iSCSI Target Portal List. The Portal is either an IP or ip_addr:port if the port + // is other than default (typically TCP ports 860 and 3260). + // +optional + portals?: [...string] @go(Portals,[]string) @protobuf(7,bytes,opt) + + // chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication + // +optional + chapAuthDiscovery?: bool @go(DiscoveryCHAPAuth) @protobuf(8,varint,opt) + + // chapAuthSession defines whether support iSCSI Session CHAP authentication + // +optional + chapAuthSession?: bool @go(SessionCHAPAuth) @protobuf(11,varint,opt) + + // secretRef is the CHAP Secret for iSCSI target and initiator authentication + // +optional + secretRef?: null | #SecretReference @go(SecretRef,*SecretReference) @protobuf(10,bytes,opt) + + // initiatorName is the custom iSCSI Initiator Name. + // If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface + // : will be created for the connection. + // +optional + initiatorName?: null | string @go(InitiatorName,*string) @protobuf(12,bytes,opt) +} + +// Represents a Fibre Channel volume. +// Fibre Channel volumes can only be mounted as read/write once. +// Fibre Channel volumes support ownership management and SELinux relabeling. +#FCVolumeSource: { + // targetWWNs is Optional: FC target worldwide names (WWNs) + // +optional + targetWWNs?: [...string] @go(TargetWWNs,[]string) @protobuf(1,bytes,rep) + + // lun is Optional: FC target lun number + // +optional + lun?: null | int32 @go(Lun,*int32) @protobuf(2,varint,opt) + + // fsType is the filesystem type to mount. 
+ // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // TODO: how do we prevent errors in the filesystem from compromising the machine + // +optional + fsType?: string @go(FSType) @protobuf(3,bytes,opt) + + // readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(4,varint,opt) + + // wwids Optional: FC volume world wide identifiers (wwids) + // Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. + // +optional + wwids?: [...string] @go(WWIDs,[]string) @protobuf(5,bytes,rep) +} + +// AzureFile represents an Azure File Service mount on the host and bind mount to the pod. +#AzureFileVolumeSource: { + // secretName is the name of secret that contains Azure Storage Account Name and Key + secretName: string @go(SecretName) @protobuf(1,bytes,opt) + + // shareName is the azure share Name + shareName: string @go(ShareName) @protobuf(2,bytes,opt) + + // readOnly defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) +} + +// AzureFile represents an Azure File Service mount on the host and bind mount to the pod. +#AzureFilePersistentVolumeSource: { + // secretName is the name of secret that contains Azure Storage Account Name and Key + secretName: string @go(SecretName) @protobuf(1,bytes,opt) + + // shareName is the azure Share Name + shareName: string @go(ShareName) @protobuf(2,bytes,opt) + + // readOnly defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. 
+ // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) + + // secretNamespace is the namespace of the secret that contains Azure Storage Account Name and Key + // default is the same as the Pod + // +optional + secretNamespace?: null | string @go(SecretNamespace,*string) @protobuf(4,bytes,opt) +} + +// Represents a vSphere volume resource. +#VsphereVirtualDiskVolumeSource: { + // volumePath is the path that identifies vSphere volume vmdk + volumePath: string @go(VolumePath) @protobuf(1,bytes,opt) + + // fsType is filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // +optional + fsType?: string @go(FSType) @protobuf(2,bytes,opt) + + // storagePolicyName is the storage Policy Based Management (SPBM) profile name. + // +optional + storagePolicyName?: string @go(StoragePolicyName) @protobuf(3,bytes,opt) + + // storagePolicyID is the storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName. + // +optional + storagePolicyID?: string @go(StoragePolicyID) @protobuf(4,bytes,opt) +} + +// Represents a Photon Controller persistent disk resource. +#PhotonPersistentDiskVolumeSource: { + // pdID is the ID that identifies Photon Controller persistent disk + pdID: string @go(PdID) @protobuf(1,bytes,opt) + + // fsType is the filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
+ fsType?: string @go(FSType) @protobuf(2,bytes,opt) +} + +// +enum +#AzureDataDiskCachingMode: string // #enumAzureDataDiskCachingMode + +#enumAzureDataDiskCachingMode: + #AzureDataDiskCachingNone | + #AzureDataDiskCachingReadOnly | + #AzureDataDiskCachingReadWrite + +// +enum +#AzureDataDiskKind: string // #enumAzureDataDiskKind + +#enumAzureDataDiskKind: + #AzureSharedBlobDisk | + #AzureDedicatedBlobDisk | + #AzureManagedDisk + +#AzureDataDiskCachingNone: #AzureDataDiskCachingMode & "None" +#AzureDataDiskCachingReadOnly: #AzureDataDiskCachingMode & "ReadOnly" +#AzureDataDiskCachingReadWrite: #AzureDataDiskCachingMode & "ReadWrite" +#AzureSharedBlobDisk: #AzureDataDiskKind & "Shared" +#AzureDedicatedBlobDisk: #AzureDataDiskKind & "Dedicated" +#AzureManagedDisk: #AzureDataDiskKind & "Managed" + +// AzureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. +#AzureDiskVolumeSource: { + // diskName is the Name of the data disk in the blob storage + diskName: string @go(DiskName) @protobuf(1,bytes,opt) + + // diskURI is the URI of data disk in the blob storage + diskURI: string @go(DataDiskURI) @protobuf(2,bytes,opt) + + // cachingMode is the Host Caching mode: None, Read Only, Read Write. + // +optional + cachingMode?: null | #AzureDataDiskCachingMode @go(CachingMode,*AzureDataDiskCachingMode) @protobuf(3,bytes,opt,casttype=AzureDataDiskCachingMode) + + // fsType is Filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // +optional + fsType?: null | string @go(FSType,*string) @protobuf(4,bytes,opt) + + // readOnly Defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. 
+ // +optional + readOnly?: null | bool @go(ReadOnly,*bool) @protobuf(5,varint,opt) + + // kind expected values are Shared: multiple blob disks per storage account Dedicated: single blob disk per storage account Managed: azure managed data disk (only in managed availability set). defaults to shared + kind?: null | #AzureDataDiskKind @go(Kind,*AzureDataDiskKind) @protobuf(6,bytes,opt,casttype=AzureDataDiskKind) +} + +// PortworxVolumeSource represents a Portworx volume resource. +#PortworxVolumeSource: { + // volumeID uniquely identifies a Portworx volume + volumeID: string @go(VolumeID) @protobuf(1,bytes,opt) + + // fSType represents the filesystem type to mount + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. + fsType?: string @go(FSType) @protobuf(2,bytes,opt) + + // readOnly defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) +} + +// ScaleIOVolumeSource represents a persistent ScaleIO volume +#ScaleIOVolumeSource: { + // gateway is the host address of the ScaleIO API Gateway. + gateway: string @go(Gateway) @protobuf(1,bytes,opt) + + // system is the name of the storage system as configured in ScaleIO. + system: string @go(System) @protobuf(2,bytes,opt) + + // secretRef references to the secret for ScaleIO user and other + // sensitive information. If this is not provided, Login operation will fail. + secretRef?: null | #LocalObjectReference @go(SecretRef,*LocalObjectReference) @protobuf(3,bytes,opt) + + // sslEnabled Flag enable/disable SSL communication with Gateway, default false + // +optional + sslEnabled?: bool @go(SSLEnabled) @protobuf(4,varint,opt) + + // protectionDomain is the name of the ScaleIO Protection Domain for the configured storage. 
+ // +optional + protectionDomain?: string @go(ProtectionDomain) @protobuf(5,bytes,opt) + + // storagePool is the ScaleIO Storage Pool associated with the protection domain. + // +optional + storagePool?: string @go(StoragePool) @protobuf(6,bytes,opt) + + // storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. + // Default is ThinProvisioned. + // +optional + storageMode?: string @go(StorageMode) @protobuf(7,bytes,opt) + + // volumeName is the name of a volume already created in the ScaleIO system + // that is associated with this volume source. + volumeName?: string @go(VolumeName) @protobuf(8,bytes,opt) + + // fsType is the filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". + // Default is "xfs". + // +optional + fsType?: string @go(FSType) @protobuf(9,bytes,opt) + + // readOnly Defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(10,varint,opt) +} + +// ScaleIOPersistentVolumeSource represents a persistent ScaleIO volume +#ScaleIOPersistentVolumeSource: { + // gateway is the host address of the ScaleIO API Gateway. + gateway: string @go(Gateway) @protobuf(1,bytes,opt) + + // system is the name of the storage system as configured in ScaleIO. + system: string @go(System) @protobuf(2,bytes,opt) + + // secretRef references to the secret for ScaleIO user and other + // sensitive information. If this is not provided, Login operation will fail. + secretRef?: null | #SecretReference @go(SecretRef,*SecretReference) @protobuf(3,bytes,opt) + + // sslEnabled is the flag to enable/disable SSL communication with Gateway, default false + // +optional + sslEnabled?: bool @go(SSLEnabled) @protobuf(4,varint,opt) + + // protectionDomain is the name of the ScaleIO Protection Domain for the configured storage. 
+ // +optional + protectionDomain?: string @go(ProtectionDomain) @protobuf(5,bytes,opt) + + // storagePool is the ScaleIO Storage Pool associated with the protection domain. + // +optional + storagePool?: string @go(StoragePool) @protobuf(6,bytes,opt) + + // storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. + // Default is ThinProvisioned. + // +optional + storageMode?: string @go(StorageMode) @protobuf(7,bytes,opt) + + // volumeName is the name of a volume already created in the ScaleIO system + // that is associated with this volume source. + volumeName?: string @go(VolumeName) @protobuf(8,bytes,opt) + + // fsType is the filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". + // Default is "xfs" + // +optional + fsType?: string @go(FSType) @protobuf(9,bytes,opt) + + // readOnly defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(10,varint,opt) +} + +// Represents a StorageOS persistent volume resource. +#StorageOSVolumeSource: { + // volumeName is the human-readable name of the StorageOS volume. Volume + // names are only unique within a namespace. + volumeName?: string @go(VolumeName) @protobuf(1,bytes,opt) + + // volumeNamespace specifies the scope of the volume within StorageOS. If no + // namespace is specified then the Pod's namespace will be used. This allows the + // Kubernetes name scoping to be mirrored within StorageOS for tighter integration. + // Set VolumeName to any name to override the default behaviour. + // Set to "default" if you are not using namespaces within StorageOS. + // Namespaces that do not pre-exist within StorageOS will be created. + // +optional + volumeNamespace?: string @go(VolumeNamespace) @protobuf(2,bytes,opt) + + // fsType is the filesystem type to mount. 
+ // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // +optional + fsType?: string @go(FSType) @protobuf(3,bytes,opt) + + // readOnly defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(4,varint,opt) + + // secretRef specifies the secret to use for obtaining the StorageOS API + // credentials. If not specified, default values will be attempted. + // +optional + secretRef?: null | #LocalObjectReference @go(SecretRef,*LocalObjectReference) @protobuf(5,bytes,opt) +} + +// Represents a StorageOS persistent volume resource. +#StorageOSPersistentVolumeSource: { + // volumeName is the human-readable name of the StorageOS volume. Volume + // names are only unique within a namespace. + volumeName?: string @go(VolumeName) @protobuf(1,bytes,opt) + + // volumeNamespace specifies the scope of the volume within StorageOS. If no + // namespace is specified then the Pod's namespace will be used. This allows the + // Kubernetes name scoping to be mirrored within StorageOS for tighter integration. + // Set VolumeName to any name to override the default behaviour. + // Set to "default" if you are not using namespaces within StorageOS. + // Namespaces that do not pre-exist within StorageOS will be created. + // +optional + volumeNamespace?: string @go(VolumeNamespace) @protobuf(2,bytes,opt) + + // fsType is the filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // +optional + fsType?: string @go(FSType) @protobuf(3,bytes,opt) + + // readOnly defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. 
+ // +optional + readOnly?: bool @go(ReadOnly) @protobuf(4,varint,opt) + + // secretRef specifies the secret to use for obtaining the StorageOS API + // credentials. If not specified, default values will be attempted. + // +optional + secretRef?: null | #ObjectReference @go(SecretRef,*ObjectReference) @protobuf(5,bytes,opt) +} + +// Adapts a ConfigMap into a volume. +// +// The contents of the target ConfigMap's Data field will be presented in a +// volume as files using the keys in the Data field as the file names, unless +// the items element is populated with specific mappings of keys to paths. +// ConfigMap volumes support ownership management and SELinux relabeling. +#ConfigMapVolumeSource: { + #LocalObjectReference + + // items if unspecified, each key-value pair in the Data field of the referenced + // ConfigMap will be projected into the volume as a file whose name is the + // key and content is the value. If specified, the listed keys will be + // projected into the specified paths, and unlisted keys will not be + // present. If a key is specified which is not present in the ConfigMap, + // the volume setup will error unless it is marked optional. Paths must be + // relative and may not contain the '..' path or start with '..'. + // +optional + items?: [...#KeyToPath] @go(Items,[]KeyToPath) @protobuf(2,bytes,rep) + + // defaultMode is optional: mode bits used to set permissions on created files by default. + // Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + // Defaults to 0644. + // Directories within the path are not affected by this setting. + // This might be in conflict with other options that affect the file + // mode, like fsGroup, and the result can be other mode bits set. 
+ // +optional + defaultMode?: null | int32 @go(DefaultMode,*int32) @protobuf(3,varint,opt) + + // optional specify whether the ConfigMap or its keys must be defined + // +optional + optional?: null | bool @go(Optional,*bool) @protobuf(4,varint,opt) +} + +#ConfigMapVolumeSourceDefaultMode: int32 & 0o644 + +// Adapts a ConfigMap into a projected volume. +// +// The contents of the target ConfigMap's Data field will be presented in a +// projected volume as files using the keys in the Data field as the file names, +// unless the items element is populated with specific mappings of keys to paths. +// Note that this is identical to a configmap volume source without the default +// mode. +#ConfigMapProjection: { + #LocalObjectReference + + // items if unspecified, each key-value pair in the Data field of the referenced + // ConfigMap will be projected into the volume as a file whose name is the + // key and content is the value. If specified, the listed keys will be + // projected into the specified paths, and unlisted keys will not be + // present. If a key is specified which is not present in the ConfigMap, + // the volume setup will error unless it is marked optional. Paths must be + // relative and may not contain the '..' path or start with '..'. + // +optional + items?: [...#KeyToPath] @go(Items,[]KeyToPath) @protobuf(2,bytes,rep) + + // optional specify whether the ConfigMap or its keys must be defined + // +optional + optional?: null | bool @go(Optional,*bool) @protobuf(4,varint,opt) +} + +// ServiceAccountTokenProjection represents a projected service account token +// volume. This projection can be used to insert a service account token into +// the pods runtime filesystem for use against APIs (Kubernetes API Server or +// otherwise). +#ServiceAccountTokenProjection: { + // audience is the intended audience of the token. 
A recipient of a token + // must identify itself with an identifier specified in the audience of the + // token, and otherwise should reject the token. The audience defaults to the + // identifier of the apiserver. + // +optional + audience?: string @go(Audience) @protobuf(1,bytes,rep) + + // expirationSeconds is the requested duration of validity of the service + // account token. As the token approaches expiration, the kubelet volume + // plugin will proactively rotate the service account token. The kubelet will + // start trying to rotate the token if the token is older than 80 percent of + // its time to live or if the token is older than 24 hours.Defaults to 1 hour + // and must be at least 10 minutes. + // +optional + expirationSeconds?: null | int64 @go(ExpirationSeconds,*int64) @protobuf(2,varint,opt) + + // path is the path relative to the mount point of the file to project the + // token into. + path: string @go(Path) @protobuf(3,bytes,opt) +} + +// Represents a projected volume source +#ProjectedVolumeSource: { + // sources is the list of volume projections + // +optional + sources: [...#VolumeProjection] @go(Sources,[]VolumeProjection) @protobuf(1,bytes,rep) + + // defaultMode are the mode bits used to set permissions on created files by default. + // Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + // Directories within the path are not affected by this setting. + // This might be in conflict with other options that affect the file + // mode, like fsGroup, and the result can be other mode bits set. 
+ // +optional + defaultMode?: null | int32 @go(DefaultMode,*int32) @protobuf(2,varint,opt) +} + +// Projection that may be projected along with other supported volume types +#VolumeProjection: { + // secret information about the secret data to project + // +optional + secret?: null | #SecretProjection @go(Secret,*SecretProjection) @protobuf(1,bytes,opt) + + // downwardAPI information about the downwardAPI data to project + // +optional + downwardAPI?: null | #DownwardAPIProjection @go(DownwardAPI,*DownwardAPIProjection) @protobuf(2,bytes,opt) + + // configMap information about the configMap data to project + // +optional + configMap?: null | #ConfigMapProjection @go(ConfigMap,*ConfigMapProjection) @protobuf(3,bytes,opt) + + // serviceAccountToken is information about the serviceAccountToken data to project + // +optional + serviceAccountToken?: null | #ServiceAccountTokenProjection @go(ServiceAccountToken,*ServiceAccountTokenProjection) @protobuf(4,bytes,opt) +} + +#ProjectedVolumeSourceDefaultMode: int32 & 0o644 + +// Maps a string key to a path within a volume. +#KeyToPath: { + // key is the key to project. + key: string @go(Key) @protobuf(1,bytes,opt) + + // path is the relative path of the file to map the key to. + // May not be an absolute path. + // May not contain the path element '..'. + // May not start with the string '..'. + path: string @go(Path) @protobuf(2,bytes,opt) + + // mode is Optional: mode bits used to set permissions on this file. + // Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + // If not specified, the volume defaultMode will be used. + // This might be in conflict with other options that affect the file + // mode, like fsGroup, and the result can be other mode bits set. 
+ // +optional + mode?: null | int32 @go(Mode,*int32) @protobuf(3,varint,opt) +} + +// Local represents directly-attached storage with node affinity (Beta feature) +#LocalVolumeSource: { + // path of the full path to the volume on the node. + // It can be either a directory or block device (disk, partition, ...). + path: string @go(Path) @protobuf(1,bytes,opt) + + // fsType is the filesystem type to mount. + // It applies only when the Path is a block device. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". The default value is to auto-select a filesystem if unspecified. + // +optional + fsType?: null | string @go(FSType,*string) @protobuf(2,bytes,opt) +} + +// Represents storage that is managed by an external CSI volume driver (Beta feature) +#CSIPersistentVolumeSource: { + // driver is the name of the driver to use for this volume. + // Required. + driver: string @go(Driver) @protobuf(1,bytes,opt) + + // volumeHandle is the unique volume name returned by the CSI volume + // plugin’s CreateVolume to refer to the volume on all subsequent calls. + // Required. + volumeHandle: string @go(VolumeHandle) @protobuf(2,bytes,opt) + + // readOnly value to pass to ControllerPublishVolumeRequest. + // Defaults to false (read/write). + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) + + // fsType to mount. Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". + // +optional + fsType?: string @go(FSType) @protobuf(4,bytes,opt) + + // volumeAttributes of the volume to publish. + // +optional + volumeAttributes?: {[string]: string} @go(VolumeAttributes,map[string]string) @protobuf(5,bytes,rep) + + // controllerPublishSecretRef is a reference to the secret object containing + // sensitive information to pass to the CSI driver to complete the CSI + // ControllerPublishVolume and ControllerUnpublishVolume calls. 
+ // This field is optional, and may be empty if no secret is required. If the + // secret object contains more than one secret, all secrets are passed. + // +optional + controllerPublishSecretRef?: null | #SecretReference @go(ControllerPublishSecretRef,*SecretReference) @protobuf(6,bytes,opt) + + // nodeStageSecretRef is a reference to the secret object containing sensitive + // information to pass to the CSI driver to complete the CSI NodeStageVolume + // and NodeStageVolume and NodeUnstageVolume calls. + // This field is optional, and may be empty if no secret is required. If the + // secret object contains more than one secret, all secrets are passed. + // +optional + nodeStageSecretRef?: null | #SecretReference @go(NodeStageSecretRef,*SecretReference) @protobuf(7,bytes,opt) + + // nodePublishSecretRef is a reference to the secret object containing + // sensitive information to pass to the CSI driver to complete the CSI + // NodePublishVolume and NodeUnpublishVolume calls. + // This field is optional, and may be empty if no secret is required. If the + // secret object contains more than one secret, all secrets are passed. + // +optional + nodePublishSecretRef?: null | #SecretReference @go(NodePublishSecretRef,*SecretReference) @protobuf(8,bytes,opt) + + // controllerExpandSecretRef is a reference to the secret object containing + // sensitive information to pass to the CSI driver to complete the CSI + // ControllerExpandVolume call. + // This field is optional, and may be empty if no secret is required. If the + // secret object contains more than one secret, all secrets are passed. + // +optional + controllerExpandSecretRef?: null | #SecretReference @go(ControllerExpandSecretRef,*SecretReference) @protobuf(9,bytes,opt) + + // nodeExpandSecretRef is a reference to the secret object containing + // sensitive information to pass to the CSI driver to complete the CSI + // NodeExpandVolume call. 
+ // This is a beta field which is enabled default by CSINodeExpandSecret feature gate. + // This field is optional, may be omitted if no secret is required. If the + // secret object contains more than one secret, all secrets are passed. + // +featureGate=CSINodeExpandSecret + // +optional + nodeExpandSecretRef?: null | #SecretReference @go(NodeExpandSecretRef,*SecretReference) @protobuf(10,bytes,opt) +} + +// Represents a source location of a volume to mount, managed by an external CSI driver +#CSIVolumeSource: { + // driver is the name of the CSI driver that handles this volume. + // Consult with your admin for the correct name as registered in the cluster. + driver: string @go(Driver) @protobuf(1,bytes,opt) + + // readOnly specifies a read-only configuration for the volume. + // Defaults to false (read/write). + // +optional + readOnly?: null | bool @go(ReadOnly,*bool) @protobuf(2,varint,opt) + + // fsType to mount. Ex. "ext4", "xfs", "ntfs". + // If not provided, the empty value is passed to the associated CSI driver + // which will determine the default filesystem to apply. + // +optional + fsType?: null | string @go(FSType,*string) @protobuf(3,bytes,opt) + + // volumeAttributes stores driver-specific properties that are passed to the CSI + // driver. Consult your driver's documentation for supported values. + // +optional + volumeAttributes?: {[string]: string} @go(VolumeAttributes,map[string]string) @protobuf(4,bytes,rep) + + // nodePublishSecretRef is a reference to the secret object containing + // sensitive information to pass to the CSI driver to complete the CSI + // NodePublishVolume and NodeUnpublishVolume calls. + // This field is optional, and may be empty if no secret is required. If the + // secret object contains more than one secret, all secret references are passed. 
+ // +optional + nodePublishSecretRef?: null | #LocalObjectReference @go(NodePublishSecretRef,*LocalObjectReference) @protobuf(5,bytes,opt) +} + +// Represents an ephemeral volume that is handled by a normal storage driver. +#EphemeralVolumeSource: { + // Will be used to create a stand-alone PVC to provision the volume. + // The pod in which this EphemeralVolumeSource is embedded will be the + // owner of the PVC, i.e. the PVC will be deleted together with the + // pod. The name of the PVC will be `-` where + // `` is the name from the `PodSpec.Volumes` array + // entry. Pod validation will reject the pod if the concatenated name + // is not valid for a PVC (for example, too long). + // + // An existing PVC with that name that is not owned by the pod + // will *not* be used for the pod to avoid using an unrelated + // volume by mistake. Starting the pod is then blocked until + // the unrelated PVC is removed. If such a pre-created PVC is + // meant to be used by the pod, the PVC has to updated with an + // owner reference to the pod once the pod exists. Normally + // this should not be necessary, but it may be useful when + // manually reconstructing a broken cluster. + // + // This field is read-only and no changes will be made by Kubernetes + // to the PVC after it has been created. + // + // Required, must not be nil. + volumeClaimTemplate?: null | #PersistentVolumeClaimTemplate @go(VolumeClaimTemplate,*PersistentVolumeClaimTemplate) @protobuf(1,bytes,opt) +} + +// PersistentVolumeClaimTemplate is used to produce +// PersistentVolumeClaim objects as part of an EphemeralVolumeSource. +#PersistentVolumeClaimTemplate: { + // May contain labels and annotations that will be copied into the PVC + // when creating it. No other fields are allowed and will be rejected during + // validation. + // + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // The specification for the PersistentVolumeClaim. 
The entire content is + // copied unchanged into the PVC that gets created from this + // template. The same fields as in a PersistentVolumeClaim + // are also valid here. + spec: #PersistentVolumeClaimSpec @go(Spec) @protobuf(2,bytes) +} + +// ContainerPort represents a network port in a single container. +#ContainerPort: { + // If specified, this must be an IANA_SVC_NAME and unique within the pod. Each + // named port in a pod must have a unique name. Name for the port that can be + // referred to by services. + // +optional + name?: string @go(Name) @protobuf(1,bytes,opt) + + // Number of port to expose on the host. + // If specified, this must be a valid port number, 0 < x < 65536. + // If HostNetwork is specified, this must match ContainerPort. + // Most containers do not need this. + // +optional + hostPort?: int32 @go(HostPort) @protobuf(2,varint,opt) + + // Number of port to expose on the pod's IP address. + // This must be a valid port number, 0 < x < 65536. + containerPort: int32 @go(ContainerPort) @protobuf(3,varint,opt) + + // Protocol for port. Must be UDP, TCP, or SCTP. + // Defaults to "TCP". + // +optional + // +default="TCP" + protocol?: #Protocol @go(Protocol) @protobuf(4,bytes,opt,casttype=Protocol) + + // What host IP to bind the external port to. + // +optional + hostIP?: string @go(HostIP) @protobuf(5,bytes,opt) +} + +// VolumeMount describes a mounting of a Volume within a container. +#VolumeMount: { + // This must match the Name of a Volume. + name: string @go(Name) @protobuf(1,bytes,opt) + + // Mounted read-only if true, read-write otherwise (false or unspecified). + // Defaults to false. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(2,varint,opt) + + // Path within the container at which the volume should be mounted. Must + // not contain ':'. + mountPath: string @go(MountPath) @protobuf(3,bytes,opt) + + // Path within the volume from which the container's volume should be mounted. + // Defaults to "" (volume's root). 
+ // +optional + subPath?: string @go(SubPath) @protobuf(4,bytes,opt) + + // mountPropagation determines how mounts are propagated from the host + // to container and the other way around. + // When not set, MountPropagationNone is used. + // This field is beta in 1.10. + // +optional + mountPropagation?: null | #MountPropagationMode @go(MountPropagation,*MountPropagationMode) @protobuf(5,bytes,opt,casttype=MountPropagationMode) + + // Expanded path within the volume from which the container's volume should be mounted. + // Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + // Defaults to "" (volume's root). + // SubPathExpr and SubPath are mutually exclusive. + // +optional + subPathExpr?: string @go(SubPathExpr) @protobuf(6,bytes,opt) +} + +// MountPropagationMode describes mount propagation. +// +enum +#MountPropagationMode: string // #enumMountPropagationMode + +#enumMountPropagationMode: + #MountPropagationNone | + #MountPropagationHostToContainer | + #MountPropagationBidirectional + +// MountPropagationNone means that the volume in a container will +// not receive new mounts from the host or other containers, and filesystems +// mounted inside the container won't be propagated to the host or other +// containers. +// Note that this mode corresponds to "private" in Linux terminology. +#MountPropagationNone: #MountPropagationMode & "None" + +// MountPropagationHostToContainer means that the volume in a container will +// receive new mounts from the host or other containers, but filesystems +// mounted inside the container won't be propagated to the host or other +// containers. +// Note that this mode is recursively applied to all mounts in the volume +// ("rslave" in Linux terminology). 
+#MountPropagationHostToContainer: #MountPropagationMode & "HostToContainer" + +// MountPropagationBidirectional means that the volume in a container will +// receive new mounts from the host or other containers, and its own mounts +// will be propagated from the container to the host or other containers. +// Note that this mode is recursively applied to all mounts in the volume +// ("rshared" in Linux terminology). +#MountPropagationBidirectional: #MountPropagationMode & "Bidirectional" + +// volumeDevice describes a mapping of a raw block device within a container. +#VolumeDevice: { + // name must match the name of a persistentVolumeClaim in the pod + name: string @go(Name) @protobuf(1,bytes,opt) + + // devicePath is the path inside of the container that the device will be mapped to. + devicePath: string @go(DevicePath) @protobuf(2,bytes,opt) +} + +// EnvVar represents an environment variable present in a Container. +#EnvVar: { + // Name of the environment variable. Must be a C_IDENTIFIER. + name: string @go(Name) @protobuf(1,bytes,opt) + + // Variable references $(VAR_NAME) are expanded + // using the previously defined environment variables in the container and + // any service environment variables. If a variable cannot be resolved, + // the reference in the input string will be unchanged. Double $$ are reduced + // to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + // "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + // Escaped references will never be expanded, regardless of whether the variable + // exists or not. + // Defaults to "". + // +optional + value?: string @go(Value) @protobuf(2,bytes,opt) + + // Source for the environment variable's value. Cannot be used if value is not empty. + // +optional + valueFrom?: null | #EnvVarSource @go(ValueFrom,*EnvVarSource) @protobuf(3,bytes,opt) +} + +// EnvVarSource represents a source for the value of an EnvVar. 
+#EnvVarSource: { + // Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + // spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + // +optional + fieldRef?: null | #ObjectFieldSelector @go(FieldRef,*ObjectFieldSelector) @protobuf(1,bytes,opt) + + // Selects a resource of the container: only resources limits and requests + // (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + // +optional + resourceFieldRef?: null | #ResourceFieldSelector @go(ResourceFieldRef,*ResourceFieldSelector) @protobuf(2,bytes,opt) + + // Selects a key of a ConfigMap. + // +optional + configMapKeyRef?: null | #ConfigMapKeySelector @go(ConfigMapKeyRef,*ConfigMapKeySelector) @protobuf(3,bytes,opt) + + // Selects a key of a secret in the pod's namespace + // +optional + secretKeyRef?: null | #SecretKeySelector @go(SecretKeyRef,*SecretKeySelector) @protobuf(4,bytes,opt) +} + +// ObjectFieldSelector selects an APIVersioned field of an object. +// +structType=atomic +#ObjectFieldSelector: { + // Version of the schema the FieldPath is written in terms of, defaults to "v1". + // +optional + apiVersion?: string @go(APIVersion) @protobuf(1,bytes,opt) + + // Path of the field to select in the specified API version. 
+ fieldPath: string @go(FieldPath) @protobuf(2,bytes,opt) +} + +// ResourceFieldSelector represents container resources (cpu, memory) and their output format +// +structType=atomic +#ResourceFieldSelector: { + // Container name: required for volumes, optional for env vars + // +optional + containerName?: string @go(ContainerName) @protobuf(1,bytes,opt) + + // Required: resource to select + "resource": string @go(Resource) @protobuf(2,bytes,opt) + + // Specifies the output format of the exposed resources, defaults to "1" + // +optional + divisor?: resource.#Quantity @go(Divisor) @protobuf(3,bytes,opt) +} + +// Selects a key from a ConfigMap. +// +structType=atomic +#ConfigMapKeySelector: { + #LocalObjectReference + + // The key to select. + key: string @go(Key) @protobuf(2,bytes,opt) + + // Specify whether the ConfigMap or its key must be defined + // +optional + optional?: null | bool @go(Optional,*bool) @protobuf(3,varint,opt) +} + +// SecretKeySelector selects a key of a Secret. +// +structType=atomic +#SecretKeySelector: { + #LocalObjectReference + + // The key of the secret to select from. Must be a valid secret key. + key: string @go(Key) @protobuf(2,bytes,opt) + + // Specify whether the Secret or its key must be defined + // +optional + optional?: null | bool @go(Optional,*bool) @protobuf(3,varint,opt) +} + +// EnvFromSource represents the source of a set of ConfigMaps +#EnvFromSource: { + // An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + // +optional + prefix?: string @go(Prefix) @protobuf(1,bytes,opt) + + // The ConfigMap to select from + // +optional + configMapRef?: null | #ConfigMapEnvSource @go(ConfigMapRef,*ConfigMapEnvSource) @protobuf(2,bytes,opt) + + // The Secret to select from + // +optional + secretRef?: null | #SecretEnvSource @go(SecretRef,*SecretEnvSource) @protobuf(3,bytes,opt) +} + +// ConfigMapEnvSource selects a ConfigMap to populate the environment +// variables with. 
+// +// The contents of the target ConfigMap's Data field will represent the +// key-value pairs as environment variables. +#ConfigMapEnvSource: { + #LocalObjectReference + + // Specify whether the ConfigMap must be defined + // +optional + optional?: null | bool @go(Optional,*bool) @protobuf(2,varint,opt) +} + +// SecretEnvSource selects a Secret to populate the environment +// variables with. +// +// The contents of the target Secret's Data field will represent the +// key-value pairs as environment variables. +#SecretEnvSource: { + #LocalObjectReference + + // Specify whether the Secret must be defined + // +optional + optional?: null | bool @go(Optional,*bool) @protobuf(2,varint,opt) +} + +// HTTPHeader describes a custom header to be used in HTTP probes +#HTTPHeader: { + // The header field name. + // This will be canonicalized upon output, so case-variant names will be understood as the same header. + name: string @go(Name) @protobuf(1,bytes,opt) + + // The header field value + value: string @go(Value) @protobuf(2,bytes,opt) +} + +// HTTPGetAction describes an action based on HTTP Get requests. +#HTTPGetAction: { + // Path to access on the HTTP server. + // +optional + path?: string @go(Path) @protobuf(1,bytes,opt) + + // Name or number of the port to access on the container. + // Number must be in the range 1 to 65535. + // Name must be an IANA_SVC_NAME. + port: intstr.#IntOrString @go(Port) @protobuf(2,bytes,opt) + + // Host name to connect to, defaults to the pod IP. You probably want to set + // "Host" in httpHeaders instead. + // +optional + host?: string @go(Host) @protobuf(3,bytes,opt) + + // Scheme to use for connecting to the host. + // Defaults to HTTP. + // +optional + scheme?: #URIScheme @go(Scheme) @protobuf(4,bytes,opt,casttype=URIScheme) + + // Custom headers to set in the request. HTTP allows repeated headers. 
+ // +optional + httpHeaders?: [...#HTTPHeader] @go(HTTPHeaders,[]HTTPHeader) @protobuf(5,bytes,rep) +} + +// URIScheme identifies the scheme used for connection to a host for Get actions +// +enum +#URIScheme: string // #enumURIScheme + +#enumURIScheme: + #URISchemeHTTP | + #URISchemeHTTPS + +// URISchemeHTTP means that the scheme used will be http:// +#URISchemeHTTP: #URIScheme & "HTTP" + +// URISchemeHTTPS means that the scheme used will be https:// +#URISchemeHTTPS: #URIScheme & "HTTPS" + +// TCPSocketAction describes an action based on opening a socket +#TCPSocketAction: { + // Number or name of the port to access on the container. + // Number must be in the range 1 to 65535. + // Name must be an IANA_SVC_NAME. + port: intstr.#IntOrString @go(Port) @protobuf(1,bytes,opt) + + // Optional: Host name to connect to, defaults to the pod IP. + // +optional + host?: string @go(Host) @protobuf(2,bytes,opt) +} + +#GRPCAction: { + // Port number of the gRPC service. Number must be in the range 1 to 65535. + port: int32 @go(Port) @protobuf(1,bytes,opt) + + // Service is the name of the service to place in the gRPC HealthCheckRequest + // (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + // + // If this is not specified, the default behavior is defined by gRPC. + // +optional + // +default="" + service?: null | string @go(Service,*string) @protobuf(2,bytes,opt) +} + +// ExecAction describes a "run in container" action. +#ExecAction: { + // Command is the command line to execute inside the container, the working directory for the + // command is root ('/') in the container's filesystem. The command is simply exec'd, it is + // not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + // a shell, you need to explicitly call out to that shell. + // Exit status of 0 is treated as live/healthy and non-zero is unhealthy. 
+ // +optional + command?: [...string] @go(Command,[]string) @protobuf(1,bytes,rep) +} + +// Probe describes a health check to be performed against a container to determine whether it is +// alive or ready to receive traffic. +#Probe: { + #ProbeHandler + + // Number of seconds after the container has started before liveness probes are initiated. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + // +optional + initialDelaySeconds?: int32 @go(InitialDelaySeconds) @protobuf(2,varint,opt) + + // Number of seconds after which the probe times out. + // Defaults to 1 second. Minimum value is 1. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + // +optional + timeoutSeconds?: int32 @go(TimeoutSeconds) @protobuf(3,varint,opt) + + // How often (in seconds) to perform the probe. + // Default to 10 seconds. Minimum value is 1. + // +optional + periodSeconds?: int32 @go(PeriodSeconds) @protobuf(4,varint,opt) + + // Minimum consecutive successes for the probe to be considered successful after having failed. + // Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + // +optional + successThreshold?: int32 @go(SuccessThreshold) @protobuf(5,varint,opt) + + // Minimum consecutive failures for the probe to be considered failed after having succeeded. + // Defaults to 3. Minimum value is 1. + // +optional + failureThreshold?: int32 @go(FailureThreshold) @protobuf(6,varint,opt) + + // Optional duration in seconds the pod needs to terminate gracefully upon probe failure. + // The grace period is the duration in seconds after the processes running in the pod are sent + // a termination signal and the time when the processes are forcibly halted with a kill signal. + // Set this value longer than the expected cleanup time for your process. + // If this value is nil, the pod's terminationGracePeriodSeconds will be used. 
Otherwise, this + // value overrides the value provided by the pod spec. + // Value must be non-negative integer. The value zero indicates stop immediately via + // the kill signal (no opportunity to shut down). + // This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. + // Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. + // +optional + terminationGracePeriodSeconds?: null | int64 @go(TerminationGracePeriodSeconds,*int64) @protobuf(7,varint,opt) +} + +// PullPolicy describes a policy for if/when to pull a container image +// +enum +#PullPolicy: string // #enumPullPolicy + +#enumPullPolicy: + #PullAlways | + #PullNever | + #PullIfNotPresent + +// PullAlways means that kubelet always attempts to pull the latest image. Container will fail If the pull fails. +#PullAlways: #PullPolicy & "Always" + +// PullNever means that kubelet never pulls an image, but only uses a local image. Container will fail if the image isn't present +#PullNever: #PullPolicy & "Never" + +// PullIfNotPresent means that kubelet pulls if the image isn't present on disk. Container will fail if the image isn't present and the pull fails. +#PullIfNotPresent: #PullPolicy & "IfNotPresent" + +// ResourceResizeRestartPolicy specifies how to handle container resource resize. +#ResourceResizeRestartPolicy: string // #enumResourceResizeRestartPolicy + +#enumResourceResizeRestartPolicy: + #NotRequired | + #RestartContainer + +// 'NotRequired' means Kubernetes will try to resize the container +// without restarting it, if possible. Kubernetes may however choose to +// restart the container if it is unable to actuate resize without a +// restart. For e.g. the runtime doesn't support restart-free resizing. +#NotRequired: #ResourceResizeRestartPolicy & "NotRequired" + +// 'RestartContainer' means Kubernetes will resize the container in-place +// by stopping and starting the container when new resources are applied. 
+// This is needed for legacy applications. For e.g. java apps using the +// -xmxN flag which are unable to use resized memory without restarting. +#RestartContainer: #ResourceResizeRestartPolicy & "RestartContainer" + +// ContainerResizePolicy represents resource resize policy for the container. +#ContainerResizePolicy: { + // Name of the resource to which this resource resize policy applies. + // Supported values: cpu, memory. + resourceName: #ResourceName @go(ResourceName) @protobuf(1,bytes,opt,casttype=ResourceName) + + // Restart policy to apply when specified resource is resized. + // If not specified, it defaults to NotRequired. + restartPolicy: #ResourceResizeRestartPolicy @go(RestartPolicy) @protobuf(2,bytes,opt,casttype=ResourceResizeRestartPolicy) +} + +// PreemptionPolicy describes a policy for if/when to preempt a pod. +// +enum +#PreemptionPolicy: string // #enumPreemptionPolicy + +#enumPreemptionPolicy: + #PreemptLowerPriority | + #PreemptNever + +// PreemptLowerPriority means that pod can preempt other pods with lower priority. +#PreemptLowerPriority: #PreemptionPolicy & "PreemptLowerPriority" + +// PreemptNever means that pod never preempts other pods with lower priority. +#PreemptNever: #PreemptionPolicy & "Never" + +// TerminationMessagePolicy describes how termination messages are retrieved from a container. +// +enum +#TerminationMessagePolicy: string // #enumTerminationMessagePolicy + +#enumTerminationMessagePolicy: + #TerminationMessageReadFile | + #TerminationMessageFallbackToLogsOnError + +// TerminationMessageReadFile is the default behavior and will set the container status message to +// the contents of the container's terminationMessagePath when the container exits. 
+#TerminationMessageReadFile: #TerminationMessagePolicy & "File" + +// TerminationMessageFallbackToLogsOnError will read the most recent contents of the container logs +// for the container status message when the container exits with an error and the +// terminationMessagePath has no contents. +#TerminationMessageFallbackToLogsOnError: #TerminationMessagePolicy & "FallbackToLogsOnError" + +// Capability represent POSIX capabilities type +#Capability: string + +// Adds and removes POSIX capabilities from running containers. +#Capabilities: { + // Added capabilities + // +optional + add?: [...#Capability] @go(Add,[]Capability) @protobuf(1,bytes,rep,casttype=Capability) + + // Removed capabilities + // +optional + drop?: [...#Capability] @go(Drop,[]Capability) @protobuf(2,bytes,rep,casttype=Capability) +} + +// ResourceRequirements describes the compute resource requirements. +#ResourceRequirements: { + // Limits describes the maximum amount of compute resources allowed. + // More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + // +optional + limits?: #ResourceList @go(Limits) @protobuf(1,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // Requests describes the minimum amount of compute resources required. + // If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + // otherwise to an implementation-defined value. Requests cannot exceed Limits. + // More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + // +optional + requests?: #ResourceList @go(Requests) @protobuf(2,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // Claims lists the names of resources, defined in spec.resourceClaims, + // that are used by this container. + // + // This is an alpha field and requires enabling the + // DynamicResourceAllocation feature gate. + // + // This field is immutable. It can only be set for containers. 
+ // + // +listType=map + // +listMapKey=name + // +featureGate=DynamicResourceAllocation + // +optional + claims?: [...#ResourceClaim] @go(Claims,[]ResourceClaim) @protobuf(3,bytes,opt) +} + +// ResourceClaim references one entry in PodSpec.ResourceClaims. +#ResourceClaim: { + // Name must match the name of one entry in pod.spec.resourceClaims of + // the Pod where this field is used. It makes that resource available + // inside a container. + name: string @go(Name) @protobuf(1,bytes,opt) +} + +// TerminationMessagePathDefault means the default path to capture the application termination message running in a container +#TerminationMessagePathDefault: "/dev/termination-log" + +// A single application container that you want to run within a pod. +#Container: { + // Name of the container specified as a DNS_LABEL. + // Each container in a pod must have a unique name (DNS_LABEL). + // Cannot be updated. + name: string @go(Name) @protobuf(1,bytes,opt) + + // Container image name. + // More info: https://kubernetes.io/docs/concepts/containers/images + // This field is optional to allow higher level config management to default or override + // container images in workload controllers like Deployments and StatefulSets. + // +optional + image?: string @go(Image) @protobuf(2,bytes,opt) + + // Entrypoint array. Not executed within a shell. + // The container image's ENTRYPOINT is used if this is not provided. + // Variable references $(VAR_NAME) are expanded using the container's environment. If a variable + // cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + // to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + // produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + // of whether the variable exists or not. Cannot be updated. 
+ // More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + // +optional + command?: [...string] @go(Command,[]string) @protobuf(3,bytes,rep) + + // Arguments to the entrypoint. + // The container image's CMD is used if this is not provided. + // Variable references $(VAR_NAME) are expanded using the container's environment. If a variable + // cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + // to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + // produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + // of whether the variable exists or not. Cannot be updated. + // More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + // +optional + args?: [...string] @go(Args,[]string) @protobuf(4,bytes,rep) + + // Container's working directory. + // If not specified, the container runtime's default will be used, which + // might be configured in the container image. + // Cannot be updated. + // +optional + workingDir?: string @go(WorkingDir) @protobuf(5,bytes,opt) + + // List of ports to expose from the container. Not specifying a port here + // DOES NOT prevent that port from being exposed. Any port which is + // listening on the default "0.0.0.0" address inside a container will be + // accessible from the network. + // Modifying this array with strategic merge patch may corrupt the data. + // For more information See https://github.com/kubernetes/kubernetes/issues/108255. + // Cannot be updated. 
+ // +optional + // +patchMergeKey=containerPort + // +patchStrategy=merge + // +listType=map + // +listMapKey=containerPort + // +listMapKey=protocol + ports?: [...#ContainerPort] @go(Ports,[]ContainerPort) @protobuf(6,bytes,rep) + + // List of sources to populate environment variables in the container. + // The keys defined within a source must be a C_IDENTIFIER. All invalid keys + // will be reported as an event when the container is starting. When a key exists in multiple + // sources, the value associated with the last source will take precedence. + // Values defined by an Env with a duplicate key will take precedence. + // Cannot be updated. + // +optional + envFrom?: [...#EnvFromSource] @go(EnvFrom,[]EnvFromSource) @protobuf(19,bytes,rep) + + // List of environment variables to set in the container. + // Cannot be updated. + // +optional + // +patchMergeKey=name + // +patchStrategy=merge + env?: [...#EnvVar] @go(Env,[]EnvVar) @protobuf(7,bytes,rep) + + // Compute Resources required by this container. + // Cannot be updated. + // More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + // +optional + resources?: #ResourceRequirements @go(Resources) @protobuf(8,bytes,opt) + + // Resources resize policy for the container. + // +featureGate=InPlacePodVerticalScaling + // +optional + // +listType=atomic + resizePolicy?: [...#ContainerResizePolicy] @go(ResizePolicy,[]ContainerResizePolicy) @protobuf(23,bytes,rep) + + // RestartPolicy defines the restart behavior of individual containers in a pod. + // This field may only be set for init containers, and the only allowed value is "Always". + // For non-init containers or when this field is not specified, + // the restart behavior is defined by the Pod's restart policy and the container type. 
+ // Setting the RestartPolicy as "Always" for the init container will have the following effect: + // this init container will be continually restarted on + // exit until all regular containers have terminated. Once all regular + // containers have completed, all init containers with restartPolicy "Always" + // will be shut down. This lifecycle differs from normal init containers and + // is often referred to as a "sidecar" container. Although this init + // container still starts in the init container sequence, it does not wait + // for the container to complete before proceeding to the next init + // container. Instead, the next init container starts immediately after this + // init container is started, or after any startupProbe has successfully + // completed. + // +featureGate=SidecarContainers + // +optional + restartPolicy?: null | #ContainerRestartPolicy @go(RestartPolicy,*ContainerRestartPolicy) @protobuf(24,bytes,opt,casttype=ContainerRestartPolicy) + + // Pod volumes to mount into the container's filesystem. + // Cannot be updated. + // +optional + // +patchMergeKey=mountPath + // +patchStrategy=merge + volumeMounts?: [...#VolumeMount] @go(VolumeMounts,[]VolumeMount) @protobuf(9,bytes,rep) + + // volumeDevices is the list of block devices to be used by the container. + // +patchMergeKey=devicePath + // +patchStrategy=merge + // +optional + volumeDevices?: [...#VolumeDevice] @go(VolumeDevices,[]VolumeDevice) @protobuf(21,bytes,rep) + + // Periodic probe of container liveness. + // Container will be restarted if the probe fails. + // Cannot be updated. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + // +optional + livenessProbe?: null | #Probe @go(LivenessProbe,*Probe) @protobuf(10,bytes,opt) + + // Periodic probe of container service readiness. + // Container will be removed from service endpoints if the probe fails. + // Cannot be updated. 
+ // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + // +optional + readinessProbe?: null | #Probe @go(ReadinessProbe,*Probe) @protobuf(11,bytes,opt) + + // StartupProbe indicates that the Pod has successfully initialized. + // If specified, no other probes are executed until this completes successfully. + // If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. + // This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, + // when it might take a long time to load data or warm a cache, than during steady-state operation. + // This cannot be updated. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + // +optional + startupProbe?: null | #Probe @go(StartupProbe,*Probe) @protobuf(22,bytes,opt) + + // Actions that the management system should take in response to container lifecycle events. + // Cannot be updated. + // +optional + lifecycle?: null | #Lifecycle @go(Lifecycle,*Lifecycle) @protobuf(12,bytes,opt) + + // Optional: Path at which the file to which the container's termination message + // will be written is mounted into the container's filesystem. + // Message written is intended to be brief final status, such as an assertion failure message. + // Will be truncated by the node if greater than 4096 bytes. The total message length across + // all containers will be limited to 12kb. + // Defaults to /dev/termination-log. + // Cannot be updated. + // +optional + terminationMessagePath?: string @go(TerminationMessagePath) @protobuf(13,bytes,opt) + + // Indicate how the termination message should be populated. File will use the contents of + // terminationMessagePath to populate the container status message on both success and failure. + // FallbackToLogsOnError will use the last chunk of container log output if the termination + // message file is empty and the container exited with an error. 
+ // The log output is limited to 2048 bytes or 80 lines, whichever is smaller. + // Defaults to File. + // Cannot be updated. + // +optional + terminationMessagePolicy?: #TerminationMessagePolicy @go(TerminationMessagePolicy) @protobuf(20,bytes,opt,casttype=TerminationMessagePolicy) + + // Image pull policy. + // One of Always, Never, IfNotPresent. + // Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + // Cannot be updated. + // More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + // +optional + imagePullPolicy?: #PullPolicy @go(ImagePullPolicy) @protobuf(14,bytes,opt,casttype=PullPolicy) + + // SecurityContext defines the security options the container should be run with. + // If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. + // More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + // +optional + securityContext?: null | #SecurityContext @go(SecurityContext,*SecurityContext) @protobuf(15,bytes,opt) + + // Whether this container should allocate a buffer for stdin in the container runtime. If this + // is not set, reads from stdin in the container will always result in EOF. + // Default is false. + // +optional + stdin?: bool @go(Stdin) @protobuf(16,varint,opt) + + // Whether the container runtime should close the stdin channel after it has been opened by + // a single attach. When stdin is true the stdin stream will remain open across multiple attach + // sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the + // first client attaches to stdin, and then remains open and accepts data until the client disconnects, + // at which time stdin is closed and remains closed until the container is restarted. If this + // flag is false, a container processes that reads from stdin will never receive an EOF. 
+ // Default is false + // +optional + stdinOnce?: bool @go(StdinOnce) @protobuf(17,varint,opt) + + // Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. + // Default is false. + // +optional + tty?: bool @go(TTY) @protobuf(18,varint,opt) +} + +// ProbeHandler defines a specific action that should be taken in a probe. +// One and only one of the fields must be specified. +#ProbeHandler: { + // Exec specifies the action to take. + // +optional + exec?: null | #ExecAction @go(Exec,*ExecAction) @protobuf(1,bytes,opt) + + // HTTPGet specifies the http request to perform. + // +optional + httpGet?: null | #HTTPGetAction @go(HTTPGet,*HTTPGetAction) @protobuf(2,bytes,opt) + + // TCPSocket specifies an action involving a TCP port. + // +optional + tcpSocket?: null | #TCPSocketAction @go(TCPSocket,*TCPSocketAction) @protobuf(3,bytes,opt) + + // GRPC specifies an action involving a GRPC port. + // +optional + grpc?: null | #GRPCAction @go(GRPC,*GRPCAction) @protobuf(4,bytes,opt) +} + +// LifecycleHandler defines a specific action that should be taken in a lifecycle +// hook. One and only one of the fields, except TCPSocket must be specified. +#LifecycleHandler: { + // Exec specifies the action to take. + // +optional + exec?: null | #ExecAction @go(Exec,*ExecAction) @protobuf(1,bytes,opt) + + // HTTPGet specifies the http request to perform. + // +optional + httpGet?: null | #HTTPGetAction @go(HTTPGet,*HTTPGetAction) @protobuf(2,bytes,opt) + + // Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept + // for the backward compatibility. There are no validation of this field and + // lifecycle hooks will fail in runtime when tcp handler is specified. + // +optional + tcpSocket?: null | #TCPSocketAction @go(TCPSocket,*TCPSocketAction) @protobuf(3,bytes,opt) +} + +// Lifecycle describes actions that the management system should take in response to container lifecycle +// events. 
For the PostStart and PreStop lifecycle handlers, management of the container blocks +// until the action is complete, unless the container process fails, in which case the handler is aborted. +#Lifecycle: { + // PostStart is called immediately after a container is created. If the handler fails, + // the container is terminated and restarted according to its restart policy. + // Other management of the container blocks until the hook completes. + // More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + // +optional + postStart?: null | #LifecycleHandler @go(PostStart,*LifecycleHandler) @protobuf(1,bytes,opt) + + // PreStop is called immediately before a container is terminated due to an + // API request or management event such as liveness/startup probe failure, + // preemption, resource contention, etc. The handler is not called if the + // container crashes or exits. The Pod's termination grace period countdown begins before the + // PreStop hook is executed. Regardless of the outcome of the handler, the + // container will eventually terminate within the Pod's termination grace + // period (unless delayed by finalizers). Other management of the container blocks until the hook completes + // or until the termination grace period is reached. + // More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + // +optional + preStop?: null | #LifecycleHandler @go(PreStop,*LifecycleHandler) @protobuf(2,bytes,opt) +} + +#ConditionStatus: string // #enumConditionStatus + +#enumConditionStatus: + #ConditionTrue | + #ConditionFalse | + #ConditionUnknown + +#ConditionTrue: #ConditionStatus & "True" +#ConditionFalse: #ConditionStatus & "False" +#ConditionUnknown: #ConditionStatus & "Unknown" + +// ContainerStateWaiting is a waiting state of a container. +#ContainerStateWaiting: { + // (brief) reason the container is not yet running. 
+ // +optional + reason?: string @go(Reason) @protobuf(1,bytes,opt) + + // Message regarding why the container is not yet running. + // +optional + message?: string @go(Message) @protobuf(2,bytes,opt) +} + +// ContainerStateRunning is a running state of a container. +#ContainerStateRunning: { + // Time at which the container was last (re-)started + // +optional + startedAt?: metav1.#Time @go(StartedAt) @protobuf(1,bytes,opt) +} + +// ContainerStateTerminated is a terminated state of a container. +#ContainerStateTerminated: { + // Exit status from the last termination of the container + exitCode: int32 @go(ExitCode) @protobuf(1,varint,opt) + + // Signal from the last termination of the container + // +optional + signal?: int32 @go(Signal) @protobuf(2,varint,opt) + + // (brief) reason from the last termination of the container + // +optional + reason?: string @go(Reason) @protobuf(3,bytes,opt) + + // Message regarding the last termination of the container + // +optional + message?: string @go(Message) @protobuf(4,bytes,opt) + + // Time at which previous execution of the container started + // +optional + startedAt?: metav1.#Time @go(StartedAt) @protobuf(5,bytes,opt) + + // Time at which the container last terminated + // +optional + finishedAt?: metav1.#Time @go(FinishedAt) @protobuf(6,bytes,opt) + + // Container's ID in the format '://' + // +optional + containerID?: string @go(ContainerID) @protobuf(7,bytes,opt) +} + +// ContainerState holds a possible state of container. +// Only one of its members may be specified. +// If none of them is specified, the default one is ContainerStateWaiting. 
+#ContainerState: { + // Details about a waiting container + // +optional + waiting?: null | #ContainerStateWaiting @go(Waiting,*ContainerStateWaiting) @protobuf(1,bytes,opt) + + // Details about a running container + // +optional + running?: null | #ContainerStateRunning @go(Running,*ContainerStateRunning) @protobuf(2,bytes,opt) + + // Details about a terminated container + // +optional + terminated?: null | #ContainerStateTerminated @go(Terminated,*ContainerStateTerminated) @protobuf(3,bytes,opt) +} + +// ContainerStatus contains details for the current status of this container. +#ContainerStatus: { + // Name is a DNS_LABEL representing the unique name of the container. + // Each container in a pod must have a unique name across all container types. + // Cannot be updated. + name: string @go(Name) @protobuf(1,bytes,opt) + + // State holds details about the container's current condition. + // +optional + state?: #ContainerState @go(State) @protobuf(2,bytes,opt) + + // LastTerminationState holds the last termination state of the container to + // help debug container crashes and restarts. This field is not + // populated if the container is still running and RestartCount is 0. + // +optional + lastState?: #ContainerState @go(LastTerminationState) @protobuf(3,bytes,opt) + + // Ready specifies whether the container is currently passing its readiness check. + // The value will change as readiness probes keep executing. If no readiness + // probes are specified, this field defaults to true once the container is + // fully started (see Started field). + // + // The value is typically used to determine whether a container is ready to + // accept traffic. + ready: bool @go(Ready) @protobuf(4,varint,opt) + + // RestartCount holds the number of times the container has been restarted. + // Kubelet makes an effort to always increment the value, but there + // are cases when the state may be lost due to node restarts and then the value + // may be reset to 0. 
The value is never negative. + restartCount: int32 @go(RestartCount) @protobuf(5,varint,opt) + + // Image is the name of container image that the container is running. + // The container image may not match the image used in the PodSpec, + // as it may have been resolved by the runtime. + // More info: https://kubernetes.io/docs/concepts/containers/images. + image: string @go(Image) @protobuf(6,bytes,opt) + + // ImageID is the image ID of the container's image. The image ID may not + // match the image ID of the image used in the PodSpec, as it may have been + // resolved by the runtime. + imageID: string @go(ImageID) @protobuf(7,bytes,opt) + + // ContainerID is the ID of the container in the format '://'. + // Where type is a container runtime identifier, returned from Version call of CRI API + // (for example "containerd"). + // +optional + containerID?: string @go(ContainerID) @protobuf(8,bytes,opt) + + // Started indicates whether the container has finished its postStart lifecycle hook + // and passed its startup probe. + // Initialized as false, becomes true after startupProbe is considered + // successful. Resets to false when the container is restarted, or if kubelet + // loses state temporarily. In both cases, startup probes will run again. + // Is always true when no startupProbe is defined and container is running and + // has passed the postStart lifecycle hook. The null value must be treated the + // same as false. + // +optional + started?: null | bool @go(Started,*bool) @protobuf(9,varint,opt) + + // AllocatedResources represents the compute resources allocated for this container by the + // node. Kubelet sets this value to Container.Resources.Requests upon successful pod admission + // and after successfully admitting desired pod resize. 
+ // +featureGate=InPlacePodVerticalScaling + // +optional + allocatedResources?: #ResourceList @go(AllocatedResources) @protobuf(10,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // Resources represents the compute resource requests and limits that have been successfully + // enacted on the running container after it has been started or has been successfully resized. + // +featureGate=InPlacePodVerticalScaling + // +optional + resources?: null | #ResourceRequirements @go(Resources,*ResourceRequirements) @protobuf(11,bytes,opt) +} + +// PodPhase is a label for the condition of a pod at the current time. +// +enum +#PodPhase: string // #enumPodPhase + +#enumPodPhase: + #PodPending | + #PodRunning | + #PodSucceeded | + #PodFailed | + #PodUnknown + +// PodPending means the pod has been accepted by the system, but one or more of the containers +// has not been started. This includes time before being bound to a node, as well as time spent +// pulling images onto the host. +#PodPending: #PodPhase & "Pending" + +// PodRunning means the pod has been bound to a node and all of the containers have been started. +// At least one container is still running or is in the process of being restarted. +#PodRunning: #PodPhase & "Running" + +// PodSucceeded means that all containers in the pod have voluntarily terminated +// with a container exit code of 0, and the system is not going to restart any of these containers. +#PodSucceeded: #PodPhase & "Succeeded" + +// PodFailed means that all containers in the pod have terminated, and at least one container has +// terminated in a failure (exited with a non-zero exit code or was stopped by the system). +#PodFailed: #PodPhase & "Failed" + +// PodUnknown means that for some reason the state of the pod could not be obtained, typically due +// to an error in communicating with the host of the pod. 
+// Deprecated: It isn't being set since 2015 (74da3b14b0c0f658b3bb8d2def5094686d0e9095) +#PodUnknown: #PodPhase & "Unknown" + +// PodConditionType is a valid value for PodCondition.Type +#PodConditionType: string // #enumPodConditionType + +#enumPodConditionType: + #ContainersReady | + #PodInitialized | + #PodReady | + #PodScheduled | + #DisruptionTarget + +// ContainersReady indicates whether all containers in the pod are ready. +#ContainersReady: #PodConditionType & "ContainersReady" + +// PodInitialized means that all init containers in the pod have started successfully. +#PodInitialized: #PodConditionType & "Initialized" + +// PodReady means the pod is able to service requests and should be added to the +// load balancing pools of all matching services. +#PodReady: #PodConditionType & "Ready" + +// PodScheduled represents status of the scheduling process for this pod. +#PodScheduled: #PodConditionType & "PodScheduled" + +// DisruptionTarget indicates the pod is about to be terminated due to a +// disruption (such as preemption, eviction API or garbage-collection). +#DisruptionTarget: #PodConditionType & "DisruptionTarget" + +// PodReasonUnschedulable reason in PodScheduled PodCondition means that the scheduler +// can't schedule the pod right now, for example due to insufficient resources in the cluster. +#PodReasonUnschedulable: "Unschedulable" + +// PodReasonSchedulingGated reason in PodScheduled PodCondition means that the scheduler +// skips scheduling the pod because one or more scheduling gates are still present. +#PodReasonSchedulingGated: "SchedulingGated" + +// PodReasonSchedulerError reason in PodScheduled PodCondition means that some internal error happens +// during scheduling, for example due to nodeAffinity parsing errors. 
+#PodReasonSchedulerError: "SchedulerError" + +// TerminationByKubelet reason in DisruptionTarget pod condition indicates that the termination +// is initiated by kubelet +#PodReasonTerminationByKubelet: "TerminationByKubelet" + +// PodReasonPreemptionByScheduler reason in DisruptionTarget pod condition indicates that the +// disruption was initiated by scheduler's preemption. +#PodReasonPreemptionByScheduler: "PreemptionByScheduler" + +// PodCondition contains details for the current condition of this pod. +#PodCondition: { + // Type is the type of the condition. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions + type: #PodConditionType @go(Type) @protobuf(1,bytes,opt,casttype=PodConditionType) + + // Status is the status of the condition. + // Can be True, False, Unknown. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions + status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus) + + // Last time we probed the condition. + // +optional + lastProbeTime?: metav1.#Time @go(LastProbeTime) @protobuf(3,bytes,opt) + + // Last time the condition transitioned from one status to another. + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(4,bytes,opt) + + // Unique, one-word, CamelCase reason for the condition's last transition. + // +optional + reason?: string @go(Reason) @protobuf(5,bytes,opt) + + // Human-readable message indicating details about last transition. + // +optional + message?: string @go(Message) @protobuf(6,bytes,opt) +} + +// PodResizeStatus shows status of desired resize of a pod's containers. +#PodResizeStatus: string // #enumPodResizeStatus + +#enumPodResizeStatus: + #PodResizeStatusProposed | + #PodResizeStatusInProgress | + #PodResizeStatusDeferred | + #PodResizeStatusInfeasible + +// Pod resources resize has been requested and will be evaluated by node. 
+#PodResizeStatusProposed: #PodResizeStatus & "Proposed" + +// Pod resources resize has been accepted by node and is being actuated. +#PodResizeStatusInProgress: #PodResizeStatus & "InProgress" + +// Node cannot resize the pod at this time and will keep retrying. +#PodResizeStatusDeferred: #PodResizeStatus & "Deferred" + +// Requested pod resize is not feasible and will not be re-evaluated. +#PodResizeStatusInfeasible: #PodResizeStatus & "Infeasible" + +// RestartPolicy describes how the container should be restarted. +// Only one of the following restart policies may be specified. +// If none of the following policies is specified, the default one +// is RestartPolicyAlways. +// +enum +#RestartPolicy: string // #enumRestartPolicy + +#enumRestartPolicy: + #RestartPolicyAlways | + #RestartPolicyOnFailure | + #RestartPolicyNever + +#RestartPolicyAlways: #RestartPolicy & "Always" +#RestartPolicyOnFailure: #RestartPolicy & "OnFailure" +#RestartPolicyNever: #RestartPolicy & "Never" + +// ContainerRestartPolicy is the restart policy for a single container. +// This may only be set for init containers and only allowed value is "Always". +#ContainerRestartPolicy: string // #enumContainerRestartPolicy + +#enumContainerRestartPolicy: + #ContainerRestartPolicyAlways + +#ContainerRestartPolicyAlways: #ContainerRestartPolicy & "Always" + +// DNSPolicy defines how a pod's DNS will be configured. +// +enum +#DNSPolicy: string // #enumDNSPolicy + +#enumDNSPolicy: + #DNSClusterFirstWithHostNet | + #DNSClusterFirst | + #DNSDefault | + #DNSNone + +// DNSClusterFirstWithHostNet indicates that the pod should use cluster DNS +// first, if it is available, then fall back on the default +// (as determined by kubelet) DNS settings. 
+#DNSClusterFirstWithHostNet: #DNSPolicy & "ClusterFirstWithHostNet" + +// DNSClusterFirst indicates that the pod should use cluster DNS +// first unless hostNetwork is true, if it is available, then +// fall back on the default (as determined by kubelet) DNS settings. +#DNSClusterFirst: #DNSPolicy & "ClusterFirst" + +// DNSDefault indicates that the pod should use the default (as +// determined by kubelet) DNS settings. +#DNSDefault: #DNSPolicy & "Default" + +// DNSNone indicates that the pod should use empty DNS settings. DNS +// parameters such as nameservers and search paths should be defined via +// DNSConfig. +#DNSNone: #DNSPolicy & "None" + +// DefaultTerminationGracePeriodSeconds indicates the default duration in +// seconds a pod needs to terminate gracefully. +#DefaultTerminationGracePeriodSeconds: 30 + +// A node selector represents the union of the results of one or more label queries +// over a set of nodes; that is, it represents the OR of the selectors represented +// by the node selector terms. +// +structType=atomic +#NodeSelector: { + // Required. A list of node selector terms. The terms are ORed. + nodeSelectorTerms: [...#NodeSelectorTerm] @go(NodeSelectorTerms,[]NodeSelectorTerm) @protobuf(1,bytes,rep) +} + +// A null or empty node selector term matches no objects. The requirements of +// them are ANDed. +// The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. +// +structType=atomic +#NodeSelectorTerm: { + // A list of node selector requirements by node's labels. + // +optional + matchExpressions?: [...#NodeSelectorRequirement] @go(MatchExpressions,[]NodeSelectorRequirement) @protobuf(1,bytes,rep) + + // A list of node selector requirements by node's fields. + // +optional + matchFields?: [...#NodeSelectorRequirement] @go(MatchFields,[]NodeSelectorRequirement) @protobuf(2,bytes,rep) +} + +// A node selector requirement is a selector that contains values, a key, and an operator +// that relates the key and values. 
+#NodeSelectorRequirement: { + // The label key that the selector applies to. + key: string @go(Key) @protobuf(1,bytes,opt) + + // Represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + operator: #NodeSelectorOperator @go(Operator) @protobuf(2,bytes,opt,casttype=NodeSelectorOperator) + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists or DoesNotExist, + // the values array must be empty. If the operator is Gt or Lt, the values + // array must have a single element, which will be interpreted as an integer. + // This array is replaced during a strategic merge patch. + // +optional + values?: [...string] @go(Values,[]string) @protobuf(3,bytes,rep) +} + +// A node selector operator is the set of operators that can be used in +// a node selector requirement. +// +enum +#NodeSelectorOperator: string // #enumNodeSelectorOperator + +#enumNodeSelectorOperator: + #NodeSelectorOpIn | + #NodeSelectorOpNotIn | + #NodeSelectorOpExists | + #NodeSelectorOpDoesNotExist | + #NodeSelectorOpGt | + #NodeSelectorOpLt + +#NodeSelectorOpIn: #NodeSelectorOperator & "In" +#NodeSelectorOpNotIn: #NodeSelectorOperator & "NotIn" +#NodeSelectorOpExists: #NodeSelectorOperator & "Exists" +#NodeSelectorOpDoesNotExist: #NodeSelectorOperator & "DoesNotExist" +#NodeSelectorOpGt: #NodeSelectorOperator & "Gt" +#NodeSelectorOpLt: #NodeSelectorOperator & "Lt" + +// A topology selector term represents the result of label queries. +// A null or empty topology selector term matches no objects. +// The requirements of them are ANDed. +// It provides a subset of functionality as NodeSelectorTerm. +// This is an alpha feature and may change in the future. +// +structType=atomic +#TopologySelectorTerm: { + // A list of topology selector requirements by labels. 
+ // +optional + matchLabelExpressions?: [...#TopologySelectorLabelRequirement] @go(MatchLabelExpressions,[]TopologySelectorLabelRequirement) @protobuf(1,bytes,rep) +} + +// A topology selector requirement is a selector that matches given label. +// This is an alpha feature and may change in the future. +#TopologySelectorLabelRequirement: { + // The label key that the selector applies to. + key: string @go(Key) @protobuf(1,bytes,opt) + + // An array of string values. One value must match the label to be selected. + // Each entry in Values is ORed. + values: [...string] @go(Values,[]string) @protobuf(2,bytes,rep) +} + +// Affinity is a group of affinity scheduling rules. +#Affinity: { + // Describes node affinity scheduling rules for the pod. + // +optional + nodeAffinity?: null | #NodeAffinity @go(NodeAffinity,*NodeAffinity) @protobuf(1,bytes,opt) + + // Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). + // +optional + podAffinity?: null | #PodAffinity @go(PodAffinity,*PodAffinity) @protobuf(2,bytes,opt) + + // Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). + // +optional + podAntiAffinity?: null | #PodAntiAffinity @go(PodAntiAffinity,*PodAntiAffinity) @protobuf(3,bytes,opt) +} + +// Pod affinity is a group of inter pod affinity scheduling rules. +#PodAffinity: { + // If the affinity requirements specified by this field are not met at + // scheduling time, the pod will not be scheduled onto the node. + // If the affinity requirements specified by this field cease to be met + // at some point during pod execution (e.g. due to a pod label update), the + // system may or may not try to eventually evict the pod from its node. + // When there are multiple elements, the lists of nodes corresponding to each + // podAffinityTerm are intersected, i.e. all terms must be satisfied. 
+ // +optional + requiredDuringSchedulingIgnoredDuringExecution?: [...#PodAffinityTerm] @go(RequiredDuringSchedulingIgnoredDuringExecution,[]PodAffinityTerm) @protobuf(1,bytes,rep) + + // The scheduler will prefer to schedule pods to nodes that satisfy + // the affinity expressions specified by this field, but it may choose + // a node that violates one or more of the expressions. The node that is + // most preferred is the one with the greatest sum of weights, i.e. + // for each node that meets all of the scheduling requirements (resource + // request, requiredDuringScheduling affinity expressions, etc.), + // compute a sum by iterating through the elements of this field and adding + // "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + // node(s) with the highest sum are the most preferred. + // +optional + preferredDuringSchedulingIgnoredDuringExecution?: [...#WeightedPodAffinityTerm] @go(PreferredDuringSchedulingIgnoredDuringExecution,[]WeightedPodAffinityTerm) @protobuf(2,bytes,rep) +} + +// Pod anti affinity is a group of inter pod anti affinity scheduling rules. +#PodAntiAffinity: { + // If the anti-affinity requirements specified by this field are not met at + // scheduling time, the pod will not be scheduled onto the node. + // If the anti-affinity requirements specified by this field cease to be met + // at some point during pod execution (e.g. due to a pod label update), the + // system may or may not try to eventually evict the pod from its node. + // When there are multiple elements, the lists of nodes corresponding to each + // podAffinityTerm are intersected, i.e. all terms must be satisfied. 
+ // +optional + requiredDuringSchedulingIgnoredDuringExecution?: [...#PodAffinityTerm] @go(RequiredDuringSchedulingIgnoredDuringExecution,[]PodAffinityTerm) @protobuf(1,bytes,rep) + + // The scheduler will prefer to schedule pods to nodes that satisfy + // the anti-affinity expressions specified by this field, but it may choose + // a node that violates one or more of the expressions. The node that is + // most preferred is the one with the greatest sum of weights, i.e. + // for each node that meets all of the scheduling requirements (resource + // request, requiredDuringScheduling anti-affinity expressions, etc.), + // compute a sum by iterating through the elements of this field and adding + // "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + // node(s) with the highest sum are the most preferred. + // +optional + preferredDuringSchedulingIgnoredDuringExecution?: [...#WeightedPodAffinityTerm] @go(PreferredDuringSchedulingIgnoredDuringExecution,[]WeightedPodAffinityTerm) @protobuf(2,bytes,rep) +} + +// The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) +#WeightedPodAffinityTerm: { + // weight associated with matching the corresponding podAffinityTerm, + // in the range 1-100. + weight: int32 @go(Weight) @protobuf(1,varint,opt) + + // Required. A pod affinity term, associated with the corresponding weight. + podAffinityTerm: #PodAffinityTerm @go(PodAffinityTerm) @protobuf(2,bytes,opt) +} + +// Defines a set of pods (namely those matching the labelSelector +// relative to the given namespace(s)) that this pod should be +// co-located (affinity) or not co-located (anti-affinity) with, +// where co-located is defined as running on a node whose value of +// the label with key matches that of any node on which +// a pod of the set of pods is running +#PodAffinityTerm: { + // A label query over a set of resources, in this case pods. 
+ // +optional + labelSelector?: null | metav1.#LabelSelector @go(LabelSelector,*metav1.LabelSelector) @protobuf(1,bytes,opt) + + // namespaces specifies a static list of namespace names that the term applies to. + // The term is applied to the union of the namespaces listed in this field + // and the ones selected by namespaceSelector. + // null or empty namespaces list and null namespaceSelector means "this pod's namespace". + // +optional + namespaces?: [...string] @go(Namespaces,[]string) @protobuf(2,bytes,rep) + + // This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located is defined as running on a node + // whose value of the label with key topologyKey matches that of any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. + topologyKey: string @go(TopologyKey) @protobuf(3,bytes,opt) + + // A label query over the set of namespaces that the term applies to. + // The term is applied to the union of the namespaces selected by this field + // and the ones listed in the namespaces field. + // null selector and null or empty namespaces list means "this pod's namespace". + // An empty selector ({}) matches all namespaces. + // +optional + namespaceSelector?: null | metav1.#LabelSelector @go(NamespaceSelector,*metav1.LabelSelector) @protobuf(4,bytes,opt) +} + +// Node affinity is a group of node affinity scheduling rules. +#NodeAffinity: { + // If the affinity requirements specified by this field are not met at + // scheduling time, the pod will not be scheduled onto the node. + // If the affinity requirements specified by this field cease to be met + // at some point during pod execution (e.g. due to an update), the system + // may or may not try to eventually evict the pod from its node. 
+ // +optional + requiredDuringSchedulingIgnoredDuringExecution?: null | #NodeSelector @go(RequiredDuringSchedulingIgnoredDuringExecution,*NodeSelector) @protobuf(1,bytes,opt) + + // The scheduler will prefer to schedule pods to nodes that satisfy + // the affinity expressions specified by this field, but it may choose + // a node that violates one or more of the expressions. The node that is + // most preferred is the one with the greatest sum of weights, i.e. + // for each node that meets all of the scheduling requirements (resource + // request, requiredDuringScheduling affinity expressions, etc.), + // compute a sum by iterating through the elements of this field and adding + // "weight" to the sum if the node matches the corresponding matchExpressions; the + // node(s) with the highest sum are the most preferred. + // +optional + preferredDuringSchedulingIgnoredDuringExecution?: [...#PreferredSchedulingTerm] @go(PreferredDuringSchedulingIgnoredDuringExecution,[]PreferredSchedulingTerm) @protobuf(2,bytes,rep) +} + +// An empty preferred scheduling term matches all objects with implicit weight 0 +// (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). +#PreferredSchedulingTerm: { + // Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. + weight: int32 @go(Weight) @protobuf(1,varint,opt) + + // A node selector term, associated with the corresponding weight. + preference: #NodeSelectorTerm @go(Preference) @protobuf(2,bytes,opt) +} + +// The node this Taint is attached to has the "effect" on +// any pod that does not tolerate the Taint. +#Taint: { + // Required. The taint key to be applied to a node. + key: string @go(Key) @protobuf(1,bytes,opt) + + // The taint value corresponding to the taint key. + // +optional + value?: string @go(Value) @protobuf(2,bytes,opt) + + // Required. The effect of the taint on pods + // that do not tolerate the taint. 
+ // Valid effects are NoSchedule, PreferNoSchedule and NoExecute. + effect: #TaintEffect @go(Effect) @protobuf(3,bytes,opt,casttype=TaintEffect) + + // TimeAdded represents the time at which the taint was added. + // It is only written for NoExecute taints. + // +optional + timeAdded?: null | metav1.#Time @go(TimeAdded,*metav1.Time) @protobuf(4,bytes,opt) +} + +// +enum +#TaintEffect: string // #enumTaintEffect + +#enumTaintEffect: + #TaintEffectNoSchedule | + #TaintEffectPreferNoSchedule | + #TaintEffectNoExecute + +// Do not allow new pods to schedule onto the node unless they tolerate the taint, +// but allow all pods submitted to Kubelet without going through the scheduler +// to start, and allow all already-running pods to continue running. +// Enforced by the scheduler. +#TaintEffectNoSchedule: #TaintEffect & "NoSchedule" + +// Like TaintEffectNoSchedule, but the scheduler tries not to schedule +// new pods onto the node, rather than prohibiting new pods from scheduling +// onto the node entirely. Enforced by the scheduler. +#TaintEffectPreferNoSchedule: #TaintEffect & "PreferNoSchedule" + +// Evict any already-running pods that do not tolerate the taint. +// Currently enforced by NodeController. +#TaintEffectNoExecute: #TaintEffect & "NoExecute" + +// The pod this Toleration is attached to tolerates any taint that matches +// the triple using the matching operator . +#Toleration: { + // Key is the taint key that the toleration applies to. Empty means match all taint keys. + // If the key is empty, operator must be Exists; this combination means to match all values and all keys. + // +optional + key?: string @go(Key) @protobuf(1,bytes,opt) + + // Operator represents a key's relationship to the value. + // Valid operators are Exists and Equal. Defaults to Equal. + // Exists is equivalent to wildcard for value, so that a pod can + // tolerate all taints of a particular category. 
+ // +optional + operator?: #TolerationOperator @go(Operator) @protobuf(2,bytes,opt,casttype=TolerationOperator) + + // Value is the taint value the toleration matches to. + // If the operator is Exists, the value should be empty, otherwise just a regular string. + // +optional + value?: string @go(Value) @protobuf(3,bytes,opt) + + // Effect indicates the taint effect to match. Empty means match all taint effects. + // When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + // +optional + effect?: #TaintEffect @go(Effect) @protobuf(4,bytes,opt,casttype=TaintEffect) + + // TolerationSeconds represents the period of time the toleration (which must be + // of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + // it is not set, which means tolerate the taint forever (do not evict). Zero and + // negative values will be treated as 0 (evict immediately) by the system. + // +optional + tolerationSeconds?: null | int64 @go(TolerationSeconds,*int64) @protobuf(5,varint,opt) +} + +// A toleration operator is the set of operators that can be used in a toleration. +// +enum +#TolerationOperator: string // #enumTolerationOperator + +#enumTolerationOperator: + #TolerationOpExists | + #TolerationOpEqual + +#TolerationOpExists: #TolerationOperator & "Exists" +#TolerationOpEqual: #TolerationOperator & "Equal" + +// PodReadinessGate contains the reference to a pod condition +#PodReadinessGate: { + // ConditionType refers to a condition in the pod's condition list with matching type. + conditionType: #PodConditionType @go(ConditionType) @protobuf(1,bytes,opt,casttype=PodConditionType) +} + +// PodSpec is a description of a pod. +#PodSpec: { + // List of volumes that can be mounted by containers belonging to the pod. 
+ // More info: https://kubernetes.io/docs/concepts/storage/volumes + // +optional + // +patchMergeKey=name + // +patchStrategy=merge,retainKeys + volumes?: [...#Volume] @go(Volumes,[]Volume) @protobuf(1,bytes,rep) + + // List of initialization containers belonging to the pod. + // Init containers are executed in order prior to containers being started. If any + // init container fails, the pod is considered to have failed and is handled according + // to its restartPolicy. The name for an init container or normal container must be + // unique among all containers. + // Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. + // The resourceRequirements of an init container are taken into account during scheduling + // by finding the highest request/limit for each resource type, and then using the max of + // of that value or the sum of the normal containers. Limits are applied to init containers + // in a similar fashion. + // Init containers cannot currently be added or removed. + // Cannot be updated. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + // +patchMergeKey=name + // +patchStrategy=merge + initContainers?: [...#Container] @go(InitContainers,[]Container) @protobuf(20,bytes,rep) + + // List of containers belonging to the pod. + // Containers cannot currently be added or removed. + // There must be at least one container in a Pod. + // Cannot be updated. + // +patchMergeKey=name + // +patchStrategy=merge + containers: [...#Container] @go(Containers,[]Container) @protobuf(2,bytes,rep) + + // List of ephemeral containers run in this pod. Ephemeral containers may be run in an existing + // pod to perform user-initiated actions such as debugging. This list cannot be specified when + // creating a pod, and it cannot be modified by updating the pod spec. In order to add an + // ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource. 
+ // +optional + // +patchMergeKey=name + // +patchStrategy=merge + ephemeralContainers?: [...#EphemeralContainer] @go(EphemeralContainers,[]EphemeralContainer) @protobuf(34,bytes,rep) + + // Restart policy for all containers within the pod. + // One of Always, OnFailure, Never. In some contexts, only a subset of those values may be permitted. + // Default to Always. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy + // +optional + restartPolicy?: #RestartPolicy @go(RestartPolicy) @protobuf(3,bytes,opt,casttype=RestartPolicy) + + // Optional duration in seconds the pod needs to terminate gracefully. May be decreased in delete request. + // Value must be non-negative integer. The value zero indicates stop immediately via + // the kill signal (no opportunity to shut down). + // If this value is nil, the default grace period will be used instead. + // The grace period is the duration in seconds after the processes running in the pod are sent + // a termination signal and the time when the processes are forcibly halted with a kill signal. + // Set this value longer than the expected cleanup time for your process. + // Defaults to 30 seconds. + // +optional + terminationGracePeriodSeconds?: null | int64 @go(TerminationGracePeriodSeconds,*int64) @protobuf(4,varint,opt) + + // Optional duration in seconds the pod may be active on the node relative to + // StartTime before the system will actively try to mark it failed and kill associated containers. + // Value must be a positive integer. + // +optional + activeDeadlineSeconds?: null | int64 @go(ActiveDeadlineSeconds,*int64) @protobuf(5,varint,opt) + + // Set DNS policy for the pod. + // Defaults to "ClusterFirst". + // Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' or 'None'. + // DNS parameters given in DNSConfig will be merged with the policy selected with DNSPolicy. 
+ // To have DNS options set along with hostNetwork, you have to specify DNS policy + // explicitly to 'ClusterFirstWithHostNet'. + // +optional + dnsPolicy?: #DNSPolicy @go(DNSPolicy) @protobuf(6,bytes,opt,casttype=DNSPolicy) + + // NodeSelector is a selector which must be true for the pod to fit on a node. + // Selector which must match a node's labels for the pod to be scheduled on that node. + // More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + // +optional + // +mapType=atomic + nodeSelector?: {[string]: string} @go(NodeSelector,map[string]string) @protobuf(7,bytes,rep) + + // ServiceAccountName is the name of the ServiceAccount to use to run this pod. + // More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ + // +optional + serviceAccountName?: string @go(ServiceAccountName) @protobuf(8,bytes,opt) + + // DeprecatedServiceAccount is a depreciated alias for ServiceAccountName. + // Deprecated: Use serviceAccountName instead. + // +k8s:conversion-gen=false + // +optional + serviceAccount?: string @go(DeprecatedServiceAccount) @protobuf(9,bytes,opt) + + // AutomountServiceAccountToken indicates whether a service account token should be automatically mounted. + // +optional + automountServiceAccountToken?: null | bool @go(AutomountServiceAccountToken,*bool) @protobuf(21,varint,opt) + + // NodeName is a request to schedule this pod onto a specific node. If it is non-empty, + // the scheduler simply schedules this pod onto that node, assuming that it fits resource + // requirements. + // +optional + nodeName?: string @go(NodeName) @protobuf(10,bytes,opt) + + // Host networking requested for this pod. Use the host's network namespace. + // If this option is set, the ports that will be used must be specified. + // Default to false. + // +k8s:conversion-gen=false + // +optional + hostNetwork?: bool @go(HostNetwork) @protobuf(11,varint,opt) + + // Use the host's pid namespace. 
+ // Optional: Default to false. + // +k8s:conversion-gen=false + // +optional + hostPID?: bool @go(HostPID) @protobuf(12,varint,opt) + + // Use the host's ipc namespace. + // Optional: Default to false. + // +k8s:conversion-gen=false + // +optional + hostIPC?: bool @go(HostIPC) @protobuf(13,varint,opt) + + // Share a single process namespace between all of the containers in a pod. + // When this is set containers will be able to view and signal processes from other containers + // in the same pod, and the first process in each container will not be assigned PID 1. + // HostPID and ShareProcessNamespace cannot both be set. + // Optional: Default to false. + // +k8s:conversion-gen=false + // +optional + shareProcessNamespace?: null | bool @go(ShareProcessNamespace,*bool) @protobuf(27,varint,opt) + + // SecurityContext holds pod-level security attributes and common container settings. + // Optional: Defaults to empty. See type description for default values of each field. + // +optional + securityContext?: null | #PodSecurityContext @go(SecurityContext,*PodSecurityContext) @protobuf(14,bytes,opt) + + // ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. + // If specified, these secrets will be passed to individual puller implementations for them to use. + // More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod + // +optional + // +patchMergeKey=name + // +patchStrategy=merge + imagePullSecrets?: [...#LocalObjectReference] @go(ImagePullSecrets,[]LocalObjectReference) @protobuf(15,bytes,rep) + + // Specifies the hostname of the Pod + // If not specified, the pod's hostname will be set to a system-defined value. + // +optional + hostname?: string @go(Hostname) @protobuf(16,bytes,opt) + + // If specified, the fully qualified Pod hostname will be "...svc.". + // If not specified, the pod will not have a domainname at all. 
+ // +optional + subdomain?: string @go(Subdomain) @protobuf(17,bytes,opt) + + // If specified, the pod's scheduling constraints + // +optional + affinity?: null | #Affinity @go(Affinity,*Affinity) @protobuf(18,bytes,opt) + + // If specified, the pod will be dispatched by specified scheduler. + // If not specified, the pod will be dispatched by default scheduler. + // +optional + schedulerName?: string @go(SchedulerName) @protobuf(19,bytes,opt) + + // If specified, the pod's tolerations. + // +optional + tolerations?: [...#Toleration] @go(Tolerations,[]Toleration) @protobuf(22,bytes,opt) + + // HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts + // file if specified. This is only valid for non-hostNetwork pods. + // +optional + // +patchMergeKey=ip + // +patchStrategy=merge + hostAliases?: [...#HostAlias] @go(HostAliases,[]HostAlias) @protobuf(23,bytes,rep) + + // If specified, indicates the pod's priority. "system-node-critical" and + // "system-cluster-critical" are two special keywords which indicate the + // highest priorities with the former being the highest priority. Any other + // name must be defined by creating a PriorityClass object with that name. + // If not specified, the pod priority will be default or zero if there is no + // default. + // +optional + priorityClassName?: string @go(PriorityClassName) @protobuf(24,bytes,opt) + + // The priority value. Various system components use this field to find the + // priority of the pod. When Priority Admission Controller is enabled, it + // prevents users from setting this field. The admission controller populates + // this field from PriorityClassName. + // The higher the value, the higher the priority. + // +optional + priority?: null | int32 @go(Priority,*int32) @protobuf(25,bytes,opt) + + // Specifies the DNS parameters of a pod. + // Parameters specified here will be merged to the generated DNS + // configuration based on DNSPolicy. 
+ // +optional + dnsConfig?: null | #PodDNSConfig @go(DNSConfig,*PodDNSConfig) @protobuf(26,bytes,opt) + + // If specified, all readiness gates will be evaluated for pod readiness. + // A pod is ready when all its containers are ready AND + // all conditions specified in the readiness gates have status equal to "True" + // More info: https://git.k8s.io/enhancements/keps/sig-network/580-pod-readiness-gates + // +optional + readinessGates?: [...#PodReadinessGate] @go(ReadinessGates,[]PodReadinessGate) @protobuf(28,bytes,opt) + + // RuntimeClassName refers to a RuntimeClass object in the node.k8s.io group, which should be used + // to run this pod. If no RuntimeClass resource matches the named class, the pod will not be run. + // If unset or empty, the "legacy" RuntimeClass will be used, which is an implicit class with an + // empty definition that uses the default runtime handler. + // More info: https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class + // +optional + runtimeClassName?: null | string @go(RuntimeClassName,*string) @protobuf(29,bytes,opt) + + // EnableServiceLinks indicates whether information about services should be injected into pod's + // environment variables, matching the syntax of Docker links. + // Optional: Defaults to true. + // +optional + enableServiceLinks?: null | bool @go(EnableServiceLinks,*bool) @protobuf(30,varint,opt) + + // PreemptionPolicy is the Policy for preempting pods with lower priority. + // One of Never, PreemptLowerPriority. + // Defaults to PreemptLowerPriority if unset. + // +optional + preemptionPolicy?: null | #PreemptionPolicy @go(PreemptionPolicy,*PreemptionPolicy) @protobuf(31,bytes,opt) + + // Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. + // This field will be autopopulated at admission time by the RuntimeClass admission controller. If + // the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests. 
+ // The RuntimeClass admission controller will reject Pod create requests which have the overhead already + // set. If RuntimeClass is configured and selected in the PodSpec, Overhead will be set to the value + // defined in the corresponding RuntimeClass, otherwise it will remain unset and treated as zero. + // More info: https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md + // +optional + overhead?: #ResourceList @go(Overhead) @protobuf(32,bytes,opt) + + // TopologySpreadConstraints describes how a group of pods ought to spread across topology + // domains. Scheduler will schedule pods in a way which abides by the constraints. + // All topologySpreadConstraints are ANDed. + // +optional + // +patchMergeKey=topologyKey + // +patchStrategy=merge + // +listType=map + // +listMapKey=topologyKey + // +listMapKey=whenUnsatisfiable + topologySpreadConstraints?: [...#TopologySpreadConstraint] @go(TopologySpreadConstraints,[]TopologySpreadConstraint) @protobuf(33,bytes,opt) + + // If true the pod's hostname will be configured as the pod's FQDN, rather than the leaf name (the default). + // In Linux containers, this means setting the FQDN in the hostname field of the kernel (the nodename field of struct utsname). + // In Windows containers, this means setting the registry value of hostname for the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters to FQDN. + // If a pod does not have FQDN, this has no effect. + // Default to false. + // +optional + setHostnameAsFQDN?: null | bool @go(SetHostnameAsFQDN,*bool) @protobuf(35,varint,opt) + + // Specifies the OS of the containers in the pod. + // Some pod and container fields are restricted if this is set. 
+ // + // If the OS field is set to linux, the following fields must be unset: + // -securityContext.windowsOptions + // + // If the OS field is set to windows, following fields must be unset: + // - spec.hostPID + // - spec.hostIPC + // - spec.hostUsers + // - spec.securityContext.seLinuxOptions + // - spec.securityContext.seccompProfile + // - spec.securityContext.fsGroup + // - spec.securityContext.fsGroupChangePolicy + // - spec.securityContext.sysctls + // - spec.shareProcessNamespace + // - spec.securityContext.runAsUser + // - spec.securityContext.runAsGroup + // - spec.securityContext.supplementalGroups + // - spec.containers[*].securityContext.seLinuxOptions + // - spec.containers[*].securityContext.seccompProfile + // - spec.containers[*].securityContext.capabilities + // - spec.containers[*].securityContext.readOnlyRootFilesystem + // - spec.containers[*].securityContext.privileged + // - spec.containers[*].securityContext.allowPrivilegeEscalation + // - spec.containers[*].securityContext.procMount + // - spec.containers[*].securityContext.runAsUser + // - spec.containers[*].securityContext.runAsGroup + // +optional + os?: null | #PodOS @go(OS,*PodOS) @protobuf(36,bytes,opt) + + // Use the host's user namespace. + // Optional: Default to true. + // If set to true or not present, the pod will be run in the host user namespace, useful + // for when the pod needs a feature only available to the host user namespace, such as + // loading a kernel module with CAP_SYS_MODULE. + // When set to false, a new userns is created for the pod. Setting false is useful for + // mitigating container breakout vulnerabilities even allowing users to run their + // containers as root without actually having root privileges on the host. + // This field is alpha-level and is only honored by servers that enable the UserNamespacesSupport feature. 
+ // +k8s:conversion-gen=false + // +optional + hostUsers?: null | bool @go(HostUsers,*bool) @protobuf(37,bytes,opt) + + // SchedulingGates is an opaque list of values that if specified will block scheduling the pod. + // If schedulingGates is not empty, the pod will stay in the SchedulingGated state and the + // scheduler will not attempt to schedule the pod. + // + // SchedulingGates can only be set at pod creation time, and be removed only afterwards. + // + // This is a beta feature enabled by the PodSchedulingReadiness feature gate. + // + // +patchMergeKey=name + // +patchStrategy=merge + // +listType=map + // +listMapKey=name + // +featureGate=PodSchedulingReadiness + // +optional + schedulingGates?: [...#PodSchedulingGate] @go(SchedulingGates,[]PodSchedulingGate) @protobuf(38,bytes,opt) + + // ResourceClaims defines which ResourceClaims must be allocated + // and reserved before the Pod is allowed to start. The resources + // will be made available to those containers which consume them + // by name. + // + // This is an alpha field and requires enabling the + // DynamicResourceAllocation feature gate. + // + // This field is immutable. + // + // +patchMergeKey=name + // +patchStrategy=merge,retainKeys + // +listType=map + // +listMapKey=name + // +featureGate=DynamicResourceAllocation + // +optional + resourceClaims?: [...#PodResourceClaim] @go(ResourceClaims,[]PodResourceClaim) @protobuf(39,bytes,rep) +} + +// PodResourceClaim references exactly one ResourceClaim through a ClaimSource. +// It adds a name to it that uniquely identifies the ResourceClaim inside the Pod. +// Containers that need access to the ResourceClaim reference it with this name. +#PodResourceClaim: { + // Name uniquely identifies this resource claim inside the pod. + // This must be a DNS_LABEL. + name: string @go(Name) @protobuf(1,bytes) + + // Source describes where to find the ResourceClaim. 
+ source?: #ClaimSource @go(Source) @protobuf(2,bytes) +} + +// ClaimSource describes a reference to a ResourceClaim. +// +// Exactly one of these fields should be set. Consumers of this type must +// treat an empty object as if it has an unknown value. +#ClaimSource: { + // ResourceClaimName is the name of a ResourceClaim object in the same + // namespace as this pod. + resourceClaimName?: null | string @go(ResourceClaimName,*string) @protobuf(1,bytes,opt) + + // ResourceClaimTemplateName is the name of a ResourceClaimTemplate + // object in the same namespace as this pod. + // + // The template will be used to create a new ResourceClaim, which will + // be bound to this pod. When this pod is deleted, the ResourceClaim + // will also be deleted. The pod name and resource name, along with a + // generated component, will be used to form a unique name for the + // ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses. + // + // This field is immutable and no changes will be made to the + // corresponding ResourceClaim by the control plane after creating the + // ResourceClaim. + resourceClaimTemplateName?: null | string @go(ResourceClaimTemplateName,*string) @protobuf(2,bytes,opt) +} + +// PodResourceClaimStatus is stored in the PodStatus for each PodResourceClaim +// which references a ResourceClaimTemplate. It stores the generated name for +// the corresponding ResourceClaim. +#PodResourceClaimStatus: { + // Name uniquely identifies this resource claim inside the pod. + // This must match the name of an entry in pod.spec.resourceClaims, + // which implies that the string must be a DNS_LABEL. + name: string @go(Name) @protobuf(1,bytes) + + // ResourceClaimName is the name of the ResourceClaim that was + // generated for the Pod in the namespace of the Pod. It this is + // unset, then generating a ResourceClaim was not necessary. The + // pod.spec.resourceClaims entry can be ignored in this case. 
+ // + // +optional + resourceClaimName?: null | string @go(ResourceClaimName,*string) @protobuf(2,bytes,opt) +} + +// OSName is the set of OS'es that can be used in OS. +#OSName: string // #enumOSName + +#enumOSName: + #Linux | + #Windows + +#Linux: #OSName & "linux" +#Windows: #OSName & "windows" + +// PodOS defines the OS parameters of a pod. +#PodOS: { + // Name is the name of the operating system. The currently supported values are linux and windows. + // Additional value may be defined in future and can be one of: + // https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration + // Clients should expect to handle additional values and treat unrecognized values in this field as os: null + name: #OSName @go(Name) @protobuf(1,bytes,opt) +} + +// PodSchedulingGate is associated to a Pod to guard its scheduling. +#PodSchedulingGate: { + // Name of the scheduling gate. + // Each scheduling gate must have a unique name field. + name: string @go(Name) @protobuf(1,bytes,opt) +} + +// +enum +#UnsatisfiableConstraintAction: string // #enumUnsatisfiableConstraintAction + +#enumUnsatisfiableConstraintAction: + #DoNotSchedule | + #ScheduleAnyway + +// DoNotSchedule instructs the scheduler not to schedule the pod +// when constraints are not satisfied. +#DoNotSchedule: #UnsatisfiableConstraintAction & "DoNotSchedule" + +// ScheduleAnyway instructs the scheduler to schedule the pod +// even if constraints are not satisfied. +#ScheduleAnyway: #UnsatisfiableConstraintAction & "ScheduleAnyway" + +// NodeInclusionPolicy defines the type of node inclusion policy +// +enum +#NodeInclusionPolicy: string // #enumNodeInclusionPolicy + +#enumNodeInclusionPolicy: + #NodeInclusionPolicyIgnore | + #NodeInclusionPolicyHonor + +// NodeInclusionPolicyIgnore means ignore this scheduling directive when calculating pod topology spread skew. 
+#NodeInclusionPolicyIgnore: #NodeInclusionPolicy & "Ignore" + +// NodeInclusionPolicyHonor means use this scheduling directive when calculating pod topology spread skew. +#NodeInclusionPolicyHonor: #NodeInclusionPolicy & "Honor" + +// TopologySpreadConstraint specifies how to spread matching pods among the given topology. +#TopologySpreadConstraint: { + // MaxSkew describes the degree to which pods may be unevenly distributed. + // When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + // between the number of matching pods in the target topology and the global minimum. + // The global minimum is the minimum number of matching pods in an eligible domain + // or zero if the number of eligible domains is less than MinDomains. + // For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + // labelSelector spread as 2/2/1: + // In this case, the global minimum is 1. + // +-------+-------+-------+ + // | zone1 | zone2 | zone3 | + // +-------+-------+-------+ + // | P P | P P | P | + // +-------+-------+-------+ + // - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + // scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + // violate MaxSkew(1). + // - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + // When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + // to topologies that satisfy it. + // It's a required field. Default value is 1 and 0 is not allowed. + maxSkew: int32 @go(MaxSkew) @protobuf(1,varint,opt) + + // TopologyKey is the key of node labels. Nodes that have a label with this key + // and identical values are considered to be in the same topology. + // We consider each as a "bucket", and try to put balanced number + // of pods into each bucket. + // We define a domain as a particular instance of a topology. 
+ // Also, we define an eligible domain as a domain whose nodes meet the requirements of + // nodeAffinityPolicy and nodeTaintsPolicy. + // e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + // And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + // It's a required field. + topologyKey: string @go(TopologyKey) @protobuf(2,bytes,opt) + + // WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + // the spread constraint. + // - DoNotSchedule (default) tells the scheduler not to schedule it. + // - ScheduleAnyway tells the scheduler to schedule the pod in any location, + // but giving higher precedence to topologies that would help reduce the + // skew. + // A constraint is considered "Unsatisfiable" for an incoming pod + // if and only if every possible node assignment for that pod would violate + // "MaxSkew" on some topology. + // For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + // labelSelector spread as 3/1/1: + // +-------+-------+-------+ + // | zone1 | zone2 | zone3 | + // +-------+-------+-------+ + // | P P P | P | P | + // +-------+-------+-------+ + // If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + // to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + // MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler + // won't make it *more* imbalanced. + // It's a required field. + whenUnsatisfiable: #UnsatisfiableConstraintAction @go(WhenUnsatisfiable) @protobuf(3,bytes,opt,casttype=UnsatisfiableConstraintAction) + + // LabelSelector is used to find matching pods. + // Pods that match this label selector are counted to determine the number of pods + // in their corresponding topology domain. 
+ // +optional + labelSelector?: null | metav1.#LabelSelector @go(LabelSelector,*metav1.LabelSelector) @protobuf(4,bytes,opt) + + // MinDomains indicates a minimum number of eligible domains. + // When the number of eligible domains with matching topology keys is less than minDomains, + // Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + // And when the number of eligible domains with matching topology keys equals or greater than minDomains, + // this value has no effect on scheduling. + // As a result, when the number of eligible domains is less than minDomains, + // scheduler won't schedule more than maxSkew Pods to those domains. + // If value is nil, the constraint behaves as if MinDomains is equal to 1. + // Valid values are integers greater than 0. + // When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + // + // For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + // labelSelector spread as 2/2/2: + // +-------+-------+-------+ + // | zone1 | zone2 | zone3 | + // +-------+-------+-------+ + // | P P | P P | P P | + // +-------+-------+-------+ + // The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + // In this situation, new pod with the same labelSelector cannot be scheduled, + // because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + // it will violate MaxSkew. + // + // This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default). + // +optional + minDomains?: null | int32 @go(MinDomains,*int32) @protobuf(5,varint,opt) + + // NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + // when calculating pod topology spread skew. Options are: + // - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + // - Ignore: nodeAffinity/nodeSelector are ignored. 
All nodes are included in the calculations. + // + // If this value is nil, the behavior is equivalent to the Honor policy. + // This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + // +optional + nodeAffinityPolicy?: null | #NodeInclusionPolicy @go(NodeAffinityPolicy,*NodeInclusionPolicy) @protobuf(6,bytes,opt) + + // NodeTaintsPolicy indicates how we will treat node taints when calculating + // pod topology spread skew. Options are: + // - Honor: nodes without taints, along with tainted nodes for which the incoming pod + // has a toleration, are included. + // - Ignore: node taints are ignored. All nodes are included. + // + // If this value is nil, the behavior is equivalent to the Ignore policy. + // This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + // +optional + nodeTaintsPolicy?: null | #NodeInclusionPolicy @go(NodeTaintsPolicy,*NodeInclusionPolicy) @protobuf(7,bytes,opt) + + // MatchLabelKeys is a set of pod label keys to select the pods over which + // spreading will be calculated. The keys are used to lookup values from the + // incoming pod labels, those key-value labels are ANDed with labelSelector + // to select the group of existing pods over which spreading will be calculated + // for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + // MatchLabelKeys cannot be set when LabelSelector isn't set. + // Keys that don't exist in the incoming pod labels will + // be ignored. A null or empty list means only match against labelSelector. + // + // This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + // +listType=atomic + // +optional + matchLabelKeys?: [...string] @go(MatchLabelKeys,[]string) @protobuf(8,bytes,opt) +} + +// The default value for enableServiceLinks attribute. 
+#DefaultEnableServiceLinks: true + +// HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the +// pod's hosts file. +#HostAlias: { + // IP address of the host file entry. + ip?: string @go(IP) @protobuf(1,bytes,opt) + + // Hostnames for the above IP address. + hostnames?: [...string] @go(Hostnames,[]string) @protobuf(2,bytes,rep) +} + +// PodFSGroupChangePolicy holds policies that will be used for applying fsGroup to a volume +// when volume is mounted. +// +enum +#PodFSGroupChangePolicy: string // #enumPodFSGroupChangePolicy + +#enumPodFSGroupChangePolicy: + #FSGroupChangeOnRootMismatch | + #FSGroupChangeAlways + +// FSGroupChangeOnRootMismatch indicates that volume's ownership and permissions will be changed +// only when permission and ownership of root directory does not match with expected +// permissions on the volume. This can help shorten the time it takes to change +// ownership and permissions of a volume. +#FSGroupChangeOnRootMismatch: #PodFSGroupChangePolicy & "OnRootMismatch" + +// FSGroupChangeAlways indicates that volume's ownership and permissions +// should always be changed whenever volume is mounted inside a Pod. This the default +// behavior. +#FSGroupChangeAlways: #PodFSGroupChangePolicy & "Always" + +// PodSecurityContext holds pod-level security attributes and common container settings. +// Some fields are also present in container.securityContext. Field values of +// container.securityContext take precedence over field values of PodSecurityContext. +#PodSecurityContext: { + // The SELinux context to be applied to all containers. + // If unspecified, the container runtime will allocate a random SELinux context for each + // container. May also be set in SecurityContext. If set in + // both SecurityContext and PodSecurityContext, the value specified in SecurityContext + // takes precedence for that container. + // Note that this field cannot be set when spec.os.name is windows. 
+ // +optional + seLinuxOptions?: null | #SELinuxOptions @go(SELinuxOptions,*SELinuxOptions) @protobuf(1,bytes,opt) + + // The Windows specific settings applied to all containers. + // If unspecified, the options within a container's SecurityContext will be used. + // If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + // Note that this field cannot be set when spec.os.name is linux. + // +optional + windowsOptions?: null | #WindowsSecurityContextOptions @go(WindowsOptions,*WindowsSecurityContextOptions) @protobuf(8,bytes,opt) + + // The UID to run the entrypoint of the container process. + // Defaults to user specified in image metadata if unspecified. + // May also be set in SecurityContext. If set in both SecurityContext and + // PodSecurityContext, the value specified in SecurityContext takes precedence + // for that container. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + runAsUser?: null | int64 @go(RunAsUser,*int64) @protobuf(2,varint,opt) + + // The GID to run the entrypoint of the container process. + // Uses runtime default if unset. + // May also be set in SecurityContext. If set in both SecurityContext and + // PodSecurityContext, the value specified in SecurityContext takes precedence + // for that container. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + runAsGroup?: null | int64 @go(RunAsGroup,*int64) @protobuf(6,varint,opt) + + // Indicates that the container must run as a non-root user. + // If true, the Kubelet will validate the image at runtime to ensure that it + // does not run as UID 0 (root) and fail to start the container if it does. + // If unset or false, no such validation will be performed. + // May also be set in SecurityContext. If set in both SecurityContext and + // PodSecurityContext, the value specified in SecurityContext takes precedence. 
+ // +optional + runAsNonRoot?: null | bool @go(RunAsNonRoot,*bool) @protobuf(3,varint,opt) + + // A list of groups applied to the first process run in each container, in addition + // to the container's primary GID, the fsGroup (if specified), and group memberships + // defined in the container image for the uid of the container process. If unspecified, + // no additional groups are added to any container. Note that group memberships + // defined in the container image for the uid of the container process are still effective, + // even if they are not included in this list. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + supplementalGroups?: [...int64] @go(SupplementalGroups,[]int64) @protobuf(4,varint,rep) + + // A special supplemental group that applies to all containers in a pod. + // Some volume types allow the Kubelet to change the ownership of that volume + // to be owned by the pod: + // + // 1. The owning GID will be the FSGroup + // 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) + // 3. The permission bits are OR'd with rw-rw---- + // + // If unset, the Kubelet will not modify the ownership and permissions of any volume. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + fsGroup?: null | int64 @go(FSGroup,*int64) @protobuf(5,varint,opt) + + // Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported + // sysctls (by the container runtime) might fail to launch. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + sysctls?: [...#Sysctl] @go(Sysctls,[]Sysctl) @protobuf(7,bytes,rep) + + // fsGroupChangePolicy defines behavior of changing ownership and permission of the volume + // before being exposed inside Pod. This field will only apply to + // volume types which support fsGroup based ownership(and permissions). 
+ // It will have no effect on ephemeral volume types such as: secret, configmaps + // and emptydir. + // Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + fsGroupChangePolicy?: null | #PodFSGroupChangePolicy @go(FSGroupChangePolicy,*PodFSGroupChangePolicy) @protobuf(9,bytes,opt) + + // The seccomp options to use by the containers in this pod. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + seccompProfile?: null | #SeccompProfile @go(SeccompProfile,*SeccompProfile) @protobuf(10,bytes,opt) +} + +// SeccompProfile defines a pod/container's seccomp profile settings. +// Only one profile source may be set. +// +union +#SeccompProfile: { + // type indicates which kind of seccomp profile will be applied. + // Valid options are: + // + // Localhost - a profile defined in a file on the node should be used. + // RuntimeDefault - the container runtime default profile should be used. + // Unconfined - no profile should be applied. + // +unionDiscriminator + type: #SeccompProfileType @go(Type) @protobuf(1,bytes,opt,casttype=SeccompProfileType) + + // localhostProfile indicates a profile defined in a file on the node should be used. + // The profile must be preconfigured on the node to work. + // Must be a descending path, relative to the kubelet's configured seccomp profile location. + // Must be set if type is "Localhost". Must NOT be set for any other type. + // +optional + localhostProfile?: null | string @go(LocalhostProfile,*string) @protobuf(2,bytes,opt) +} + +// SeccompProfileType defines the supported seccomp profile types. +// +enum +#SeccompProfileType: string // #enumSeccompProfileType + +#enumSeccompProfileType: + #SeccompProfileTypeUnconfined | + #SeccompProfileTypeRuntimeDefault | + #SeccompProfileTypeLocalhost + +// SeccompProfileTypeUnconfined indicates no seccomp profile is applied (A.K.A. unconfined). 
+#SeccompProfileTypeUnconfined: #SeccompProfileType & "Unconfined" + +// SeccompProfileTypeRuntimeDefault represents the default container runtime seccomp profile. +#SeccompProfileTypeRuntimeDefault: #SeccompProfileType & "RuntimeDefault" + +// SeccompProfileTypeLocalhost indicates a profile defined in a file on the node should be used. +// The file's location relative to /seccomp. +#SeccompProfileTypeLocalhost: #SeccompProfileType & "Localhost" + +// PodQOSClass defines the supported qos classes of Pods. +// +enum +#PodQOSClass: string // #enumPodQOSClass + +#enumPodQOSClass: + #PodQOSGuaranteed | + #PodQOSBurstable | + #PodQOSBestEffort + +// PodQOSGuaranteed is the Guaranteed qos class. +#PodQOSGuaranteed: #PodQOSClass & "Guaranteed" + +// PodQOSBurstable is the Burstable qos class. +#PodQOSBurstable: #PodQOSClass & "Burstable" + +// PodQOSBestEffort is the BestEffort qos class. +#PodQOSBestEffort: #PodQOSClass & "BestEffort" + +// PodDNSConfig defines the DNS parameters of a pod in addition to +// those generated from DNSPolicy. +#PodDNSConfig: { + // A list of DNS name server IP addresses. + // This will be appended to the base nameservers generated from DNSPolicy. + // Duplicated nameservers will be removed. + // +optional + nameservers?: [...string] @go(Nameservers,[]string) @protobuf(1,bytes,rep) + + // A list of DNS search domains for host-name lookup. + // This will be appended to the base search paths generated from DNSPolicy. + // Duplicated search paths will be removed. + // +optional + searches?: [...string] @go(Searches,[]string) @protobuf(2,bytes,rep) + + // A list of DNS resolver options. + // This will be merged with the base options generated from DNSPolicy. + // Duplicated entries will be removed. Resolution options given in Options + // will override those that appear in the base DNSPolicy. 
+ // +optional + options?: [...#PodDNSConfigOption] @go(Options,[]PodDNSConfigOption) @protobuf(3,bytes,rep) +} + +// PodDNSConfigOption defines DNS resolver options of a pod. +#PodDNSConfigOption: { + // Required. + name?: string @go(Name) @protobuf(1,bytes,opt) + + // +optional + value?: null | string @go(Value,*string) @protobuf(2,bytes,opt) +} + +// PodIP represents a single IP address allocated to the pod. +#PodIP: { + // IP is the IP address assigned to the pod + ip?: string @go(IP) @protobuf(1,bytes,opt) +} + +// HostIP represents a single IP address allocated to the host. +#HostIP: { + // IP is the IP address assigned to the host + ip?: string @go(IP) @protobuf(1,bytes,opt) +} + +// EphemeralContainerCommon is a copy of all fields in Container to be inlined in +// EphemeralContainer. This separate type allows easy conversion from EphemeralContainer +// to Container and allows separate documentation for the fields of EphemeralContainer. +// When a new field is added to Container it must be added here as well. +#EphemeralContainerCommon: { + // Name of the ephemeral container specified as a DNS_LABEL. + // This name must be unique among all containers, init containers and ephemeral containers. + name: string @go(Name) @protobuf(1,bytes,opt) + + // Container image name. + // More info: https://kubernetes.io/docs/concepts/containers/images + image?: string @go(Image) @protobuf(2,bytes,opt) + + // Entrypoint array. Not executed within a shell. + // The image's ENTRYPOINT is used if this is not provided. + // Variable references $(VAR_NAME) are expanded using the container's environment. If a variable + // cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + // to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + // produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + // of whether the variable exists or not. Cannot be updated. 
+ // More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + // +optional + command?: [...string] @go(Command,[]string) @protobuf(3,bytes,rep) + + // Arguments to the entrypoint. + // The image's CMD is used if this is not provided. + // Variable references $(VAR_NAME) are expanded using the container's environment. If a variable + // cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + // to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + // produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + // of whether the variable exists or not. Cannot be updated. + // More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + // +optional + args?: [...string] @go(Args,[]string) @protobuf(4,bytes,rep) + + // Container's working directory. + // If not specified, the container runtime's default will be used, which + // might be configured in the container image. + // Cannot be updated. + // +optional + workingDir?: string @go(WorkingDir) @protobuf(5,bytes,opt) + + // Ports are not allowed for ephemeral containers. + // +optional + // +patchMergeKey=containerPort + // +patchStrategy=merge + // +listType=map + // +listMapKey=containerPort + // +listMapKey=protocol + ports?: [...#ContainerPort] @go(Ports,[]ContainerPort) @protobuf(6,bytes,rep) + + // List of sources to populate environment variables in the container. + // The keys defined within a source must be a C_IDENTIFIER. All invalid keys + // will be reported as an event when the container is starting. When a key exists in multiple + // sources, the value associated with the last source will take precedence. + // Values defined by an Env with a duplicate key will take precedence. + // Cannot be updated. 
+ // +optional + envFrom?: [...#EnvFromSource] @go(EnvFrom,[]EnvFromSource) @protobuf(19,bytes,rep) + + // List of environment variables to set in the container. + // Cannot be updated. + // +optional + // +patchMergeKey=name + // +patchStrategy=merge + env?: [...#EnvVar] @go(Env,[]EnvVar) @protobuf(7,bytes,rep) + + // Resources are not allowed for ephemeral containers. Ephemeral containers use spare resources + // already allocated to the pod. + // +optional + resources?: #ResourceRequirements @go(Resources) @protobuf(8,bytes,opt) + + // Resources resize policy for the container. + // +featureGate=InPlacePodVerticalScaling + // +optional + // +listType=atomic + resizePolicy?: [...#ContainerResizePolicy] @go(ResizePolicy,[]ContainerResizePolicy) @protobuf(23,bytes,rep) + + // Restart policy for the container to manage the restart behavior of each + // container within a pod. + // This may only be set for init containers. You cannot set this field on + // ephemeral containers. + // +featureGate=SidecarContainers + // +optional + restartPolicy?: null | #ContainerRestartPolicy @go(RestartPolicy,*ContainerRestartPolicy) @protobuf(24,bytes,opt,casttype=ContainerRestartPolicy) + + // Pod volumes to mount into the container's filesystem. Subpath mounts are not allowed for ephemeral containers. + // Cannot be updated. + // +optional + // +patchMergeKey=mountPath + // +patchStrategy=merge + volumeMounts?: [...#VolumeMount] @go(VolumeMounts,[]VolumeMount) @protobuf(9,bytes,rep) + + // volumeDevices is the list of block devices to be used by the container. + // +patchMergeKey=devicePath + // +patchStrategy=merge + // +optional + volumeDevices?: [...#VolumeDevice] @go(VolumeDevices,[]VolumeDevice) @protobuf(21,bytes,rep) + + // Probes are not allowed for ephemeral containers. + // +optional + livenessProbe?: null | #Probe @go(LivenessProbe,*Probe) @protobuf(10,bytes,opt) + + // Probes are not allowed for ephemeral containers. 
+ // +optional + readinessProbe?: null | #Probe @go(ReadinessProbe,*Probe) @protobuf(11,bytes,opt) + + // Probes are not allowed for ephemeral containers. + // +optional + startupProbe?: null | #Probe @go(StartupProbe,*Probe) @protobuf(22,bytes,opt) + + // Lifecycle is not allowed for ephemeral containers. + // +optional + lifecycle?: null | #Lifecycle @go(Lifecycle,*Lifecycle) @protobuf(12,bytes,opt) + + // Optional: Path at which the file to which the container's termination message + // will be written is mounted into the container's filesystem. + // Message written is intended to be brief final status, such as an assertion failure message. + // Will be truncated by the node if greater than 4096 bytes. The total message length across + // all containers will be limited to 12kb. + // Defaults to /dev/termination-log. + // Cannot be updated. + // +optional + terminationMessagePath?: string @go(TerminationMessagePath) @protobuf(13,bytes,opt) + + // Indicate how the termination message should be populated. File will use the contents of + // terminationMessagePath to populate the container status message on both success and failure. + // FallbackToLogsOnError will use the last chunk of container log output if the termination + // message file is empty and the container exited with an error. + // The log output is limited to 2048 bytes or 80 lines, whichever is smaller. + // Defaults to File. + // Cannot be updated. + // +optional + terminationMessagePolicy?: #TerminationMessagePolicy @go(TerminationMessagePolicy) @protobuf(20,bytes,opt,casttype=TerminationMessagePolicy) + + // Image pull policy. + // One of Always, Never, IfNotPresent. + // Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + // Cannot be updated. 
+ // More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + // +optional + imagePullPolicy?: #PullPolicy @go(ImagePullPolicy) @protobuf(14,bytes,opt,casttype=PullPolicy) + + // Optional: SecurityContext defines the security options the ephemeral container should be run with. + // If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. + // +optional + securityContext?: null | #SecurityContext @go(SecurityContext,*SecurityContext) @protobuf(15,bytes,opt) + + // Whether this container should allocate a buffer for stdin in the container runtime. If this + // is not set, reads from stdin in the container will always result in EOF. + // Default is false. + // +optional + stdin?: bool @go(Stdin) @protobuf(16,varint,opt) + + // Whether the container runtime should close the stdin channel after it has been opened by + // a single attach. When stdin is true the stdin stream will remain open across multiple attach + // sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the + // first client attaches to stdin, and then remains open and accepts data until the client disconnects, + // at which time stdin is closed and remains closed until the container is restarted. If this + // flag is false, a container processes that reads from stdin will never receive an EOF. + // Default is false + // +optional + stdinOnce?: bool @go(StdinOnce) @protobuf(17,varint,opt) + + // Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. + // Default is false. + // +optional + tty?: bool @go(TTY) @protobuf(18,varint,opt) +} + +// An EphemeralContainer is a temporary container that you may add to an existing Pod for +// user-initiated activities such as debugging. Ephemeral containers have no resource or +// scheduling guarantees, and they will not be restarted when they exit or when a Pod is +// removed or restarted. 
The kubelet may evict a Pod if an ephemeral container causes the +// Pod to exceed its resource allocation. +// +// To add an ephemeral container, use the ephemeralcontainers subresource of an existing +// Pod. Ephemeral containers may not be removed or restarted. +#EphemeralContainer: { + #EphemeralContainerCommon + + // If set, the name of the container from PodSpec that this ephemeral container targets. + // The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container. + // If not set then the ephemeral container uses the namespaces configured in the Pod spec. + // + // The container runtime must implement support for this feature. If the runtime does not + // support namespace targeting then the result of setting this field is undefined. + // +optional + targetContainerName?: string @go(TargetContainerName) @protobuf(2,bytes,opt) +} + +// PodStatus represents information about the status of a pod. Status may trail the actual +// state of a system, especially if the node that hosts the pod cannot contact the control +// plane. +#PodStatus: { + // The phase of a Pod is a simple, high-level summary of where the Pod is in its lifecycle. + // The conditions array, the reason and message fields, and the individual container status + // arrays contain more detail about the pod's status. + // There are five possible phase values: + // + // Pending: The pod has been accepted by the Kubernetes system, but one or more of the + // container images has not been created. This includes time before being scheduled as + // well as time spent downloading images over the network, which could take a while. + // Running: The pod has been bound to a node, and all of the containers have been created. + // At least one container is still running, or is in the process of starting or restarting. + // Succeeded: All containers in the pod have terminated in success, and will not be restarted. 
+ // Failed: All containers in the pod have terminated, and at least one container has + // terminated in failure. The container either exited with non-zero status or was terminated + // by the system. + // Unknown: For some reason the state of the pod could not be obtained, typically due to an + // error in communicating with the host of the pod. + // + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-phase + // +optional + phase?: #PodPhase @go(Phase) @protobuf(1,bytes,opt,casttype=PodPhase) + + // Current service state of pod. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#PodCondition] @go(Conditions,[]PodCondition) @protobuf(2,bytes,rep) + + // A human readable message indicating details about why the pod is in this condition. + // +optional + message?: string @go(Message) @protobuf(3,bytes,opt) + + // A brief CamelCase message indicating details about why the pod is in this state. + // e.g. 'Evicted' + // +optional + reason?: string @go(Reason) @protobuf(4,bytes,opt) + + // nominatedNodeName is set only when this pod preempts other pods on the node, but it cannot be + // scheduled right away as preemption victims receive their graceful termination periods. + // This field does not guarantee that the pod will be scheduled on this node. Scheduler may decide + // to place the pod elsewhere if other nodes become available sooner. Scheduler may also decide to + // give the resources on this node to a higher priority pod that is created after preemption. + // As a result, this field may be different than PodSpec.nodeName when the pod is + // scheduled. + // +optional + nominatedNodeName?: string @go(NominatedNodeName) @protobuf(11,bytes,opt) + + // hostIP holds the IP address of the host to which the pod is assigned. Empty if the pod has not started yet. 
+ // A pod can be assigned to a node that has a problem in kubelet which in turns mean that HostIP will + // not be updated even if there is a node is assigned to pod + // +optional + hostIP?: string @go(HostIP) @protobuf(5,bytes,opt) + + // hostIPs holds the IP addresses allocated to the host. If this field is specified, the first entry must + // match the hostIP field. This list is empty if the pod has not started yet. + // A pod can be assigned to a node that has a problem in kubelet which in turns means that HostIPs will + // not be updated even if there is a node is assigned to this pod. + // +optional + // +patchStrategy=merge + // +patchMergeKey=ip + // +listType=atomic + hostIPs?: [...#HostIP] @go(HostIPs,[]HostIP) @protobuf(16,bytes,rep) + + // podIP address allocated to the pod. Routable at least within the cluster. + // Empty if not yet allocated. + // +optional + podIP?: string @go(PodIP) @protobuf(6,bytes,opt) + + // podIPs holds the IP addresses allocated to the pod. If this field is specified, the 0th entry must + // match the podIP field. Pods may be allocated at most 1 value for each of IPv4 and IPv6. This list + // is empty if no IPs have been allocated yet. + // +optional + // +patchStrategy=merge + // +patchMergeKey=ip + podIPs?: [...#PodIP] @go(PodIPs,[]PodIP) @protobuf(12,bytes,rep) + + // RFC 3339 date and time at which the object was acknowledged by the Kubelet. + // This is before the Kubelet pulled the container image(s) for the pod. + // +optional + startTime?: null | metav1.#Time @go(StartTime,*metav1.Time) @protobuf(7,bytes,opt) + + // The list has one entry per init container in the manifest. The most recent successful + // init container will have ready = true, the most recently started container will have + // startTime set. 
+ // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status + initContainerStatuses?: [...#ContainerStatus] @go(InitContainerStatuses,[]ContainerStatus) @protobuf(10,bytes,rep) + + // The list has one entry per container in the manifest. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status + // +optional + containerStatuses?: [...#ContainerStatus] @go(ContainerStatuses,[]ContainerStatus) @protobuf(8,bytes,rep) + + // The Quality of Service (QOS) classification assigned to the pod based on resource requirements + // See PodQOSClass type for available QOS classes + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-qos/#quality-of-service-classes + // +optional + qosClass?: #PodQOSClass @go(QOSClass) @protobuf(9,bytes,rep) + + // Status for any ephemeral containers that have run in this pod. + // +optional + ephemeralContainerStatuses?: [...#ContainerStatus] @go(EphemeralContainerStatuses,[]ContainerStatus) @protobuf(13,bytes,rep) + + // Status of resources resize desired for pod's containers. + // It is empty if no resources resize is pending. + // Any changes to container resources will automatically set this to "Proposed" + // +featureGate=InPlacePodVerticalScaling + // +optional + resize?: #PodResizeStatus @go(Resize) @protobuf(14,bytes,opt,casttype=PodResizeStatus) + + // Status of resource claims. + // +patchMergeKey=name + // +patchStrategy=merge,retainKeys + // +listType=map + // +listMapKey=name + // +featureGate=DynamicResourceAllocation + // +optional + resourceClaimStatuses?: [...#PodResourceClaimStatus] @go(ResourceClaimStatuses,[]PodResourceClaimStatus) @protobuf(15,bytes,rep) +} + +// PodStatusResult is a wrapper for PodStatus returned by kubelet that can be encode/decoded +#PodStatusResult: { + metav1.#TypeMeta + + // Standard object's metadata. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Most recently observed status of the pod. + // This data may not be up to date. + // Populated by the system. + // Read-only. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #PodStatus @go(Status) @protobuf(2,bytes,opt) +} + +// Pod is a collection of containers that can run on a host. This resource is created +// by clients and scheduled onto hosts. +#Pod: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Specification of the desired behavior of the pod. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #PodSpec @go(Spec) @protobuf(2,bytes,opt) + + // Most recently observed status of the pod. + // This data may not be up to date. + // Populated by the system. + // Read-only. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #PodStatus @go(Status) @protobuf(3,bytes,opt) +} + +// PodList is a list of Pods. +#PodList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of pods. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md + items: [...#Pod] @go(Items,[]Pod) @protobuf(2,bytes,rep) +} + +// PodTemplateSpec describes the data a pod should have when created from a template +#PodTemplateSpec: { + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Specification of the desired behavior of the pod. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #PodSpec @go(Spec) @protobuf(2,bytes,opt) +} + +// PodTemplate describes a template for creating copies of a predefined pod. +#PodTemplate: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Template defines the pods that will be created from this pod template. + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + template?: #PodTemplateSpec @go(Template) @protobuf(2,bytes,opt) +} + +// PodTemplateList is a list of PodTemplates. +#PodTemplateList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of pod templates + items: [...#PodTemplate] @go(Items,[]PodTemplate) @protobuf(2,bytes,rep) +} + +// ReplicationControllerSpec is the specification of a replication controller. +#ReplicationControllerSpec: { + // Replicas is the number of desired replicas. 
+ // This is a pointer to distinguish between explicit zero and unspecified. + // Defaults to 1. + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#what-is-a-replicationcontroller + // +optional + replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt) + + // Minimum number of seconds for which a newly created pod should be ready + // without any of its container crashing, for it to be considered available. + // Defaults to 0 (pod will be considered available as soon as it is ready) + // +optional + minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(4,varint,opt) + + // Selector is a label query over pods that should match the Replicas count. + // If Selector is empty, it is defaulted to the labels present on the Pod template. + // Label keys and values that must match in order to be controlled by this replication + // controller, if empty defaulted to labels on Pod template. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors + // +optional + // +mapType=atomic + selector?: {[string]: string} @go(Selector,map[string]string) @protobuf(2,bytes,rep) + + // Template is the object that describes the pod that will be created if + // insufficient replicas are detected. This takes precedence over a TemplateRef. + // The only allowed template.spec.restartPolicy value is "Always". + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template + // +optional + template?: null | #PodTemplateSpec @go(Template,*PodTemplateSpec) @protobuf(3,bytes,opt) +} + +// ReplicationControllerStatus represents the current status of a replication +// controller. +#ReplicationControllerStatus: { + // Replicas is the most recently observed number of replicas. 
+ // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#what-is-a-replicationcontroller + replicas: int32 @go(Replicas) @protobuf(1,varint,opt) + + // The number of pods that have labels matching the labels of the pod template of the replication controller. + // +optional + fullyLabeledReplicas?: int32 @go(FullyLabeledReplicas) @protobuf(2,varint,opt) + + // The number of ready replicas for this replication controller. + // +optional + readyReplicas?: int32 @go(ReadyReplicas) @protobuf(4,varint,opt) + + // The number of available replicas (ready for at least minReadySeconds) for this replication controller. + // +optional + availableReplicas?: int32 @go(AvailableReplicas) @protobuf(5,varint,opt) + + // ObservedGeneration reflects the generation of the most recently observed replication controller. + // +optional + observedGeneration?: int64 @go(ObservedGeneration) @protobuf(3,varint,opt) + + // Represents the latest available observations of a replication controller's current state. + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#ReplicationControllerCondition] @go(Conditions,[]ReplicationControllerCondition) @protobuf(6,bytes,rep) +} + +#ReplicationControllerConditionType: string // #enumReplicationControllerConditionType + +#enumReplicationControllerConditionType: + #ReplicationControllerReplicaFailure + +// ReplicationControllerReplicaFailure is added in a replication controller when one of its pods +// fails to be created due to insufficient quota, limit ranges, pod security policy, node selectors, +// etc. or deleted due to kubelet being down or finalizers are failing. +#ReplicationControllerReplicaFailure: #ReplicationControllerConditionType & "ReplicaFailure" + +// ReplicationControllerCondition describes the state of a replication controller at a certain point. +#ReplicationControllerCondition: { + // Type of replication controller condition. 
+ type: #ReplicationControllerConditionType @go(Type) @protobuf(1,bytes,opt,casttype=ReplicationControllerConditionType) + + // Status of the condition, one of True, False, Unknown. + status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus) + + // The last time the condition transitioned from one status to another. + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt) + + // The reason for the condition's last transition. + // +optional + reason?: string @go(Reason) @protobuf(4,bytes,opt) + + // A human readable message indicating details about the transition. + // +optional + message?: string @go(Message) @protobuf(5,bytes,opt) +} + +// ReplicationController represents the configuration of a replication controller. +#ReplicationController: { + metav1.#TypeMeta + + // If the Labels of a ReplicationController are empty, they are defaulted to + // be the same as the Pod(s) that the replication controller manages. + // Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec defines the specification of the desired behavior of the replication controller. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #ReplicationControllerSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status is the most recently observed status of the replication controller. + // This data may be out of date by some window of time. + // Populated by the system. + // Read-only. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #ReplicationControllerStatus @go(Status) @protobuf(3,bytes,opt) +} + +// ReplicationControllerList is a collection of replication controllers. 
+#ReplicationControllerList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of replication controllers. + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller + items: [...#ReplicationController] @go(Items,[]ReplicationController) @protobuf(2,bytes,rep) +} + +// Session Affinity Type string +// +enum +#ServiceAffinity: string // #enumServiceAffinity + +#enumServiceAffinity: + #ServiceAffinityClientIP | + #ServiceAffinityNone + +// ServiceAffinityClientIP is the Client IP based. +#ServiceAffinityClientIP: #ServiceAffinity & "ClientIP" + +// ServiceAffinityNone - no session affinity. +#ServiceAffinityNone: #ServiceAffinity & "None" + +#DefaultClientIPServiceAffinitySeconds: int32 & 10800 + +// SessionAffinityConfig represents the configurations of session affinity. +#SessionAffinityConfig: { + // clientIP contains the configurations of Client IP based session affinity. + // +optional + clientIP?: null | #ClientIPConfig @go(ClientIP,*ClientIPConfig) @protobuf(1,bytes,opt) +} + +// ClientIPConfig represents the configurations of Client IP based session affinity. +#ClientIPConfig: { + // timeoutSeconds specifies the seconds of ClientIP type session sticky time. + // The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + // Default value is 10800(for 3 hours). 
+ // +optional + timeoutSeconds?: null | int32 @go(TimeoutSeconds,*int32) @protobuf(1,varint,opt) +} + +// Service Type string describes ingress methods for a service +// +enum +#ServiceType: string // #enumServiceType + +#enumServiceType: + #ServiceTypeClusterIP | + #ServiceTypeNodePort | + #ServiceTypeLoadBalancer | + #ServiceTypeExternalName + +// ServiceTypeClusterIP means a service will only be accessible inside the +// cluster, via the cluster IP. +#ServiceTypeClusterIP: #ServiceType & "ClusterIP" + +// ServiceTypeNodePort means a service will be exposed on one port of +// every node, in addition to 'ClusterIP' type. +#ServiceTypeNodePort: #ServiceType & "NodePort" + +// ServiceTypeLoadBalancer means a service will be exposed via an +// external load balancer (if the cloud provider supports it), in addition +// to 'NodePort' type. +#ServiceTypeLoadBalancer: #ServiceType & "LoadBalancer" + +// ServiceTypeExternalName means a service consists of only a reference to +// an external name that kubedns or equivalent will return as a CNAME +// record, with no exposing or proxying of any pods involved. +#ServiceTypeExternalName: #ServiceType & "ExternalName" + +// ServiceInternalTrafficPolicy describes how nodes distribute service traffic they +// receive on the ClusterIP. +// +enum +#ServiceInternalTrafficPolicy: string // #enumServiceInternalTrafficPolicy + +#enumServiceInternalTrafficPolicy: + #ServiceInternalTrafficPolicyCluster | + #ServiceInternalTrafficPolicyLocal + +// ServiceInternalTrafficPolicyCluster routes traffic to all endpoints. +#ServiceInternalTrafficPolicyCluster: #ServiceInternalTrafficPolicy & "Cluster" + +// ServiceInternalTrafficPolicyLocal routes traffic only to endpoints on the same +// node as the client pod (dropping the traffic if there are no local endpoints). 
+#ServiceInternalTrafficPolicyLocal: #ServiceInternalTrafficPolicy & "Local" + +// for backwards compat +// +enum +#ServiceInternalTrafficPolicyType: #ServiceInternalTrafficPolicy // #enumServiceInternalTrafficPolicyType + +#enumServiceInternalTrafficPolicyType: + #ServiceInternalTrafficPolicyCluster | + #ServiceInternalTrafficPolicyLocal + +// ServiceExternalTrafficPolicy describes how nodes distribute service traffic they +// receive on one of the Service's "externally-facing" addresses (NodePorts, ExternalIPs, +// and LoadBalancer IPs. +// +enum +#ServiceExternalTrafficPolicy: string // #enumServiceExternalTrafficPolicy + +#enumServiceExternalTrafficPolicy: + #ServiceExternalTrafficPolicyCluster | + #ServiceExternalTrafficPolicyLocal | + #ServiceExternalTrafficPolicyTypeLocal | + #ServiceExternalTrafficPolicyTypeCluster + +// ServiceExternalTrafficPolicyCluster routes traffic to all endpoints. +#ServiceExternalTrafficPolicyCluster: #ServiceExternalTrafficPolicy & "Cluster" + +// ServiceExternalTrafficPolicyLocal preserves the source IP of the traffic by +// routing only to endpoints on the same node as the traffic was received on +// (dropping the traffic if there are no local endpoints). +#ServiceExternalTrafficPolicyLocal: #ServiceExternalTrafficPolicy & "Local" + +// for backwards compat +// +enum +#ServiceExternalTrafficPolicyType: #ServiceExternalTrafficPolicy // #enumServiceExternalTrafficPolicyType + +#enumServiceExternalTrafficPolicyType: + #ServiceExternalTrafficPolicyCluster | + #ServiceExternalTrafficPolicyLocal | + #ServiceExternalTrafficPolicyTypeLocal | + #ServiceExternalTrafficPolicyTypeCluster + +#ServiceExternalTrafficPolicyTypeLocal: #ServiceExternalTrafficPolicy & "Local" +#ServiceExternalTrafficPolicyTypeCluster: #ServiceExternalTrafficPolicy & "Cluster" + +// LoadBalancerPortsError represents the condition of the requested ports +// on the cloud load balancer instance. 
+#LoadBalancerPortsError: "LoadBalancerPortsError" + +// LoadBalancerPortsErrorReason reason in ServiceStatus condition LoadBalancerPortsError +// means the LoadBalancer was not able to be configured correctly. +#LoadBalancerPortsErrorReason: "LoadBalancerMixedProtocolNotSupported" + +// ServiceStatus represents the current status of a service. +#ServiceStatus: { + // LoadBalancer contains the current status of the load-balancer, + // if one is present. + // +optional + loadBalancer?: #LoadBalancerStatus @go(LoadBalancer) @protobuf(1,bytes,opt) + + // Current service state + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + conditions?: [...metav1.#Condition] @go(Conditions,[]metav1.Condition) @protobuf(2,bytes,rep) +} + +// LoadBalancerStatus represents the status of a load-balancer. +#LoadBalancerStatus: { + // Ingress is a list containing ingress points for the load-balancer. + // Traffic intended for the service should be sent to these ingress points. + // +optional + ingress?: [...#LoadBalancerIngress] @go(Ingress,[]LoadBalancerIngress) @protobuf(1,bytes,rep) +} + +// LoadBalancerIngress represents the status of a load-balancer ingress point: +// traffic intended for the service should be sent to an ingress point. +#LoadBalancerIngress: { + // IP is set for load-balancer ingress points that are IP based + // (typically GCE or OpenStack load-balancers) + // +optional + ip?: string @go(IP) @protobuf(1,bytes,opt) + + // Hostname is set for load-balancer ingress points that are DNS based + // (typically AWS load-balancers) + // +optional + hostname?: string @go(Hostname) @protobuf(2,bytes,opt) + + // Ports is a list of records of service ports + // If used, every port defined in the service should have an entry in it + // +listType=atomic + // +optional + ports?: [...#PortStatus] @go(Ports,[]PortStatus) @protobuf(4,bytes,rep) +} + +// IPFamily represents the IP Family (IPv4 or IPv6). 
This type is used +// to express the family of an IP expressed by a type (e.g. service.spec.ipFamilies). +// +enum +#IPFamily: string // #enumIPFamily + +#enumIPFamily: + #IPv4Protocol | + #IPv6Protocol + +// IPv4Protocol indicates that this IP is IPv4 protocol +#IPv4Protocol: #IPFamily & "IPv4" + +// IPv6Protocol indicates that this IP is IPv6 protocol +#IPv6Protocol: #IPFamily & "IPv6" + +// IPFamilyPolicy represents the dual-stack-ness requested or required by a Service +// +enum +#IPFamilyPolicy: string // #enumIPFamilyPolicy + +#enumIPFamilyPolicy: + #IPFamilyPolicySingleStack | + #IPFamilyPolicyPreferDualStack | + #IPFamilyPolicyRequireDualStack + +// IPFamilyPolicySingleStack indicates that this service is required to have a single IPFamily. +// The IPFamily assigned is based on the default IPFamily used by the cluster +// or as identified by service.spec.ipFamilies field +#IPFamilyPolicySingleStack: #IPFamilyPolicy & "SingleStack" + +// IPFamilyPolicyPreferDualStack indicates that this service prefers dual-stack when +// the cluster is configured for dual-stack. If the cluster is not configured +// for dual-stack the service will be assigned a single IPFamily. If the IPFamily is not +// set in service.spec.ipFamilies then the service will be assigned the default IPFamily +// configured on the cluster +#IPFamilyPolicyPreferDualStack: #IPFamilyPolicy & "PreferDualStack" + +// IPFamilyPolicyRequireDualStack indicates that this service requires dual-stack. Using +// IPFamilyPolicyRequireDualStack on a single stack cluster will result in validation errors. The +// IPFamilies (and their order) assigned to this service is based on service.spec.ipFamilies. If +// service.spec.ipFamilies was not provided then it will be assigned according to how they are +// configured on the cluster. 
If service.spec.ipFamilies has only one entry then the alternative +// IPFamily will be added by apiserver +#IPFamilyPolicyRequireDualStack: #IPFamilyPolicy & "RequireDualStack" + +// for backwards compat +// +enum +#IPFamilyPolicyType: #IPFamilyPolicy // #enumIPFamilyPolicyType + +#enumIPFamilyPolicyType: + #IPFamilyPolicySingleStack | + #IPFamilyPolicyPreferDualStack | + #IPFamilyPolicyRequireDualStack + +// ServiceSpec describes the attributes that a user creates on a service. +#ServiceSpec: { + // The list of ports that are exposed by this service. + // More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + // +patchMergeKey=port + // +patchStrategy=merge + // +listType=map + // +listMapKey=port + // +listMapKey=protocol + ports?: [...#ServicePort] @go(Ports,[]ServicePort) @protobuf(1,bytes,rep) + + // Route service traffic to pods with label keys and values matching this + // selector. If empty or not present, the service is assumed to have an + // external process managing its endpoints, which Kubernetes will not + // modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. + // Ignored if type is ExternalName. + // More info: https://kubernetes.io/docs/concepts/services-networking/service/ + // +optional + // +mapType=atomic + selector?: {[string]: string} @go(Selector,map[string]string) @protobuf(2,bytes,rep) + + // clusterIP is the IP address of the service and is usually assigned + // randomly. If an address is specified manually, is in-range (as per + // system configuration), and is not in use, it will be allocated to the + // service; otherwise creation of the service will fail. This field may not + // be changed through updates unless the type field is also being changed + // to ExternalName (which requires this field to be blank) or the type + // field is being changed from ExternalName (in which case this field may + // optionally be specified, as describe above). 
Valid values are "None", + // empty string (""), or a valid IP address. Setting this to "None" makes a + // "headless service" (no virtual IP), which is useful when direct endpoint + // connections are preferred and proxying is not required. Only applies to + // types ClusterIP, NodePort, and LoadBalancer. If this field is specified + // when creating a Service of type ExternalName, creation will fail. This + // field will be wiped when updating a Service to type ExternalName. + // More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + // +optional + clusterIP?: string @go(ClusterIP) @protobuf(3,bytes,opt) + + // ClusterIPs is a list of IP addresses assigned to this service, and are + // usually assigned randomly. If an address is specified manually, is + // in-range (as per system configuration), and is not in use, it will be + // allocated to the service; otherwise creation of the service will fail. + // This field may not be changed through updates unless the type field is + // also being changed to ExternalName (which requires this field to be + // empty) or the type field is being changed from ExternalName (in which + // case this field may optionally be specified, as describe above). Valid + // values are "None", empty string (""), or a valid IP address. Setting + // this to "None" makes a "headless service" (no virtual IP), which is + // useful when direct endpoint connections are preferred and proxying is + // not required. Only applies to types ClusterIP, NodePort, and + // LoadBalancer. If this field is specified when creating a Service of type + // ExternalName, creation will fail. This field will be wiped when updating + // a Service to type ExternalName. If this field is not specified, it will + // be initialized from the clusterIP field. If this field is specified, + // clients must ensure that clusterIPs[0] and clusterIP have the same + // value. 
+ // + // This field may hold a maximum of two entries (dual-stack IPs, in either order). + // These IPs must correspond to the values of the ipFamilies field. Both + // clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. + // More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + // +listType=atomic + // +optional + clusterIPs?: [...string] @go(ClusterIPs,[]string) @protobuf(18,bytes,opt) + + // type determines how the Service is exposed. Defaults to ClusterIP. Valid + // options are ExternalName, ClusterIP, NodePort, and LoadBalancer. + // "ClusterIP" allocates a cluster-internal IP address for load-balancing + // to endpoints. Endpoints are determined by the selector or if that is not + // specified, by manual construction of an Endpoints object or + // EndpointSlice objects. If clusterIP is "None", no virtual IP is + // allocated and the endpoints are published as a set of endpoints rather + // than a virtual IP. + // "NodePort" builds on ClusterIP and allocates a port on every node which + // routes to the same endpoints as the clusterIP. + // "LoadBalancer" builds on NodePort and creates an external load-balancer + // (if supported in the current cloud) which routes to the same endpoints + // as the clusterIP. + // "ExternalName" aliases this service to the specified externalName. + // Several other fields do not apply to ExternalName services. + // More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types + // +optional + type?: #ServiceType @go(Type) @protobuf(4,bytes,opt,casttype=ServiceType) + + // externalIPs is a list of IP addresses for which nodes in the cluster + // will also accept traffic for this service. These IPs are not managed by + // Kubernetes. The user is responsible for ensuring that traffic arrives + // at a node with this IP. A common example is external load-balancers + // that are not part of the Kubernetes system. 
+ // +optional + externalIPs?: [...string] @go(ExternalIPs,[]string) @protobuf(5,bytes,rep) + + // Supports "ClientIP" and "None". Used to maintain session affinity. + // Enable client IP based session affinity. + // Must be ClientIP or None. + // Defaults to None. + // More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + // +optional + sessionAffinity?: #ServiceAffinity @go(SessionAffinity) @protobuf(7,bytes,opt,casttype=ServiceAffinity) + + // Only applies to Service Type: LoadBalancer. + // This feature depends on whether the underlying cloud-provider supports specifying + // the loadBalancerIP when a load balancer is created. + // This field will be ignored if the cloud-provider does not support the feature. + // Deprecated: This field was under-specified and its meaning varies across implementations. + // Using it is non-portable and it may not support dual-stack. + // Users are encouraged to use implementation-specific annotations when available. + // +optional + loadBalancerIP?: string @go(LoadBalancerIP) @protobuf(8,bytes,opt) + + // If specified and supported by the platform, this will restrict traffic through the cloud-provider + // load-balancer will be restricted to the specified client IPs. This field will be ignored if the + // cloud-provider does not support the feature." + // More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ + // +optional + loadBalancerSourceRanges?: [...string] @go(LoadBalancerSourceRanges,[]string) @protobuf(9,bytes,opt) + + // externalName is the external reference that discovery mechanisms will + // return as an alias for this service (e.g. a DNS CNAME record). No + // proxying will be involved. Must be a lowercase RFC-1123 hostname + // (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName". 
+ // +optional + externalName?: string @go(ExternalName) @protobuf(10,bytes,opt) + + // externalTrafficPolicy describes how nodes distribute service traffic they + // receive on one of the Service's "externally-facing" addresses (NodePorts, + // ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure + // the service in a way that assumes that external load balancers will take care + // of balancing the service traffic between nodes, and so each node will deliver + // traffic only to the node-local endpoints of the service, without masquerading + // the client source IP. (Traffic mistakenly sent to a node with no endpoints will + // be dropped.) The default value, "Cluster", uses the standard behavior of + // routing to all endpoints evenly (possibly modified by topology and other + // features). Note that traffic sent to an External IP or LoadBalancer IP from + // within the cluster will always get "Cluster" semantics, but clients sending to + // a NodePort from within the cluster may need to take traffic policy into account + // when picking a node. + // +optional + externalTrafficPolicy?: #ServiceExternalTrafficPolicy @go(ExternalTrafficPolicy) @protobuf(11,bytes,opt) + + // healthCheckNodePort specifies the healthcheck nodePort for the service. + // This only applies when type is set to LoadBalancer and + // externalTrafficPolicy is set to Local. If a value is specified, is + // in-range, and is not in use, it will be used. If not specified, a value + // will be automatically allocated. External systems (e.g. load-balancers) + // can use this port to determine if a given node holds endpoints for this + // service or not. If this field is specified when creating a Service + // which does not need it, creation will fail. This field will be wiped + // when updating a Service to no longer need it (e.g. changing type). + // This field cannot be updated once set. 
+ // +optional + healthCheckNodePort?: int32 @go(HealthCheckNodePort) @protobuf(12,bytes,opt) + + // publishNotReadyAddresses indicates that any agent which deals with endpoints for this + // Service should disregard any indications of ready/not-ready. + // The primary use case for setting this field is for a StatefulSet's Headless Service to + // propagate SRV DNS records for its Pods for the purpose of peer discovery. + // The Kubernetes controllers that generate Endpoints and EndpointSlice resources for + // Services interpret this to mean that all endpoints are considered "ready" even if the + // Pods themselves are not. Agents which consume only Kubernetes generated endpoints + // through the Endpoints or EndpointSlice resources can safely assume this behavior. + // +optional + publishNotReadyAddresses?: bool @go(PublishNotReadyAddresses) @protobuf(13,varint,opt) + + // sessionAffinityConfig contains the configurations of session affinity. + // +optional + sessionAffinityConfig?: null | #SessionAffinityConfig @go(SessionAffinityConfig,*SessionAffinityConfig) @protobuf(14,bytes,opt) + + // IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this + // service. This field is usually assigned automatically based on cluster + // configuration and the ipFamilyPolicy field. If this field is specified + // manually, the requested family is available in the cluster, + // and ipFamilyPolicy allows it, it will be used; otherwise creation of + // the service will fail. This field is conditionally mutable: it allows + // for adding or removing a secondary IP family, but it does not allow + // changing the primary IP family of the Service. Valid values are "IPv4" + // and "IPv6". This field only applies to Services of types ClusterIP, + // NodePort, and LoadBalancer, and does apply to "headless" services. + // This field will be wiped when updating a Service to type ExternalName. 
+ // + // This field may hold a maximum of two entries (dual-stack families, in + // either order). These families must correspond to the values of the + // clusterIPs field, if specified. Both clusterIPs and ipFamilies are + // governed by the ipFamilyPolicy field. + // +listType=atomic + // +optional + ipFamilies?: [...#IPFamily] @go(IPFamilies,[]IPFamily) @protobuf(19,bytes,opt,casttype=IPFamily) + + // IPFamilyPolicy represents the dual-stack-ness requested or required by + // this Service. If there is no value provided, then this field will be set + // to SingleStack. Services can be "SingleStack" (a single IP family), + // "PreferDualStack" (two IP families on dual-stack configured clusters or + // a single IP family on single-stack clusters), or "RequireDualStack" + // (two IP families on dual-stack configured clusters, otherwise fail). The + // ipFamilies and clusterIPs fields depend on the value of this field. This + // field will be wiped when updating a service to type ExternalName. + // +optional + ipFamilyPolicy?: null | #IPFamilyPolicy @go(IPFamilyPolicy,*IPFamilyPolicy) @protobuf(17,bytes,opt,casttype=IPFamilyPolicy) + + // allocateLoadBalancerNodePorts defines if NodePorts will be automatically + // allocated for services with type LoadBalancer. Default is "true". It + // may be set to "false" if the cluster load-balancer does not rely on + // NodePorts. If the caller requests specific NodePorts (by specifying a + // value), those requests will be respected, regardless of this field. + // This field may only be set for services with type LoadBalancer and will + // be cleared if the type is changed to any other type. + // +optional + allocateLoadBalancerNodePorts?: null | bool @go(AllocateLoadBalancerNodePorts,*bool) @protobuf(20,bytes,opt) + + // loadBalancerClass is the class of the load balancer implementation this Service belongs to. + // If specified, the value of this field must be a label-style identifier, with an optional prefix, + // e.g. 
"internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. + // This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load + // balancer implementation is used, today this is typically done through the cloud provider integration, + // but should apply for any default implementation. If set, it is assumed that a load balancer + // implementation is watching for Services with a matching class. Any default load balancer + // implementation (e.g. cloud providers) should ignore Services that set this field. + // This field can only be set when creating or updating a Service to type 'LoadBalancer'. + // Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. + // +optional + loadBalancerClass?: null | string @go(LoadBalancerClass,*string) @protobuf(21,bytes,opt) + + // InternalTrafficPolicy describes how nodes distribute service traffic they + // receive on the ClusterIP. If set to "Local", the proxy will assume that pods + // only want to talk to endpoints of the service on the same node as the pod, + // dropping the traffic if there are no local endpoints. The default value, + // "Cluster", uses the standard behavior of routing to all endpoints evenly + // (possibly modified by topology and other features). + // +optional + internalTrafficPolicy?: null | #ServiceInternalTrafficPolicy @go(InternalTrafficPolicy,*ServiceInternalTrafficPolicy) @protobuf(22,bytes,opt) +} + +// ServicePort contains information on service's port. +#ServicePort: { + // The name of this port within the service. This must be a DNS_LABEL. + // All ports within a ServiceSpec must have unique names. When considering + // the endpoints for a Service, this must match the 'name' field in the + // EndpointPort. + // Optional if only one ServicePort is defined on this service. + // +optional + name?: string @go(Name) @protobuf(1,bytes,opt) + + // The IP protocol for this port. 
Supports "TCP", "UDP", and "SCTP". + // Default is TCP. + // +default="TCP" + // +optional + protocol?: #Protocol @go(Protocol) @protobuf(2,bytes,opt,casttype=Protocol) + + // The application protocol for this port. + // This is used as a hint for implementations to offer richer behavior for protocols that they understand. + // This field follows standard Kubernetes label syntax. + // Valid values are either: + // + // * Un-prefixed protocol names - reserved for IANA standard service names (as per + // RFC-6335 and https://www.iana.org/assignments/service-names). + // + // * Kubernetes-defined prefixed names: + // * 'kubernetes.io/h2c' - HTTP/2 over cleartext as described in https://www.rfc-editor.org/rfc/rfc7540 + // * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + // * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + // + // * Other protocols should use implementation-defined prefixed names such as + // mycompany.com/my-custom-protocol. + // +optional + appProtocol?: null | string @go(AppProtocol,*string) @protobuf(6,bytes,opt) + + // The port that will be exposed by this service. + port: int32 @go(Port) @protobuf(3,varint,opt) + + // Number or name of the port to access on the pods targeted by the service. + // Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + // If this is a string, it will be looked up as a named port in the + // target Pod's container ports. If this is not specified, the value + // of the 'port' field is used (an identity map). + // This field is ignored for services with clusterIP=None, and should be + // omitted or set equal to the 'port' field. 
+ // More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + // +optional + targetPort?: intstr.#IntOrString @go(TargetPort) @protobuf(4,bytes,opt) + + // The port on each node on which this service is exposed when type is + // NodePort or LoadBalancer. Usually assigned by the system. If a value is + // specified, in-range, and not in use it will be used, otherwise the + // operation will fail. If not specified, a port will be allocated if this + // Service requires one. If this field is specified when creating a + // Service which does not need it, creation will fail. This field will be + // wiped when updating a Service to no longer need it (e.g. changing type + // from NodePort to ClusterIP). + // More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + // +optional + nodePort?: int32 @go(NodePort) @protobuf(5,varint,opt) +} + +// Service is a named abstraction of software service (for example, mysql) consisting of local port +// (for example 3306) that the proxy listens on, and the selector that determines which pods +// will answer requests sent through the proxy. +#Service: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec defines the behavior of a service. + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #ServiceSpec @go(Spec) @protobuf(2,bytes,opt) + + // Most recently observed status of the service. + // Populated by the system. + // Read-only. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #ServiceStatus @go(Status) @protobuf(3,bytes,opt) +} + +// ClusterIPNone - do not assign a cluster IP +// no proxying required and no environment variables should be created for pods +#ClusterIPNone: "None" + +// ServiceList holds a list of services. +#ServiceList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of services + items: [...#Service] @go(Items,[]Service) @protobuf(2,bytes,rep) +} + +// ServiceAccount binds together: +// * a name, understood by users, and perhaps by peripheral systems, for an identity +// * a principal that can be authenticated and authorized +// * a set of secrets +#ServiceAccount: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Secrets is a list of the secrets in the same namespace that pods running using this ServiceAccount are allowed to use. + // Pods are only limited to this list if this service account has a "kubernetes.io/enforce-mountable-secrets" annotation set to "true". + // This field should not be used to find auto-generated service account token secrets for use outside of pods. + // Instead, tokens can be requested directly using the TokenRequest API, or service account token secrets can be manually created. 
+ // More info: https://kubernetes.io/docs/concepts/configuration/secret + // +optional + // +patchMergeKey=name + // +patchStrategy=merge + secrets?: [...#ObjectReference] @go(Secrets,[]ObjectReference) @protobuf(2,bytes,rep) + + // ImagePullSecrets is a list of references to secrets in the same namespace to use for pulling any images + // in pods that reference this ServiceAccount. ImagePullSecrets are distinct from Secrets because Secrets + // can be mounted in the pod, but ImagePullSecrets are only accessed by the kubelet. + // More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod + // +optional + imagePullSecrets?: [...#LocalObjectReference] @go(ImagePullSecrets,[]LocalObjectReference) @protobuf(3,bytes,rep) + + // AutomountServiceAccountToken indicates whether pods running as this service account should have an API token automatically mounted. + // Can be overridden at the pod level. + // +optional + automountServiceAccountToken?: null | bool @go(AutomountServiceAccountToken,*bool) @protobuf(4,varint,opt) +} + +// ServiceAccountList is a list of ServiceAccount objects +#ServiceAccountList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of ServiceAccounts. + // More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ + items: [...#ServiceAccount] @go(Items,[]ServiceAccount) @protobuf(2,bytes,rep) +} + +// Endpoints is a collection of endpoints that implement the actual service. 
Example: +// +// Name: "mysvc", +// Subsets: [ +// { +// Addresses: [{"ip": "10.10.1.1"}, {"ip": "10.10.2.2"}], +// Ports: [{"name": "a", "port": 8675}, {"name": "b", "port": 309}] +// }, +// { +// Addresses: [{"ip": "10.10.3.3"}], +// Ports: [{"name": "a", "port": 93}, {"name": "b", "port": 76}] +// }, +// ] +#Endpoints: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // The set of all endpoints is the union of all subsets. Addresses are placed into + // subsets according to the IPs they share. A single address with multiple ports, + // some of which are ready and some of which are not (because they come from + // different containers) will result in the address being displayed in different + // subsets for the different ports. No address will appear in both Addresses and + // NotReadyAddresses in the same subset. + // Sets of addresses and ports that comprise a service. + // +optional + subsets?: [...#EndpointSubset] @go(Subsets,[]EndpointSubset) @protobuf(2,bytes,rep) +} + +// EndpointSubset is a group of addresses with a common set of ports. The +// expanded set of endpoints is the Cartesian product of Addresses x Ports. +// For example, given: +// +// { +// Addresses: [{"ip": "10.10.1.1"}, {"ip": "10.10.2.2"}], +// Ports: [{"name": "a", "port": 8675}, {"name": "b", "port": 309}] +// } +// +// The resulting set of endpoints can be viewed as: +// +// a: [ 10.10.1.1:8675, 10.10.2.2:8675 ], +// b: [ 10.10.1.1:309, 10.10.2.2:309 ] +#EndpointSubset: { + // IP addresses which offer the related ports that are marked as ready. These endpoints + // should be considered safe for load balancers and clients to utilize. 
+ // +optional + addresses?: [...#EndpointAddress] @go(Addresses,[]EndpointAddress) @protobuf(1,bytes,rep) + + // IP addresses which offer the related ports but are not currently marked as ready + // because they have not yet finished starting, have recently failed a readiness check, + // or have recently failed a liveness check. + // +optional + notReadyAddresses?: [...#EndpointAddress] @go(NotReadyAddresses,[]EndpointAddress) @protobuf(2,bytes,rep) + + // Port numbers available on the related IP addresses. + // +optional + ports?: [...#EndpointPort] @go(Ports,[]EndpointPort) @protobuf(3,bytes,rep) +} + +// EndpointAddress is a tuple that describes single IP address. +// +structType=atomic +#EndpointAddress: { + // The IP of this endpoint. + // May not be loopback (127.0.0.0/8 or ::1), link-local (169.254.0.0/16 or fe80::/10), + // or link-local multicast (224.0.0.0/24 or ff02::/16). + ip: string @go(IP) @protobuf(1,bytes,opt) + + // The Hostname of this endpoint + // +optional + hostname?: string @go(Hostname) @protobuf(3,bytes,opt) + + // Optional: Node hosting this endpoint. This can be used to determine endpoints local to a node. + // +optional + nodeName?: null | string @go(NodeName,*string) @protobuf(4,bytes,opt) + + // Reference to object providing the endpoint. + // +optional + targetRef?: null | #ObjectReference @go(TargetRef,*ObjectReference) @protobuf(2,bytes,opt) +} + +// EndpointPort is a tuple that describes a single port. +// +structType=atomic +#EndpointPort: { + // The name of this port. This must match the 'name' field in the + // corresponding ServicePort. + // Must be a DNS_LABEL. + // Optional only if one port is defined. + // +optional + name?: string @go(Name) @protobuf(1,bytes,opt) + + // The port number of the endpoint. + port: int32 @go(Port) @protobuf(2,varint,opt) + + // The IP protocol for this port. + // Must be UDP, TCP, or SCTP. + // Default is TCP. 
+ // +optional + protocol?: #Protocol @go(Protocol) @protobuf(3,bytes,opt,casttype=Protocol) + + // The application protocol for this port. + // This is used as a hint for implementations to offer richer behavior for protocols that they understand. + // This field follows standard Kubernetes label syntax. + // Valid values are either: + // + // * Un-prefixed protocol names - reserved for IANA standard service names (as per + // RFC-6335 and https://www.iana.org/assignments/service-names). + // + // * Kubernetes-defined prefixed names: + // * 'kubernetes.io/h2c' - HTTP/2 over cleartext as described in https://www.rfc-editor.org/rfc/rfc7540 + // * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + // * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + // + // * Other protocols should use implementation-defined prefixed names such as + // mycompany.com/my-custom-protocol. + // +optional + appProtocol?: null | string @go(AppProtocol,*string) @protobuf(4,bytes,opt) +} + +// EndpointsList is a list of endpoints. +#EndpointsList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of endpoints. + items: [...#Endpoints] @go(Items,[]Endpoints) @protobuf(2,bytes,rep) +} + +// NodeSpec describes the attributes that a node is created with. +#NodeSpec: { + // PodCIDR represents the pod IP range assigned to the node. + // +optional + podCIDR?: string @go(PodCIDR) @protobuf(1,bytes,opt) + + // podCIDRs represents the IP ranges assigned to the node for usage by Pods on that node. If this + // field is specified, the 0th entry must match the podCIDR field. It may contain at most 1 value for + // each of IPv4 and IPv6. 
+ // +optional + // +patchStrategy=merge + podCIDRs?: [...string] @go(PodCIDRs,[]string) @protobuf(7,bytes,opt) + + // ID of the node assigned by the cloud provider in the format: :// + // +optional + providerID?: string @go(ProviderID) @protobuf(3,bytes,opt) + + // Unschedulable controls node schedulability of new pods. By default, node is schedulable. + // More info: https://kubernetes.io/docs/concepts/nodes/node/#manual-node-administration + // +optional + unschedulable?: bool @go(Unschedulable) @protobuf(4,varint,opt) + + // If specified, the node's taints. + // +optional + taints?: [...#Taint] @go(Taints,[]Taint) @protobuf(5,bytes,opt) + + // Deprecated: Previously used to specify the source of the node's configuration for the DynamicKubeletConfig feature. This feature is removed. + // +optional + configSource?: null | #NodeConfigSource @go(ConfigSource,*NodeConfigSource) @protobuf(6,bytes,opt) + + // Deprecated. Not all kubelets will set this field. Remove field after 1.13. + // see: https://issues.k8s.io/61966 + // +optional + externalID?: string @go(DoNotUseExternalID) @protobuf(2,bytes,opt) +} + +// NodeConfigSource specifies a source of node configuration. Exactly one subfield (excluding metadata) must be non-nil. +// This API is deprecated since 1.22 +#NodeConfigSource: { + // ConfigMap is a reference to a Node's ConfigMap + configMap?: null | #ConfigMapNodeConfigSource @go(ConfigMap,*ConfigMapNodeConfigSource) @protobuf(2,bytes,opt) +} + +// ConfigMapNodeConfigSource contains the information to reference a ConfigMap as a config source for the Node. +// This API is deprecated since 1.22: https://git.k8s.io/enhancements/keps/sig-node/281-dynamic-kubelet-configuration +#ConfigMapNodeConfigSource: { + // Namespace is the metadata.namespace of the referenced ConfigMap. + // This field is required in all cases. + namespace: string @go(Namespace) @protobuf(1,bytes,opt) + + // Name is the metadata.name of the referenced ConfigMap. 
+ // This field is required in all cases. + name: string @go(Name) @protobuf(2,bytes,opt) + + // UID is the metadata.UID of the referenced ConfigMap. + // This field is forbidden in Node.Spec, and required in Node.Status. + // +optional + uid?: types.#UID @go(UID) @protobuf(3,bytes,opt) + + // ResourceVersion is the metadata.ResourceVersion of the referenced ConfigMap. + // This field is forbidden in Node.Spec, and required in Node.Status. + // +optional + resourceVersion?: string @go(ResourceVersion) @protobuf(4,bytes,opt) + + // KubeletConfigKey declares which key of the referenced ConfigMap corresponds to the KubeletConfiguration structure + // This field is required in all cases. + kubeletConfigKey: string @go(KubeletConfigKey) @protobuf(5,bytes,opt) +} + +// DaemonEndpoint contains information about a single Daemon endpoint. +#DaemonEndpoint: { + // Port number of the given endpoint. + Port: int32 @protobuf(1,varint,opt) +} + +// NodeDaemonEndpoints lists ports opened by daemons running on the Node. +#NodeDaemonEndpoints: { + // Endpoint on which Kubelet is listening. + // +optional + kubeletEndpoint?: #DaemonEndpoint @go(KubeletEndpoint) @protobuf(1,bytes,opt) +} + +// NodeSystemInfo is a set of ids/uuids to uniquely identify the node. +#NodeSystemInfo: { + // MachineID reported by the node. For unique machine identification + // in the cluster this field is preferred. Learn more from man(5) + // machine-id: http://man7.org/linux/man-pages/man5/machine-id.5.html + machineID: string @go(MachineID) @protobuf(1,bytes,opt) + + // SystemUUID reported by the node. For unique machine identification + // MachineID is preferred. This field is specific to Red Hat hosts + // https://access.redhat.com/documentation/en-us/red_hat_subscription_management/1/html/rhsm/uuid + systemUUID: string @go(SystemUUID) @protobuf(2,bytes,opt) + + // Boot ID reported by the node. 
+ bootID: string @go(BootID) @protobuf(3,bytes,opt) + + // Kernel Version reported by the node from 'uname -r' (e.g. 3.16.0-0.bpo.4-amd64). + kernelVersion: string @go(KernelVersion) @protobuf(4,bytes,opt) + + // OS Image reported by the node from /etc/os-release (e.g. Debian GNU/Linux 7 (wheezy)). + osImage: string @go(OSImage) @protobuf(5,bytes,opt) + + // ContainerRuntime Version reported by the node through runtime remote API (e.g. containerd://1.4.2). + containerRuntimeVersion: string @go(ContainerRuntimeVersion) @protobuf(6,bytes,opt) + + // Kubelet Version reported by the node. + kubeletVersion: string @go(KubeletVersion) @protobuf(7,bytes,opt) + + // KubeProxy Version reported by the node. + kubeProxyVersion: string @go(KubeProxyVersion) @protobuf(8,bytes,opt) + + // The Operating System reported by the node + operatingSystem: string @go(OperatingSystem) @protobuf(9,bytes,opt) + + // The Architecture reported by the node + architecture: string @go(Architecture) @protobuf(10,bytes,opt) +} + +// NodeConfigStatus describes the status of the config assigned by Node.Spec.ConfigSource. +#NodeConfigStatus: { + // Assigned reports the checkpointed config the node will try to use. + // When Node.Spec.ConfigSource is updated, the node checkpoints the associated + // config payload to local disk, along with a record indicating intended + // config. The node refers to this record to choose its config checkpoint, and + // reports this record in Assigned. Assigned only updates in the status after + // the record has been checkpointed to disk. When the Kubelet is restarted, + // it tries to make the Assigned config the Active config by loading and + // validating the checkpointed payload identified by Assigned. + // +optional + assigned?: null | #NodeConfigSource @go(Assigned,*NodeConfigSource) @protobuf(1,bytes,opt) + + // Active reports the checkpointed config the node is actively using. 
+ // Active will represent either the current version of the Assigned config, + // or the current LastKnownGood config, depending on whether attempting to use the + // Assigned config results in an error. + // +optional + active?: null | #NodeConfigSource @go(Active,*NodeConfigSource) @protobuf(2,bytes,opt) + + // LastKnownGood reports the checkpointed config the node will fall back to + // when it encounters an error attempting to use the Assigned config. + // The Assigned config becomes the LastKnownGood config when the node determines + // that the Assigned config is stable and correct. + // This is currently implemented as a 10-minute soak period starting when the local + // record of Assigned config is updated. If the Assigned config is Active at the end + // of this period, it becomes the LastKnownGood. Note that if Spec.ConfigSource is + // reset to nil (use local defaults), the LastKnownGood is also immediately reset to nil, + // because the local default config is always assumed good. + // You should not make assumptions about the node's method of determining config stability + // and correctness, as this may change or become configurable in the future. + // +optional + lastKnownGood?: null | #NodeConfigSource @go(LastKnownGood,*NodeConfigSource) @protobuf(3,bytes,opt) + + // Error describes any problems reconciling the Spec.ConfigSource to the Active config. + // Errors may occur, for example, attempting to checkpoint Spec.ConfigSource to the local Assigned + // record, attempting to checkpoint the payload associated with Spec.ConfigSource, attempting + // to load or validate the Assigned config, etc. + // Errors may occur at different points while syncing config. Earlier errors (e.g. download or + // checkpointing errors) will not result in a rollback to LastKnownGood, and may resolve across + // Kubelet retries. Later errors (e.g. loading or validating a checkpointed config) will result in + // a rollback to LastKnownGood. 
In the latter case, it is usually possible to resolve the error + // by fixing the config assigned in Spec.ConfigSource. + // You can find additional information for debugging by searching the error message in the Kubelet log. + // Error is a human-readable description of the error state; machines can check whether or not Error + // is empty, but should not rely on the stability of the Error text across Kubelet versions. + // +optional + error?: string @go(Error) @protobuf(4,bytes,opt) +} + +// NodeStatus is information about the current status of a node. +#NodeStatus: { + // Capacity represents the total resources of a node. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacity + // +optional + capacity?: #ResourceList @go(Capacity) @protobuf(1,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // Allocatable represents the resources of a node that are available for scheduling. + // Defaults to Capacity. + // +optional + allocatable?: #ResourceList @go(Allocatable) @protobuf(2,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // NodePhase is the recently observed lifecycle phase of the node. + // More info: https://kubernetes.io/docs/concepts/nodes/node/#phase + // The field is never populated, and now is deprecated. + // +optional + phase?: #NodePhase @go(Phase) @protobuf(3,bytes,opt,casttype=NodePhase) + + // Conditions is an array of current observed node conditions. + // More info: https://kubernetes.io/docs/concepts/nodes/node/#condition + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#NodeCondition] @go(Conditions,[]NodeCondition) @protobuf(4,bytes,rep) + + // List of addresses reachable to the node. + // Queried from cloud provider, if available. + // More info: https://kubernetes.io/docs/concepts/nodes/node/#addresses + // Note: This field is declared as mergeable, but the merge key is not sufficiently + // unique, which can cause data corruption when it is merged. 
Callers should instead + // use a full-replacement patch. See https://pr.k8s.io/79391 for an example. + // Consumers should assume that addresses can change during the + // lifetime of a Node. However, there are some exceptions where this may not + // be possible, such as Pods that inherit a Node's address in its own status or + // consumers of the downward API (status.hostIP). + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + addresses?: [...#NodeAddress] @go(Addresses,[]NodeAddress) @protobuf(5,bytes,rep) + + // Endpoints of daemons running on the Node. + // +optional + daemonEndpoints?: #NodeDaemonEndpoints @go(DaemonEndpoints) @protobuf(6,bytes,opt) + + // Set of ids/uuids to uniquely identify the node. + // More info: https://kubernetes.io/docs/concepts/nodes/node/#info + // +optional + nodeInfo?: #NodeSystemInfo @go(NodeInfo) @protobuf(7,bytes,opt) + + // List of container images on this node + // +optional + images?: [...#ContainerImage] @go(Images,[]ContainerImage) @protobuf(8,bytes,rep) + + // List of attachable volumes in use (mounted) by the node. + // +optional + volumesInUse?: [...#UniqueVolumeName] @go(VolumesInUse,[]UniqueVolumeName) @protobuf(9,bytes,rep) + + // List of volumes that are attached to the node. + // +optional + volumesAttached?: [...#AttachedVolume] @go(VolumesAttached,[]AttachedVolume) @protobuf(10,bytes,rep) + + // Status of the config assigned to the node via the dynamic Kubelet config feature. + // +optional + config?: null | #NodeConfigStatus @go(Config,*NodeConfigStatus) @protobuf(11,bytes,opt) +} + +#UniqueVolumeName: string + +// AttachedVolume describes a volume attached to a node +#AttachedVolume: { + // Name of the attached volume + name: #UniqueVolumeName @go(Name) @protobuf(1,bytes,rep) + + // DevicePath represents the device path where the volume should be available + devicePath: string @go(DevicePath) @protobuf(2,bytes,rep) +} + +// AvoidPods describes pods that should avoid this node. 
This is the value for a +// Node annotation with key scheduler.alpha.kubernetes.io/preferAvoidPods and +// will eventually become a field of NodeStatus. +#AvoidPods: { + // Bounded-sized list of signatures of pods that should avoid this node, sorted + // in timestamp order from oldest to newest. Size of the slice is unspecified. + // +optional + preferAvoidPods?: [...#PreferAvoidPodsEntry] @go(PreferAvoidPods,[]PreferAvoidPodsEntry) @protobuf(1,bytes,rep) +} + +// Describes a class of pods that should avoid this node. +#PreferAvoidPodsEntry: { + // The class of pods. + podSignature: #PodSignature @go(PodSignature) @protobuf(1,bytes,opt) + + // Time at which this entry was added to the list. + // +optional + evictionTime?: metav1.#Time @go(EvictionTime) @protobuf(2,bytes,opt) + + // (brief) reason why this entry was added to the list. + // +optional + reason?: string @go(Reason) @protobuf(3,bytes,opt) + + // Human readable message indicating why this entry was added to the list. + // +optional + message?: string @go(Message) @protobuf(4,bytes,opt) +} + +// Describes the class of pods that should avoid this node. +// Exactly one field should be set. +#PodSignature: { + // Reference to controller whose pods should avoid this node. + // +optional + podController?: null | metav1.#OwnerReference @go(PodController,*metav1.OwnerReference) @protobuf(1,bytes,opt) +} + +// Describe a container image +#ContainerImage: { + // Names by which this image is known. + // e.g. ["kubernetes.example/hyperkube:v1.0.7", "cloud-vendor.registry.example/cloud-vendor/hyperkube:v1.0.7"] + // +optional + names: [...string] @go(Names,[]string) @protobuf(1,bytes,rep) + + // The size of the image in bytes. + // +optional + sizeBytes?: int64 @go(SizeBytes) @protobuf(2,varint,opt) +} + +// +enum +#NodePhase: string // #enumNodePhase + +#enumNodePhase: + #NodePending | + #NodeRunning | + #NodeTerminated + +// NodePending means the node has been created/added by the system, but not configured. 
+#NodePending: #NodePhase & "Pending" + +// NodeRunning means the node has been configured and has Kubernetes components running. +#NodeRunning: #NodePhase & "Running" + +// NodeTerminated means the node has been removed from the cluster. +#NodeTerminated: #NodePhase & "Terminated" + +#NodeConditionType: string // #enumNodeConditionType + +#enumNodeConditionType: + #NodeReady | + #NodeMemoryPressure | + #NodeDiskPressure | + #NodePIDPressure | + #NodeNetworkUnavailable + +// NodeReady means kubelet is healthy and ready to accept pods. +#NodeReady: #NodeConditionType & "Ready" + +// NodeMemoryPressure means the kubelet is under pressure due to insufficient available memory. +#NodeMemoryPressure: #NodeConditionType & "MemoryPressure" + +// NodeDiskPressure means the kubelet is under pressure due to insufficient available disk. +#NodeDiskPressure: #NodeConditionType & "DiskPressure" + +// NodePIDPressure means the kubelet is under pressure due to insufficient available PID. +#NodePIDPressure: #NodeConditionType & "PIDPressure" + +// NodeNetworkUnavailable means that network for the node is not correctly configured. +#NodeNetworkUnavailable: #NodeConditionType & "NetworkUnavailable" + +// NodeCondition contains condition information for a node. +#NodeCondition: { + // Type of node condition. + type: #NodeConditionType @go(Type) @protobuf(1,bytes,opt,casttype=NodeConditionType) + + // Status of the condition, one of True, False, Unknown. + status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus) + + // Last time we got an update on a given condition. + // +optional + lastHeartbeatTime?: metav1.#Time @go(LastHeartbeatTime) @protobuf(3,bytes,opt) + + // Last time the condition transit from one status to another. + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(4,bytes,opt) + + // (brief) reason for the condition's last transition. 
+ // +optional + reason?: string @go(Reason) @protobuf(5,bytes,opt) + + // Human readable message indicating details about last transition. + // +optional + message?: string @go(Message) @protobuf(6,bytes,opt) +} + +#NodeAddressType: string // #enumNodeAddressType + +#enumNodeAddressType: + #NodeHostName | + #NodeInternalIP | + #NodeExternalIP | + #NodeInternalDNS | + #NodeExternalDNS + +// NodeHostName identifies a name of the node. Although every node can be assumed +// to have a NodeAddress of this type, its exact syntax and semantics are not +// defined, and are not consistent between different clusters. +#NodeHostName: #NodeAddressType & "Hostname" + +// NodeInternalIP identifies an IP address which is assigned to one of the node's +// network interfaces. Every node should have at least one address of this type. +// +// An internal IP is normally expected to be reachable from every other node, but +// may not be visible to hosts outside the cluster. By default it is assumed that +// kube-apiserver can reach node internal IPs, though it is possible to configure +// clusters where this is not the case. +// +// NodeInternalIP is the default type of node IP, and does not necessarily imply +// that the IP is ONLY reachable internally. If a node has multiple internal IPs, +// no specific semantics are assigned to the additional IPs. +#NodeInternalIP: #NodeAddressType & "InternalIP" + +// NodeExternalIP identifies an IP address which is, in some way, intended to be +// more usable from outside the cluster then an internal IP, though no specific +// semantics are defined. It may be a globally routable IP, though it is not +// required to be. +// +// External IPs may be assigned directly to an interface on the node, like a +// NodeInternalIP, or alternatively, packets sent to the external IP may be NAT'ed +// to an internal node IP rather than being delivered directly (making the IP less +// efficient for node-to-node traffic than a NodeInternalIP). 
+#NodeExternalIP: #NodeAddressType & "ExternalIP" + +// NodeInternalDNS identifies a DNS name which resolves to an IP address which has +// the characteristics of a NodeInternalIP. The IP it resolves to may or may not +// be a listed NodeInternalIP address. +#NodeInternalDNS: #NodeAddressType & "InternalDNS" + +// NodeExternalDNS identifies a DNS name which resolves to an IP address which has +// the characteristics of a NodeExternalIP. The IP it resolves to may or may not +// be a listed NodeExternalIP address. +#NodeExternalDNS: #NodeAddressType & "ExternalDNS" + +// NodeAddress contains information for the node's address. +#NodeAddress: { + // Node address type, one of Hostname, ExternalIP or InternalIP. + type: #NodeAddressType @go(Type) @protobuf(1,bytes,opt,casttype=NodeAddressType) + + // The node address. + address: string @go(Address) @protobuf(2,bytes,opt) +} + +// ResourceName is the name identifying various resources in a ResourceList. +#ResourceName: string // #enumResourceName + +#enumResourceName: + #ResourceCPU | + #ResourceMemory | + #ResourceStorage | + #ResourceEphemeralStorage | + #ResourcePods | + #ResourceServices | + #ResourceReplicationControllers | + #ResourceQuotas | + #ResourceSecrets | + #ResourceConfigMaps | + #ResourcePersistentVolumeClaims | + #ResourceServicesNodePorts | + #ResourceServicesLoadBalancers | + #ResourceRequestsCPU | + #ResourceRequestsMemory | + #ResourceRequestsStorage | + #ResourceRequestsEphemeralStorage | + #ResourceLimitsCPU | + #ResourceLimitsMemory | + #ResourceLimitsEphemeralStorage + +// CPU, in cores. (500m = .5 cores) +#ResourceCPU: #ResourceName & "cpu" + +// Memory, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) +#ResourceMemory: #ResourceName & "memory" + +// Volume size, in bytes (e,g. 5Gi = 5GiB = 5 * 1024 * 1024 * 1024) +#ResourceStorage: #ResourceName & "storage" + +// Local ephemeral storage, in bytes. 
(500Gi = 500GiB = 500 * 1024 * 1024 * 1024) +// The resource name for ResourceEphemeralStorage is alpha and it can change across releases. +#ResourceEphemeralStorage: #ResourceName & "ephemeral-storage" + +// Default namespace prefix. +#ResourceDefaultNamespacePrefix: "kubernetes.io/" + +// Name prefix for huge page resources (alpha). +#ResourceHugePagesPrefix: "hugepages-" + +// Name prefix for storage resource limits +#ResourceAttachableVolumesPrefix: "attachable-volumes-" + +// ResourceList is a set of (resource name, quantity) pairs. +#ResourceList: {[string]: resource.#Quantity} + +// Node is a worker node in Kubernetes. +// Each node will have a unique identifier in the cache (i.e. in etcd). +#Node: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec defines the behavior of a node. + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #NodeSpec @go(Spec) @protobuf(2,bytes,opt) + + // Most recently observed status of the node. + // Populated by the system. + // Read-only. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #NodeStatus @go(Status) @protobuf(3,bytes,opt) +} + +// NodeList is the whole list of all Nodes which have been registered with master. +#NodeList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of nodes + items: [...#Node] @go(Items,[]Node) @protobuf(2,bytes,rep) +} + +// FinalizerName is the name identifying a finalizer during namespace lifecycle. 
+#FinalizerName: string // #enumFinalizerName + +#enumFinalizerName: + #FinalizerKubernetes + +#FinalizerKubernetes: #FinalizerName & "kubernetes" + +// NamespaceSpec describes the attributes on a Namespace. +#NamespaceSpec: { + // Finalizers is an opaque list of values that must be empty to permanently remove object from storage. + // More info: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/ + // +optional + finalizers?: [...#FinalizerName] @go(Finalizers,[]FinalizerName) @protobuf(1,bytes,rep,casttype=FinalizerName) +} + +// NamespaceStatus is information about the current status of a Namespace. +#NamespaceStatus: { + // Phase is the current lifecycle phase of the namespace. + // More info: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/ + // +optional + phase?: #NamespacePhase @go(Phase) @protobuf(1,bytes,opt,casttype=NamespacePhase) + + // Represents the latest available observations of a namespace's current state. + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#NamespaceCondition] @go(Conditions,[]NamespaceCondition) @protobuf(2,bytes,rep) +} + +// +enum +#NamespacePhase: string // #enumNamespacePhase + +#enumNamespacePhase: + #NamespaceActive | + #NamespaceTerminating + +// NamespaceActive means the namespace is available for use in the system +#NamespaceActive: #NamespacePhase & "Active" + +// NamespaceTerminating means the namespace is undergoing graceful termination +#NamespaceTerminating: #NamespacePhase & "Terminating" + +// NamespaceTerminatingCause is returned as a defaults.cause item when a change is +// forbidden due to the namespace being terminated. 
+#NamespaceTerminatingCause: metav1.#CauseType & "NamespaceTerminating" + +#NamespaceConditionType: string // #enumNamespaceConditionType + +#enumNamespaceConditionType: + #NamespaceDeletionDiscoveryFailure | + #NamespaceDeletionContentFailure | + #NamespaceDeletionGVParsingFailure | + #NamespaceContentRemaining | + #NamespaceFinalizersRemaining + +// NamespaceDeletionDiscoveryFailure contains information about namespace deleter errors during resource discovery. +#NamespaceDeletionDiscoveryFailure: #NamespaceConditionType & "NamespaceDeletionDiscoveryFailure" + +// NamespaceDeletionContentFailure contains information about namespace deleter errors during deletion of resources. +#NamespaceDeletionContentFailure: #NamespaceConditionType & "NamespaceDeletionContentFailure" + +// NamespaceDeletionGVParsingFailure contains information about namespace deleter errors parsing GV for legacy types. +#NamespaceDeletionGVParsingFailure: #NamespaceConditionType & "NamespaceDeletionGroupVersionParsingFailure" + +// NamespaceContentRemaining contains information about resources remaining in a namespace. +#NamespaceContentRemaining: #NamespaceConditionType & "NamespaceContentRemaining" + +// NamespaceFinalizersRemaining contains information about which finalizers are on resources remaining in a namespace. +#NamespaceFinalizersRemaining: #NamespaceConditionType & "NamespaceFinalizersRemaining" + +// NamespaceCondition contains details about state of namespace. +#NamespaceCondition: { + // Type of namespace controller condition. + type: #NamespaceConditionType @go(Type) @protobuf(1,bytes,opt,casttype=NamespaceConditionType) + + // Status of the condition, one of True, False, Unknown. 
+ status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus) + + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(4,bytes,opt) + + // +optional + reason?: string @go(Reason) @protobuf(5,bytes,opt) + + // +optional + message?: string @go(Message) @protobuf(6,bytes,opt) +} + +// Namespace provides a scope for Names. +// Use of multiple namespaces is optional. +#Namespace: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec defines the behavior of the Namespace. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #NamespaceSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status describes the current status of a Namespace. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #NamespaceStatus @go(Status) @protobuf(3,bytes,opt) +} + +// NamespaceList is a list of Namespaces. +#NamespaceList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is the list of Namespace objects in the list. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + items: [...#Namespace] @go(Items,[]Namespace) @protobuf(2,bytes,rep) +} + +// Binding ties one object to another; for example, a pod is bound to a node by a scheduler. +// Deprecated in 1.7, please use the bindings subresource of pods instead. +#Binding: { + metav1.#TypeMeta + + // Standard object's metadata. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // The target object that you want to bind to the standard object. + target: #ObjectReference @go(Target) @protobuf(2,bytes,opt) +} + +// Preconditions must be fulfilled before an operation (update, delete, etc.) is carried out. +// +k8s:openapi-gen=false +#Preconditions: { + // Specifies the target UID. + // +optional + uid?: null | types.#UID @go(UID,*types.UID) @protobuf(1,bytes,opt,casttype=k8s.io/apimachinery/pkg/types.UID) +} + +// PodLogOptions is the query options for a Pod's logs REST call. +#PodLogOptions: { + metav1.#TypeMeta + + // The container for which to stream logs. Defaults to only container if there is one container in the pod. + // +optional + container?: string @go(Container) @protobuf(1,bytes,opt) + + // Follow the log stream of the pod. Defaults to false. + // +optional + follow?: bool @go(Follow) @protobuf(2,varint,opt) + + // Return previous terminated container logs. Defaults to false. + // +optional + previous?: bool @go(Previous) @protobuf(3,varint,opt) + + // A relative time in seconds before the current time from which to show logs. If this value + // precedes the time a pod was started, only logs since the pod start will be returned. + // If this value is in the future, no logs will be returned. + // Only one of sinceSeconds or sinceTime may be specified. + // +optional + sinceSeconds?: null | int64 @go(SinceSeconds,*int64) @protobuf(4,varint,opt) + + // An RFC3339 timestamp from which to show logs. If this value + // precedes the time a pod was started, only logs since the pod start will be returned. + // If this value is in the future, no logs will be returned. + // Only one of sinceSeconds or sinceTime may be specified. 
+ // +optional + sinceTime?: null | metav1.#Time @go(SinceTime,*metav1.Time) @protobuf(5,bytes,opt) + + // If true, add an RFC3339 or RFC3339Nano timestamp at the beginning of every line + // of log output. Defaults to false. + // +optional + timestamps?: bool @go(Timestamps) @protobuf(6,varint,opt) + + // If set, the number of lines from the end of the logs to show. If not specified, + // logs are shown from the creation of the container or sinceSeconds or sinceTime + // +optional + tailLines?: null | int64 @go(TailLines,*int64) @protobuf(7,varint,opt) + + // If set, the number of bytes to read from the server before terminating the + // log output. This may not display a complete final line of logging, and may return + // slightly more or slightly less than the specified limit. + // +optional + limitBytes?: null | int64 @go(LimitBytes,*int64) @protobuf(8,varint,opt) + + // insecureSkipTLSVerifyBackend indicates that the apiserver should not confirm the validity of the + // serving certificate of the backend it is connecting to. This will make the HTTPS connection between the apiserver + // and the backend insecure. This means the apiserver cannot verify the log data it is receiving came from the real + // kubelet. If the kubelet is configured to verify the apiserver's TLS credentials, it does not mean the + // connection to the real kubelet is vulnerable to a man in the middle attack (e.g. an attacker could not intercept + // the actual log data coming from the real kubelet). + // +optional + insecureSkipTLSVerifyBackend?: bool @go(InsecureSkipTLSVerifyBackend) @protobuf(9,varint,opt) +} + +// PodAttachOptions is the query options to a Pod's remote attach call. 
+// --- +// TODO: merge w/ PodExecOptions below for stdin, stdout, etc +// and also when we cut V2, we should export a "StreamOptions" or somesuch that contains Stdin, Stdout, Stder and TTY +#PodAttachOptions: { + metav1.#TypeMeta + + // Stdin if true, redirects the standard input stream of the pod for this call. + // Defaults to false. + // +optional + stdin?: bool @go(Stdin) @protobuf(1,varint,opt) + + // Stdout if true indicates that stdout is to be redirected for the attach call. + // Defaults to true. + // +optional + stdout?: bool @go(Stdout) @protobuf(2,varint,opt) + + // Stderr if true indicates that stderr is to be redirected for the attach call. + // Defaults to true. + // +optional + stderr?: bool @go(Stderr) @protobuf(3,varint,opt) + + // TTY if true indicates that a tty will be allocated for the attach call. + // This is passed through the container runtime so the tty + // is allocated on the worker node by the container runtime. + // Defaults to false. + // +optional + tty?: bool @go(TTY) @protobuf(4,varint,opt) + + // The container in which to execute the command. + // Defaults to only container if there is only one container in the pod. + // +optional + container?: string @go(Container) @protobuf(5,bytes,opt) +} + +// PodExecOptions is the query options to a Pod's remote exec call. +// --- +// TODO: This is largely identical to PodAttachOptions above, make sure they stay in sync and see about merging +// and also when we cut V2, we should export a "StreamOptions" or somesuch that contains Stdin, Stdout, Stder and TTY +#PodExecOptions: { + metav1.#TypeMeta + + // Redirect the standard input stream of the pod for this call. + // Defaults to false. + // +optional + stdin?: bool @go(Stdin) @protobuf(1,varint,opt) + + // Redirect the standard output stream of the pod for this call. + // +optional + stdout?: bool @go(Stdout) @protobuf(2,varint,opt) + + // Redirect the standard error stream of the pod for this call. 
+ // +optional + stderr?: bool @go(Stderr) @protobuf(3,varint,opt) + + // TTY if true indicates that a tty will be allocated for the exec call. + // Defaults to false. + // +optional + tty?: bool @go(TTY) @protobuf(4,varint,opt) + + // Container in which to execute the command. + // Defaults to only container if there is only one container in the pod. + // +optional + container?: string @go(Container) @protobuf(5,bytes,opt) + + // Command is the remote command to execute. argv array. Not executed within a shell. + command: [...string] @go(Command,[]string) @protobuf(6,bytes,rep) +} + +// PodPortForwardOptions is the query options to a Pod's port forward call +// when using WebSockets. +// The `port` query parameter must specify the port or +// ports (comma separated) to forward over. +// Port forwarding over SPDY does not use these options. It requires the port +// to be passed in the `port` header as part of request. +#PodPortForwardOptions: { + metav1.#TypeMeta + + // List of ports to forward + // Required when using WebSockets + // +optional + ports?: [...int32] @go(Ports,[]int32) @protobuf(1,varint,rep) +} + +// PodProxyOptions is the query options to a Pod's proxy call. +#PodProxyOptions: { + metav1.#TypeMeta + + // Path is the URL path to use for the current proxy request to pod. + // +optional + path?: string @go(Path) @protobuf(1,bytes,opt) +} + +// NodeProxyOptions is the query options to a Node's proxy call. +#NodeProxyOptions: { + metav1.#TypeMeta + + // Path is the URL path to use for the current proxy request to node. + // +optional + path?: string @go(Path) @protobuf(1,bytes,opt) +} + +// ServiceProxyOptions is the query options to a Service's proxy call. +#ServiceProxyOptions: { + metav1.#TypeMeta + + // Path is the part of URLs that include service endpoints, suffixes, + // and parameters to use for the current proxy request to service. 
+ // For example, the whole request URL is + // http://localhost/api/v1/namespaces/kube-system/services/elasticsearch-logging/_search?q=user:kimchy. + // Path is _search?q=user:kimchy. + // +optional + path?: string @go(Path) @protobuf(1,bytes,opt) +} + +// ObjectReference contains enough information to let you inspect or modify the referred object. +// --- +// New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. +// 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. +// 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular +// restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". +// Those cannot be well described when embedded. +// 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. +// 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity +// during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple +// and the version of the actual struct is irrelevant. +// 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type +// will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. +// +// Instead of using this type, create a locally provided and used type that is well-focused on your reference. +// For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . 
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +structType=atomic +#ObjectReference: { + // Kind of the referent. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + kind?: string @go(Kind) @protobuf(1,bytes,opt) + + // Namespace of the referent. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + // +optional + namespace?: string @go(Namespace) @protobuf(2,bytes,opt) + + // Name of the referent. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + // +optional + name?: string @go(Name) @protobuf(3,bytes,opt) + + // UID of the referent. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + // +optional + uid?: types.#UID @go(UID) @protobuf(4,bytes,opt,casttype=k8s.io/apimachinery/pkg/types.UID) + + // API version of the referent. + // +optional + apiVersion?: string @go(APIVersion) @protobuf(5,bytes,opt) + + // Specific resourceVersion to which this reference is made, if any. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + // +optional + resourceVersion?: string @go(ResourceVersion) @protobuf(6,bytes,opt) + + // If referring to a piece of an object instead of an entire object, this string + // should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + // For example, if the object reference is to a container within a pod, this would take on a value like: + // "spec.containers{name}" (where "name" refers to the name of the container that triggered + // the event) or if no container name is specified "spec.containers[2]" (container with + // index 2 in this pod). This syntax is chosen only to have some well-defined way of + // referencing a part of an object. 
+ // TODO: this design is not final and this field is subject to change in the future. + // +optional + fieldPath?: string @go(FieldPath) @protobuf(7,bytes,opt) +} + +// LocalObjectReference contains enough information to let you locate the +// referenced object inside the same namespace. +// +structType=atomic +#LocalObjectReference: { + // Name of the referent. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + // TODO: Add other useful fields. apiVersion, kind, uid? + // +optional + name?: string @go(Name) @protobuf(1,bytes,opt) +} + +// TypedLocalObjectReference contains enough information to let you locate the +// typed referenced object inside the same namespace. +// +structType=atomic +#TypedLocalObjectReference: { + // APIGroup is the group for the resource being referenced. + // If APIGroup is not specified, the specified Kind must be in the core API group. + // For any other third-party types, APIGroup is required. + // +optional + apiGroup?: null | string @go(APIGroup,*string) @protobuf(1,bytes,opt) + + // Kind is the type of resource being referenced + kind: string @go(Kind) @protobuf(2,bytes,opt) + + // Name is the name of resource being referenced + name: string @go(Name) @protobuf(3,bytes,opt) +} + +// SerializedReference is a reference to serialized object. +#SerializedReference: { + metav1.#TypeMeta + + // The reference to an object in the system. + // +optional + reference?: #ObjectReference @go(Reference) @protobuf(1,bytes,opt) +} + +// EventSource contains information for an event. +#EventSource: { + // Component from which the event is generated. + // +optional + component?: string @go(Component) @protobuf(1,bytes,opt) + + // Node name on which the event is generated. 
+ // +optional + host?: string @go(Host) @protobuf(2,bytes,opt) +} + +// Information only and will not cause any problems +#EventTypeNormal: "Normal" + +// These events are to warn that something might go wrong +#EventTypeWarning: "Warning" + +// Event is a report of an event somewhere in the cluster. Events +// have a limited retention time and triggers and messages may evolve +// with time. Event consumers should not rely on the timing of an event +// with a given Reason reflecting a consistent underlying trigger, or the +// continued existence of events with that Reason. Events should be +// treated as informative, best-effort, supplemental data. +#Event: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + metadata: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // The object that this event is about. + involvedObject: #ObjectReference @go(InvolvedObject) @protobuf(2,bytes,opt) + + // This should be a short, machine understandable string that gives the reason + // for the transition into the object's current status. + // TODO: provide exact specification for format. + // +optional + reason?: string @go(Reason) @protobuf(3,bytes,opt) + + // A human-readable description of the status of this operation. + // TODO: decide on maximum length. + // +optional + message?: string @go(Message) @protobuf(4,bytes,opt) + + // The component reporting this event. Should be a short machine understandable string. + // +optional + source?: #EventSource @go(Source) @protobuf(5,bytes,opt) + + // The time at which the event was first recorded. (Time of server receipt is in TypeMeta.) + // +optional + firstTimestamp?: metav1.#Time @go(FirstTimestamp) @protobuf(6,bytes,opt) + + // The time at which the most recent occurrence of this event was recorded. 
+ // +optional + lastTimestamp?: metav1.#Time @go(LastTimestamp) @protobuf(7,bytes,opt) + + // The number of times this event has occurred. + // +optional + count?: int32 @go(Count) @protobuf(8,varint,opt) + + // Type of this event (Normal, Warning), new types could be added in the future + // +optional + type?: string @go(Type) @protobuf(9,bytes,opt) + + // Time when this Event was first observed. + // +optional + eventTime?: metav1.#MicroTime @go(EventTime) @protobuf(10,bytes,opt) + + // Data about the Event series this event represents or nil if it's a singleton Event. + // +optional + series?: null | #EventSeries @go(Series,*EventSeries) @protobuf(11,bytes,opt) + + // What action was taken/failed regarding to the Regarding object. + // +optional + action?: string @go(Action) @protobuf(12,bytes,opt) + + // Optional secondary object for more complex actions. + // +optional + related?: null | #ObjectReference @go(Related,*ObjectReference) @protobuf(13,bytes,opt) + + // Name of the controller that emitted this Event, e.g. `kubernetes.io/kubelet`. + // +optional + reportingComponent: string @go(ReportingController) @protobuf(14,bytes,opt) + + // ID of the controller instance, e.g. `kubelet-xyzf`. + // +optional + reportingInstance: string @go(ReportingInstance) @protobuf(15,bytes,opt) +} + +// EventSeries contain information on series of events, i.e. thing that was/is happening +// continuously for some time. +#EventSeries: { + // Number of occurrences in this series up to the last heartbeat time + count?: int32 @go(Count) @protobuf(1,varint) + + // Time of the last occurrence observed + lastObservedTime?: metav1.#MicroTime @go(LastObservedTime) @protobuf(2,bytes) +} + +// EventList is a list of events. +#EventList: { + metav1.#TypeMeta + + // Standard list metadata. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of events + items: [...#Event] @go(Items,[]Event) @protobuf(2,bytes,rep) +} + +// List holds a list of objects, which may not be known by the server. +#List: metav1.#List + +// LimitType is a type of object that is limited. It can be Pod, Container, PersistentVolumeClaim or +// a fully qualified resource name. +#LimitType: string // #enumLimitType + +#enumLimitType: + #LimitTypePod | + #LimitTypeContainer | + #LimitTypePersistentVolumeClaim + +// Limit that applies to all pods in a namespace +#LimitTypePod: #LimitType & "Pod" + +// Limit that applies to all containers in a namespace +#LimitTypeContainer: #LimitType & "Container" + +// Limit that applies to all persistent volume claims in a namespace +#LimitTypePersistentVolumeClaim: #LimitType & "PersistentVolumeClaim" + +// LimitRangeItem defines a min/max usage limit for any resource that matches on kind. +#LimitRangeItem: { + // Type of resource that this limit applies to. + type: #LimitType @go(Type) @protobuf(1,bytes,opt,casttype=LimitType) + + // Max usage constraints on this kind by resource name. + // +optional + max?: #ResourceList @go(Max) @protobuf(2,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // Min usage constraints on this kind by resource name. + // +optional + min?: #ResourceList @go(Min) @protobuf(3,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // Default resource requirement limit value by resource name if resource limit is omitted. + // +optional + default?: #ResourceList @go(Default) @protobuf(4,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // DefaultRequest is the default resource requirement request value by resource name if resource request is omitted. 
+ // +optional + defaultRequest?: #ResourceList @go(DefaultRequest) @protobuf(5,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // MaxLimitRequestRatio if specified, the named resource must have a request and limit that are both non-zero where limit divided by request is less than or equal to the enumerated value; this represents the max burst for the named resource. + // +optional + maxLimitRequestRatio?: #ResourceList @go(MaxLimitRequestRatio) @protobuf(6,bytes,rep,casttype=ResourceList,castkey=ResourceName) +} + +// LimitRangeSpec defines a min/max usage limit for resources that match on kind. +#LimitRangeSpec: { + // Limits is the list of LimitRangeItem objects that are enforced. + limits: [...#LimitRangeItem] @go(Limits,[]LimitRangeItem) @protobuf(1,bytes,rep) +} + +// LimitRange sets resource usage limits for each kind of resource in a Namespace. +#LimitRange: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec defines the limits enforced. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #LimitRangeSpec @go(Spec) @protobuf(2,bytes,opt) +} + +// LimitRangeList is a list of LimitRange items. +#LimitRangeList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of LimitRange objects. 
+ // More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + items: [...#LimitRange] @go(Items,[]LimitRange) @protobuf(2,bytes,rep) +} + +// Pods, number +#ResourcePods: #ResourceName & "pods" + +// Services, number +#ResourceServices: #ResourceName & "services" + +// ReplicationControllers, number +#ResourceReplicationControllers: #ResourceName & "replicationcontrollers" + +// ResourceQuotas, number +#ResourceQuotas: #ResourceName & "resourcequotas" + +// ResourceSecrets, number +#ResourceSecrets: #ResourceName & "secrets" + +// ResourceConfigMaps, number +#ResourceConfigMaps: #ResourceName & "configmaps" + +// ResourcePersistentVolumeClaims, number +#ResourcePersistentVolumeClaims: #ResourceName & "persistentvolumeclaims" + +// ResourceServicesNodePorts, number +#ResourceServicesNodePorts: #ResourceName & "services.nodeports" + +// ResourceServicesLoadBalancers, number +#ResourceServicesLoadBalancers: #ResourceName & "services.loadbalancers" + +// CPU request, in cores. (500m = .5 cores) +#ResourceRequestsCPU: #ResourceName & "requests.cpu" + +// Memory request, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) +#ResourceRequestsMemory: #ResourceName & "requests.memory" + +// Storage request, in bytes +#ResourceRequestsStorage: #ResourceName & "requests.storage" + +// Local ephemeral storage request, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) +#ResourceRequestsEphemeralStorage: #ResourceName & "requests.ephemeral-storage" + +// CPU limit, in cores. (500m = .5 cores) +#ResourceLimitsCPU: #ResourceName & "limits.cpu" + +// Memory limit, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) +#ResourceLimitsMemory: #ResourceName & "limits.memory" + +// Local ephemeral storage limit, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) +#ResourceLimitsEphemeralStorage: #ResourceName & "limits.ephemeral-storage" + +// HugePages request, in bytes. 
(500Gi = 500GiB = 500 * 1024 * 1024 * 1024) +// As burst is not supported for HugePages, we would only quota its request, and ignore the limit. +#ResourceRequestsHugePagesPrefix: "requests.hugepages-" + +// Default resource requests prefix +#DefaultResourceRequestsPrefix: "requests." + +// A ResourceQuotaScope defines a filter that must match each object tracked by a quota +// +enum +#ResourceQuotaScope: string // #enumResourceQuotaScope + +#enumResourceQuotaScope: + #ResourceQuotaScopeTerminating | + #ResourceQuotaScopeNotTerminating | + #ResourceQuotaScopeBestEffort | + #ResourceQuotaScopeNotBestEffort | + #ResourceQuotaScopePriorityClass | + #ResourceQuotaScopeCrossNamespacePodAffinity + +// Match all pod objects where spec.activeDeadlineSeconds >=0 +#ResourceQuotaScopeTerminating: #ResourceQuotaScope & "Terminating" + +// Match all pod objects where spec.activeDeadlineSeconds is nil +#ResourceQuotaScopeNotTerminating: #ResourceQuotaScope & "NotTerminating" + +// Match all pod objects that have best effort quality of service +#ResourceQuotaScopeBestEffort: #ResourceQuotaScope & "BestEffort" + +// Match all pod objects that do not have best effort quality of service +#ResourceQuotaScopeNotBestEffort: #ResourceQuotaScope & "NotBestEffort" + +// Match all pod objects that have priority class mentioned +#ResourceQuotaScopePriorityClass: #ResourceQuotaScope & "PriorityClass" + +// Match all pod objects that have cross-namespace pod (anti)affinity mentioned. +#ResourceQuotaScopeCrossNamespacePodAffinity: #ResourceQuotaScope & "CrossNamespacePodAffinity" + +// ResourceQuotaSpec defines the desired hard limits to enforce for Quota. +#ResourceQuotaSpec: { + // hard is the set of desired hard limits for each named resource. 
+ // More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/ + // +optional + hard?: #ResourceList @go(Hard) @protobuf(1,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // A collection of filters that must match each object tracked by a quota. + // If not specified, the quota matches all objects. + // +optional + scopes?: [...#ResourceQuotaScope] @go(Scopes,[]ResourceQuotaScope) @protobuf(2,bytes,rep,casttype=ResourceQuotaScope) + + // scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota + // but expressed using ScopeSelectorOperator in combination with possible values. + // For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched. + // +optional + scopeSelector?: null | #ScopeSelector @go(ScopeSelector,*ScopeSelector) @protobuf(3,bytes,opt) +} + +// A scope selector represents the AND of the selectors represented +// by the scoped-resource selector requirements. +// +structType=atomic +#ScopeSelector: { + // A list of scope selector requirements by scope of the resources. + // +optional + matchExpressions?: [...#ScopedResourceSelectorRequirement] @go(MatchExpressions,[]ScopedResourceSelectorRequirement) @protobuf(1,bytes,rep) +} + +// A scoped-resource selector requirement is a selector that contains values, a scope name, and an operator +// that relates the scope name and values. +#ScopedResourceSelectorRequirement: { + // The name of the scope that the selector applies to. + scopeName: #ResourceQuotaScope @go(ScopeName) @protobuf(1,bytes,opt) + + // Represents a scope's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. + operator: #ScopeSelectorOperator @go(Operator) @protobuf(2,bytes,opt,casttype=ScopedResourceSelectorOperator) + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + // the values array must be empty. + // This array is replaced during a strategic merge patch. + // +optional + values?: [...string] @go(Values,[]string) @protobuf(3,bytes,rep) +} + +// A scope selector operator is the set of operators that can be used in +// a scope selector requirement. +// +enum +#ScopeSelectorOperator: string // #enumScopeSelectorOperator + +#enumScopeSelectorOperator: + #ScopeSelectorOpIn | + #ScopeSelectorOpNotIn | + #ScopeSelectorOpExists | + #ScopeSelectorOpDoesNotExist + +#ScopeSelectorOpIn: #ScopeSelectorOperator & "In" +#ScopeSelectorOpNotIn: #ScopeSelectorOperator & "NotIn" +#ScopeSelectorOpExists: #ScopeSelectorOperator & "Exists" +#ScopeSelectorOpDoesNotExist: #ScopeSelectorOperator & "DoesNotExist" + +// ResourceQuotaStatus defines the enforced hard limits and observed use. +#ResourceQuotaStatus: { + // Hard is the set of enforced hard limits for each named resource. + // More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/ + // +optional + hard?: #ResourceList @go(Hard) @protobuf(1,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // Used is the current observed total usage of the resource in the namespace. + // +optional + used?: #ResourceList @go(Used) @protobuf(2,bytes,rep,casttype=ResourceList,castkey=ResourceName) +} + +// ResourceQuota sets aggregate quota restrictions enforced per namespace +#ResourceQuota: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec defines the desired quota. + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #ResourceQuotaSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status defines the actual enforced quota and its current usage. 
+ // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #ResourceQuotaStatus @go(Status) @protobuf(3,bytes,opt) +} + +// ResourceQuotaList is a list of ResourceQuota items. +#ResourceQuotaList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of ResourceQuota objects. + // More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/ + items: [...#ResourceQuota] @go(Items,[]ResourceQuota) @protobuf(2,bytes,rep) +} + +// Secret holds secret data of a certain type. The total bytes of the values in +// the Data field must be less than MaxSecretSize bytes. +#Secret: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Immutable, if set to true, ensures that data stored in the Secret cannot + // be updated (only object metadata can be modified). + // If not set to true, the field can be modified at any time. + // Defaulted to nil. + // +optional + immutable?: null | bool @go(Immutable,*bool) @protobuf(5,varint,opt) + + // Data contains the secret data. Each key must consist of alphanumeric + // characters, '-', '_' or '.'. The serialized form of the secret data is a + // base64 encoded string, representing the arbitrary (possibly non-string) + // data value here. Described in https://tools.ietf.org/html/rfc4648#section-4 + // +optional + data?: {[string]: bytes} @go(Data,map[string][]byte) @protobuf(2,bytes,rep) + + // stringData allows specifying non-binary secret data in string form. + // It is provided as a write-only input field for convenience. 
+ // All keys and values are merged into the data field on write, overwriting any existing values. + // The stringData field is never output when reading from the API. + // +k8s:conversion-gen=false + // +optional + stringData?: {[string]: string} @go(StringData,map[string]string) @protobuf(4,bytes,rep) + + // Used to facilitate programmatic handling of secret data. + // More info: https://kubernetes.io/docs/concepts/configuration/secret/#secret-types + // +optional + type?: #SecretType @go(Type) @protobuf(3,bytes,opt,casttype=SecretType) +} + +#MaxSecretSize: 1048576 + +#SecretType: string // #enumSecretType + +#enumSecretType: + #SecretTypeOpaque | + #SecretTypeServiceAccountToken | + #SecretTypeDockercfg | + #SecretTypeDockerConfigJson | + #SecretTypeBasicAuth | + #SecretTypeSSHAuth | + #SecretTypeTLS | + #SecretTypeBootstrapToken + +// SecretTypeOpaque is the default. Arbitrary user-defined data +#SecretTypeOpaque: #SecretType & "Opaque" + +// SecretTypeServiceAccountToken contains a token that identifies a service account to the API +// +// Required fields: +// - Secret.Annotations["kubernetes.io/service-account.name"] - the name of the ServiceAccount the token identifies +// - Secret.Annotations["kubernetes.io/service-account.uid"] - the UID of the ServiceAccount the token identifies +// - Secret.Data["token"] - a token that identifies the service account to the API +#SecretTypeServiceAccountToken: #SecretType & "kubernetes.io/service-account-token" + +// ServiceAccountNameKey is the key of the required annotation for SecretTypeServiceAccountToken secrets +#ServiceAccountNameKey: "kubernetes.io/service-account.name" + +// ServiceAccountUIDKey is the key of the required annotation for SecretTypeServiceAccountToken secrets +#ServiceAccountUIDKey: "kubernetes.io/service-account.uid" + +// ServiceAccountTokenKey is the key of the required data for SecretTypeServiceAccountToken secrets +#ServiceAccountTokenKey: "token" + +// ServiceAccountKubeconfigKey is the key 
of the optional kubeconfig data for SecretTypeServiceAccountToken secrets +#ServiceAccountKubeconfigKey: "kubernetes.kubeconfig" + +// ServiceAccountRootCAKey is the key of the optional root certificate authority for SecretTypeServiceAccountToken secrets +#ServiceAccountRootCAKey: "ca.crt" + +// ServiceAccountNamespaceKey is the key of the optional namespace to use as the default for namespaced API calls +#ServiceAccountNamespaceKey: "namespace" + +// SecretTypeDockercfg contains a dockercfg file that follows the same format rules as ~/.dockercfg +// +// Required fields: +// - Secret.Data[".dockercfg"] - a serialized ~/.dockercfg file +#SecretTypeDockercfg: #SecretType & "kubernetes.io/dockercfg" + +// DockerConfigKey is the key of the required data for SecretTypeDockercfg secrets +#DockerConfigKey: ".dockercfg" + +// SecretTypeDockerConfigJson contains a dockercfg file that follows the same format rules as ~/.docker/config.json +// +// Required fields: +// - Secret.Data[".dockerconfigjson"] - a serialized ~/.docker/config.json file +#SecretTypeDockerConfigJson: #SecretType & "kubernetes.io/dockerconfigjson" + +// DockerConfigJsonKey is the key of the required data for SecretTypeDockerConfigJson secrets +#DockerConfigJsonKey: ".dockerconfigjson" + +// SecretTypeBasicAuth contains data needed for basic authentication. +// +// Required at least one of fields: +// - Secret.Data["username"] - username used for authentication +// - Secret.Data["password"] - password or token needed for authentication +#SecretTypeBasicAuth: #SecretType & "kubernetes.io/basic-auth" + +// BasicAuthUsernameKey is the key of the username for SecretTypeBasicAuth secrets +#BasicAuthUsernameKey: "username" + +// BasicAuthPasswordKey is the key of the password or token for SecretTypeBasicAuth secrets +#BasicAuthPasswordKey: "password" + +// SecretTypeSSHAuth contains data needed for SSH authetication. 
+// +// Required field: +// - Secret.Data["ssh-privatekey"] - private SSH key needed for authentication +#SecretTypeSSHAuth: #SecretType & "kubernetes.io/ssh-auth" + +// SSHAuthPrivateKey is the key of the required SSH private key for SecretTypeSSHAuth secrets +#SSHAuthPrivateKey: "ssh-privatekey" + +// SecretTypeTLS contains information about a TLS client or server secret. It +// is primarily used with TLS termination of the Ingress resource, but may be +// used in other types. +// +// Required fields: +// - Secret.Data["tls.key"] - TLS private key. +// Secret.Data["tls.crt"] - TLS certificate. +// TODO: Consider supporting different formats, specifying CA/destinationCA. +#SecretTypeTLS: #SecretType & "kubernetes.io/tls" + +// TLSCertKey is the key for tls certificates in a TLS secret. +#TLSCertKey: "tls.crt" + +// TLSPrivateKeyKey is the key for the private key field in a TLS secret. +#TLSPrivateKeyKey: "tls.key" + +// SecretTypeBootstrapToken is used during the automated bootstrap process (first +// implemented by kubeadm). It stores tokens that are used to sign well known +// ConfigMaps. They are used for authn. +#SecretTypeBootstrapToken: #SecretType & "bootstrap.kubernetes.io/token" + +// SecretList is a list of Secret. +#SecretList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of secret objects. + // More info: https://kubernetes.io/docs/concepts/configuration/secret + items: [...#Secret] @go(Items,[]Secret) @protobuf(2,bytes,rep) +} + +// ConfigMap holds configuration data for pods to consume. +#ConfigMap: { + metav1.#TypeMeta + + // Standard object's metadata. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Immutable, if set to true, ensures that data stored in the ConfigMap cannot + // be updated (only object metadata can be modified). + // If not set to true, the field can be modified at any time. + // Defaulted to nil. + // +optional + immutable?: null | bool @go(Immutable,*bool) @protobuf(4,varint,opt) + + // Data contains the configuration data. + // Each key must consist of alphanumeric characters, '-', '_' or '.'. + // Values with non-UTF-8 byte sequences must use the BinaryData field. + // The keys stored in Data must not overlap with the keys in + // the BinaryData field, this is enforced during validation process. + // +optional + data?: {[string]: string} @go(Data,map[string]string) @protobuf(2,bytes,rep) + + // BinaryData contains the binary data. + // Each key must consist of alphanumeric characters, '-', '_' or '.'. + // BinaryData can contain byte sequences that are not in the UTF-8 range. + // The keys stored in BinaryData must not overlap with the ones in + // the Data field, this is enforced during validation process. + // Using this field will require 1.10+ apiserver and + // kubelet. + // +optional + binaryData?: {[string]: bytes} @go(BinaryData,map[string][]byte) @protobuf(3,bytes,rep) +} + +// ConfigMapList is a resource containing a list of ConfigMap objects. +#ConfigMapList: { + metav1.#TypeMeta + + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is the list of ConfigMaps. + items: [...#ConfigMap] @go(Items,[]ConfigMap) @protobuf(2,bytes,rep) +} + +// Type and constants for component health validation. 
+#ComponentConditionType: string // #enumComponentConditionType + +#enumComponentConditionType: + #ComponentHealthy + +#ComponentHealthy: #ComponentConditionType & "Healthy" + +// Information about the condition of a component. +#ComponentCondition: { + // Type of condition for a component. + // Valid value: "Healthy" + type: #ComponentConditionType @go(Type) @protobuf(1,bytes,opt,casttype=ComponentConditionType) + + // Status of the condition for a component. + // Valid values for "Healthy": "True", "False", or "Unknown". + status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus) + + // Message about the condition for a component. + // For example, information about a health check. + // +optional + message?: string @go(Message) @protobuf(3,bytes,opt) + + // Condition error code for a component. + // For example, a health check error code. + // +optional + error?: string @go(Error) @protobuf(4,bytes,opt) +} + +// ComponentStatus (and ComponentStatusList) holds the cluster validation info. +// Deprecated: This API is deprecated in v1.19+ +#ComponentStatus: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // List of component conditions observed + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#ComponentCondition] @go(Conditions,[]ComponentCondition) @protobuf(2,bytes,rep) +} + +// Status of all the conditions for the component as a list of ComponentStatus objects. +// Deprecated: This API is deprecated in v1.19+ +#ComponentStatusList: { + metav1.#TypeMeta + + // Standard list metadata. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of ComponentStatus objects. + items: [...#ComponentStatus] @go(Items,[]ComponentStatus) @protobuf(2,bytes,rep) +} + +// DownwardAPIVolumeSource represents a volume containing downward API info. +// Downward API volumes support ownership management and SELinux relabeling. +#DownwardAPIVolumeSource: { + // Items is a list of downward API volume file + // +optional + items?: [...#DownwardAPIVolumeFile] @go(Items,[]DownwardAPIVolumeFile) @protobuf(1,bytes,rep) + + // Optional: mode bits to use on created files by default. Must be a + // Optional: mode bits used to set permissions on created files by default. + // Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + // Defaults to 0644. + // Directories within the path are not affected by this setting. + // This might be in conflict with other options that affect the file + // mode, like fsGroup, and the result can be other mode bits set. + // +optional + defaultMode?: null | int32 @go(DefaultMode,*int32) @protobuf(2,varint,opt) +} + +#DownwardAPIVolumeSourceDefaultMode: int32 & 0o644 + +// DownwardAPIVolumeFile represents information to create the file containing the pod field +#DownwardAPIVolumeFile: { + // Required: Path is the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..' + path: string @go(Path) @protobuf(1,bytes,opt) + + // Required: Selects a field of the pod: only annotations, labels, name and namespace are supported. 
+ // +optional + fieldRef?: null | #ObjectFieldSelector @go(FieldRef,*ObjectFieldSelector) @protobuf(2,bytes,opt) + + // Selects a resource of the container: only resources limits and requests + // (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + // +optional + resourceFieldRef?: null | #ResourceFieldSelector @go(ResourceFieldRef,*ResourceFieldSelector) @protobuf(3,bytes,opt) + + // Optional: mode bits used to set permissions on this file, must be an octal value + // between 0000 and 0777 or a decimal value between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + // If not specified, the volume defaultMode will be used. + // This might be in conflict with other options that affect the file + // mode, like fsGroup, and the result can be other mode bits set. + // +optional + mode?: null | int32 @go(Mode,*int32) @protobuf(4,varint,opt) +} + +// Represents downward API info for projecting into a projected volume. +// Note that this is identical to a downwardAPI volume source without the default +// mode. +#DownwardAPIProjection: { + // Items is a list of DownwardAPIVolume file + // +optional + items?: [...#DownwardAPIVolumeFile] @go(Items,[]DownwardAPIVolumeFile) @protobuf(1,bytes,rep) +} + +// SecurityContext holds security configuration that will be applied to a container. +// Some fields are present in both SecurityContext and PodSecurityContext. When both +// are set, the values in SecurityContext take precedence. +#SecurityContext: { + // The capabilities to add/drop when running containers. + // Defaults to the default set of capabilities granted by the container runtime. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + capabilities?: null | #Capabilities @go(Capabilities,*Capabilities) @protobuf(1,bytes,opt) + + // Run container in privileged mode. 
+ // Processes in privileged containers are essentially equivalent to root on the host. + // Defaults to false. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + privileged?: null | bool @go(Privileged,*bool) @protobuf(2,varint,opt) + + // The SELinux context to be applied to the container. + // If unspecified, the container runtime will allocate a random SELinux context for each + // container. May also be set in PodSecurityContext. If set in both SecurityContext and + // PodSecurityContext, the value specified in SecurityContext takes precedence. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + seLinuxOptions?: null | #SELinuxOptions @go(SELinuxOptions,*SELinuxOptions) @protobuf(3,bytes,opt) + + // The Windows specific settings applied to all containers. + // If unspecified, the options from the PodSecurityContext will be used. + // If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + // Note that this field cannot be set when spec.os.name is linux. + // +optional + windowsOptions?: null | #WindowsSecurityContextOptions @go(WindowsOptions,*WindowsSecurityContextOptions) @protobuf(10,bytes,opt) + + // The UID to run the entrypoint of the container process. + // Defaults to user specified in image metadata if unspecified. + // May also be set in PodSecurityContext. If set in both SecurityContext and + // PodSecurityContext, the value specified in SecurityContext takes precedence. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + runAsUser?: null | int64 @go(RunAsUser,*int64) @protobuf(4,varint,opt) + + // The GID to run the entrypoint of the container process. + // Uses runtime default if unset. + // May also be set in PodSecurityContext. If set in both SecurityContext and + // PodSecurityContext, the value specified in SecurityContext takes precedence. 
+ // Note that this field cannot be set when spec.os.name is windows. + // +optional + runAsGroup?: null | int64 @go(RunAsGroup,*int64) @protobuf(8,varint,opt) + + // Indicates that the container must run as a non-root user. + // If true, the Kubelet will validate the image at runtime to ensure that it + // does not run as UID 0 (root) and fail to start the container if it does. + // If unset or false, no such validation will be performed. + // May also be set in PodSecurityContext. If set in both SecurityContext and + // PodSecurityContext, the value specified in SecurityContext takes precedence. + // +optional + runAsNonRoot?: null | bool @go(RunAsNonRoot,*bool) @protobuf(5,varint,opt) + + // Whether this container has a read-only root filesystem. + // Default is false. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + readOnlyRootFilesystem?: null | bool @go(ReadOnlyRootFilesystem,*bool) @protobuf(6,varint,opt) + + // AllowPrivilegeEscalation controls whether a process can gain more + // privileges than its parent process. This bool directly controls if + // the no_new_privs flag will be set on the container process. + // AllowPrivilegeEscalation is true always when the container is: + // 1) run as Privileged + // 2) has CAP_SYS_ADMIN + // Note that this field cannot be set when spec.os.name is windows. + // +optional + allowPrivilegeEscalation?: null | bool @go(AllowPrivilegeEscalation,*bool) @protobuf(7,varint,opt) + + // procMount denotes the type of proc mount to use for the containers. + // The default is DefaultProcMount which uses the container runtime defaults for + // readonly paths and masked paths. + // This requires the ProcMountType feature flag to be enabled. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + procMount?: null | #ProcMountType @go(ProcMount,*ProcMountType) @protobuf(9,bytes,opt) + + // The seccomp options to use by this container. 
If seccomp options are + // provided at both the pod & container level, the container options + // override the pod options. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + seccompProfile?: null | #SeccompProfile @go(SeccompProfile,*SeccompProfile) @protobuf(11,bytes,opt) +} + +// +enum +#ProcMountType: string // #enumProcMountType + +#enumProcMountType: + #DefaultProcMount | + #UnmaskedProcMount + +// DefaultProcMount uses the container runtime defaults for readonly and masked +// paths for /proc. Most container runtimes mask certain paths in /proc to avoid +// accidental security exposure of special devices or information. +#DefaultProcMount: #ProcMountType & "Default" + +// UnmaskedProcMount bypasses the default masking behavior of the container +// runtime and ensures the newly created /proc the container stays in tact with +// no modifications. +#UnmaskedProcMount: #ProcMountType & "Unmasked" + +// SELinuxOptions are the labels to be applied to the container +#SELinuxOptions: { + // User is a SELinux user label that applies to the container. + // +optional + user?: string @go(User) @protobuf(1,bytes,opt) + + // Role is a SELinux role label that applies to the container. + // +optional + role?: string @go(Role) @protobuf(2,bytes,opt) + + // Type is a SELinux type label that applies to the container. + // +optional + type?: string @go(Type) @protobuf(3,bytes,opt) + + // Level is SELinux level label that applies to the container. + // +optional + level?: string @go(Level) @protobuf(4,bytes,opt) +} + +// WindowsSecurityContextOptions contain Windows-specific options and credentials. +#WindowsSecurityContextOptions: { + // GMSACredentialSpecName is the name of the GMSA credential spec to use. 
+ // +optional + gmsaCredentialSpecName?: null | string @go(GMSACredentialSpecName,*string) @protobuf(1,bytes,opt) + + // GMSACredentialSpec is where the GMSA admission webhook + // (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + // GMSA credential spec named by the GMSACredentialSpecName field. + // +optional + gmsaCredentialSpec?: null | string @go(GMSACredentialSpec,*string) @protobuf(2,bytes,opt) + + // The UserName in Windows to run the entrypoint of the container process. + // Defaults to the user specified in image metadata if unspecified. + // May also be set in PodSecurityContext. If set in both SecurityContext and + // PodSecurityContext, the value specified in SecurityContext takes precedence. + // +optional + runAsUserName?: null | string @go(RunAsUserName,*string) @protobuf(3,bytes,opt) + + // HostProcess determines if a container should be run as a 'Host Process' container. + // All of a Pod's containers must have the same effective HostProcess value + // (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + // In addition, if HostProcess is true then HostNetwork must also be set to true. + // +optional + hostProcess?: null | bool @go(HostProcess,*bool) @protobuf(4,bytes,opt) +} + +// RangeAllocation is not a public type. +#RangeAllocation: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Range is string that identifies the range represented by 'data'. + range: string @go(Range) @protobuf(2,bytes,opt) + + // Data is a bit array containing all allocated addresses in the previous segment. + data: bytes @go(Data,[]byte) @protobuf(3,bytes,opt) +} + +// DefaultSchedulerName defines the name of default scheduler. 
+#DefaultSchedulerName: "default-scheduler" + +// RequiredDuringScheduling affinity is not symmetric, but there is an implicit PreferredDuringScheduling affinity rule +// corresponding to every RequiredDuringScheduling affinity rule. +// When the --hard-pod-affinity-weight scheduler flag is not specified, +// DefaultHardPodAffinityWeight defines the weight of the implicit PreferredDuringScheduling affinity rule. +#DefaultHardPodAffinitySymmetricWeight: int32 & 1 + +// Sysctl defines a kernel parameter to be set +#Sysctl: { + // Name of a property to set + name: string @go(Name) @protobuf(1,bytes,opt) + + // Value of a property to set + value: string @go(Value) @protobuf(2,bytes,opt) +} + +// NodeResources is an object for conveying resource information about a node. +// see https://kubernetes.io/docs/concepts/architecture/nodes/#capacity for more details. +#NodeResources: { + // Capacity represents the available resources of a node + Capacity: #ResourceList @protobuf(1,bytes,rep,name=capacity,casttype=ResourceList,castkey=ResourceName) +} + +// Enable stdin for remote command execution +#ExecStdinParam: "input" + +// Enable stdout for remote command execution +#ExecStdoutParam: "output" + +// Enable stderr for remote command execution +#ExecStderrParam: "error" + +// Enable TTY for remote command execution +#ExecTTYParam: "tty" + +// Command to run for remote command execution +#ExecCommandParam: "command" + +// Name of header that specifies stream type +#StreamType: "streamType" + +// Value for streamType header for stdin stream +#StreamTypeStdin: "stdin" + +// Value for streamType header for stdout stream +#StreamTypeStdout: "stdout" + +// Value for streamType header for stderr stream +#StreamTypeStderr: "stderr" + +// Value for streamType header for data stream +#StreamTypeData: "data" + +// Value for streamType header for error stream +#StreamTypeError: "error" + +// Value for streamType header for terminal resize stream +#StreamTypeResize: "resize" + +// Name 
of header that specifies the port being forwarded +#PortHeader: "port" + +// Name of header that specifies a request ID used to associate the error +// and data streams for a single forwarded connection +#PortForwardRequestIDHeader: "requestID" + +// MixedProtocolNotSupported error in PortStatus means that the cloud provider +// can't publish the port on the load balancer because mixed values of protocols +// on the same LoadBalancer type of Service are not supported by the cloud provider. +#MixedProtocolNotSupported: "MixedProtocolNotSupported" + +#PortStatus: { + // Port is the port number of the service port of which status is recorded here + port: int32 @go(Port) @protobuf(1,varint,opt) + + // Protocol is the protocol of the service port of which status is recorded here + // The supported values are: "TCP", "UDP", "SCTP" + protocol: #Protocol @go(Protocol) @protobuf(2,bytes,opt,casttype=Protocol) + + // Error is to record the problem with the service port + // The format of the error shall comply with the following rules: + // - built-in error values shall be specified in this file and those shall use + // CamelCase names + // - cloud provider specific error values must have names that comply with the + // format foo.example.com/CamelCase. + // --- + // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + // +optional + // +kubebuilder:validation:Required + // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` + // +kubebuilder:validation:MaxLength=316 + error?: null | string @go(Error,*string) @protobuf(3,bytes,opt) +} diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/core/v1/well_known_labels_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/core/v1/well_known_labels_go_gen.cue new file mode 100644 index 000000000..2a1f060b6 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/core/v1/well_known_labels_go_gen.cue 
@@ -0,0 +1,59 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/core/v1 + +package v1 + +#LabelHostname: "kubernetes.io/hostname" + +// Label value is the network location of kube-apiserver stored as +// Stored in APIServer Identity lease objects to view what address is used for peer proxy +#AnnotationPeerAdvertiseAddress: "kubernetes.io/peer-advertise-address" +#LabelTopologyZone: "topology.kubernetes.io/zone" +#LabelTopologyRegion: "topology.kubernetes.io/region" + +// These label have been deprecated since 1.17, but will be supported for +// the foreseeable future, to accommodate things like long-lived PVs that +// use them. New users should prefer the "topology.kubernetes.io/*" +// equivalents. +#LabelFailureDomainBetaZone: "failure-domain.beta.kubernetes.io/zone" +#LabelFailureDomainBetaRegion: "failure-domain.beta.kubernetes.io/region" + +// Retained for compat when vendored. Do not use these consts in new code. +#LabelZoneFailureDomain: "failure-domain.beta.kubernetes.io/zone" +#LabelZoneRegion: "failure-domain.beta.kubernetes.io/region" +#LabelZoneFailureDomainStable: "topology.kubernetes.io/zone" +#LabelZoneRegionStable: "topology.kubernetes.io/region" +#LabelInstanceType: "beta.kubernetes.io/instance-type" +#LabelInstanceTypeStable: "node.kubernetes.io/instance-type" +#LabelOSStable: "kubernetes.io/os" +#LabelArchStable: "kubernetes.io/arch" + +// LabelWindowsBuild is used on Windows nodes to specify the Windows build number starting with v1.17.0. 
+// It's in the format MajorVersion.MinorVersion.BuildNumber (for ex: 10.0.17763) +#LabelWindowsBuild: "node.kubernetes.io/windows-build" + +// LabelNamespaceSuffixKubelet is an allowed label namespace suffix kubelets can self-set ([*.]kubelet.kubernetes.io/*) +#LabelNamespaceSuffixKubelet: "kubelet.kubernetes.io" + +// LabelNamespaceSuffixNode is an allowed label namespace suffix kubelets can self-set ([*.]node.kubernetes.io/*) +#LabelNamespaceSuffixNode: "node.kubernetes.io" + +// LabelNamespaceNodeRestriction is a forbidden label namespace that kubelets may not self-set when the NodeRestriction admission plugin is enabled +#LabelNamespaceNodeRestriction: "node-restriction.kubernetes.io" + +// IsHeadlessService is added by Controller to an Endpoint denoting if its parent +// Service is Headless. The existence of this label can be used further by other +// controllers and kube-proxy to check if the Endpoint objects should be replicated when +// using Headless Services +#IsHeadlessService: "service.kubernetes.io/headless" + +// LabelNodeExcludeBalancers specifies that the node should not be considered as a target +// for external load-balancers which use nodes as a second hop (e.g. many cloud LBs which only +// understand nodes). For services that use externalTrafficPolicy=Local, this may mean that +// any backends on excluded nodes are not reachable by those external load-balancers. +// Implementations of this exclusion may vary based on provider. +#LabelNodeExcludeBalancers: "node.kubernetes.io/exclude-from-external-load-balancers" + +// LabelMetadataName is the label name which, in-tree, is used to automatically label namespaces, so they can be selected easily by tools which require definitive labels +#LabelMetadataName: "kubernetes.io/metadata.name" 
diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/core/v1/well_known_taints_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/core/v1/well_known_taints_go_gen.cue new file mode 100644 index 000000000..b7c097336 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/core/v1/well_known_taints_go_gen.cue @@ -0,0 +1,38 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/core/v1 + +package v1 + +// TaintNodeNotReady will be added when node is not ready +// and removed when node becomes ready. +#TaintNodeNotReady: "node.kubernetes.io/not-ready" + +// TaintNodeUnreachable will be added when node becomes unreachable +// (corresponding to NodeReady status ConditionUnknown) +// and removed when node becomes reachable (NodeReady status ConditionTrue). +#TaintNodeUnreachable: "node.kubernetes.io/unreachable" + +// TaintNodeUnschedulable will be added when node becomes unschedulable +// and removed when node becomes schedulable. +#TaintNodeUnschedulable: "node.kubernetes.io/unschedulable" + +// TaintNodeMemoryPressure will be added when node has memory pressure +// and removed when node has enough memory. +#TaintNodeMemoryPressure: "node.kubernetes.io/memory-pressure" + +// TaintNodeDiskPressure will be added when node has disk pressure +// and removed when node has enough disk. +#TaintNodeDiskPressure: "node.kubernetes.io/disk-pressure" + +// TaintNodeNetworkUnavailable will be added when node's network is unavailable +// and removed when network becomes ready. +#TaintNodeNetworkUnavailable: "node.kubernetes.io/network-unavailable" + +// TaintNodePIDPressure will be added when node has pid pressure +// and removed when node has enough pid. +#TaintNodePIDPressure: "node.kubernetes.io/pid-pressure" + +// TaintNodeOutOfService can be added when node is out of service in case of +// a non-graceful shutdown +#TaintNodeOutOfService: "node.kubernetes.io/out-of-service" 
diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/discovery/v1/register_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/discovery/v1/register_go_gen.cue new file mode 100644 index 000000000..19a7d631a --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/discovery/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/discovery/v1 + +package v1 + +#GroupName: "discovery.k8s.io" diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/discovery/v1/types_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/discovery/v1/types_go_gen.cue new file mode 100644 index 000000000..144ef53e7 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/discovery/v1/types_go_gen.cue 
@@ -0,0 +1,206 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/discovery/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/api/core/v1" +) + +// EndpointSlice represents a subset of the endpoints that implement a service. +// For a given service there may be multiple EndpointSlice objects, selected by +// labels, which must be joined to produce the full set of endpoints. +#EndpointSlice: { + metav1.#TypeMeta + + // Standard object's metadata. + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // addressType specifies the type of address carried by this EndpointSlice. + // All addresses in this slice must be the same type. This field is + // immutable after creation. The following address types are currently + // supported: + // * IPv4: Represents an IPv4 Address. + // * IPv6: Represents an IPv6 Address. + // * FQDN: Represents a Fully Qualified Domain Name. + addressType: #AddressType @go(AddressType) @protobuf(4,bytes,rep) + + // endpoints is a list of unique endpoints in this slice. Each slice may + // include a maximum of 1000 endpoints. + // +listType=atomic + endpoints: [...#Endpoint] @go(Endpoints,[]Endpoint) @protobuf(2,bytes,rep) + + // ports specifies the list of network ports exposed by each endpoint in + // this slice. Each port must have a unique name. When ports is empty, it + // indicates that there are no defined ports. When a port is defined with a + // nil port value, it indicates "all ports". Each slice may include a + // maximum of 100 ports. + // +optional + // +listType=atomic + ports: [...#EndpointPort] @go(Ports,[]EndpointPort) @protobuf(3,bytes,rep) +} + +// AddressType represents the type of address referred to by an endpoint. +// +enum +#AddressType: string // #enumAddressType + +#enumAddressType: + #AddressTypeIPv4 | + #AddressTypeIPv6 | + #AddressTypeFQDN + +// AddressTypeIPv4 represents an IPv4 Address. 
+#AddressTypeIPv4: #AddressType & "IPv4" + +// AddressTypeIPv6 represents an IPv6 Address. +#AddressTypeIPv6: #AddressType & "IPv6" + +// AddressTypeFQDN represents a FQDN. +#AddressTypeFQDN: #AddressType & "FQDN" + +// Endpoint represents a single logical "backend" implementing a service. +#Endpoint: { + // addresses of this endpoint. The contents of this field are interpreted + // according to the corresponding EndpointSlice addressType field. Consumers + // must handle different types of addresses in the context of their own + // capabilities. This must contain at least one address but no more than + // 100. These are all assumed to be fungible and clients may choose to only + // use the first element. Refer to: https://issue.k8s.io/106267 + // +listType=set + addresses: [...string] @go(Addresses,[]string) @protobuf(1,bytes,rep) + + // conditions contains information about the current status of the endpoint. + conditions?: #EndpointConditions @go(Conditions) @protobuf(2,bytes,opt) + + // hostname of this endpoint. This field may be used by consumers of + // endpoints to distinguish endpoints from each other (e.g. in DNS names). + // Multiple endpoints which use the same hostname should be considered + // fungible (e.g. multiple A values in DNS). Must be lowercase and pass DNS + // Label (RFC 1123) validation. + // +optional + hostname?: null | string @go(Hostname,*string) @protobuf(3,bytes,opt) + + // targetRef is a reference to a Kubernetes object that represents this + // endpoint. + // +optional + targetRef?: null | v1.#ObjectReference @go(TargetRef,*v1.ObjectReference) @protobuf(4,bytes,opt) + + // deprecatedTopology contains topology information part of the v1beta1 + // API. This field is deprecated, and will be removed when the v1beta1 + // API is removed (no sooner than kubernetes v1.24). While this field can + // hold values, it is not writable through the v1 API, and any attempts to + // write to it will be silently ignored. 
Topology information can be found + // in the zone and nodeName fields instead. + // +optional + deprecatedTopology?: {[string]: string} @go(DeprecatedTopology,map[string]string) @protobuf(5,bytes,opt) + + // nodeName represents the name of the Node hosting this endpoint. This can + // be used to determine endpoints local to a Node. + // +optional + nodeName?: null | string @go(NodeName,*string) @protobuf(6,bytes,opt) + + // zone is the name of the Zone this endpoint exists in. + // +optional + zone?: null | string @go(Zone,*string) @protobuf(7,bytes,opt) + + // hints contains information associated with how an endpoint should be + // consumed. + // +optional + hints?: null | #EndpointHints @go(Hints,*EndpointHints) @protobuf(8,bytes,opt) +} + +// EndpointConditions represents the current condition of an endpoint. +#EndpointConditions: { + // ready indicates that this endpoint is prepared to receive traffic, + // according to whatever system is managing the endpoint. A nil value + // indicates an unknown state. In most cases consumers should interpret this + // unknown state as ready. For compatibility reasons, ready should never be + // "true" for terminating endpoints, except when the normal readiness + // behavior is being explicitly overridden, for example when the associated + // Service has set the publishNotReadyAddresses flag. + // +optional + ready?: null | bool @go(Ready,*bool) @protobuf(1,bytes) + + // serving is identical to ready except that it is set regardless of the + // terminating state of endpoints. This condition should be set to true for + // a ready endpoint that is terminating. If nil, consumers should defer to + // the ready condition. + // +optional + serving?: null | bool @go(Serving,*bool) @protobuf(2,bytes) + + // terminating indicates that this endpoint is terminating. A nil value + // indicates an unknown state. Consumers should interpret this unknown state + // to mean that the endpoint is not terminating. 
+ // +optional + terminating?: null | bool @go(Terminating,*bool) @protobuf(3,bytes) +} + +// EndpointHints provides hints describing how an endpoint should be consumed. +#EndpointHints: { + // forZones indicates the zone(s) this endpoint should be consumed by to + // enable topology aware routing. + // +listType=atomic + forZones?: [...#ForZone] @go(ForZones,[]ForZone) @protobuf(1,bytes) +} + +// ForZone provides information about which zones should consume this endpoint. +#ForZone: { + // name represents the name of the zone. + name: string @go(Name) @protobuf(1,bytes) +} + +// EndpointPort represents a Port used by an EndpointSlice +// +structType=atomic +#EndpointPort: { + // name represents the name of this port. All ports in an EndpointSlice must have a unique name. + // If the EndpointSlice is dervied from a Kubernetes service, this corresponds to the Service.ports[].name. + // Name must either be an empty string or pass DNS_LABEL validation: + // * must be no more than 63 characters long. + // * must consist of lower case alphanumeric characters or '-'. + // * must start and end with an alphanumeric character. + // Default is empty string. + name?: null | string @go(Name,*string) @protobuf(1,bytes) + + // protocol represents the IP protocol for this port. + // Must be UDP, TCP, or SCTP. + // Default is TCP. + protocol?: null | v1.#Protocol @go(Protocol,*v1.Protocol) @protobuf(2,bytes) + + // port represents the port number of the endpoint. + // If this is not specified, ports are not restricted and must be + // interpreted in the context of the specific consumer. + port?: null | int32 @go(Port,*int32) @protobuf(3,bytes,opt) + + // The application protocol for this port. + // This is used as a hint for implementations to offer richer behavior for protocols that they understand. + // This field follows standard Kubernetes label syntax. 
+ // Valid values are either: + // + // * Un-prefixed protocol names - reserved for IANA standard service names (as per + // RFC-6335 and https://www.iana.org/assignments/service-names). + // + // * Kubernetes-defined prefixed names: + // * 'kubernetes.io/h2c' - HTTP/2 over cleartext as described in https://www.rfc-editor.org/rfc/rfc7540 + // * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + // * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + // + // * Other protocols should use implementation-defined prefixed names such as + // mycompany.com/my-custom-protocol. + // +optional + appProtocol?: null | string @go(AppProtocol,*string) @protobuf(4,bytes) +} + +// EndpointSliceList represents a list of endpoint slices +#EndpointSliceList: { + metav1.#TypeMeta + + // Standard list metadata. + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of endpoint slices + items: [...#EndpointSlice] @go(Items,[]EndpointSlice) @protobuf(2,bytes,rep) +} diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/discovery/v1/well_known_labels_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/discovery/v1/well_known_labels_go_gen.cue new file mode 100644 index 000000000..9c40d30e9 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/discovery/v1/well_known_labels_go_gen.cue 
@@ -0,0 +1,20 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/discovery/v1 + +package v1 + +// LabelServiceName is used to indicate the name of a Kubernetes service. +#LabelServiceName: "kubernetes.io/service-name" + +// LabelManagedBy is used to indicate the controller or entity that manages +// an EndpointSlice. This label aims to enable different EndpointSlice +// objects to be managed by different controllers or entities within the +// same cluster. It is highly recommended to configure this label for all +// EndpointSlices. +#LabelManagedBy: "endpointslice.kubernetes.io/managed-by" + +// LabelSkipMirror can be set to true on an Endpoints resource to indicate +// that the EndpointSliceMirroring controller should not mirror this +// resource with EndpointSlices. +#LabelSkipMirror: "endpointslice.kubernetes.io/skip-mirror" diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/events/v1/register_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/events/v1/register_go_gen.cue new file mode 100644 index 000000000..c4138c1c7 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/events/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/events/v1 + +package v1 + +#GroupName: "events.k8s.io" diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/events/v1/types_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/events/v1/types_go_gen.cue new file mode 100644 index 000000000..47acc8fc0 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/events/v1/types_go_gen.cue 
@@ -0,0 +1,111 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/events/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + corev1 "k8s.io/api/core/v1" +) + +// Event is a report of an event somewhere in the cluster. It generally denotes some state change in the system. +// Events have a limited retention time and triggers and messages may evolve +// with time. Event consumers should not rely on the timing of an event +// with a given Reason reflecting a consistent underlying trigger, or the +// continued existence of events with that Reason. Events should be +// treated as informative, best-effort, supplemental data. +#Event: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // eventTime is the time when this Event was first observed. It is required. + eventTime: metav1.#MicroTime @go(EventTime) @protobuf(2,bytes,opt) + + // series is data about the Event series this event represents or nil if it's a singleton Event. + // +optional + series?: null | #EventSeries @go(Series,*EventSeries) @protobuf(3,bytes,opt) + + // reportingController is the name of the controller that emitted this Event, e.g. `kubernetes.io/kubelet`. + // This field cannot be empty for new Events. + reportingController?: string @go(ReportingController) @protobuf(4,bytes,opt) + + // reportingInstance is the ID of the controller instance, e.g. `kubelet-xyzf`. + // This field cannot be empty for new Events and it can have at most 128 characters. + reportingInstance?: string @go(ReportingInstance) @protobuf(5,bytes,opt) + + // action is what action was taken/failed regarding to the regarding object. It is machine-readable. + // This field cannot be empty for new Events and it can have at most 128 characters. 
+ action?: string @go(Action) @protobuf(6,bytes) + + // reason is why the action was taken. It is human-readable. + // This field cannot be empty for new Events and it can have at most 128 characters. + reason?: string @go(Reason) @protobuf(7,bytes) + + // regarding contains the object this Event is about. In most cases it's an Object reporting controller + // implements, e.g. ReplicaSetController implements ReplicaSets and this event is emitted because + // it acts on some changes in a ReplicaSet object. + // +optional + regarding?: corev1.#ObjectReference @go(Regarding) @protobuf(8,bytes,opt) + + // related is the optional secondary object for more complex actions. E.g. when regarding object triggers + // a creation or deletion of related object. + // +optional + related?: null | corev1.#ObjectReference @go(Related,*corev1.ObjectReference) @protobuf(9,bytes,opt) + + // note is a human-readable description of the status of this operation. + // Maximal length of the note is 1kB, but libraries should be prepared to + // handle values up to 64kB. + // +optional + note?: string @go(Note) @protobuf(10,bytes,opt) + + // type is the type of this event (Normal, Warning), new types could be added in the future. + // It is machine-readable. + // This field cannot be empty for new Events. + type?: string @go(Type) @protobuf(11,bytes,opt) + + // deprecatedSource is the deprecated field assuring backward compatibility with core.v1 Event type. + // +optional + deprecatedSource?: corev1.#EventSource @go(DeprecatedSource) @protobuf(12,bytes,opt) + + // deprecatedFirstTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type. + // +optional + deprecatedFirstTimestamp?: metav1.#Time @go(DeprecatedFirstTimestamp) @protobuf(13,bytes,opt) + + // deprecatedLastTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type. 
+ // +optional + deprecatedLastTimestamp?: metav1.#Time @go(DeprecatedLastTimestamp) @protobuf(14,bytes,opt) + + // deprecatedCount is the deprecated field assuring backward compatibility with core.v1 Event type. + // +optional + deprecatedCount?: int32 @go(DeprecatedCount) @protobuf(15,varint,opt) +} + +// EventSeries contain information on series of events, i.e. thing that was/is happening +// continuously for some time. How often to update the EventSeries is up to the event reporters. +// The default event reporter in "k8s.io/client-go/tools/events/event_broadcaster.go" shows +// how this struct is updated on heartbeats and can guide customized reporter implementations. +#EventSeries: { + // count is the number of occurrences in this series up to the last heartbeat time. + count: int32 @go(Count) @protobuf(1,varint,opt) + + // lastObservedTime is the time when last Event from the series was seen before last heartbeat. + lastObservedTime: metav1.#MicroTime @go(LastObservedTime) @protobuf(2,bytes,opt) +} + +// EventList is a list of Event objects. +#EventList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is a list of schema objects. + items: [...#Event] @go(Items,[]Event) @protobuf(2,bytes,rep) +} diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/networking/v1/register_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/networking/v1/register_go_gen.cue new file mode 100644 index 000000000..f10426220 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/networking/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/networking/v1 + +package v1 + +#GroupName: "networking.k8s.io" 
diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/networking/v1/types_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/networking/v1/types_go_gen.cue new file mode 100644 index 000000000..bbdc7f2b1 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/networking/v1/types_go_gen.cue 
@@ -0,0 +1,588 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/networking/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/util/intstr" +) + +// NetworkPolicy describes what network traffic is allowed for a set of Pods +#NetworkPolicy: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec represents the specification of the desired behavior for this NetworkPolicy. + // +optional + spec?: #NetworkPolicySpec @go(Spec) @protobuf(2,bytes,opt) +} + +// PolicyType string describes the NetworkPolicy type +// This type is beta-level in 1.8 +// +enum +#PolicyType: string // #enumPolicyType + +#enumPolicyType: + #PolicyTypeIngress | + #PolicyTypeEgress + +// PolicyTypeIngress is a NetworkPolicy that affects ingress traffic on selected pods +#PolicyTypeIngress: #PolicyType & "Ingress" + +// PolicyTypeEgress is a NetworkPolicy that affects egress traffic on selected pods +#PolicyTypeEgress: #PolicyType & "Egress" + +// NetworkPolicySpec provides the specification of a NetworkPolicy +#NetworkPolicySpec: { + // podSelector selects the pods to which this NetworkPolicy object applies. + // The array of ingress rules is applied to any pods selected by this field. + // Multiple network policies can select the same set of pods. In this case, + // the ingress rules for each are combined additively. + // This field is NOT optional and follows standard label selector semantics. + // An empty podSelector matches all pods in this namespace. + podSelector: metav1.#LabelSelector @go(PodSelector) @protobuf(1,bytes,opt) + + // ingress is a list of ingress rules to be applied to the selected pods. 
+ // Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod + // (and cluster policy otherwise allows the traffic), OR if the traffic source is + // the pod's local node, OR if the traffic matches at least one ingress rule + // across all of the NetworkPolicy objects whose podSelector matches the pod. If + // this field is empty then this NetworkPolicy does not allow any traffic (and serves + // solely to ensure that the pods it selects are isolated by default) + // +optional + ingress?: [...#NetworkPolicyIngressRule] @go(Ingress,[]NetworkPolicyIngressRule) @protobuf(2,bytes,rep) + + // egress is a list of egress rules to be applied to the selected pods. Outgoing traffic + // is allowed if there are no NetworkPolicies selecting the pod (and cluster policy + // otherwise allows the traffic), OR if the traffic matches at least one egress rule + // across all of the NetworkPolicy objects whose podSelector matches the pod. If + // this field is empty then this NetworkPolicy limits all outgoing traffic (and serves + // solely to ensure that the pods it selects are isolated by default). + // This field is beta-level in 1.8 + // +optional + egress?: [...#NetworkPolicyEgressRule] @go(Egress,[]NetworkPolicyEgressRule) @protobuf(3,bytes,rep) + + // policyTypes is a list of rule types that the NetworkPolicy relates to. + // Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"]. + // If this field is not specified, it will default based on the existence of ingress or egress rules; + // policies that contain an egress section are assumed to affect egress, and all policies + // (whether or not they contain an ingress section) are assumed to affect ingress. + // If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. 
+ // Likewise, if you want to write a policy that specifies that no egress is allowed, + // you must specify a policyTypes value that include "Egress" (since such a policy would not include + // an egress section and would otherwise default to just [ "Ingress" ]). + // This field is beta-level in 1.8 + // +optional + policyTypes?: [...#PolicyType] @go(PolicyTypes,[]PolicyType) @protobuf(4,bytes,rep,casttype=PolicyType) +} + +// NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods +// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from. +#NetworkPolicyIngressRule: { + // ports is a list of ports which should be made accessible on the pods selected for + // this rule. Each item in this list is combined using a logical OR. If this field is + // empty or missing, this rule matches all ports (traffic not restricted by port). + // If this field is present and contains at least one item, then this rule allows + // traffic only if the traffic matches at least one port in the list. + // +optional + ports?: [...#NetworkPolicyPort] @go(Ports,[]NetworkPolicyPort) @protobuf(1,bytes,rep) + + // from is a list of sources which should be able to access the pods selected for this rule. + // Items in this list are combined using a logical OR operation. If this field is + // empty or missing, this rule matches all sources (traffic not restricted by + // source). If this field is present and contains at least one item, this rule + // allows traffic only if the traffic matches at least one item in the from list. + // +optional + from?: [...#NetworkPolicyPeer] @go(From,[]NetworkPolicyPeer) @protobuf(2,bytes,rep) +} + +// NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods +// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. 
+// This type is beta-level in 1.8 +#NetworkPolicyEgressRule: { + // ports is a list of destination ports for outgoing traffic. + // Each item in this list is combined using a logical OR. If this field is + // empty or missing, this rule matches all ports (traffic not restricted by port). + // If this field is present and contains at least one item, then this rule allows + // traffic only if the traffic matches at least one port in the list. + // +optional + ports?: [...#NetworkPolicyPort] @go(Ports,[]NetworkPolicyPort) @protobuf(1,bytes,rep) + + // to is a list of destinations for outgoing traffic of pods selected for this rule. + // Items in this list are combined using a logical OR operation. If this field is + // empty or missing, this rule matches all destinations (traffic not restricted by + // destination). If this field is present and contains at least one item, this rule + // allows traffic only if the traffic matches at least one item in the to list. + // +optional + to?: [...#NetworkPolicyPeer] @go(To,[]NetworkPolicyPeer) @protobuf(2,bytes,rep) +} + +// NetworkPolicyPort describes a port to allow traffic on +#NetworkPolicyPort: { + // protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. + // If not specified, this field defaults to TCP. + // +optional + protocol?: null | v1.#Protocol @go(Protocol,*v1.Protocol) @protobuf(1,bytes,opt,casttype=k8s.io/api/core/v1.Protocol) + + // port represents the port on the given protocol. This can either be a numerical or named + // port on a pod. If this field is not provided, this matches all port names and + // numbers. + // If present, only traffic on the specified protocol AND port will be matched. + // +optional + port?: null | intstr.#IntOrString @go(Port,*intstr.IntOrString) @protobuf(2,bytes,opt) + + // endPort indicates that the range of ports from port to endPort if set, inclusive, + // should be allowed by the policy. 
This field cannot be defined if the port field + // is not defined or if the port field is defined as a named (string) port. + // The endPort must be equal or greater than port. + // +optional + endPort?: null | int32 @go(EndPort,*int32) @protobuf(3,bytes,opt) +} + +// IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") that is allowed +// to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs +// that should not be included within this rule. +#IPBlock: { + // cidr is a string representing the IPBlock + // Valid examples are "192.168.1.0/24" or "2001:db8::/64" + cidr: string @go(CIDR) @protobuf(1,bytes) + + // except is a slice of CIDRs that should not be included within an IPBlock + // Valid examples are "192.168.1.0/24" or "2001:db8::/64" + // Except values will be rejected if they are outside the cidr range + // +optional + except?: [...string] @go(Except,[]string) @protobuf(2,bytes,rep) +} + +// NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of +// fields are allowed +#NetworkPolicyPeer: { + // podSelector is a label selector which selects pods. This field follows standard label + // selector semantics; if present but empty, it selects all pods. + // + // If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects + // the pods matching podSelector in the Namespaces selected by NamespaceSelector. + // Otherwise it selects the pods matching podSelector in the policy's own namespace. + // +optional + podSelector?: null | metav1.#LabelSelector @go(PodSelector,*metav1.LabelSelector) @protobuf(1,bytes,opt) + + // namespaceSelector selects namespaces using cluster-scoped labels. This field follows + // standard label selector semantics; if present but empty, it selects all namespaces. + // + // If podSelector is also set, then the NetworkPolicyPeer as a whole selects + // the pods matching podSelector in the namespaces selected by namespaceSelector. 
+ // Otherwise it selects all pods in the namespaces selected by namespaceSelector. + // +optional + namespaceSelector?: null | metav1.#LabelSelector @go(NamespaceSelector,*metav1.LabelSelector) @protobuf(2,bytes,opt) + + // ipBlock defines policy on a particular IPBlock. If this field is set then + // neither of the other fields can be. + // +optional + ipBlock?: null | #IPBlock @go(IPBlock,*IPBlock) @protobuf(3,bytes,rep) +} + +// NetworkPolicyList is a list of NetworkPolicy objects. +#NetworkPolicyList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is a list of schema objects. + items: [...#NetworkPolicy] @go(Items,[]NetworkPolicy) @protobuf(2,bytes,rep) +} + +// Ingress is a collection of rules that allow inbound connections to reach the +// endpoints defined by a backend. An Ingress can be configured to give services +// externally-reachable urls, load balance traffic, terminate SSL, offer name +// based virtual hosting etc. +#Ingress: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec is the desired state of the Ingress. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #IngressSpec @go(Spec) @protobuf(2,bytes,opt) + + // status is the current state of the Ingress. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #IngressStatus @go(Status) @protobuf(3,bytes,opt) +} + +// IngressList is a collection of Ingress. 
+#IngressList: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of Ingress. + items: [...#Ingress] @go(Items,[]Ingress) @protobuf(2,bytes,rep) +} + +// IngressSpec describes the Ingress the user wishes to exist. +#IngressSpec: { + // ingressClassName is the name of an IngressClass cluster resource. Ingress + // controller implementations use this field to know whether they should be + // serving this Ingress resource, by a transitive connection + // (controller -> IngressClass -> Ingress resource). Although the + // `kubernetes.io/ingress.class` annotation (simple constant name) was never + // formally defined, it was widely supported by Ingress controllers to create + // a direct binding between Ingress controller and Ingress resources. Newly + // created Ingress resources should prefer using the field. However, even + // though the annotation is officially deprecated, for backwards compatibility + // reasons, ingress controllers should still honor that annotation if present. + // +optional + ingressClassName?: null | string @go(IngressClassName,*string) @protobuf(4,bytes,opt) + + // defaultBackend is the backend that should handle requests that don't + // match any rule. If Rules are not specified, DefaultBackend must be specified. + // If DefaultBackend is not set, the handling of requests that do not match any + // of the rules will be up to the Ingress controller. + // +optional + defaultBackend?: null | #IngressBackend @go(DefaultBackend,*IngressBackend) @protobuf(1,bytes,opt) + + // tls represents the TLS configuration. Currently the Ingress only supports a + // single TLS port, 443. 
If multiple members of this list specify different hosts, + // they will be multiplexed on the same port according to the hostname specified + // through the SNI TLS extension, if the ingress controller fulfilling the + // ingress supports SNI. + // +listType=atomic + // +optional + tls?: [...#IngressTLS] @go(TLS,[]IngressTLS) @protobuf(2,bytes,rep) + + // rules is a list of host rules used to configure the Ingress. If unspecified, + // or no rule matches, all traffic is sent to the default backend. + // +listType=atomic + // +optional + rules?: [...#IngressRule] @go(Rules,[]IngressRule) @protobuf(3,bytes,rep) +} + +// IngressTLS describes the transport layer security associated with an ingress. +#IngressTLS: { + // hosts is a list of hosts included in the TLS certificate. The values in + // this list must match the name/s used in the tlsSecret. Defaults to the + // wildcard host setting for the loadbalancer controller fulfilling this + // Ingress, if left unspecified. + // +listType=atomic + // +optional + hosts?: [...string] @go(Hosts,[]string) @protobuf(1,bytes,rep) + + // secretName is the name of the secret used to terminate TLS traffic on + // port 443. Field is left optional to allow TLS routing based on SNI + // hostname alone. If the SNI host in a listener conflicts with the "Host" + // header field used by an IngressRule, the SNI host is used for termination + // and value of the "Host" header is used for routing. + // +optional + secretName?: string @go(SecretName) @protobuf(2,bytes,opt) +} + +// IngressStatus describe the current state of the Ingress. +#IngressStatus: { + // loadBalancer contains the current status of the load-balancer. + // +optional + loadBalancer?: #IngressLoadBalancerStatus @go(LoadBalancer) @protobuf(1,bytes,opt) +} + +// IngressLoadBalancerStatus represents the status of a load-balancer. +#IngressLoadBalancerStatus: { + // ingress is a list containing ingress points for the load-balancer. 
+ // +optional + ingress?: [...#IngressLoadBalancerIngress] @go(Ingress,[]IngressLoadBalancerIngress) @protobuf(1,bytes,rep) +} + +// IngressLoadBalancerIngress represents the status of a load-balancer ingress point. +#IngressLoadBalancerIngress: { + // ip is set for load-balancer ingress points that are IP based. + // +optional + ip?: string @go(IP) @protobuf(1,bytes,opt) + + // hostname is set for load-balancer ingress points that are DNS based. + // +optional + hostname?: string @go(Hostname) @protobuf(2,bytes,opt) + + // ports provides information about the ports exposed by this LoadBalancer. + // +listType=atomic + // +optional + ports?: [...#IngressPortStatus] @go(Ports,[]IngressPortStatus) @protobuf(4,bytes,rep) +} + +// IngressPortStatus represents the error condition of a service port +#IngressPortStatus: { + // port is the port number of the ingress port. + port: int32 @go(Port) @protobuf(1,varint,opt) + + // protocol is the protocol of the ingress port. + // The supported values are: "TCP", "UDP", "SCTP" + protocol: v1.#Protocol @go(Protocol) @protobuf(2,bytes,opt,casttype=Protocol) + + // error is to record the problem with the service port + // The format of the error shall comply with the following rules: + // - built-in error values shall be specified in this file and those shall use + // CamelCase names + // - cloud provider specific error values must have names that comply with the + // format foo.example.com/CamelCase. + // --- + // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + // +optional + // +kubebuilder:validation:Required + // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` + // +kubebuilder:validation:MaxLength=316 + error?: null | string @go(Error,*string) @protobuf(3,bytes,opt) +} + +// IngressRule represents the rules mapping the paths under a specified host to +// the related backend services. 
Incoming requests are first evaluated for a host +// match, then routed to the backend associated with the matching IngressRuleValue. +#IngressRule: { + // host is the fully qualified domain name of a network host, as defined by RFC 3986. + // Note the following deviations from the "host" part of the + // URI as defined in RFC 3986: + // 1. IPs are not allowed. Currently an IngressRuleValue can only apply to + // the IP in the Spec of the parent Ingress. + // 2. The `:` delimiter is not respected because ports are not allowed. + // Currently the port of an Ingress is implicitly :80 for http and + // :443 for https. + // Both these may change in the future. + // Incoming requests are matched against the host before the + // IngressRuleValue. If the host is unspecified, the Ingress routes all + // traffic based on the specified IngressRuleValue. + // + // host can be "precise" which is a domain name without the terminating dot of + // a network host (e.g. "foo.bar.com") or "wildcard", which is a domain name + // prefixed with a single wildcard label (e.g. "*.foo.com"). + // The wildcard character '*' must appear by itself as the first DNS label and + // matches only a single label. You cannot have a wildcard label by itself (e.g. Host == "*"). + // Requests will be matched against the Host field in the following way: + // 1. If host is precise, the request matches this rule if the http host header is equal to Host. + // 2. If host is a wildcard, then the request matches this rule if the http host header + // is to equal to the suffix (removing the first label) of the wildcard rule. + // +optional + host?: string @go(Host) @protobuf(1,bytes,opt) + + #IngressRuleValue +} + +// IngressRuleValue represents a rule to apply against incoming requests. If the +// rule is satisfied, the request is routed to the specified backend. Currently +// mixing different types of rules in a single Ingress is disallowed, so exactly +// one of the following must be set. 
+#IngressRuleValue: { + // +optional + http?: null | #HTTPIngressRuleValue @go(HTTP,*HTTPIngressRuleValue) @protobuf(1,bytes,opt) +} + +// HTTPIngressRuleValue is a list of http selectors pointing to backends. +// In the example: http:///? -> backend where +// where parts of the url correspond to RFC 3986, this resource will be used +// to match against everything after the last '/' and before the first '?' +// or '#'. +#HTTPIngressRuleValue: { + // paths is a collection of paths that map requests to backends. + // +listType=atomic + paths: [...#HTTPIngressPath] @go(Paths,[]HTTPIngressPath) @protobuf(1,bytes,rep) +} + +// PathType represents the type of path referred to by a HTTPIngressPath. +// +enum +#PathType: string // #enumPathType + +#enumPathType: + #PathTypeExact | + #PathTypePrefix | + #PathTypeImplementationSpecific + +// PathTypeExact matches the URL path exactly and with case sensitivity. +#PathTypeExact: #PathType & "Exact" + +// PathTypePrefix matches based on a URL path prefix split by '/'. Matching +// is case sensitive and done on a path element by element basis. A path +// element refers to the list of labels in the path split by the '/' +// separator. A request is a match for path p if every p is an element-wise +// prefix of p of the request path. Note that if the last element of the +// path is a substring of the last element in request path, it is not a +// match (e.g. /foo/bar matches /foo/bar/baz, but does not match +// /foo/barbaz). If multiple matching paths exist in an Ingress spec, the +// longest matching path is given priority. +// Examples: +// - /foo/bar does not match requests to /foo/barbaz +// - /foo/bar matches request to /foo/bar and /foo/bar/baz +// - /foo and /foo/ both match requests to /foo and /foo/. If both paths are +// present in an Ingress spec, the longest matching path (/foo/) is given +// priority. +#PathTypePrefix: #PathType & "Prefix" + +// PathTypeImplementationSpecific matching is up to the IngressClass. 
+// Implementations can treat this as a separate PathType or treat it +// identically to Prefix or Exact path types. +#PathTypeImplementationSpecific: #PathType & "ImplementationSpecific" + +// HTTPIngressPath associates a path with a backend. Incoming urls matching the +// path are forwarded to the backend. +#HTTPIngressPath: { + // path is matched against the path of an incoming request. Currently it can + // contain characters disallowed from the conventional "path" part of a URL + // as defined by RFC 3986. Paths must begin with a '/' and must be present + // when using PathType with value "Exact" or "Prefix". + // +optional + path?: string @go(Path) @protobuf(1,bytes,opt) + + // pathType determines the interpretation of the path matching. PathType can + // be one of the following values: + // * Exact: Matches the URL path exactly. + // * Prefix: Matches based on a URL path prefix split by '/'. Matching is + // done on a path element by element basis. A path element refers is the + // list of labels in the path split by the '/' separator. A request is a + // match for path p if every p is an element-wise prefix of p of the + // request path. Note that if the last element of the path is a substring + // of the last element in request path, it is not a match (e.g. /foo/bar + // matches /foo/bar/baz, but does not match /foo/barbaz). + // * ImplementationSpecific: Interpretation of the Path matching is up to + // the IngressClass. Implementations can treat this as a separate PathType + // or treat it identically to Prefix or Exact path types. + // Implementations are required to support all path types. + pathType?: null | #PathType @go(PathType,*PathType) @protobuf(3,bytes,opt) + + // backend defines the referenced service endpoint to which the traffic + // will be forwarded to. + backend: #IngressBackend @go(Backend) @protobuf(2,bytes,opt) +} + +// IngressBackend describes all endpoints for a given service and port. 
+#IngressBackend: { + // service references a service as a backend. + // This is a mutually exclusive setting with "Resource". + // +optional + service?: null | #IngressServiceBackend @go(Service,*IngressServiceBackend) @protobuf(4,bytes,opt) + + // resource is an ObjectRef to another Kubernetes resource in the namespace + // of the Ingress object. If resource is specified, a service.Name and + // service.Port must not be specified. + // This is a mutually exclusive setting with "Service". + // +optional + resource?: null | v1.#TypedLocalObjectReference @go(Resource,*v1.TypedLocalObjectReference) @protobuf(3,bytes,opt) +} + +// IngressServiceBackend references a Kubernetes Service as a Backend. +#IngressServiceBackend: { + // name is the referenced service. The service must exist in + // the same namespace as the Ingress object. + name: string @go(Name) @protobuf(1,bytes,opt) + + // port of the referenced service. A port name or port number + // is required for a IngressServiceBackend. + port?: #ServiceBackendPort @go(Port) @protobuf(2,bytes,opt) +} + +// ServiceBackendPort is the service port being referenced. +#ServiceBackendPort: { + // name is the name of the port on the Service. + // This is a mutually exclusive setting with "Number". + // +optional + name?: string @go(Name) @protobuf(1,bytes,opt) + + // number is the numerical port number (e.g. 80) on the Service. + // This is a mutually exclusive setting with "Name". + // +optional + number?: int32 @go(Number) @protobuf(2,bytes,opt) +} + +// IngressClass represents the class of the Ingress, referenced by the Ingress +// Spec. The `ingressclass.kubernetes.io/is-default-class` annotation can be +// used to indicate that an IngressClass should be considered default. When a +// single IngressClass resource has this annotation set to true, new Ingress +// resources without a class specified will be assigned this default class. +#IngressClass: { + metav1.#TypeMeta + + // Standard object's metadata. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec is the desired state of the IngressClass. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #IngressClassSpec @go(Spec) @protobuf(2,bytes,opt) +} + +// IngressClassSpec provides information about the class of an Ingress. +#IngressClassSpec: { + // controller refers to the name of the controller that should handle this + // class. This allows for different "flavors" that are controlled by the + // same controller. For example, you may have different parameters for the + // same implementing controller. This should be specified as a + // domain-prefixed path no more than 250 characters in length, e.g. + // "acme.io/ingress-controller". This field is immutable. + controller?: string @go(Controller) @protobuf(1,bytes,opt) + + // parameters is a link to a custom resource containing additional + // configuration for the controller. This is optional if the controller does + // not require extra parameters. + // +optional + parameters?: null | #IngressClassParametersReference @go(Parameters,*IngressClassParametersReference) @protobuf(2,bytes,opt) +} + +// IngressClassParametersReferenceScopeNamespace indicates that the +// referenced Parameters resource is namespace-scoped. +#IngressClassParametersReferenceScopeNamespace: "Namespace" + +// IngressClassParametersReferenceScopeCluster indicates that the +// referenced Parameters resource is cluster-scoped. +#IngressClassParametersReferenceScopeCluster: "Cluster" + +// IngressClassParametersReference identifies an API object. This can be used +// to specify a cluster or namespace-scoped resource. +#IngressClassParametersReference: { + // apiGroup is the group for the resource being referenced. 
If APIGroup is + // not specified, the specified Kind must be in the core API group. For any + // other third-party types, APIGroup is required. + // +optional + apiGroup?: null | string @go(APIGroup,*string) @protobuf(1,bytes,opt,name=aPIGroup) + + // kind is the type of resource being referenced. + kind: string @go(Kind) @protobuf(2,bytes,opt) + + // name is the name of resource being referenced. + name: string @go(Name) @protobuf(3,bytes,opt) + + // scope represents if this refers to a cluster or namespace scoped resource. + // This may be set to "Cluster" (default) or "Namespace". + // +optional + scope?: null | string @go(Scope,*string) @protobuf(4,bytes,opt) + + // namespace is the namespace of the resource being referenced. This field is + // required when scope is set to "Namespace" and must be unset when scope is set to + // "Cluster". + // +optional + namespace?: null | string @go(Namespace,*string) @protobuf(5,bytes,opt) +} + +// IngressClassList is a collection of IngressClasses. +#IngressClassList: { + metav1.#TypeMeta + + // Standard list metadata. + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of IngressClasses. + items: [...#IngressClass] @go(Items,[]IngressClass) @protobuf(2,bytes,rep) +} diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/networking/v1/well_known_annotations_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/networking/v1/well_known_annotations_go_gen.cue new file mode 100644 index 000000000..bee74f4b6 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/networking/v1/well_known_annotations_go_gen.cue 
@@ -0,0 +1,11 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/networking/v1 + +package v1 + +// AnnotationIsDefaultIngressClass can be used to indicate that an +// IngressClass should be considered default. When a single IngressClass +// resource has this annotation set to true, new Ingress resources without a +// class specified will be assigned this default class. +#AnnotationIsDefaultIngressClass: "ingressclass.kubernetes.io/is-default-class" diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/node/v1/register_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/node/v1/register_go_gen.cue new file mode 100644 index 000000000..5969b44fa --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/node/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/node/v1 + +package v1 + +#GroupName: "node.k8s.io" diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/node/v1/types_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/node/v1/types_go_gen.cue new file mode 100644 index 000000000..3934557c9 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/node/v1/types_go_gen.cue 
@@ -0,0 +1,90 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/node/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + corev1 "k8s.io/api/core/v1" +) + +// RuntimeClass defines a class of container runtime supported in the cluster. +// The RuntimeClass is used to determine which container runtime is used to run +// all containers in a pod. RuntimeClasses are manually defined by a +// user or cluster provisioner, and referenced in the PodSpec. The Kubelet is +// responsible for resolving the RuntimeClassName reference before running the +// pod. For more details, see +// https://kubernetes.io/docs/concepts/containers/runtime-class/ +#RuntimeClass: { + metav1.#TypeMeta + + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // handler specifies the underlying runtime and configuration that the CRI + // implementation will use to handle pods of this class. The possible values + // are specific to the node & CRI configuration. It is assumed that all + // handlers are available on every node, and handlers of the same name are + // equivalent on every node. + // For example, a handler called "runc" might specify that the runc OCI + // runtime (using native Linux containers) will be used to run the containers + // in a pod. + // The Handler must be lowercase, conform to the DNS Label (RFC 1123) requirements, + // and is immutable. + handler: string @go(Handler) @protobuf(2,bytes,opt) + + // overhead represents the resource overhead associated with running a pod for a + // given RuntimeClass. 
For more details, see + // https://kubernetes.io/docs/concepts/scheduling-eviction/pod-overhead/ + // +optional + overhead?: null | #Overhead @go(Overhead,*Overhead) @protobuf(3,bytes,opt) + + // scheduling holds the scheduling constraints to ensure that pods running + // with this RuntimeClass are scheduled to nodes that support it. + // If scheduling is nil, this RuntimeClass is assumed to be supported by all + // nodes. + // +optional + scheduling?: null | #Scheduling @go(Scheduling,*Scheduling) @protobuf(4,bytes,opt) +} + +// Overhead structure represents the resource overhead associated with running a pod. +#Overhead: { + // podFixed represents the fixed resource overhead associated with running a pod. + // +optional + podFixed?: corev1.#ResourceList @go(PodFixed) @protobuf(1,bytes,opt,casttype=k8s.io/api/core/v1.ResourceList,castkey=k8s.io/api/core/v1.ResourceName,castvalue=k8s.io/apimachinery/pkg/api/resource.Quantity) +} + +// Scheduling specifies the scheduling constraints for nodes supporting a +// RuntimeClass. +#Scheduling: { + // nodeSelector lists labels that must be present on nodes that support this + // RuntimeClass. Pods using this RuntimeClass can only be scheduled to a + // node matched by this selector. The RuntimeClass nodeSelector is merged + // with a pod's existing nodeSelector. Any conflicts will cause the pod to + // be rejected in admission. + // +optional + // +mapType=atomic + nodeSelector?: {[string]: string} @go(NodeSelector,map[string]string) @protobuf(1,bytes,opt) + + // tolerations are appended (excluding duplicates) to pods running with this + // RuntimeClass during admission, effectively unioning the set of nodes + // tolerated by the pod and the RuntimeClass. + // +optional + // +listType=atomic + tolerations?: [...corev1.#Toleration] @go(Tolerations,[]corev1.Toleration) @protobuf(2,bytes,rep) +} + +// RuntimeClassList is a list of RuntimeClass objects. +#RuntimeClassList: { + metav1.#TypeMeta + + // Standard list metadata. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is a list of schema objects. + items: [...#RuntimeClass] @go(Items,[]RuntimeClass) @protobuf(2,bytes,rep) +} diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/policy/v1/doc_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/policy/v1/doc_go_gen.cue new file mode 100644 index 000000000..dedcdc34b --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/policy/v1/doc_go_gen.cue @@ -0,0 +1,8 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/policy/v1 + +// Package policy is for any kind of policy object. Suitable examples, even if +// they aren't all here, are PodDisruptionBudget, PodSecurityPolicy, +// NetworkPolicy, etc. +package v1 diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/policy/v1/register_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/policy/v1/register_go_gen.cue new file mode 100644 index 000000000..e38fa373b --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/policy/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/policy/v1 + +package v1 + +#GroupName: "policy" diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/policy/v1/types_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/policy/v1/types_go_gen.cue new file mode 100644 index 000000000..5901cc6db --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/policy/v1/types_go_gen.cue 
@@ -0,0 +1,204 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/policy/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/intstr" +) + +#DisruptionBudgetCause: metav1.#CauseType & "DisruptionBudget" + +// PodDisruptionBudgetSpec is a description of a PodDisruptionBudget. +#PodDisruptionBudgetSpec: { + // An eviction is allowed if at least "minAvailable" pods selected by + // "selector" will still be available after the eviction, i.e. even in the + // absence of the evicted pod. So for example you can prevent all voluntary + // evictions by specifying "100%". + // +optional + minAvailable?: null | intstr.#IntOrString @go(MinAvailable,*intstr.IntOrString) @protobuf(1,bytes,opt) + + // Label query over pods whose evictions are managed by the disruption + // budget. + // A null selector will match no pods, while an empty ({}) selector will select + // all pods within the namespace. + // +patchStrategy=replace + // +optional + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt) + + // An eviction is allowed if at most "maxUnavailable" pods selected by + // "selector" are unavailable after the eviction, i.e. even in absence of + // the evicted pod. For example, one can prevent all voluntary evictions + // by specifying 0. This is a mutually exclusive setting with "minAvailable". + // +optional + maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(3,bytes,opt) + + // UnhealthyPodEvictionPolicy defines the criteria for when unhealthy pods + // should be considered for eviction. Current implementation considers healthy pods, + // as pods that have status.conditions item with type="Ready",status="True". + // + // Valid policies are IfHealthyBudget and AlwaysAllow. + // If no policy is specified, the default behavior will be used, + // which corresponds to the IfHealthyBudget policy. 
+ // + // IfHealthyBudget policy means that running pods (status.phase="Running"), + // but not yet healthy can be evicted only if the guarded application is not + // disrupted (status.currentHealthy is at least equal to status.desiredHealthy). + // Healthy pods will be subject to the PDB for eviction. + // + // AlwaysAllow policy means that all running pods (status.phase="Running"), + // but not yet healthy are considered disrupted and can be evicted regardless + // of whether the criteria in a PDB is met. This means perspective running + // pods of a disrupted application might not get a chance to become healthy. + // Healthy pods will be subject to the PDB for eviction. + // + // Additional policies may be added in the future. + // Clients making eviction decisions should disallow eviction of unhealthy pods + // if they encounter an unrecognized policy in this field. + // + // This field is beta-level. The eviction API uses this field when + // the feature gate PDBUnhealthyPodEvictionPolicy is enabled (enabled by default). + // +optional + unhealthyPodEvictionPolicy?: null | #UnhealthyPodEvictionPolicyType @go(UnhealthyPodEvictionPolicy,*UnhealthyPodEvictionPolicyType) @protobuf(4,bytes,opt) +} + +// UnhealthyPodEvictionPolicyType defines the criteria for when unhealthy pods +// should be considered for eviction. +// +enum +#UnhealthyPodEvictionPolicyType: string // #enumUnhealthyPodEvictionPolicyType + +#enumUnhealthyPodEvictionPolicyType: + #IfHealthyBudget | + #AlwaysAllow + +// IfHealthyBudget policy means that running pods (status.phase="Running"), +// but not yet healthy can be evicted only if the guarded application is not +// disrupted (status.currentHealthy is at least equal to status.desiredHealthy). +// Healthy pods will be subject to the PDB for eviction. 
+#IfHealthyBudget: #UnhealthyPodEvictionPolicyType & "IfHealthyBudget" + +// AlwaysAllow policy means that all running pods (status.phase="Running"), +// but not yet healthy are considered disrupted and can be evicted regardless +// of whether the criteria in a PDB is met. This means perspective running +// pods of a disrupted application might not get a chance to become healthy. +// Healthy pods will be subject to the PDB for eviction. +#AlwaysAllow: #UnhealthyPodEvictionPolicyType & "AlwaysAllow" + +// PodDisruptionBudgetStatus represents information about the status of a +// PodDisruptionBudget. Status may trail the actual state of a system. +#PodDisruptionBudgetStatus: { + // Most recent generation observed when updating this PDB status. DisruptionsAllowed and other + // status information is valid only if observedGeneration equals to PDB's object generation. + // +optional + observedGeneration?: int64 @go(ObservedGeneration) @protobuf(1,varint,opt) + + // DisruptedPods contains information about pods whose eviction was + // processed by the API server eviction subresource handler but has not + // yet been observed by the PodDisruptionBudget controller. + // A pod will be in this map from the time when the API server processed the + // eviction request to the time when the pod is seen by PDB controller + // as having been marked for deletion (or after a timeout). The key in the map is the name of the pod + // and the value is the time when the API server processed the eviction request. If + // the deletion didn't occur and a pod is still there it will be removed from + // the list automatically by PodDisruptionBudget controller after some time. + // If everything goes smooth this map should be empty for the most of the time. + // Large number of entries in the map may indicate problems with pod deletions. 
+ // +optional + disruptedPods?: {[string]: metav1.#Time} @go(DisruptedPods,map[string]metav1.Time) @protobuf(2,bytes,rep) + + // Number of pod disruptions that are currently allowed. + disruptionsAllowed: int32 @go(DisruptionsAllowed) @protobuf(3,varint,opt) + + // current number of healthy pods + currentHealthy: int32 @go(CurrentHealthy) @protobuf(4,varint,opt) + + // minimum desired number of healthy pods + desiredHealthy: int32 @go(DesiredHealthy) @protobuf(5,varint,opt) + + // total number of pods counted by this disruption budget + expectedPods: int32 @go(ExpectedPods) @protobuf(6,varint,opt) + + // Conditions contain conditions for PDB. The disruption controller sets the + // DisruptionAllowed condition. The following are known values for the reason field + // (additional reasons could be added in the future): + // - SyncFailed: The controller encountered an error and wasn't able to compute + // the number of allowed disruptions. Therefore no disruptions are + // allowed and the status of the condition will be False. + // - InsufficientPods: The number of pods are either at or below the number + // required by the PodDisruptionBudget. No disruptions are + // allowed and the status of the condition will be False. + // - SufficientPods: There are more pods than required by the PodDisruptionBudget. + // The condition will be True, and the number of allowed + // disruptions are provided by the disruptionsAllowed property. + // + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + conditions?: [...metav1.#Condition] @go(Conditions,[]metav1.Condition) @protobuf(7,bytes,rep) +} + +// DisruptionAllowedCondition is a condition set by the disruption controller +// that signal whether any of the pods covered by the PDB can be disrupted. 
+#DisruptionAllowedCondition: "DisruptionAllowed" + +// SyncFailedReason is set on the DisruptionAllowed condition if reconcile +// of the PDB failed and therefore disruption of pods are not allowed. +#SyncFailedReason: "SyncFailed" + +// SufficientPodsReason is set on the DisruptionAllowed condition if there are +// more pods covered by the PDB than required and at least one can be disrupted. +#SufficientPodsReason: "SufficientPods" + +// InsufficientPodsReason is set on the DisruptionAllowed condition if the number +// of pods are equal to or fewer than required by the PDB. +#InsufficientPodsReason: "InsufficientPods" + +// PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods +#PodDisruptionBudget: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Specification of the desired behavior of the PodDisruptionBudget. + // +optional + spec?: #PodDisruptionBudgetSpec @go(Spec) @protobuf(2,bytes,opt) + + // Most recently observed status of the PodDisruptionBudget. + // +optional + status?: #PodDisruptionBudgetStatus @go(Status) @protobuf(3,bytes,opt) +} + +// PodDisruptionBudgetList is a collection of PodDisruptionBudgets. +#PodDisruptionBudgetList: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of PodDisruptionBudgets + items: [...#PodDisruptionBudget] @go(Items,[]PodDisruptionBudget) @protobuf(2,bytes,rep) +} + +// Eviction evicts a pod from its node subject to certain policies and safety constraints. +// This is a subresource of Pod. 
A request to cause such an eviction is +// created by POSTing to .../pods//evictions. +#Eviction: { + metav1.#TypeMeta + + // ObjectMeta describes the pod that is being evicted. + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // DeleteOptions may be provided + // +optional + deleteOptions?: null | metav1.#DeleteOptions @go(DeleteOptions,*metav1.DeleteOptions) @protobuf(2,bytes,opt) +} diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/rbac/v1/register_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/rbac/v1/register_go_gen.cue new file mode 100644 index 000000000..1c83e8b4f --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/rbac/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/rbac/v1 + +package v1 + +#GroupName: "rbac.authorization.k8s.io" diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/rbac/v1/types_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/rbac/v1/types_go_gen.cue new file mode 100644 index 000000000..521e355e9 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/rbac/v1/types_go_gen.cue 
@@ -0,0 +1,207 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/rbac/v1 + +package v1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +#APIGroupAll: "*" +#ResourceAll: "*" +#VerbAll: "*" +#NonResourceAll: "*" +#GroupKind: "Group" +#ServiceAccountKind: "ServiceAccount" +#UserKind: "User" + +// AutoUpdateAnnotationKey is the name of an annotation which prevents reconciliation if set to "false" +#AutoUpdateAnnotationKey: "rbac.authorization.kubernetes.io/autoupdate" + +// PolicyRule holds information that describes a policy rule, but does not contain information +// about who the rule applies to or which namespace the rule applies to. +#PolicyRule: { + // Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs. + verbs: [...string] @go(Verbs,[]string) @protobuf(1,bytes,rep) + + // APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of + // the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups. + // +optional + apiGroups?: [...string] @go(APIGroups,[]string) @protobuf(2,bytes,rep) + + // Resources is a list of resources this rule applies to. '*' represents all resources. + // +optional + resources?: [...string] @go(Resources,[]string) @protobuf(3,bytes,rep) + + // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. + // +optional + resourceNames?: [...string] @go(ResourceNames,[]string) @protobuf(4,bytes,rep) + + // NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path + // Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. 
+ // Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both. + // +optional + nonResourceURLs?: [...string] @go(NonResourceURLs,[]string) @protobuf(5,bytes,rep) +} + +// Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, +// or a value for non-objects such as user and group names. +// +structType=atomic +#Subject: { + // Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + // If the Authorizer does not recognized the kind value, the Authorizer should report an error. + kind: string @go(Kind) @protobuf(1,bytes,opt) + + // APIGroup holds the API group of the referenced subject. + // Defaults to "" for ServiceAccount subjects. + // Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + // +optional + apiGroup?: string @go(APIGroup) @protobuf(2,bytes,opt.name=apiGroup) + + // Name of the object being referenced. + name: string @go(Name) @protobuf(3,bytes,opt) + + // Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + // the Authorizer should report an error. + // +optional + namespace?: string @go(Namespace) @protobuf(4,bytes,opt) +} + +// RoleRef contains information that points to the role being used +// +structType=atomic +#RoleRef: { + // APIGroup is the group for the resource being referenced + apiGroup: string @go(APIGroup) @protobuf(1,bytes,opt) + + // Kind is the type of resource being referenced + kind: string @go(Kind) @protobuf(2,bytes,opt) + + // Name is the name of resource being referenced + name: string @go(Name) @protobuf(3,bytes,opt) +} + +// Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding. +#Role: { + metav1.#TypeMeta + + // Standard object's metadata. 
+ // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Rules holds all the PolicyRules for this Role + // +optional + rules: [...#PolicyRule] @go(Rules,[]PolicyRule) @protobuf(2,bytes,rep) +} + +// RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. +// It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given +// namespace only have effect in that namespace. +#RoleBinding: { + metav1.#TypeMeta + + // Standard object's metadata. + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Subjects holds references to the objects the role applies to. + // +optional + subjects?: [...#Subject] @go(Subjects,[]Subject) @protobuf(2,bytes,rep) + + // RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. + // If the RoleRef cannot be resolved, the Authorizer must return an error. + // This field is immutable. + roleRef: #RoleRef @go(RoleRef) @protobuf(3,bytes,opt) +} + +// RoleBindingList is a collection of RoleBindings +#RoleBindingList: { + metav1.#TypeMeta + + // Standard object's metadata. + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of RoleBindings + items: [...#RoleBinding] @go(Items,[]RoleBinding) @protobuf(2,bytes,rep) +} + +// RoleList is a collection of Roles +#RoleList: { + metav1.#TypeMeta + + // Standard object's metadata. + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of Roles + items: [...#Role] @go(Items,[]Role) @protobuf(2,bytes,rep) +} + +// ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding. +#ClusterRole: { + metav1.#TypeMeta + + // Standard object's metadata. 
+ // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Rules holds all the PolicyRules for this ClusterRole + // +optional + rules: [...#PolicyRule] @go(Rules,[]PolicyRule) @protobuf(2,bytes,rep) + + // AggregationRule is an optional field that describes how to build the Rules for this ClusterRole. + // If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be + // stomped by the controller. + // +optional + aggregationRule?: null | #AggregationRule @go(AggregationRule,*AggregationRule) @protobuf(3,bytes,opt) +} + +// AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole +#AggregationRule: { + // ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. + // If any of the selectors match, then the ClusterRole's permissions will be added + // +optional + clusterRoleSelectors?: [...metav1.#LabelSelector] @go(ClusterRoleSelectors,[]metav1.LabelSelector) @protobuf(1,bytes,rep) +} + +// ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, +// and adds who information via Subject. +#ClusterRoleBinding: { + metav1.#TypeMeta + + // Standard object's metadata. + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Subjects holds references to the objects the role applies to. + // +optional + subjects?: [...#Subject] @go(Subjects,[]Subject) @protobuf(2,bytes,rep) + + // RoleRef can only reference a ClusterRole in the global namespace. + // If the RoleRef cannot be resolved, the Authorizer must return an error. + // This field is immutable. + roleRef: #RoleRef @go(RoleRef) @protobuf(3,bytes,opt) +} + +// ClusterRoleBindingList is a collection of ClusterRoleBindings +#ClusterRoleBindingList: { + metav1.#TypeMeta + + // Standard object's metadata. 
+ // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of ClusterRoleBindings + items: [...#ClusterRoleBinding] @go(Items,[]ClusterRoleBinding) @protobuf(2,bytes,rep) +} + +// ClusterRoleList is a collection of ClusterRoles +#ClusterRoleList: { + metav1.#TypeMeta + + // Standard object's metadata. + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of ClusterRoles + items: [...#ClusterRole] @go(Items,[]ClusterRole) @protobuf(2,bytes,rep) +} diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/scheduling/v1/register_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/scheduling/v1/register_go_gen.cue new file mode 100644 index 000000000..8cc2b5f28 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/scheduling/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/scheduling/v1 + +package v1 + +#GroupName: "scheduling.k8s.io" diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/scheduling/v1/types_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/scheduling/v1/types_go_gen.cue new file mode 100644 index 000000000..1d8f95746 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/scheduling/v1/types_go_gen.cue 
@@ -0,0 +1,57 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/scheduling/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + apiv1 "k8s.io/api/core/v1" +) + +// PriorityClass defines mapping from a priority class name to the priority +// integer value. The value can be any valid integer. +#PriorityClass: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // value represents the integer value of this priority class. This is the actual priority that pods + // receive when they have the name of this class in their pod spec. + value: int32 @go(Value) @protobuf(2,bytes,opt) + + // globalDefault specifies whether this PriorityClass should be considered as + // the default priority for pods that do not have any priority class. + // Only one PriorityClass can be marked as `globalDefault`. However, if more than + // one PriorityClasses exists with their `globalDefault` field set to true, + // the smallest value of such global default PriorityClasses will be used as the default priority. + // +optional + globalDefault?: bool @go(GlobalDefault) @protobuf(3,bytes,opt) + + // description is an arbitrary string that usually provides guidelines on + // when this priority class should be used. + // +optional + description?: string @go(Description) @protobuf(4,bytes,opt) + + // preemptionPolicy is the Policy for preempting pods with lower priority. + // One of Never, PreemptLowerPriority. + // Defaults to PreemptLowerPriority if unset. + // +optional + preemptionPolicy?: null | apiv1.#PreemptionPolicy @go(PreemptionPolicy,*apiv1.PreemptionPolicy) @protobuf(5,bytes,opt) +} + +// PriorityClassList is a collection of priority classes. 
+#PriorityClassList: { + metav1.#TypeMeta + + // Standard list metadata + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of PriorityClasses + items: [...#PriorityClass] @go(Items,[]PriorityClass) @protobuf(2,bytes,rep) +} diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/storage/v1/register_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/storage/v1/register_go_gen.cue new file mode 100644 index 000000000..641ce60cc --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/storage/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/storage/v1 + +package v1 + +#GroupName: "storage.k8s.io" diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/storage/v1/types_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/storage/v1/types_go_gen.cue new file mode 100644 index 000000000..b5158650b --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/api/storage/v1/types_go_gen.cue 
@@ -0,0 +1,652 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/storage/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/resource" +) + +// StorageClass describes the parameters for a class of storage for +// which PersistentVolumes can be dynamically provisioned. +// +// StorageClasses are non-namespaced; the name of the storage class +// according to etcd is in ObjectMeta.Name. +#StorageClass: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // provisioner indicates the type of the provisioner. + provisioner: string @go(Provisioner) @protobuf(2,bytes,opt) + + // parameters holds the parameters for the provisioner that should + // create volumes of this storage class. + // +optional + parameters?: {[string]: string} @go(Parameters,map[string]string) @protobuf(3,bytes,rep) + + // reclaimPolicy controls the reclaimPolicy for dynamically provisioned PersistentVolumes of this storage class. + // Defaults to Delete. + // +optional + reclaimPolicy?: null | v1.#PersistentVolumeReclaimPolicy @go(ReclaimPolicy,*v1.PersistentVolumeReclaimPolicy) @protobuf(4,bytes,opt,casttype=k8s.io/api/core/v1.PersistentVolumeReclaimPolicy) + + // mountOptions controls the mountOptions for dynamically provisioned PersistentVolumes of this storage class. + // e.g. ["ro", "soft"]. Not validated - + // mount of the PVs will simply fail if one is invalid. + // +optional + mountOptions?: [...string] @go(MountOptions,[]string) @protobuf(5,bytes,opt) + + // allowVolumeExpansion shows whether the storage class allow volume expand. 
+ // +optional + allowVolumeExpansion?: null | bool @go(AllowVolumeExpansion,*bool) @protobuf(6,varint,opt) + + // volumeBindingMode indicates how PersistentVolumeClaims should be + // provisioned and bound. When unset, VolumeBindingImmediate is used. + // This field is only honored by servers that enable the VolumeScheduling feature. + // +optional + volumeBindingMode?: null | #VolumeBindingMode @go(VolumeBindingMode,*VolumeBindingMode) @protobuf(7,bytes,opt) + + // allowedTopologies restrict the node topologies where volumes can be dynamically provisioned. + // Each volume plugin defines its own supported topology specifications. + // An empty TopologySelectorTerm list means there is no topology restriction. + // This field is only honored by servers that enable the VolumeScheduling feature. + // +optional + // +listType=atomic + allowedTopologies?: [...v1.#TopologySelectorTerm] @go(AllowedTopologies,[]v1.TopologySelectorTerm) @protobuf(8,bytes,rep) +} + +// StorageClassList is a collection of storage classes. +#StorageClassList: { + metav1.#TypeMeta + + // Standard list metadata + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of StorageClasses + items: [...#StorageClass] @go(Items,[]StorageClass) @protobuf(2,bytes,rep) +} + +// VolumeBindingMode indicates how PersistentVolumeClaims should be bound. +// +enum +#VolumeBindingMode: string // #enumVolumeBindingMode + +#enumVolumeBindingMode: + #VolumeBindingImmediate | + #VolumeBindingWaitForFirstConsumer + +// VolumeBindingImmediate indicates that PersistentVolumeClaims should be +// immediately provisioned and bound. This is the default mode. 
+#VolumeBindingImmediate: #VolumeBindingMode & "Immediate" + +// VolumeBindingWaitForFirstConsumer indicates that PersistentVolumeClaims +// should not be provisioned and bound until the first Pod is created that +// references the PeristentVolumeClaim. The volume provisioning and +// binding will occur during Pod scheduing. +#VolumeBindingWaitForFirstConsumer: #VolumeBindingMode & "WaitForFirstConsumer" + +// VolumeAttachment captures the intent to attach or detach the specified volume +// to/from the specified node. +// +// VolumeAttachment objects are non-namespaced. +#VolumeAttachment: { + metav1.#TypeMeta + + // Standard object metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec represents specification of the desired attach/detach volume behavior. + // Populated by the Kubernetes system. + spec: #VolumeAttachmentSpec @go(Spec) @protobuf(2,bytes,opt) + + // status represents status of the VolumeAttachment request. + // Populated by the entity completing the attach or detach + // operation, i.e. the external-attacher. + // +optional + status?: #VolumeAttachmentStatus @go(Status) @protobuf(3,bytes,opt) +} + +// VolumeAttachmentList is a collection of VolumeAttachment objects. +#VolumeAttachmentList: { + metav1.#TypeMeta + + // Standard list metadata + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of VolumeAttachments + items: [...#VolumeAttachment] @go(Items,[]VolumeAttachment) @protobuf(2,bytes,rep) +} + +// VolumeAttachmentSpec is the specification of a VolumeAttachment request. +#VolumeAttachmentSpec: { + // attacher indicates the name of the volume driver that MUST handle this + // request. 
This is the name returned by GetPluginName(). + attacher: string @go(Attacher) @protobuf(1,bytes,opt) + + // source represents the volume that should be attached. + source: #VolumeAttachmentSource @go(Source) @protobuf(2,bytes,opt) + + // nodeName represents the node that the volume should be attached to. + nodeName: string @go(NodeName) @protobuf(3,bytes,opt) +} + +// VolumeAttachmentSource represents a volume that should be attached. +// Right now only PersistenVolumes can be attached via external attacher, +// in future we may allow also inline volumes in pods. +// Exactly one member can be set. +#VolumeAttachmentSource: { + // persistentVolumeName represents the name of the persistent volume to attach. + // +optional + persistentVolumeName?: null | string @go(PersistentVolumeName,*string) @protobuf(1,bytes,opt) + + // inlineVolumeSpec contains all the information necessary to attach + // a persistent volume defined by a pod's inline VolumeSource. This field + // is populated only for the CSIMigration feature. It contains + // translated fields from a pod's inline VolumeSource to a + // PersistentVolumeSpec. This field is beta-level and is only + // honored by servers that enabled the CSIMigration feature. + // +optional + inlineVolumeSpec?: null | v1.#PersistentVolumeSpec @go(InlineVolumeSpec,*v1.PersistentVolumeSpec) @protobuf(2,bytes,opt) +} + +// VolumeAttachmentStatus is the status of a VolumeAttachment request. +#VolumeAttachmentStatus: { + // attached indicates the volume is successfully attached. + // This field must only be set by the entity completing the attach + // operation, i.e. the external-attacher. + attached: bool @go(Attached) @protobuf(1,varint,opt) + + // attachmentMetadata is populated with any + // information returned by the attach operation, upon successful attach, that must be passed + // into subsequent WaitForAttach or Mount calls. + // This field must only be set by the entity completing the attach + // operation, i.e. 
the external-attacher. + // +optional + attachmentMetadata?: {[string]: string} @go(AttachmentMetadata,map[string]string) @protobuf(2,bytes,rep) + + // attachError represents the last error encountered during attach operation, if any. + // This field must only be set by the entity completing the attach + // operation, i.e. the external-attacher. + // +optional + attachError?: null | #VolumeError @go(AttachError,*VolumeError) @protobuf(3,bytes,opt,casttype=VolumeError) + + // detachError represents the last error encountered during detach operation, if any. + // This field must only be set by the entity completing the detach + // operation, i.e. the external-attacher. + // +optional + detachError?: null | #VolumeError @go(DetachError,*VolumeError) @protobuf(4,bytes,opt,casttype=VolumeError) +} + +// VolumeError captures an error encountered during a volume operation. +#VolumeError: { + // time represents the time the error was encountered. + // +optional + time?: metav1.#Time @go(Time) @protobuf(1,bytes,opt) + + // message represents the error encountered during Attach or Detach operation. + // This string may be logged, so it should not contain sensitive + // information. + // +optional + message?: string @go(Message) @protobuf(2,bytes,opt) +} + +// CSIDriver captures information about a Container Storage Interface (CSI) +// volume driver deployed on the cluster. +// Kubernetes attach detach controller uses this object to determine whether attach is required. +// Kubelet uses this object to determine whether pod information needs to be passed on mount. +// CSIDriver objects are non-namespaced. +#CSIDriver: { + metav1.#TypeMeta + + // Standard object metadata. + // metadata.Name indicates the name of the CSI driver that this object + // refers to; it MUST be the same name returned by the CSI GetPluginName() + // call for that driver. 
+ // The driver name must be 63 characters or less, beginning and ending with + // an alphanumeric character ([a-z0-9A-Z]) with dashes (-), dots (.), and + // alphanumerics between. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec represents the specification of the CSI Driver. + spec: #CSIDriverSpec @go(Spec) @protobuf(2,bytes,opt) +} + +// CSIDriverList is a collection of CSIDriver objects. +#CSIDriverList: { + metav1.#TypeMeta + + // Standard list metadata + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of CSIDriver + items: [...#CSIDriver] @go(Items,[]CSIDriver) @protobuf(2,bytes,rep) +} + +// CSIDriverSpec is the specification of a CSIDriver. +#CSIDriverSpec: { + // attachRequired indicates this CSI volume driver requires an attach + // operation (because it implements the CSI ControllerPublishVolume() + // method), and that the Kubernetes attach detach controller should call + // the attach volume interface which checks the volumeattachment status + // and waits until the volume is attached before proceeding to mounting. + // The CSI external-attacher coordinates with CSI volume driver and updates + // the volumeattachment status when the attach operation is complete. + // If the CSIDriverRegistry feature gate is enabled and the value is + // specified to false, the attach operation will be skipped. + // Otherwise the attach operation will be called. + // + // This field is immutable. + // + // +optional + attachRequired?: null | bool @go(AttachRequired,*bool) @protobuf(1,varint,opt) + + // podInfoOnMount indicates this CSI volume driver requires additional pod information (like podName, podUID, etc.) + // during mount operations, if set to true. 
+ // If set to false, pod information will not be passed on mount. + // Default is false. + // + // The CSI driver specifies podInfoOnMount as part of driver deployment. + // If true, Kubelet will pass pod information as VolumeContext in the CSI NodePublishVolume() calls. + // The CSI driver is responsible for parsing and validating the information passed in as VolumeContext. + // + // The following VolumeConext will be passed if podInfoOnMount is set to true. + // This list might grow, but the prefix will be used. + // "csi.storage.k8s.io/pod.name": pod.Name + // "csi.storage.k8s.io/pod.namespace": pod.Namespace + // "csi.storage.k8s.io/pod.uid": string(pod.UID) + // "csi.storage.k8s.io/ephemeral": "true" if the volume is an ephemeral inline volume + // defined by a CSIVolumeSource, otherwise "false" + // + // "csi.storage.k8s.io/ephemeral" is a new feature in Kubernetes 1.16. It is only + // required for drivers which support both the "Persistent" and "Ephemeral" VolumeLifecycleMode. + // Other drivers can leave pod info disabled and/or ignore this field. + // As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when + // deployed on such a cluster and the deployment determines which mode that is, for example + // via a command line parameter of the driver. + // + // This field is immutable. + // + // +optional + podInfoOnMount?: null | bool @go(PodInfoOnMount,*bool) @protobuf(2,bytes,opt) + + // volumeLifecycleModes defines what kind of volumes this CSI volume driver supports. + // The default if the list is empty is "Persistent", which is the usage defined by the + // CSI specification and implemented in Kubernetes via the usual PV/PVC mechanism. + // + // The other mode is "Ephemeral". In this mode, volumes are defined inline inside the pod spec + // with CSIVolumeSource and their lifecycle is tied to the lifecycle of that pod. 
+ // A driver has to be aware of this because it is only going to get a NodePublishVolume call for such a volume. + // + // For more information about implementing this mode, see + // https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html + // A driver can support one or more of these modes and more modes may be added in the future. + // + // This field is beta. + // This field is immutable. + // + // +optional + // +listType=set + volumeLifecycleModes?: [...#VolumeLifecycleMode] @go(VolumeLifecycleModes,[]VolumeLifecycleMode) @protobuf(3,bytes,opt) + + // storageCapacity indicates that the CSI volume driver wants pod scheduling to consider the storage + // capacity that the driver deployment will report by creating + // CSIStorageCapacity objects with capacity information, if set to true. + // + // The check can be enabled immediately when deploying a driver. + // In that case, provisioning new volumes with late binding + // will pause until the driver deployment has published + // some suitable CSIStorageCapacity object. + // + // Alternatively, the driver can be deployed with the field + // unset or false and it can be flipped later when storage + // capacity information has been published. + // + // This field was immutable in Kubernetes <= 1.22 and now is mutable. + // + // +optional + // +featureGate=CSIStorageCapacity + storageCapacity?: null | bool @go(StorageCapacity,*bool) @protobuf(4,bytes,opt) + + // fsGroupPolicy defines if the underlying volume supports changing ownership and + // permission of the volume before being mounted. + // Refer to the specific FSGroupPolicy values for additional details. + // + // This field is immutable. + // + // Defaults to ReadWriteOnceWithFSType, which will examine each volume + // to determine if Kubernetes should modify ownership and permissions of the volume. 
+ // With the default policy the defined fsGroup will only be applied + // if a fstype is defined and the volume's access mode contains ReadWriteOnce. + // + // +optional + fsGroupPolicy?: null | #FSGroupPolicy @go(FSGroupPolicy,*FSGroupPolicy) @protobuf(5,bytes,opt) + + // tokenRequests indicates the CSI driver needs pods' service account + // tokens it is mounting volume for to do necessary authentication. Kubelet + // will pass the tokens in VolumeContext in the CSI NodePublishVolume calls. + // The CSI driver should parse and validate the following VolumeContext: + // "csi.storage.k8s.io/serviceAccount.tokens": { + // "": { + // "token": , + // "expirationTimestamp": , + // }, + // ... + // } + // + // Note: Audience in each TokenRequest should be different and at + // most one token is empty string. To receive a new token after expiry, + // RequiresRepublish can be used to trigger NodePublishVolume periodically. + // + // +optional + // +listType=atomic + tokenRequests?: [...#TokenRequest] @go(TokenRequests,[]TokenRequest) @protobuf(6,bytes,opt) + + // requiresRepublish indicates the CSI driver wants `NodePublishVolume` + // being periodically called to reflect any possible change in the mounted + // volume. This field defaults to false. + // + // Note: After a successful initial NodePublishVolume call, subsequent calls + // to NodePublishVolume should only update the contents of the volume. New + // mount points will not be seen by a running container. + // + // +optional + requiresRepublish?: null | bool @go(RequiresRepublish,*bool) @protobuf(7,varint,opt) + + // seLinuxMount specifies if the CSI driver supports "-o context" + // mount option. + // + // When "true", the CSI driver must ensure that all volumes provided by this CSI + // driver can be mounted separately with different `-o context` options. This is + // typical for storage backends that provide volumes as filesystems on block + // devices or as independent shared volumes. 
+ // Kubernetes will call NodeStage / NodePublish with "-o context=xyz" mount + // option when mounting a ReadWriteOncePod volume used in Pod that has + // explicitly set SELinux context. In the future, it may be expanded to other + // volume AccessModes. In any case, Kubernetes will ensure that the volume is + // mounted only with a single SELinux context. + // + // When "false", Kubernetes won't pass any special SELinux mount options to the driver. + // This is typical for volumes that represent subdirectories of a bigger shared filesystem. + // + // Default is "false". + // + // +featureGate=SELinuxMountReadWriteOncePod + // +optional + seLinuxMount?: null | bool @go(SELinuxMount,*bool) @protobuf(8,varint,opt) +} + +// FSGroupPolicy specifies if a CSI Driver supports modifying +// volume ownership and permissions of the volume to be mounted. +// More modes may be added in the future. +#FSGroupPolicy: string // #enumFSGroupPolicy + +#enumFSGroupPolicy: + #ReadWriteOnceWithFSTypeFSGroupPolicy | + #FileFSGroupPolicy | + #NoneFSGroupPolicy + +// ReadWriteOnceWithFSTypeFSGroupPolicy indicates that each volume will be examined +// to determine if the volume ownership and permissions +// should be modified. If a fstype is defined and the volume's access mode +// contains ReadWriteOnce, then the defined fsGroup will be applied. +// This mode should be defined if it's expected that the +// fsGroup may need to be modified depending on the pod's SecurityPolicy. +// This is the default behavior if no other FSGroupPolicy is defined. +#ReadWriteOnceWithFSTypeFSGroupPolicy: #FSGroupPolicy & "ReadWriteOnceWithFSType" + +// FileFSGroupPolicy indicates that CSI driver supports volume ownership +// and permission change via fsGroup, and Kubernetes will change the permissions +// and ownership of every file in the volume to match the user requested fsGroup in +// the pod's SecurityPolicy regardless of fstype or access mode. 
+// Use this mode if Kubernetes should modify the permissions and ownership +// of the volume. +#FileFSGroupPolicy: #FSGroupPolicy & "File" + +// NoneFSGroupPolicy indicates that volumes will be mounted without performing +// any ownership or permission modifications, as the CSIDriver does not support +// these operations. +// This mode should be selected if the CSIDriver does not support fsGroup modifications, +// for example when Kubernetes cannot change ownership and permissions on a volume due +// to root-squash settings on a NFS volume. +#NoneFSGroupPolicy: #FSGroupPolicy & "None" + +// VolumeLifecycleMode is an enumeration of possible usage modes for a volume +// provided by a CSI driver. More modes may be added in the future. +#VolumeLifecycleMode: string // #enumVolumeLifecycleMode + +#enumVolumeLifecycleMode: + #VolumeLifecyclePersistent | + #VolumeLifecycleEphemeral + +// TokenRequest contains parameters of a service account token. +#TokenRequest: { + // audience is the intended audience of the token in "TokenRequestSpec". + // It will default to the audiences of kube apiserver. + audience: string @go(Audience) @protobuf(1,bytes,opt) + + // expirationSeconds is the duration of validity of the token in "TokenRequestSpec". + // It has the same default value of "ExpirationSeconds" in "TokenRequestSpec". + // + // +optional + expirationSeconds?: null | int64 @go(ExpirationSeconds,*int64) @protobuf(2,varint,opt) +} + +// VolumeLifecyclePersistent explicitly confirms that the driver implements +// the full CSI spec. It is the default when CSIDriverSpec.VolumeLifecycleModes is not +// set. Such volumes are managed in Kubernetes via the persistent volume +// claim mechanism and have a lifecycle that is independent of the pods which +// use them. +#VolumeLifecyclePersistent: #VolumeLifecycleMode & "Persistent" + +// VolumeLifecycleEphemeral indicates that the driver can be used for +// ephemeral inline volumes. 
Such volumes are specified inside the pod +// spec with a CSIVolumeSource and, as far as Kubernetes is concerned, have +// a lifecycle that is tied to the lifecycle of the pod. For example, such +// a volume might contain data that gets created specifically for that pod, +// like secrets. +// But how the volume actually gets created and managed is entirely up to +// the driver. It might also use reference counting to share the same volume +// instance among different pods if the CSIVolumeSource of those pods is +// identical. +#VolumeLifecycleEphemeral: #VolumeLifecycleMode & "Ephemeral" + +// CSINode holds information about all CSI drivers installed on a node. +// CSI drivers do not need to create the CSINode object directly. As long as +// they use the node-driver-registrar sidecar container, the kubelet will +// automatically populate the CSINode object for the CSI driver as part of +// kubelet plugin registration. +// CSINode has the same name as a node. If the object is missing, it means either +// there are no CSI Drivers available on the node, or the Kubelet version is low +// enough that it doesn't create this object. +// CSINode has an OwnerReference that points to the corresponding node object. +#CSINode: { + metav1.#TypeMeta + + // Standard object's metadata. + // metadata.name must be the Kubernetes node name. + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec is the specification of CSINode + spec: #CSINodeSpec @go(Spec) @protobuf(2,bytes,opt) +} + +// CSINodeSpec holds information about the specification of all CSI drivers installed on a node +#CSINodeSpec: { + // drivers is a list of information of all CSI Drivers existing on a node. + // If all drivers in the list are uninstalled, this can become empty. 
+ // +patchMergeKey=name + // +patchStrategy=merge + drivers: [...#CSINodeDriver] @go(Drivers,[]CSINodeDriver) @protobuf(1,bytes,rep) +} + +// CSINodeDriver holds information about the specification of one CSI driver installed on a node +#CSINodeDriver: { + // name represents the name of the CSI driver that this object refers to. + // This MUST be the same name returned by the CSI GetPluginName() call for + // that driver. + name: string @go(Name) @protobuf(1,bytes,opt) + + // nodeID of the node from the driver point of view. + // This field enables Kubernetes to communicate with storage systems that do + // not share the same nomenclature for nodes. For example, Kubernetes may + // refer to a given node as "node1", but the storage system may refer to + // the same node as "nodeA". When Kubernetes issues a command to the storage + // system to attach a volume to a specific node, it can use this field to + // refer to the node name using the ID that the storage system will + // understand, e.g. "nodeA" instead of "node1". This field is required. + nodeID: string @go(NodeID) @protobuf(2,bytes,opt) + + // topologyKeys is the list of keys supported by the driver. + // When a driver is initialized on a cluster, it provides a set of topology + // keys that it understands (e.g. "company.com/zone", "company.com/region"). + // When a driver is initialized on a node, it provides the same topology keys + // along with values. Kubelet will expose these topology keys as labels + // on its own node object. + // When Kubernetes does topology aware provisioning, it can use this list to + // determine which labels it should retrieve from the node object and pass + // back to the driver. + // It is possible for different nodes to use different topology keys. + // This can be empty if driver does not support topology. 
+ // +optional + topologyKeys: [...string] @go(TopologyKeys,[]string) @protobuf(3,bytes,rep) + + // allocatable represents the volume resources of a node that are available for scheduling. + // This field is beta. + // +optional + allocatable?: null | #VolumeNodeResources @go(Allocatable,*VolumeNodeResources) @protobuf(4,bytes,opt) +} + +// VolumeNodeResources is a set of resource limits for scheduling of volumes. +#VolumeNodeResources: { + // count indicates the maximum number of unique volumes managed by the CSI driver that can be used on a node. + // A volume that is both attached and mounted on a node is considered to be used once, not twice. + // The same rule applies for a unique volume that is shared among multiple pods on the same node. + // If this field is not specified, then the supported number of volumes on this node is unbounded. + // +optional + count?: null | int32 @go(Count,*int32) @protobuf(1,varint,opt) +} + +// CSINodeList is a collection of CSINode objects. +#CSINodeList: { + metav1.#TypeMeta + + // Standard list metadata + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of CSINode + items: [...#CSINode] @go(Items,[]CSINode) @protobuf(2,bytes,rep) +} + +// CSIStorageCapacity stores the result of one CSI GetCapacity call. +// For a given StorageClass, this describes the available capacity in a +// particular topology segment. This can be used when considering where to +// instantiate new PersistentVolumes. 
+// +// For example this can express things like: +// - StorageClass "standard" has "1234 GiB" available in "topology.kubernetes.io/zone=us-east1" +// - StorageClass "localssd" has "10 GiB" available in "kubernetes.io/hostname=knode-abc123" +// +// The following three cases all imply that no capacity is available for +// a certain combination: +// - no object exists with suitable topology and storage class name +// - such an object exists, but the capacity is unset +// - such an object exists, but the capacity is zero +// +// The producer of these objects can decide which approach is more suitable. +// +// They are consumed by the kube-scheduler when a CSI driver opts into +// capacity-aware scheduling with CSIDriverSpec.StorageCapacity. The scheduler +// compares the MaximumVolumeSize against the requested size of pending volumes +// to filter out unsuitable nodes. If MaximumVolumeSize is unset, it falls back +// to a comparison against the less precise Capacity. If that is also unset, +// the scheduler assumes that capacity is insufficient and tries some other +// node. +#CSIStorageCapacity: { + metav1.#TypeMeta + + // Standard object's metadata. + // The name has no particular meaning. It must be a DNS subdomain (dots allowed, 253 characters). + // To ensure that there are no conflicts with other CSI drivers on the cluster, + // the recommendation is to use csisc-, a generated name, or a reverse-domain name + // which ends with the unique CSI driver name. + // + // Objects are namespaced. + // + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // nodeTopology defines which nodes have access to the storage + // for which capacity was reported. If not set, the storage is + // not accessible from any node in the cluster. If empty, the + // storage is accessible from all nodes. This field is + // immutable. 
+ // + // +optional + nodeTopology?: null | metav1.#LabelSelector @go(NodeTopology,*metav1.LabelSelector) @protobuf(2,bytes,opt) + + // storageClassName represents the name of the StorageClass that the reported capacity applies to. + // It must meet the same requirements as the name of a StorageClass + // object (non-empty, DNS subdomain). If that object no longer exists, + // the CSIStorageCapacity object is obsolete and should be removed by its + // creator. + // This field is immutable. + storageClassName: string @go(StorageClassName) @protobuf(3,bytes) + + // capacity is the value reported by the CSI driver in its GetCapacityResponse + // for a GetCapacityRequest with topology and parameters that match the + // previous fields. + // + // The semantic is currently (CSI spec 1.2) defined as: + // The available capacity, in bytes, of the storage that can be used + // to provision volumes. If not set, that information is currently + // unavailable. + // + // +optional + capacity?: null | resource.#Quantity @go(Capacity,*resource.Quantity) @protobuf(4,bytes,opt) + + // maximumVolumeSize is the value reported by the CSI driver in its GetCapacityResponse + // for a GetCapacityRequest with topology and parameters that match the + // previous fields. + // + // This is defined since CSI spec 1.4.0 as the largest size + // that may be used in a + // CreateVolumeRequest.capacity_range.required_bytes field to + // create a volume with the same parameters as those in + // GetCapacityRequest. The corresponding value in the Kubernetes + // API is ResourceRequirements.Requests in a volume claim. + // + // +optional + maximumVolumeSize?: null | resource.#Quantity @go(MaximumVolumeSize,*resource.Quantity) @protobuf(5,bytes,opt) +} + +// CSIStorageCapacityList is a collection of CSIStorageCapacity objects. 
+#CSIStorageCapacityList: { + metav1.#TypeMeta + + // Standard list metadata + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of CSIStorageCapacity objects. + // +listType=map + // +listMapKey=name + items: [...#CSIStorageCapacity] @go(Items,[]CSIStorageCapacity) @protobuf(2,bytes,rep) +} diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/doc_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/doc_go_gen.cue new file mode 100644 index 000000000..083aa825b --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/doc_go_gen.cue @@ -0,0 +1,6 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1 + +// Package v1 is the v1 version of the API. +package v1 diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/register_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/register_go_gen.cue new file mode 100644 index 000000000..c4ce800f4 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1 + +package v1 + +#GroupName: "apiextensions.k8s.io" diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_go_gen.cue new file mode 100644 index 000000000..b938c8ba0 --- /dev/null 
+++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_go_gen.cue 
@@ -0,0 +1,513 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + "k8s.io/apimachinery/pkg/runtime" +) + +// ConversionStrategyType describes different conversion types. +#ConversionStrategyType: string // #enumConversionStrategyType + +#enumConversionStrategyType: + #NoneConverter | + #WebhookConverter + +// KubeAPIApprovedAnnotation is an annotation that must be set to create a CRD for the k8s.io, *.k8s.io, kubernetes.io, or *.kubernetes.io namespaces. +// The value should be a link to a URL where the current spec was approved, so updates to the spec should also update the URL. +// If the API is unapproved, you may set the annotation to a string starting with `"unapproved"`. For instance, `"unapproved, temporarily squatting"` or `"unapproved, experimental-only"`. This is discouraged. +#KubeAPIApprovedAnnotation: "api-approved.kubernetes.io" + +// NoneConverter is a converter that only sets apiversion of the CR and leave everything else unchanged. +#NoneConverter: #ConversionStrategyType & "None" + +// WebhookConverter is a converter that calls to an external webhook to convert the CR. +#WebhookConverter: #ConversionStrategyType & "Webhook" + +// CustomResourceDefinitionSpec describes how a user wants their resource to appear +#CustomResourceDefinitionSpec: { + // group is the API group of the defined custom resource. + // The custom resources are served under `/apis//...`. + // Must match the name of the CustomResourceDefinition (in the form `.`). + group: string @go(Group) @protobuf(1,bytes,opt) + + // names specify the resource and kind names for the custom resource. + names: #CustomResourceDefinitionNames @go(Names) @protobuf(3,bytes,opt) + + // scope indicates whether the defined custom resource is cluster- or namespace-scoped. 
+ // Allowed values are `Cluster` and `Namespaced`. + scope: #ResourceScope @go(Scope) @protobuf(4,bytes,opt,casttype=ResourceScope) + + // versions is the list of all API versions of the defined custom resource. + // Version names are used to compute the order in which served versions are listed in API discovery. + // If the version string is "kube-like", it will sort above non "kube-like" version strings, which are ordered + // lexicographically. "Kube-like" versions start with a "v", then are followed by a number (the major version), + // then optionally the string "alpha" or "beta" and another number (the minor version). These are sorted first + // by GA > beta > alpha (where GA is a version with no suffix such as beta or alpha), and then by comparing + // major version, then minor version. An example sorted list of versions: + // v10, v2, v1, v11beta2, v10beta3, v3beta1, v12alpha1, v11alpha2, foo1, foo10. + versions: [...#CustomResourceDefinitionVersion] @go(Versions,[]CustomResourceDefinitionVersion) @protobuf(7,bytes,rep) + + // conversion defines conversion settings for the CRD. + // +optional + conversion?: null | #CustomResourceConversion @go(Conversion,*CustomResourceConversion) @protobuf(9,bytes,opt) + + // preserveUnknownFields indicates that object fields which are not specified + // in the OpenAPI schema should be preserved when persisting to storage. + // apiVersion, kind, metadata and known fields inside metadata are always preserved. + // This field is deprecated in favor of setting `x-preserve-unknown-fields` to true in `spec.versions[*].schema.openAPIV3Schema`. + // See https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#field-pruning for details. + // +optional + preserveUnknownFields?: bool @go(PreserveUnknownFields) @protobuf(10,varint,opt) +} + +// CustomResourceConversion describes how to convert different versions of a CR. 
+#CustomResourceConversion: { + // strategy specifies how custom resources are converted between versions. Allowed values are: + // - `"None"`: The converter only change the apiVersion and would not touch any other field in the custom resource. + // - `"Webhook"`: API Server will call to an external webhook to do the conversion. Additional information + // is needed for this option. This requires spec.preserveUnknownFields to be false, and spec.conversion.webhook to be set. + strategy: #ConversionStrategyType @go(Strategy) @protobuf(1,bytes) + + // webhook describes how to call the conversion webhook. Required when `strategy` is set to `"Webhook"`. + // +optional + webhook?: null | #WebhookConversion @go(Webhook,*WebhookConversion) @protobuf(2,bytes,opt) +} + +// WebhookConversion describes how to call a conversion webhook +#WebhookConversion: { + // clientConfig is the instructions for how to call the webhook if strategy is `Webhook`. + // +optional + clientConfig?: null | #WebhookClientConfig @go(ClientConfig,*WebhookClientConfig) @protobuf(2,bytes) + + // conversionReviewVersions is an ordered list of preferred `ConversionReview` + // versions the Webhook expects. The API server will use the first version in + // the list which it supports. If none of the versions specified in this list + // are supported by API server, conversion will fail for the custom resource. + // If a persisted Webhook configuration specifies allowed versions and does not + // include any versions known to the API Server, calls to the webhook will fail. + conversionReviewVersions: [...string] @go(ConversionReviewVersions,[]string) @protobuf(3,bytes,rep) +} + +// WebhookClientConfig contains the information to make a TLS connection with the webhook. +#WebhookClientConfig: { + // url gives the location of the webhook, in standard URL form + // (`scheme://host:port/path`). Exactly one of `url` or `service` + // must be specified. 
+ // + // The `host` should not refer to a service running in the cluster; use + // the `service` field instead. The host might be resolved via external + // DNS in some apiservers (e.g., `kube-apiserver` cannot resolve + // in-cluster DNS as that would be a layering violation). `host` may + // also be an IP address. + // + // Please note that using `localhost` or `127.0.0.1` as a `host` is + // risky unless you take great care to run this webhook on all hosts + // which run an apiserver which might need to make calls to this + // webhook. Such installs are likely to be non-portable, i.e., not easy + // to turn up in a new cluster. + // + // The scheme must be "https"; the URL must begin with "https://". + // + // A path is optional, and if present may be any string permissible in + // a URL. You may use the path to pass an arbitrary string to the + // webhook, for example, a cluster identifier. + // + // Attempting to use a user or basic auth e.g. "user:password@" is not + // allowed. Fragments ("#...") and query parameters ("?...") are not + // allowed, either. + // + // +optional + url?: null | string @go(URL,*string) @protobuf(3,bytes,opt) + + // service is a reference to the service for this webhook. Either + // service or url must be specified. + // + // If the webhook is running within the cluster, then you should use `service`. + // + // +optional + service?: null | #ServiceReference @go(Service,*ServiceReference) @protobuf(1,bytes,opt) + + // caBundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. + // If unspecified, system trust roots on the apiserver are used. + // +optional + caBundle?: bytes @go(CABundle,[]byte) @protobuf(2,bytes,opt) +} + +// ServiceReference holds a reference to Service.legacy.k8s.io +#ServiceReference: { + // namespace is the namespace of the service. + // Required + namespace: string @go(Namespace) @protobuf(1,bytes,opt) + + // name is the name of the service. 
+ // Required + name: string @go(Name) @protobuf(2,bytes,opt) + + // path is an optional URL path at which the webhook will be contacted. + // +optional + path?: null | string @go(Path,*string) @protobuf(3,bytes,opt) + + // port is an optional service port at which the webhook will be contacted. + // `port` should be a valid port number (1-65535, inclusive). + // Defaults to 443 for backward compatibility. + // +optional + port?: null | int32 @go(Port,*int32) @protobuf(4,varint,opt) +} + +// CustomResourceDefinitionVersion describes a version for CRD. +#CustomResourceDefinitionVersion: { + // name is the version name, e.g. “v1”, “v2beta1”, etc. + // The custom resources are served under this version at `/apis///...` if `served` is true. + name: string @go(Name) @protobuf(1,bytes,opt) + + // served is a flag enabling/disabling this version from being served via REST APIs + served: bool @go(Served) @protobuf(2,varint,opt) + + // storage indicates this version should be used when persisting custom resources to storage. + // There must be exactly one version with storage=true. + storage: bool @go(Storage) @protobuf(3,varint,opt) + + // deprecated indicates this version of the custom resource API is deprecated. + // When set to true, API requests to this version receive a warning header in the server response. + // Defaults to false. + // +optional + deprecated?: bool @go(Deprecated) @protobuf(7,varint,opt) + + // deprecationWarning overrides the default warning returned to API clients. + // May only be set when `deprecated` is true. + // The default warning indicates this version is deprecated and recommends use + // of the newest served version of equal or greater stability, if one exists. + // +optional + deprecationWarning?: null | string @go(DeprecationWarning,*string) @protobuf(8,bytes,opt) + + // schema describes the schema used for validation, pruning, and defaulting of this version of the custom resource. 
+ // +optional + schema?: null | #CustomResourceValidation @go(Schema,*CustomResourceValidation) @protobuf(4,bytes,opt) + + // subresources specify what subresources this version of the defined custom resource have. + // +optional + subresources?: null | #CustomResourceSubresources @go(Subresources,*CustomResourceSubresources) @protobuf(5,bytes,opt) + + // additionalPrinterColumns specifies additional columns returned in Table output. + // See https://kubernetes.io/docs/reference/using-api/api-concepts/#receiving-resources-as-tables for details. + // If no columns are specified, a single column displaying the age of the custom resource is used. + // +optional + additionalPrinterColumns?: [...#CustomResourceColumnDefinition] @go(AdditionalPrinterColumns,[]CustomResourceColumnDefinition) @protobuf(6,bytes,rep) +} + +// CustomResourceColumnDefinition specifies a column for server side printing. +#CustomResourceColumnDefinition: { + // name is a human readable name for the column. + name: string @go(Name) @protobuf(1,bytes,opt) + + // type is an OpenAPI type definition for this column. + // See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details. + type: string @go(Type) @protobuf(2,bytes,opt) + + // format is an optional OpenAPI type definition for this column. The 'name' format is applied + // to the primary identifier column to assist in clients identifying column is the resource name. + // See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details. + // +optional + format?: string @go(Format) @protobuf(3,bytes,opt) + + // description is a human readable description of this column. + // +optional + description?: string @go(Description) @protobuf(4,bytes,opt) + + // priority is an integer defining the relative importance of this column compared to others. Lower + // numbers are considered higher priority. 
Columns that may be omitted in limited space scenarios + // should be given a priority greater than 0. + // +optional + priority?: int32 @go(Priority) @protobuf(5,bytes,opt) + + // jsonPath is a simple JSON path (i.e. with array notation) which is evaluated against + // each custom resource to produce the value for this column. + jsonPath: string @go(JSONPath) @protobuf(6,bytes,opt) +} + +// CustomResourceDefinitionNames indicates the names to serve this CustomResourceDefinition +#CustomResourceDefinitionNames: { + // plural is the plural name of the resource to serve. + // The custom resources are served under `/apis///.../`. + // Must match the name of the CustomResourceDefinition (in the form `.`). + // Must be all lowercase. + plural: string @go(Plural) @protobuf(1,bytes,opt) + + // singular is the singular name of the resource. It must be all lowercase. Defaults to lowercased `kind`. + // +optional + singular?: string @go(Singular) @protobuf(2,bytes,opt) + + // shortNames are short names for the resource, exposed in API discovery documents, + // and used by clients to support invocations like `kubectl get `. + // It must be all lowercase. + // +optional + shortNames?: [...string] @go(ShortNames,[]string) @protobuf(3,bytes,opt) + + // kind is the serialized kind of the resource. It is normally CamelCase and singular. + // Custom resource instances will use this value as the `kind` attribute in API calls. + kind: string @go(Kind) @protobuf(4,bytes,opt) + + // listKind is the serialized kind of the list for this resource. Defaults to "`kind`List". + // +optional + listKind?: string @go(ListKind) @protobuf(5,bytes,opt) + + // categories is a list of grouped resources this custom resource belongs to (e.g. 'all'). + // This is published in API discovery documents, and used by clients to support invocations like + // `kubectl get all`. 
+ // +optional + categories?: [...string] @go(Categories,[]string) @protobuf(6,bytes,rep) +} + +// ResourceScope is an enum defining the different scopes available to a custom resource +#ResourceScope: string // #enumResourceScope + +#enumResourceScope: + #ClusterScoped | + #NamespaceScoped + +#ClusterScoped: #ResourceScope & "Cluster" +#NamespaceScoped: #ResourceScope & "Namespaced" + +#ConditionStatus: string // #enumConditionStatus + +#enumConditionStatus: + #ConditionTrue | + #ConditionFalse | + #ConditionUnknown + +#ConditionTrue: #ConditionStatus & "True" +#ConditionFalse: #ConditionStatus & "False" +#ConditionUnknown: #ConditionStatus & "Unknown" + +// CustomResourceDefinitionConditionType is a valid value for CustomResourceDefinitionCondition.Type +#CustomResourceDefinitionConditionType: string // #enumCustomResourceDefinitionConditionType + +#enumCustomResourceDefinitionConditionType: + #Established | + #NamesAccepted | + #NonStructuralSchema | + #Terminating | + #KubernetesAPIApprovalPolicyConformant + +// Established means that the resource has become active. A resource is established when all names are +// accepted without a conflict for the first time. A resource stays established until deleted, even during +// a later NamesAccepted due to changed names. Note that not all names can be changed. +#Established: #CustomResourceDefinitionConditionType & "Established" + +// NamesAccepted means the names chosen for this CustomResourceDefinition do not conflict with others in +// the group and are therefore accepted. +#NamesAccepted: #CustomResourceDefinitionConditionType & "NamesAccepted" + +// NonStructuralSchema means that one or more OpenAPI schema is not structural. 
+// +// A schema is structural if it specifies types for all values, with the only exceptions of those with +// - x-kubernetes-int-or-string: true — for fields which can be integer or string +// - x-kubernetes-preserve-unknown-fields: true — for raw, unspecified JSON values +// and there is no type, additionalProperties, default, nullable or x-kubernetes-* vendor extenions +// specified under allOf, anyOf, oneOf or not. +// +// Non-structural schemas will not be allowed anymore in v1 API groups. Moreover, new features will not be +// available for non-structural CRDs: +// - pruning +// - defaulting +// - read-only +// - OpenAPI publishing +// - webhook conversion +#NonStructuralSchema: #CustomResourceDefinitionConditionType & "NonStructuralSchema" + +// Terminating means that the CustomResourceDefinition has been deleted and is cleaning up. +#Terminating: #CustomResourceDefinitionConditionType & "Terminating" + +// KubernetesAPIApprovalPolicyConformant indicates that an API in *.k8s.io or *.kubernetes.io is or is not approved. For CRDs +// outside those groups, this condition will not be set. For CRDs inside those groups, the condition will +// be true if .metadata.annotations["api-approved.kubernetes.io"] is set to a URL, otherwise it will be false. +// See https://github.com/kubernetes/enhancements/pull/1111 for more details. +#KubernetesAPIApprovalPolicyConformant: #CustomResourceDefinitionConditionType & "KubernetesAPIApprovalPolicyConformant" + +// CustomResourceDefinitionCondition contains details for the current condition of this pod. +#CustomResourceDefinitionCondition: { + // type is the type of the condition. Types include Established, NamesAccepted and Terminating. + type: #CustomResourceDefinitionConditionType @go(Type) @protobuf(1,bytes,opt,casttype=CustomResourceDefinitionConditionType) + + // status is the status of the condition. + // Can be True, False, Unknown. 
+ status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus) + + // lastTransitionTime last time the condition transitioned from one status to another. + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt) + + // reason is a unique, one-word, CamelCase reason for the condition's last transition. + // +optional + reason?: string @go(Reason) @protobuf(4,bytes,opt) + + // message is a human-readable message indicating details about last transition. + // +optional + message?: string @go(Message) @protobuf(5,bytes,opt) +} + +// CustomResourceDefinitionStatus indicates the state of the CustomResourceDefinition +#CustomResourceDefinitionStatus: { + // conditions indicate state for particular aspects of a CustomResourceDefinition + // +optional + // +listType=map + // +listMapKey=type + conditions: [...#CustomResourceDefinitionCondition] @go(Conditions,[]CustomResourceDefinitionCondition) @protobuf(1,bytes,opt) + + // acceptedNames are the names that are actually being used to serve discovery. + // They may be different than the names in spec. + // +optional + acceptedNames: #CustomResourceDefinitionNames @go(AcceptedNames) @protobuf(2,bytes,opt) + + // storedVersions lists all versions of CustomResources that were ever persisted. Tracking these + // versions allows a migration path for stored versions in etcd. The field is mutable + // so a migration controller can finish a migration to another version (ensuring + // no old objects are left in storage), and then remove the rest of the + // versions from this list. + // Versions may not be removed from `spec.versions` while they exist in this list. + // +optional + storedVersions: [...string] @go(StoredVersions,[]string) @protobuf(3,bytes,rep) +} + +#CustomResourceCleanupFinalizer: "customresourcecleanup.apiextensions.k8s.io" + +// CustomResourceDefinition represents a resource that should be exposed on the API server. 
Its name MUST be in the format +// <.spec.name>.<.spec.group>. +#CustomResourceDefinition: { + metav1.#TypeMeta + + // Standard object's metadata + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec describes how the user wants the resources to appear + spec: #CustomResourceDefinitionSpec @go(Spec) @protobuf(2,bytes,opt) + + // status indicates the actual state of the CustomResourceDefinition + // +optional + status?: #CustomResourceDefinitionStatus @go(Status) @protobuf(3,bytes,opt) +} + +// CustomResourceDefinitionList is a list of CustomResourceDefinition objects. +#CustomResourceDefinitionList: { + metav1.#TypeMeta + + // Standard object's metadata + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items list individual CustomResourceDefinition objects + items: [...#CustomResourceDefinition] @go(Items,[]CustomResourceDefinition) @protobuf(2,bytes,rep) +} + +// CustomResourceValidation is a list of validation methods for CustomResources. +#CustomResourceValidation: { + // openAPIV3Schema is the OpenAPI v3 schema to use for validation and pruning. + // +optional + openAPIV3Schema?: null | #JSONSchemaProps @go(OpenAPIV3Schema,*JSONSchemaProps) @protobuf(1,bytes,opt) +} + +// CustomResourceSubresources defines the status and scale subresources for CustomResources. +#CustomResourceSubresources: { + // status indicates the custom resource should serve a `/status` subresource. + // When enabled: + // 1. requests to the custom resource primary endpoint ignore changes to the `status` stanza of the object. + // 2. requests to the custom resource `/status` subresource ignore changes to anything other than the `status` stanza of the object. 
+ // +optional + status?: null | #CustomResourceSubresourceStatus @go(Status,*CustomResourceSubresourceStatus) @protobuf(1,bytes,opt) + + // scale indicates the custom resource should serve a `/scale` subresource that returns an `autoscaling/v1` Scale object. + // +optional + scale?: null | #CustomResourceSubresourceScale @go(Scale,*CustomResourceSubresourceScale) @protobuf(2,bytes,opt) +} + +// CustomResourceSubresourceStatus defines how to serve the status subresource for CustomResources. +// Status is represented by the `.status` JSON path inside of a CustomResource. When set, +// * exposes a /status subresource for the custom resource +// * PUT requests to the /status subresource take a custom resource object, and ignore changes to anything except the status stanza +// * PUT/POST/PATCH requests to the custom resource ignore changes to the status stanza +#CustomResourceSubresourceStatus: { +} + +// CustomResourceSubresourceScale defines how to serve the scale subresource for CustomResources. +#CustomResourceSubresourceScale: { + // specReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `spec.replicas`. + // Only JSON paths without the array notation are allowed. + // Must be a JSON Path under `.spec`. + // If there is no value under the given path in the custom resource, the `/scale` subresource will return an error on GET. + specReplicasPath: string @go(SpecReplicasPath) @protobuf(1,bytes) + + // statusReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `status.replicas`. + // Only JSON paths without the array notation are allowed. + // Must be a JSON Path under `.status`. + // If there is no value under the given path in the custom resource, the `status.replicas` value in the `/scale` subresource + // will default to 0. 
+ statusReplicasPath: string @go(StatusReplicasPath) @protobuf(2,bytes,opt) + + // labelSelectorPath defines the JSON path inside of a custom resource that corresponds to Scale `status.selector`. + // Only JSON paths without the array notation are allowed. + // Must be a JSON Path under `.status` or `.spec`. + // Must be set to work with HorizontalPodAutoscaler. + // The field pointed by this JSON path must be a string field (not a complex selector struct) + // which contains a serialized label selector in string form. + // More info: https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions#scale-subresource + // If there is no value under the given path in the custom resource, the `status.selector` value in the `/scale` + // subresource will default to the empty string. + // +optional + labelSelectorPath?: null | string @go(LabelSelectorPath,*string) @protobuf(3,bytes,opt) +} + +// ConversionReview describes a conversion request/response. +#ConversionReview: { + metav1.#TypeMeta + + // request describes the attributes for the conversion request. + // +optional + request?: null | #ConversionRequest @go(Request,*ConversionRequest) @protobuf(1,bytes,opt) + + // response describes the attributes for the conversion response. + // +optional + response?: null | #ConversionResponse @go(Response,*ConversionResponse) @protobuf(2,bytes,opt) +} + +// ConversionRequest describes the conversion request parameters. +#ConversionRequest: { + // uid is an identifier for the individual request/response. It allows distinguishing instances of requests which are + // otherwise identical (parallel requests, etc). + // The UID is meant to track the round trip (request/response) between the Kubernetes API server and the webhook, not the user request. + // It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging. 
+ uid: types.#UID @go(UID) @protobuf(1,bytes) + + // desiredAPIVersion is the version to convert given objects to. e.g. "myapi.example.com/v1" + desiredAPIVersion: string @go(DesiredAPIVersion) @protobuf(2,bytes) + + // objects is the list of custom resource objects to be converted. + objects: [...runtime.#RawExtension] @go(Objects,[]runtime.RawExtension) @protobuf(3,bytes,rep) +} + +// ConversionResponse describes a conversion response. +#ConversionResponse: { + // uid is an identifier for the individual request/response. + // This should be copied over from the corresponding `request.uid`. + uid: types.#UID @go(UID) @protobuf(1,bytes) + + // convertedObjects is the list of converted version of `request.objects` if the `result` is successful, otherwise empty. + // The webhook is expected to set `apiVersion` of these objects to the `request.desiredAPIVersion`. The list + // must also have the same size as the input list with the same objects in the same order (equal kind, metadata.uid, metadata.name and metadata.namespace). + // The webhook is allowed to mutate labels and annotations. Any other change to the metadata is silently ignored. + convertedObjects: [...runtime.#RawExtension] @go(ConvertedObjects,[]runtime.RawExtension) @protobuf(2,bytes,rep) + + // result contains the result of conversion with extra details if the conversion failed. `result.status` determines if + // the conversion failed or succeeded. The `result.status` field is required and represents the success or failure of the + // conversion. A successful conversion must set `result.status` to `Success`. A failed conversion must set + // `result.status` to `Failure` and provide more details in `result.message` and return http status 200. The `result.message` + // will be used to construct an error message for the end user. + result: metav1.#Status @go(Result) @protobuf(3,bytes) +} 
diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_jsonschema_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_jsonschema_go_gen.cue new file mode 100644 index 000000000..19f42c1ff --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_jsonschema_go_gen.cue 
@@ -0,0 +1,317 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1 + +package v1 + +// FieldValueErrorReason is a machine-readable value providing more detail about why a field failed the validation. +// +enum +#FieldValueErrorReason: string // #enumFieldValueErrorReason + +#enumFieldValueErrorReason: + #FieldValueRequired | + #FieldValueDuplicate | + #FieldValueInvalid | + #FieldValueForbidden + +// FieldValueRequired is used to report required values that are not +// provided (e.g. empty strings, null values, or empty arrays). +#FieldValueRequired: #FieldValueErrorReason & "FieldValueRequired" + +// FieldValueDuplicate is used to report collisions of values that must be +// unique (e.g. unique IDs). +#FieldValueDuplicate: #FieldValueErrorReason & "FieldValueDuplicate" + +// FieldValueInvalid is used to report malformed values (e.g. failed regex +// match, too long, out of bounds). +#FieldValueInvalid: #FieldValueErrorReason & "FieldValueInvalid" + +// FieldValueForbidden is used to report valid (as per formatting rules) +// values which would be accepted under some conditions, but which are not +// permitted by the current conditions (such as security policy). +#FieldValueForbidden: #FieldValueErrorReason & "FieldValueForbidden" + +// JSONSchemaProps is a JSON-Schema following Specification Draft 4 (http://json-schema.org/). +#JSONSchemaProps: { + id?: string @go(ID) @protobuf(1,bytes,opt) + $schema?: #JSONSchemaURL @go(Schema) @protobuf(2,bytes,opt,name=schema) + $ref?: null | string @go(Ref,*string) @protobuf(3,bytes,opt,name=ref) + description?: string @go(Description) @protobuf(4,bytes,opt) + type?: string @go(Type) @protobuf(5,bytes,opt) + + // format is an OpenAPI v3 format string. Unknown formats are ignored. The following formats are validated: + // + // - bsonobjectid: a bson object ID, i.e. 
a 24 characters hex string + // - uri: an URI as parsed by Golang net/url.ParseRequestURI + // - email: an email address as parsed by Golang net/mail.ParseAddress + // - hostname: a valid representation for an Internet host name, as defined by RFC 1034, section 3.1 [RFC1034]. + // - ipv4: an IPv4 IP as parsed by Golang net.ParseIP + // - ipv6: an IPv6 IP as parsed by Golang net.ParseIP + // - cidr: a CIDR as parsed by Golang net.ParseCIDR + // - mac: a MAC address as parsed by Golang net.ParseMAC + // - uuid: an UUID that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12}$ + // - uuid3: an UUID3 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?3[0-9a-f]{3}-?[0-9a-f]{4}-?[0-9a-f]{12}$ + // - uuid4: an UUID4 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?4[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$ + // - uuid5: an UUID5 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?5[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$ + // - isbn: an ISBN10 or ISBN13 number string like "0321751043" or "978-0321751041" + // - isbn10: an ISBN10 number string like "0321751043" + // - isbn13: an ISBN13 number string like "978-0321751041" + // - creditcard: a credit card number defined by the regex ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\\d{3})\\d{11})$ with any non digit characters mixed in + // - ssn: a U.S. 
social security number following the regex ^\\d{3}[- ]?\\d{2}[- ]?\\d{4}$ + // - hexcolor: an hexadecimal color code like "#FFFFFF: following the regex ^#?([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$ + // - rgbcolor: an RGB color code like rgb like "rgb(255,255,2559" + // - byte: base64 encoded binary data + // - password: any kind of string + // - date: a date string like "2006-01-02" as defined by full-date in RFC3339 + // - duration: a duration string like "22 ns" as parsed by Golang time.ParseDuration or compatible with Scala duration format + // - datetime: a date time string like "2014-12-15T19:30:20.000Z" as defined by date-time in RFC3339. + format?: string @go(Format) @protobuf(6,bytes,opt) + title?: string @go(Title) @protobuf(7,bytes,opt) + + // default is a default value for undefined object fields. + // Defaulting is a beta feature under the CustomResourceDefaulting feature gate. + // Defaulting requires spec.preserveUnknownFields to be false. + default?: null | #JSON @go(Default,*JSON) @protobuf(8,bytes,opt) + maximum?: null | float64 @go(Maximum,*float64) @protobuf(9,bytes,opt) + exclusiveMaximum?: bool @go(ExclusiveMaximum) @protobuf(10,bytes,opt) + minimum?: null | float64 @go(Minimum,*float64) @protobuf(11,bytes,opt) + exclusiveMinimum?: bool @go(ExclusiveMinimum) @protobuf(12,bytes,opt) + maxLength?: null | int64 @go(MaxLength,*int64) @protobuf(13,bytes,opt) + minLength?: null | int64 @go(MinLength,*int64) @protobuf(14,bytes,opt) + pattern?: string @go(Pattern) @protobuf(15,bytes,opt) + maxItems?: null | int64 @go(MaxItems,*int64) @protobuf(16,bytes,opt) + minItems?: null | int64 @go(MinItems,*int64) @protobuf(17,bytes,opt) + uniqueItems?: bool @go(UniqueItems) @protobuf(18,bytes,opt) + multipleOf?: null | float64 @go(MultipleOf,*float64) @protobuf(19,bytes,opt) + enum?: [...#JSON] @go(Enum,[]JSON) @protobuf(20,bytes,rep) + maxProperties?: null | int64 @go(MaxProperties,*int64) @protobuf(21,bytes,opt) + minProperties?: null | int64 @go(MinProperties,*int64) 
@protobuf(22,bytes,opt) + required?: [...string] @go(Required,[]string) @protobuf(23,bytes,rep) + items?: null | #JSONSchemaPropsOrArray @go(Items,*JSONSchemaPropsOrArray) @protobuf(24,bytes,opt) + allOf?: [...#JSONSchemaProps] @go(AllOf,[]JSONSchemaProps) @protobuf(25,bytes,rep) + oneOf?: [...#JSONSchemaProps] @go(OneOf,[]JSONSchemaProps) @protobuf(26,bytes,rep) + anyOf?: [...#JSONSchemaProps] @go(AnyOf,[]JSONSchemaProps) @protobuf(27,bytes,rep) + not?: null | #JSONSchemaProps @go(Not,*JSONSchemaProps) @protobuf(28,bytes,opt) + properties?: {[string]: #JSONSchemaProps} @go(Properties,map[string]JSONSchemaProps) @protobuf(29,bytes,rep) + additionalProperties?: null | #JSONSchemaPropsOrBool @go(AdditionalProperties,*JSONSchemaPropsOrBool) @protobuf(30,bytes,opt) + patternProperties?: {[string]: #JSONSchemaProps} @go(PatternProperties,map[string]JSONSchemaProps) @protobuf(31,bytes,rep) + dependencies?: #JSONSchemaDependencies @go(Dependencies) @protobuf(32,bytes,opt) + additionalItems?: null | #JSONSchemaPropsOrBool @go(AdditionalItems,*JSONSchemaPropsOrBool) @protobuf(33,bytes,opt) + definitions?: #JSONSchemaDefinitions @go(Definitions) @protobuf(34,bytes,opt) + externalDocs?: null | #ExternalDocumentation @go(ExternalDocs,*ExternalDocumentation) @protobuf(35,bytes,opt) + example?: null | #JSON @go(Example,*JSON) @protobuf(36,bytes,opt) + nullable?: bool @go(Nullable) @protobuf(37,bytes,opt) + + // x-kubernetes-preserve-unknown-fields stops the API server + // decoding step from pruning fields which are not specified + // in the validation schema. This affects fields recursively, + // but switches back to normal pruning behaviour if nested + // properties or additionalProperties are specified in the schema. + // This can either be true or undefined. False is forbidden. 
+ "x-kubernetes-preserve-unknown-fields"?: null | bool @go(XPreserveUnknownFields,*bool) @protobuf(38,bytes,opt,name=xKubernetesPreserveUnknownFields) + + // x-kubernetes-embedded-resource defines that the value is an + // embedded Kubernetes runtime.Object, with TypeMeta and + // ObjectMeta. The type must be object. It is allowed to further + // restrict the embedded object. kind, apiVersion and metadata + // are validated automatically. x-kubernetes-preserve-unknown-fields + // is allowed to be true, but does not have to be if the object + // is fully specified (up to kind, apiVersion, metadata). + "x-kubernetes-embedded-resource"?: bool @go(XEmbeddedResource) @protobuf(39,bytes,opt,name=xKubernetesEmbeddedResource) + + // x-kubernetes-int-or-string specifies that this value is + // either an integer or a string. If this is true, an empty + // type is allowed and type as child of anyOf is permitted + // if following one of the following patterns: + // + // 1) anyOf: + // - type: integer + // - type: string + // 2) allOf: + // - anyOf: + // - type: integer + // - type: string + // - ... zero or more + "x-kubernetes-int-or-string"?: bool @go(XIntOrString) @protobuf(40,bytes,opt,name=xKubernetesIntOrString) + + // x-kubernetes-list-map-keys annotates an array with the x-kubernetes-list-type `map` by specifying the keys used + // as the index of the map. + // + // This tag MUST only be used on lists that have the "x-kubernetes-list-type" + // extension set to "map". Also, the values specified for this attribute must + // be a scalar typed field of the child structure (no nesting is supported). + // + // The properties specified must either be required or have a default value, + // to ensure those properties are present for all list items. + // + // +optional + "x-kubernetes-list-map-keys"?: [...string] @go(XListMapKeys,[]string) @protobuf(41,bytes,rep,name=xKubernetesListMapKeys) + + // x-kubernetes-list-type annotates an array to further describe its topology. 
+ // This extension must only be used on lists and may have 3 possible values: + // + // 1) `atomic`: the list is treated as a single entity, like a scalar. + // Atomic lists will be entirely replaced when updated. This extension + // may be used on any type of list (struct, scalar, ...). + // 2) `set`: + // Sets are lists that must not have multiple items with the same value. Each + // value must be a scalar, an object with x-kubernetes-map-type `atomic` or an + // array with x-kubernetes-list-type `atomic`. + // 3) `map`: + // These lists are like maps in that their elements have a non-index key + // used to identify them. Order is preserved upon merge. The map tag + // must only be used on a list with elements of type object. + // Defaults to atomic for arrays. + // +optional + "x-kubernetes-list-type"?: null | string @go(XListType,*string) @protobuf(42,bytes,opt,name=xKubernetesListType) + + // x-kubernetes-map-type annotates an object to further describe its topology. + // This extension must only be used when type is object and may have 2 possible values: + // + // 1) `granular`: + // These maps are actual maps (key-value pairs) and each fields are independent + // from each other (they can each be manipulated by separate actors). This is + // the default behaviour for all maps. + // 2) `atomic`: the list is treated as a single entity, like a scalar. + // Atomic maps will be entirely replaced when updated. + // +optional + "x-kubernetes-map-type"?: null | string @go(XMapType,*string) @protobuf(43,bytes,opt,name=xKubernetesMapType) + + // x-kubernetes-validations describes a list of validation rules written in the CEL expression language. + // This field is an alpha-level. Using this field requires the feature gate `CustomResourceValidationExpressions` to be enabled. 
+ // +patchMergeKey=rule + // +patchStrategy=merge + // +listType=map + // +listMapKey=rule + "x-kubernetes-validations"?: #ValidationRules @go(XValidations) @protobuf(44,bytes,rep,name=xKubernetesValidations) +} + +// ValidationRules describes a list of validation rules written in the CEL expression language. +#ValidationRules: [...#ValidationRule] + +// ValidationRule describes a validation rule written in the CEL expression language. +#ValidationRule: { + // Rule represents the expression which will be evaluated by CEL. + // ref: https://github.com/google/cel-spec + // The Rule is scoped to the location of the x-kubernetes-validations extension in the schema. + // The `self` variable in the CEL expression is bound to the scoped value. + // Example: + // - Rule scoped to the root of a resource with a status subresource: {"rule": "self.status.actual <= self.spec.maxDesired"} + // + // If the Rule is scoped to an object with properties, the accessible properties of the object are field selectable + // via `self.field` and field presence can be checked via `has(self.field)`. Null valued fields are treated as + // absent fields in CEL expressions. + // If the Rule is scoped to an object with additionalProperties (i.e. a map) the value of the map + // are accessible via `self[mapKey]`, map containment can be checked via `mapKey in self` and all entries of the map + // are accessible via CEL macros and functions such as `self.all(...)`. + // If the Rule is scoped to an array, the elements of the array are accessible via `self[i]` and also by macros and + // functions. + // If the Rule is scoped to a scalar, `self` is bound to the scalar value. 
+ // Examples: + // - Rule scoped to a map of objects: {"rule": "self.components['Widget'].priority < 10"} + // - Rule scoped to a list of integers: {"rule": "self.values.all(value, value >= 0 && value < 100)"} + // - Rule scoped to a string value: {"rule": "self.startsWith('kube')"} + // + // The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the + // object and from any x-kubernetes-embedded-resource annotated objects. No other metadata properties are accessible. + // + // Unknown data preserved in custom resources via x-kubernetes-preserve-unknown-fields is not accessible in CEL + // expressions. This includes: + // - Unknown field values that are preserved by object schemas with x-kubernetes-preserve-unknown-fields. + // - Object properties where the property schema is of an "unknown type". An "unknown type" is recursively defined as: + // - A schema with no type and x-kubernetes-preserve-unknown-fields set to true + // - An array where the items schema is of an "unknown type" + // - An object where the additionalProperties schema is of an "unknown type" + // + // Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. + // Accessible property names are escaped according to the following rules when accessed in the expression: + // - '__' escapes to '__underscores__' + // - '.' escapes to '__dot__' + // - '-' escapes to '__dash__' + // - '/' escapes to '__slash__' + // - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are: + // "true", "false", "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if", + // "import", "let", "loop", "package", "namespace", "return". 
+ // Examples: + // - Rule accessing a property named "namespace": {"rule": "self.__namespace__ > 0"} + // - Rule accessing a property named "x-prop": {"rule": "self.x__dash__prop > 0"} + // - Rule accessing a property named "redact__d": {"rule": "self.redact__underscores__d > 0"} + // + // Equality on arrays with x-kubernetes-list-type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. + // Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type: + // - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and + // non-intersecting elements in `Y` are appended, retaining their partial order. + // - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values + // are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with + // non-intersecting keys are appended, retaining their partial order. + rule: string @go(Rule) @protobuf(1,bytes,opt) + + // Message represents the message displayed when validation fails. The message is required if the Rule contains + // line breaks. The message must not contain line breaks. + // If unset, the message is "failed rule: {Rule}". + // e.g. "must be a URL with the host matching spec.host" + message?: string @go(Message) @protobuf(2,bytes,opt) + + // MessageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + // Since messageExpression is used as a failure message, it must evaluate to a string. + // If both message and messageExpression are present on a rule, then messageExpression will be used if validation + // fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + // as if the messageExpression field were unset. 
If messageExpression evaluates to an empty string, a string with only spaces, or a string + // that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + // the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + // messageExpression has access to all the same variables as the rule; the only difference is the return type. + // Example: + // "x must be less than max ("+string(self.max)+")" + // +optional + messageExpression?: string @go(MessageExpression) @protobuf(3,bytes,opt) + + // reason provides a machine-readable validation failure reason that is returned to the caller when a request fails this validation rule. + // The HTTP status code returned to the caller will match the reason of the reason of the first failed validation rule. + // The currently supported reasons are: "FieldValueInvalid", "FieldValueForbidden", "FieldValueRequired", "FieldValueDuplicate". + // If not set, default to use "FieldValueInvalid". + // All future added reasons must be accepted by clients when reading this value and unknown reasons should be treated as FieldValueInvalid. + // +optional + reason?: null | #FieldValueErrorReason @go(Reason,*FieldValueErrorReason) @protobuf(4,bytes,opt) + + // fieldPath represents the field path returned when the validation fails. + // It must be a relative JSON path (i.e. with array notation) scoped to the location of this x-kubernetes-validations extension in the schema and refer to an existing field. + // e.g. when validation checks if a specific attribute `foo` under a map `testMap`, the fieldPath could be set to `.testMap.foo` + // If the validation checks two lists must have unique attributes, the fieldPath could be set to either of the list: e.g. `.testList` + // It does not support list numeric index. + // It supports child operation to refer to an existing field currently. 
Refer to [JSONPath support in Kubernetes](https://kubernetes.io/docs/reference/kubectl/jsonpath/) for more info. + // Numeric index of array is not supported. + // For field name which contains special characters, use `['specialName']` to refer the field name. + // e.g. for attribute `foo.34$` appears in a list `testList`, the fieldPath could be set to `.testList['foo.34$']` + // +optional + fieldPath?: string @go(FieldPath) @protobuf(5,bytes,opt) +} + +// JSON represents any valid JSON value. +// These types are supported: bool, int64, float64, string, []interface{}, map[string]interface{} and nil. +#JSON: _ + +// JSONSchemaURL represents a schema url. +#JSONSchemaURL: string + +// JSONSchemaPropsOrArray represents a value that can either be a JSONSchemaProps +// or an array of JSONSchemaProps. Mainly here for serialization purposes. +#JSONSchemaPropsOrArray: _ + +// JSONSchemaPropsOrBool represents JSONSchemaProps or a boolean value. +// Defaults to true for the boolean property. +#JSONSchemaPropsOrBool: _ + +// JSONSchemaDependencies represent a dependencies property. +#JSONSchemaDependencies: {[string]: #JSONSchemaPropsOrStringArray} + +// JSONSchemaPropsOrStringArray represents a JSONSchemaProps or a string array. +#JSONSchemaPropsOrStringArray: _ + +// JSONSchemaDefinitions contains the models explicitly defined in this spec. +#JSONSchemaDefinitions: {[string]: #JSONSchemaProps} + +// ExternalDocumentation allows referencing an external resource for extended documentation. +#ExternalDocumentation: { + description?: string @go(Description) @protobuf(1,bytes,opt) + url?: string @go(URL) @protobuf(2,bytes,opt) +} diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/amount_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/amount_go_gen.cue new file mode 100644 index 000000000..cef44ba5c --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/amount_go_gen.cue 
@@ -0,0 +1,47 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource + +package resource + +// Scale is used for getting and setting the base-10 scaled value. +// Base-2 scales are omitted for mathematical simplicity. +// See Quantity.ScaledValue for more details. +#Scale: int32 // #enumScale + +#enumScale: + #Nano | + #Micro | + #Milli | + #Kilo | + #Mega | + #Giga | + #Tera | + #Peta | + #Exa + +#values_Scale: { + Nano: #Nano + Micro: #Micro + Milli: #Milli + Kilo: #Kilo + Mega: #Mega + Giga: #Giga + Tera: #Tera + Peta: #Peta + Exa: #Exa +} + +#Nano: #Scale & -9 +#Micro: #Scale & -6 +#Milli: #Scale & -3 +#Kilo: #Scale & 3 +#Mega: #Scale & 6 +#Giga: #Scale & 9 +#Tera: #Scale & 12 +#Peta: #Scale & 15 +#Exa: #Scale & 18 + +// infDecAmount implements common operations over an inf.Dec that are specific to the quantity +// representation. +_#infDecAmount: string diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/math_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/math_go_gen.cue new file mode 100644 index 000000000..711f2096f --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/math_go_gen.cue @@ -0,0 +1,13 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource + +package resource + +// maxInt64Factors is the highest value that will be checked when removing factors of 10 from an int64. +// It is also the maximum decimal digits that can be represented with an int64. +_#maxInt64Factors: 18 + +_#mostNegative: -9223372036854775808 + +_#mostPositive: 9223372036854775807 diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/quantity_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/quantity_go_gen.cue new file mode 100644 index 000000000..9d9713a1b --- /dev/null 
+++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/quantity_go_gen.cue 
@@ -0,0 +1,107 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource + +package resource + +// Quantity is a fixed-point representation of a number. +// It provides convenient marshaling/unmarshaling in JSON and YAML, +// in addition to String() and AsInt64() accessors. +// +// The serialization format is: +// +// ``` +// ::= +// +// (Note that may be empty, from the "" case in .) +// +// ::= 0 | 1 | ... | 9 +// ::= | +// ::= | . | . | . +// ::= "+" | "-" +// ::= | +// ::= | | +// ::= Ki | Mi | Gi | Ti | Pi | Ei +// +// (International System of units; See: http://physics.nist.gov/cuu/Units/binary.html) +// +// ::= m | "" | k | M | G | T | P | E +// +// (Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.) +// +// ::= "e" | "E" +// ``` +// +// No matter which of the three exponent forms is used, no quantity may represent +// a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal +// places. Numbers larger or more precise will be capped or rounded up. +// (E.g.: 0.1m will rounded up to 1m.) +// This may be extended in the future if we require larger or smaller quantities. +// +// When a Quantity is parsed from a string, it will remember the type of suffix +// it had, and will use the same type again when it is serialized. +// +// Before serializing, Quantity will be put in "canonical form". +// This means that Exponent/suffix will be adjusted up or down (with a +// corresponding increase or decrease in Mantissa) such that: +// +// - No precision is lost +// - No fractional digits will be emitted +// - The exponent (or suffix) is as large as possible. +// +// The sign will be omitted unless the number is negative. +// +// Examples: +// +// - 1.5 will be serialized as "1500m" +// - 1.5Gi will be serialized as "1536Mi" +// +// Note that the quantity will NEVER be internally represented by a +// floating point number. That is the whole point of this exercise. 
+// +// Non-canonical values will still parse as long as they are well formed, +// but will be re-emitted in their canonical form. (So always use canonical +// form, or don't diff.) +// +// This format is intended to make it difficult to use these numbers without +// writing some sort of special handling code in the hopes that that will +// cause implementors to also use a fixed point implementation. +// +// +protobuf=true +// +protobuf.embed=string +// +protobuf.options.marshal=false +// +protobuf.options.(gogoproto.goproto_stringer)=false +// +k8s:deepcopy-gen=true +// +k8s:openapi-gen=true +#Quantity: _ + +// CanonicalValue allows a quantity amount to be converted to a string. +#CanonicalValue: _ + +// Format lists the three possible formattings of a quantity. +#Format: string // #enumFormat + +#enumFormat: + #DecimalExponent | + #BinarySI | + #DecimalSI + +#DecimalExponent: #Format & "DecimalExponent" +#BinarySI: #Format & "BinarySI" +#DecimalSI: #Format & "DecimalSI" + +// splitREString is used to separate a number from its suffix; as such, +// this is overly permissive, but that's OK-- it will be checked later. +_#splitREString: "^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$" + +_#int64QuantityExpectedBytes: 18 + +// QuantityValue makes it possible to use a Quantity as value for a command +// line parameter. +// +// +protobuf=true +// +protobuf.embed=string +// +protobuf.options.marshal=false +// +protobuf.options.(gogoproto.goproto_stringer)=false +// +k8s:deepcopy-gen=true +#QuantityValue: _ diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/suffix_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/suffix_go_gen.cue new file mode 100644 index 000000000..b40d68ec1 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/suffix_go_gen.cue 
@@ -0,0 +1,10 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource + +package resource + +_#suffix: string + +// suffixer can interpret and construct suffixes. +_#suffixer: _ diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/duration_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/duration_go_gen.cue new file mode 100644 index 000000000..25ea8ecf1 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/duration_go_gen.cue @@ -0,0 +1,10 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +package v1 + +// Duration is a wrapper around time.Duration which supports correct +// marshaling to YAML and JSON. In particular, it marshals into strings, which +// can be used as map keys in json. +#Duration: _ diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/group_version_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/group_version_go_gen.cue new file mode 100644 index 000000000..7ff538603 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/group_version_go_gen.cue 
@@ -0,0 +1,48 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +package v1 + +// GroupResource specifies a Group and a Resource, but does not force a version. This is useful for identifying +// concepts during lookup stages without having partially valid types +// +// +protobuf.options.(gogoproto.goproto_stringer)=false +#GroupResource: { + group: string @go(Group) @protobuf(1,bytes,opt) + resource: string @go(Resource) @protobuf(2,bytes,opt) +} + +// GroupVersionResource unambiguously identifies a resource. It doesn't anonymously include GroupVersion +// to avoid automatic coercion. It doesn't use a GroupVersion to avoid custom marshalling +// +// +protobuf.options.(gogoproto.goproto_stringer)=false +#GroupVersionResource: { + group: string @go(Group) @protobuf(1,bytes,opt) + version: string @go(Version) @protobuf(2,bytes,opt) + resource: string @go(Resource) @protobuf(3,bytes,opt) +} + +// GroupKind specifies a Group and a Kind, but does not force a version. This is useful for identifying +// concepts during lookup stages without having partially valid types +// +// +protobuf.options.(gogoproto.goproto_stringer)=false +#GroupKind: { + group: string @go(Group) @protobuf(1,bytes,opt) + kind: string @go(Kind) @protobuf(2,bytes,opt) +} + +// GroupVersionKind unambiguously identifies a kind. It doesn't anonymously include GroupVersion +// to avoid automatic coercion. It doesn't use a GroupVersion to avoid custom marshalling +// +// +protobuf.options.(gogoproto.goproto_stringer)=false +#GroupVersionKind: { + group: string @go(Group) @protobuf(1,bytes,opt) + version: string @go(Version) @protobuf(2,bytes,opt) + kind: string @go(Kind) @protobuf(3,bytes,opt) +} + +// GroupVersion contains the "group" and the "version", which uniquely identifies the API. +// +// +protobuf.options.(gogoproto.goproto_stringer)=false +#GroupVersion: _ 
diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/meta_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/meta_go_gen.cue new file mode 100644 index 000000000..f3c39a466 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/meta_go_gen.cue @@ -0,0 +1,33 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +package v1 + +// TODO: move this, Object, List, and Type to a different package +#ObjectMetaAccessor: _ + +// Object lets you work with object metadata from any of the versioned or +// internal API objects. Attempting to set or retrieve a field on an object that does +// not support that field (Name, UID, Namespace on lists) will be a no-op and return +// a default value. +#Object: _ + +// ListMetaAccessor retrieves the list interface from an object +#ListMetaAccessor: _ + +// Common lets you work with core metadata from any of the versioned or +// internal API objects. Attempting to set or retrieve a field on an object that does +// not support that field will be a no-op and return a default value. +// TODO: move this, and TypeMeta and ListMeta, to a different package +#Common: _ + +// ListInterface lets you work with list metadata from any of the versioned or +// internal API objects. Attempting to set or retrieve a field on an object that does +// not support that field will be a no-op and return a default value. +// TODO: move this, and TypeMeta and ListMeta, to a different package +#ListInterface: _ + +// Type exposes the type and APIVersion of versioned or internal API objects. +// TODO: move this, and TypeMeta and ListMeta, to a different package +#Type: _ diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/micro_time_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/micro_time_go_gen.cue new file mode 100644 index 000000000..3c067bae3 
--- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/micro_time_go_gen.cue @@ -0,0 +1,14 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +package v1 + +#RFC3339Micro: "2006-01-02T15:04:05.000000Z07:00" + +// MicroTime is version of Time with microsecond level precision. +// +// +protobuf.options.marshal=false +// +protobuf.as=Timestamp +// +protobuf.options.(gogoproto.goproto_stringer)=false +#MicroTime: _ diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/register_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/register_go_gen.cue new file mode 100644 index 000000000..39d23b288 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/register_go_gen.cue @@ -0,0 +1,9 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +package v1 + +#GroupName: "meta.k8s.io" + +#WatchEventKind: "WatchEvent" diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/time_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/time_go_gen.cue new file mode 100644 index 000000000..b3c8ec266 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/time_go_gen.cue @@ -0,0 +1,14 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +package v1 + +// Time is a wrapper around time.Time which supports correct +// marshaling to YAML and JSON. Wrappers are provided for many +// of the factory methods that the time package offers. +// +// +protobuf.options.marshal=false +// +protobuf.as=Timestamp +// +protobuf.options.(gogoproto.goproto_stringer)=false +#Time: _ 
diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/time_proto_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/time_proto_go_gen.cue new file mode 100644 index 000000000..835392730 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/time_proto_go_gen.cue @@ -0,0 +1,21 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +package v1 + +// Timestamp is a struct that is equivalent to Time, but intended for +// protobuf marshalling/unmarshalling. It is generated into a serialization +// that matches Time. Do not use in Go structs. +#Timestamp: { + // Represents seconds of UTC time since Unix epoch + // 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + // 9999-12-31T23:59:59Z inclusive. + seconds: int64 @go(Seconds) @protobuf(1,varint,opt) + + // Non-negative fractions of a second at nanosecond resolution. Negative + // second values with fractions must still have non-negative nanos values + // that count forward in time. Must be from 0 to 999,999,999 + // inclusive. This field may be limited in precision depending on context. + nanos: int32 @go(Nanos) @protobuf(2,varint,opt) +} diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/types_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/types_go_gen.cue new file mode 100644 index 000000000..a0deb7c90 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/types_go_gen.cue 
@@ -0,0 +1,1561 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +// Package v1 contains API types that are common to all versions. +// +// The package contains two categories of types: +// - external (serialized) types that lack their own version (e.g TypeMeta) +// - internal (never-serialized) types that are needed by several different +// api groups, and so live here, to avoid duplication and/or import loops +// (e.g. LabelSelector). +// +// In the future, we will probably move these categories of objects into +// separate packages. +package v1 + +import ( + "k8s.io/apimachinery/pkg/types" + "k8s.io/apimachinery/pkg/runtime" +) + +// TypeMeta describes an individual object in an API response or request +// with strings representing the type of the object and its API schema version. +// Structures that are versioned or persisted should inline TypeMeta. +// +// +k8s:deepcopy-gen=false +#TypeMeta: { + // Kind is a string value representing the REST resource this object represents. + // Servers may infer this from the endpoint the client submits requests to. + // Cannot be updated. + // In CamelCase. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + kind?: string @go(Kind) @protobuf(1,bytes,opt) + + // APIVersion defines the versioned schema of this representation of an object. + // Servers should convert recognized schemas to the latest internal value, and + // may reject unrecognized values. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + // +optional + apiVersion?: string @go(APIVersion) @protobuf(2,bytes,opt) +} + +// ListMeta describes metadata that synthetic resources must have, including lists and +// various status objects. A resource may have only one of {ObjectMeta, ListMeta}. 
+#ListMeta: { + // Deprecated: selfLink is a legacy read-only field that is no longer populated by the system. + // +optional + selfLink?: string @go(SelfLink) @protobuf(1,bytes,opt) + + // String that identifies the server's internal version of this object that + // can be used by clients to determine when objects have changed. + // Value must be treated as opaque by clients and passed unmodified back to the server. + // Populated by the system. + // Read-only. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + // +optional + resourceVersion?: string @go(ResourceVersion) @protobuf(2,bytes,opt) + + // continue may be set if the user set a limit on the number of items returned, and indicates that + // the server has more data available. The value is opaque and may be used to issue another request + // to the endpoint that served this list to retrieve the next set of available objects. Continuing a + // consistent list may not be possible if the server configuration has changed or more than a few + // minutes have passed. The resourceVersion field returned when using this continue value will be + // identical to the value in the first response, unless you have received this token from an error + // message. + continue?: string @go(Continue) @protobuf(3,bytes,opt) + + // remainingItemCount is the number of subsequent items in the list which are not included in this + // list response. If the list request contained label or field selectors, then the number of + // remaining items is unknown and the field will be left unset and omitted during serialization. + // If the list is complete (either because it is not chunking or because this is the last chunk), + // then there are no more remaining items and this field will be left unset and omitted during + // serialization. + // Servers older than v1.15 do not set this field. 
+ // The intended use of the remainingItemCount is *estimating* the size of a collection. Clients + // should not rely on the remainingItemCount to be set or to be exact. + // +optional + remainingItemCount?: null | int64 @go(RemainingItemCount,*int64) @protobuf(4,bytes,opt) +} + +#ObjectNameField: "metadata.name" + +#FinalizerOrphanDependents: "orphan" +#FinalizerDeleteDependents: "foregroundDeletion" + +// ObjectMeta is metadata that all persisted resources must have, which includes all objects +// users must create. +#ObjectMeta: { + // Name must be unique within a namespace. Is required when creating resources, although + // some resources may allow a client to request the generation of an appropriate name + // automatically. Name is primarily intended for creation idempotence and configuration + // definition. + // Cannot be updated. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names + // +optional + name?: string @go(Name) @protobuf(1,bytes,opt) + + // GenerateName is an optional prefix, used by the server, to generate a unique + // name ONLY IF the Name field has not been provided. + // If this field is used, the name returned to the client will be different + // than the name passed. This value will also be combined with a unique suffix. + // The provided value has the same validation rules as the Name field, + // and may be truncated by the length of the suffix required to make the value + // unique on the server. + // + // If this field is specified and the generated name exists, the server will return a 409. + // + // Applied only if Name is not specified. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency + // +optional + generateName?: string @go(GenerateName) @protobuf(2,bytes,opt) + + // Namespace defines the space within which each name must be unique. 
An empty namespace is + // equivalent to the "default" namespace, but "default" is the canonical representation. + // Not all objects are required to be scoped to a namespace - the value of this field for + // those objects will be empty. + // + // Must be a DNS_LABEL. + // Cannot be updated. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces + // +optional + namespace?: string @go(Namespace) @protobuf(3,bytes,opt) + + // Deprecated: selfLink is a legacy read-only field that is no longer populated by the system. + // +optional + selfLink?: string @go(SelfLink) @protobuf(4,bytes,opt) + + // UID is the unique in time and space value for this object. It is typically generated by + // the server on successful creation of a resource and is not allowed to change on PUT + // operations. + // + // Populated by the system. + // Read-only. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids + // +optional + uid?: types.#UID @go(UID) @protobuf(5,bytes,opt,casttype=k8s.io/kubernetes/pkg/types.UID) + + // An opaque value that represents the internal version of this object that can + // be used by clients to determine when objects have changed. May be used for optimistic + // concurrency, change detection, and the watch operation on a resource or set of resources. + // Clients must treat these values as opaque and passed unmodified back to the server. + // They may only be valid for a particular resource or set of resources. + // + // Populated by the system. + // Read-only. + // Value must be treated as opaque by clients and . + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + // +optional + resourceVersion?: string @go(ResourceVersion) @protobuf(6,bytes,opt) + + // A sequence number representing a specific generation of the desired state. + // Populated by the system. Read-only. 
+ // +optional + generation?: int64 @go(Generation) @protobuf(7,varint,opt) + + // CreationTimestamp is a timestamp representing the server time when this object was + // created. It is not guaranteed to be set in happens-before order across separate operations. + // Clients may not set this value. It is represented in RFC3339 form and is in UTC. + // + // Populated by the system. + // Read-only. + // Null for lists. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + creationTimestamp?: #Time @go(CreationTimestamp) @protobuf(8,bytes,opt) + + // DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This + // field is set by the server when a graceful deletion is requested by the user, and is not + // directly settable by a client. The resource is expected to be deleted (no longer visible + // from resource lists, and not reachable by name) after the time in this field, once the + // finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. + // Once the deletionTimestamp is set, this value may not be unset or be set further into the + // future, although it may be shortened or the resource may be deleted prior to this time. + // For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react + // by sending a graceful termination signal to the containers in the pod. After that 30 seconds, + // the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, + // remove the pod from the API. In the presence of network partitions, this object may still + // exist after this timestamp, until an administrator or automated process can determine the + // resource is fully terminated. + // If not set, graceful deletion of the object has not been requested. + // + // Populated by the system when a graceful deletion is requested. + // Read-only. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + deletionTimestamp?: null | #Time @go(DeletionTimestamp,*Time) @protobuf(9,bytes,opt) + + // Number of seconds allowed for this object to gracefully terminate before + // it will be removed from the system. Only set when deletionTimestamp is also set. + // May only be shortened. + // Read-only. + // +optional + deletionGracePeriodSeconds?: null | int64 @go(DeletionGracePeriodSeconds,*int64) @protobuf(10,varint,opt) + + // Map of string keys and values that can be used to organize and categorize + // (scope and select) objects. May match selectors of replication controllers + // and services. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels + // +optional + labels?: {[string]: string} @go(Labels,map[string]string) @protobuf(11,bytes,rep) + + // Annotations is an unstructured key value map stored with a resource that may be + // set by external tools to store and retrieve arbitrary metadata. They are not + // queryable and should be preserved when modifying objects. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations + // +optional + annotations?: {[string]: string} @go(Annotations,map[string]string) @protobuf(12,bytes,rep) + + // List of objects depended by this object. If ALL objects in the list have + // been deleted, this object will be garbage collected. If this object is managed by a controller, + // then an entry in this list will point to this controller, with the controller field set to true. + // There cannot be more than one managing controller. + // +optional + // +patchMergeKey=uid + // +patchStrategy=merge + ownerReferences?: [...#OwnerReference] @go(OwnerReferences,[]OwnerReference) @protobuf(13,bytes,rep) + + // Must be empty before the object is deleted from the registry. 
Each entry + // is an identifier for the responsible component that will remove the entry + // from the list. If the deletionTimestamp of the object is non-nil, entries + // in this list can only be removed. + // Finalizers may be processed and removed in any order. Order is NOT enforced + // because it introduces significant risk of stuck finalizers. + // finalizers is a shared field, any actor with permission can reorder it. + // If the finalizer list is processed in order, then this can lead to a situation + // in which the component responsible for the first finalizer in the list is + // waiting for a signal (field value, external system, or other) produced by a + // component responsible for a finalizer later in the list, resulting in a deadlock. + // Without enforced ordering finalizers are free to order amongst themselves and + // are not vulnerable to ordering changes in the list. + // +optional + // +patchStrategy=merge + finalizers?: [...string] @go(Finalizers,[]string) @protobuf(14,bytes,rep) + + // ManagedFields maps workflow-id and version to the set of fields + // that are managed by that workflow. This is mostly for internal + // housekeeping, and users typically shouldn't need to set or + // understand this field. A workflow can be the user's name, a + // controller's name, or the name of a specific apply path like + // "ci-cd". The set of fields is always in the version that the + // workflow used when modifying the object. + // + // +optional + managedFields?: [...#ManagedFieldsEntry] @go(ManagedFields,[]ManagedFieldsEntry) @protobuf(17,bytes,rep) +} + +// NamespaceDefault means the object is in the default namespace which is applied when not specified by clients +#NamespaceDefault: "default" + +// NamespaceAll is the default argument to specify on a context when you want to list or filter resources across all namespaces +#NamespaceAll: "" + +// NamespaceNone is the argument for a context when there is no namespace. 
+#NamespaceNone: "" + +// NamespaceSystem is the system namespace where we place system components. +#NamespaceSystem: "kube-system" + +// NamespacePublic is the namespace where we place public info (ConfigMaps) +#NamespacePublic: "kube-public" + +// OwnerReference contains enough information to let you identify an owning +// object. An owning object must be in the same namespace as the dependent, or +// be cluster-scoped, so there is no namespace field. +// +structType=atomic +#OwnerReference: { + // API version of the referent. + apiVersion: string @go(APIVersion) @protobuf(5,bytes,opt) + + // Kind of the referent. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: string @go(Kind) @protobuf(1,bytes,opt) + + // Name of the referent. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names + name: string @go(Name) @protobuf(3,bytes,opt) + + // UID of the referent. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids + uid: types.#UID @go(UID) @protobuf(4,bytes,opt,casttype=k8s.io/apimachinery/pkg/types.UID) + + // If true, this reference points to the managing controller. + // +optional + controller?: null | bool @go(Controller,*bool) @protobuf(6,varint,opt) + + // If true, AND if the owner has the "foregroundDeletion" finalizer, then + // the owner cannot be deleted from the key-value store until this + // reference is removed. + // See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion + // for how the garbage collector interacts with this field and enforces the foreground deletion. + // Defaults to false. + // To set this field, a user needs "delete" permission of the owner, + // otherwise 422 (Unprocessable Entity) will be returned. 
+ // +optional + blockOwnerDeletion?: null | bool @go(BlockOwnerDeletion,*bool) @protobuf(7,varint,opt) +} + +// ListOptions is the query options to a standard REST list call. +#ListOptions: { + #TypeMeta + + // A selector to restrict the list of returned objects by their labels. + // Defaults to everything. + // +optional + labelSelector?: string @go(LabelSelector) @protobuf(1,bytes,opt) + + // A selector to restrict the list of returned objects by their fields. + // Defaults to everything. + // +optional + fieldSelector?: string @go(FieldSelector) @protobuf(2,bytes,opt) + + // Watch for changes to the described resources and return them as a stream of + // add, update, and remove notifications. Specify resourceVersion. + // +optional + watch?: bool @go(Watch) @protobuf(3,varint,opt) + + // allowWatchBookmarks requests watch events with type "BOOKMARK". + // Servers that do not implement bookmarks may ignore this flag and + // bookmarks are sent at the server's discretion. Clients should not + // assume bookmarks are returned at any specific interval, nor may they + // assume the server will send any BOOKMARK event during a session. + // If this is not a watch, this field is ignored. + // +optional + allowWatchBookmarks?: bool @go(AllowWatchBookmarks) @protobuf(9,varint,opt) + + // resourceVersion sets a constraint on what resource versions a request may be served from. + // See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for + // details. + // + // Defaults to unset + // +optional + resourceVersion?: string @go(ResourceVersion) @protobuf(4,bytes,opt) + + // resourceVersionMatch determines how resourceVersion is applied to list calls. + // It is highly recommended that resourceVersionMatch be set for list calls where + // resourceVersion is set + // See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for + // details. 
+ // + // Defaults to unset + // +optional + resourceVersionMatch?: #ResourceVersionMatch @go(ResourceVersionMatch) @protobuf(10,bytes,opt,casttype=ResourceVersionMatch) + + // Timeout for the list/watch call. + // This limits the duration of the call, regardless of any activity or inactivity. + // +optional + timeoutSeconds?: null | int64 @go(TimeoutSeconds,*int64) @protobuf(5,varint,opt) + + // limit is a maximum number of responses to return for a list call. If more items exist, the + // server will set the `continue` field on the list metadata to a value that can be used with the + // same initial query to retrieve the next set of results. Setting a limit may return fewer than + // the requested amount of items (up to zero items) in the event all requested objects are + // filtered out and clients should only use the presence of the continue field to determine whether + // more results are available. Servers may choose not to support the limit argument and will return + // all of the available results. If limit is specified and the continue field is empty, clients may + // assume that no more results are available. This field is not supported if watch is true. + // + // The server guarantees that the objects returned when using continue will be identical to issuing + // a single list call without a limit - that is, no objects created, modified, or deleted after the + // first request is issued will be included in any subsequent continued requests. This is sometimes + // referred to as a consistent snapshot, and ensures that a client that is using limit to receive + // smaller chunks of a very large result can ensure they see all possible objects. If objects are + // updated during a chunked list the version of the object that was present at the time the first list + // result was calculated is returned. + limit?: int64 @go(Limit) @protobuf(7,varint,opt) + + // The continue option should be set when retrieving more results from the server. 
Since this value is + // server defined, clients may only use the continue value from a previous query result with identical + // query parameters (except for the value of continue) and the server may reject a continue value it + // does not recognize. If the specified continue value is no longer valid whether due to expiration + // (generally five to fifteen minutes) or a configuration change on the server, the server will + // respond with a 410 ResourceExpired error together with a continue token. If the client needs a + // consistent list, it must restart their list without the continue field. Otherwise, the client may + // send another list request with the token received with the 410 error, the server will respond with + // a list starting from the next key, but from the latest snapshot, which is inconsistent from the + // previous list results - objects that are created, modified, or deleted after the first list request + // will be included in the response, as long as their keys are after the "next key". + // + // This field is not supported when watch is true. Clients may start a watch from the last + // resourceVersion value returned by the server and not miss any modifications. + continue?: string @go(Continue) @protobuf(8,bytes,opt) + + // `sendInitialEvents=true` may be set together with `watch=true`. + // In that case, the watch stream will begin with synthetic events to + // produce the current state of objects in the collection. Once all such + // events have been sent, a synthetic "Bookmark" event will be sent. + // The bookmark will report the ResourceVersion (RV) corresponding to the + // set of objects, and be marked with `"k8s.io/initial-events-end": "true"` annotation. + // Afterwards, the watch stream will proceed as usual, sending watch events + // corresponding to changes (subsequent to the RV) to objects watched. + // + // When `sendInitialEvents` option is set, we require `resourceVersionMatch` + // option to also be set. 
The semantic of the watch request is as following: + // - `resourceVersionMatch` = NotOlderThan + // is interpreted as "data at least as new as the provided `resourceVersion`" + // and the bookmark event is send when the state is synced + // to a `resourceVersion` at least as fresh as the one provided by the ListOptions. + // If `resourceVersion` is unset, this is interpreted as "consistent read" and the + // bookmark event is send when the state is synced at least to the moment + // when request started being processed. + // - `resourceVersionMatch` set to any other value or unset + // Invalid error is returned. + // + // Defaults to true if `resourceVersion=""` or `resourceVersion="0"` (for backward + // compatibility reasons) and to false otherwise. + // +optional + sendInitialEvents?: null | bool @go(SendInitialEvents,*bool) @protobuf(11,varint,opt) +} + +// resourceVersionMatch specifies how the resourceVersion parameter is applied. resourceVersionMatch +// may only be set if resourceVersion is also set. +// +// "NotOlderThan" matches data at least as new as the provided resourceVersion. +// "Exact" matches data at the exact resourceVersion provided. +// +// See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for +// details. +#ResourceVersionMatch: string // #enumResourceVersionMatch + +#enumResourceVersionMatch: + #ResourceVersionMatchNotOlderThan | + #ResourceVersionMatchExact + +// ResourceVersionMatchNotOlderThan matches data at least as new as the provided +// resourceVersion. +#ResourceVersionMatchNotOlderThan: #ResourceVersionMatch & "NotOlderThan" + +// ResourceVersionMatchExact matches data at the exact resourceVersion +// provided. +#ResourceVersionMatchExact: #ResourceVersionMatch & "Exact" + +// GetOptions is the standard query options to the standard REST get call. +#GetOptions: { + #TypeMeta + + // resourceVersion sets a constraint on what resource versions a request may be served from. 
+ // See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for + // details. + // + // Defaults to unset + // +optional + resourceVersion?: string @go(ResourceVersion) @protobuf(1,bytes,opt) +} + +// DeletionPropagation decides if a deletion will propagate to the dependents of +// the object, and how the garbage collector will handle the propagation. +#DeletionPropagation: string // #enumDeletionPropagation + +#enumDeletionPropagation: + #DeletePropagationOrphan | + #DeletePropagationBackground | + #DeletePropagationForeground + +// Orphans the dependents. +#DeletePropagationOrphan: #DeletionPropagation & "Orphan" + +// Deletes the object from the key-value store, the garbage collector will +// delete the dependents in the background. +#DeletePropagationBackground: #DeletionPropagation & "Background" + +// The object exists in the key-value store until the garbage collector +// deletes all the dependents whose ownerReference.blockOwnerDeletion=true +// from the key-value store. API sever will put the "foregroundDeletion" +// finalizer on the object, and sets its deletionTimestamp. This policy is +// cascading, i.e., the dependents will be deleted with Foreground. +#DeletePropagationForeground: #DeletionPropagation & "Foreground" + +// DryRunAll means to complete all processing stages, but don't +// persist changes to storage. +#DryRunAll: "All" + +// DeleteOptions may be provided when deleting an API object. +#DeleteOptions: { + #TypeMeta + + // The duration in seconds before the object should be deleted. Value must be non-negative integer. + // The value zero indicates delete immediately. If this value is nil, the default grace period for the + // specified type will be used. + // Defaults to a per object value if not specified. zero means delete immediately. + // +optional + gracePeriodSeconds?: null | int64 @go(GracePeriodSeconds,*int64) @protobuf(1,varint,opt) + + // Must be fulfilled before a deletion is carried out. 
If not possible, a 409 Conflict status will be + // returned. + // +k8s:conversion-gen=false + // +optional + preconditions?: null | #Preconditions @go(Preconditions,*Preconditions) @protobuf(2,bytes,opt) + + // Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. + // Should the dependent objects be orphaned. If true/false, the "orphan" + // finalizer will be added to/removed from the object's finalizers list. + // Either this field or PropagationPolicy may be set, but not both. + // +optional + orphanDependents?: null | bool @go(OrphanDependents,*bool) @protobuf(3,varint,opt) + + // Whether and how garbage collection will be performed. + // Either this field or OrphanDependents may be set, but not both. + // The default policy is decided by the existing finalizer set in the + // metadata.finalizers and the resource-specific default policy. + // Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - + // allow the garbage collector to delete the dependents in the background; + // 'Foreground' - a cascading policy that deletes all dependents in the + // foreground. + // +optional + propagationPolicy?: null | #DeletionPropagation @go(PropagationPolicy,*DeletionPropagation) @protobuf(4,varint,opt) + + // When present, indicates that modifications should not be + // persisted. An invalid or unrecognized dryRun directive will + // result in an error response and no further processing of the + // request. 
Valid values are: + // - All: all dry run stages will be processed + // +optional + dryRun?: [...string] @go(DryRun,[]string) @protobuf(5,bytes,rep) +} + +// FieldValidationIgnore ignores unknown/duplicate fields +#FieldValidationIgnore: "Ignore" + +// FieldValidationWarn responds with a warning, but successfully serve the request +#FieldValidationWarn: "Warn" + +// FieldValidationStrict fails the request on unknown/duplicate fields +#FieldValidationStrict: "Strict" + +// CreateOptions may be provided when creating an API object. +#CreateOptions: { + #TypeMeta + + // When present, indicates that modifications should not be + // persisted. An invalid or unrecognized dryRun directive will + // result in an error response and no further processing of the + // request. Valid values are: + // - All: all dry run stages will be processed + // +optional + dryRun?: [...string] @go(DryRun,[]string) @protobuf(1,bytes,rep) + + // fieldManager is a name associated with the actor or entity + // that is making these changes. The value must be less than or + // 128 characters long, and only contain printable characters, + // as defined by https://golang.org/pkg/unicode/#IsPrint. + // +optional + fieldManager?: string @go(FieldManager) @protobuf(3,bytes) + + // fieldValidation instructs the server on how to handle + // objects in the request (POST/PUT/PATCH) containing unknown + // or duplicate fields. Valid values are: + // - Ignore: This will ignore any unknown fields that are silently + // dropped from the object, and will ignore all but the last duplicate + // field that the decoder encounters. This is the default behavior + // prior to v1.23. + // - Warn: This will send a warning via the standard warning response + // header for each unknown field that is dropped from the object, and + // for each duplicate field that is encountered. The request will + // still succeed if there are no other errors, and will only persist + // the last of any duplicate fields. 
This is the default in v1.23+ + // - Strict: This will fail the request with a BadRequest error if + // any unknown fields would be dropped from the object, or if any + // duplicate fields are present. The error returned from the server + // will contain all unknown and duplicate fields encountered. + // +optional + fieldValidation?: string @go(FieldValidation) @protobuf(4,bytes) +} + +// PatchOptions may be provided when patching an API object. +// PatchOptions is meant to be a superset of UpdateOptions. +#PatchOptions: { + #TypeMeta + + // When present, indicates that modifications should not be + // persisted. An invalid or unrecognized dryRun directive will + // result in an error response and no further processing of the + // request. Valid values are: + // - All: all dry run stages will be processed + // +optional + dryRun?: [...string] @go(DryRun,[]string) @protobuf(1,bytes,rep) + + // Force is going to "force" Apply requests. It means user will + // re-acquire conflicting fields owned by other people. Force + // flag must be unset for non-apply patch requests. + // +optional + force?: null | bool @go(Force,*bool) @protobuf(2,varint,opt) + + // fieldManager is a name associated with the actor or entity + // that is making these changes. The value must be less than or + // 128 characters long, and only contain printable characters, + // as defined by https://golang.org/pkg/unicode/#IsPrint. This + // field is required for apply requests + // (application/apply-patch) but optional for non-apply patch + // types (JsonPatch, MergePatch, StrategicMergePatch). + // +optional + fieldManager?: string @go(FieldManager) @protobuf(3,bytes) + + // fieldValidation instructs the server on how to handle + // objects in the request (POST/PUT/PATCH) containing unknown + // or duplicate fields. 
Valid values are: + // - Ignore: This will ignore any unknown fields that are silently + // dropped from the object, and will ignore all but the last duplicate + // field that the decoder encounters. This is the default behavior + // prior to v1.23. + // - Warn: This will send a warning via the standard warning response + // header for each unknown field that is dropped from the object, and + // for each duplicate field that is encountered. The request will + // still succeed if there are no other errors, and will only persist + // the last of any duplicate fields. This is the default in v1.23+ + // - Strict: This will fail the request with a BadRequest error if + // any unknown fields would be dropped from the object, or if any + // duplicate fields are present. The error returned from the server + // will contain all unknown and duplicate fields encountered. + // +optional + fieldValidation?: string @go(FieldValidation) @protobuf(4,bytes) +} + +// ApplyOptions may be provided when applying an API object. +// FieldManager is required for apply requests. +// ApplyOptions is equivalent to PatchOptions. It is provided as a convenience with documentation +// that speaks specifically to how the options fields relate to apply. +#ApplyOptions: { + #TypeMeta + + // When present, indicates that modifications should not be + // persisted. An invalid or unrecognized dryRun directive will + // result in an error response and no further processing of the + // request. Valid values are: + // - All: all dry run stages will be processed + // +optional + dryRun?: [...string] @go(DryRun,[]string) @protobuf(1,bytes,rep) + + // Force is going to "force" Apply requests. It means user will + // re-acquire conflicting fields owned by other people. + force: bool @go(Force) @protobuf(2,varint,opt) + + // fieldManager is a name associated with the actor or entity + // that is making these changes. 
The value must be less than or + // 128 characters long, and only contain printable characters, + // as defined by https://golang.org/pkg/unicode/#IsPrint. This + // field is required. + fieldManager: string @go(FieldManager) @protobuf(3,bytes) +} + +// UpdateOptions may be provided when updating an API object. +// All fields in UpdateOptions should also be present in PatchOptions. +#UpdateOptions: { + #TypeMeta + + // When present, indicates that modifications should not be + // persisted. An invalid or unrecognized dryRun directive will + // result in an error response and no further processing of the + // request. Valid values are: + // - All: all dry run stages will be processed + // +optional + dryRun?: [...string] @go(DryRun,[]string) @protobuf(1,bytes,rep) + + // fieldManager is a name associated with the actor or entity + // that is making these changes. The value must be less than or + // 128 characters long, and only contain printable characters, + // as defined by https://golang.org/pkg/unicode/#IsPrint. + // +optional + fieldManager?: string @go(FieldManager) @protobuf(2,bytes) + + // fieldValidation instructs the server on how to handle + // objects in the request (POST/PUT/PATCH) containing unknown + // or duplicate fields. Valid values are: + // - Ignore: This will ignore any unknown fields that are silently + // dropped from the object, and will ignore all but the last duplicate + // field that the decoder encounters. This is the default behavior + // prior to v1.23. + // - Warn: This will send a warning via the standard warning response + // header for each unknown field that is dropped from the object, and + // for each duplicate field that is encountered. The request will + // still succeed if there are no other errors, and will only persist + // the last of any duplicate fields. 
This is the default in v1.23+ + // - Strict: This will fail the request with a BadRequest error if + // any unknown fields would be dropped from the object, or if any + // duplicate fields are present. The error returned from the server + // will contain all unknown and duplicate fields encountered. + // +optional + fieldValidation?: string @go(FieldValidation) @protobuf(3,bytes) +} + +// Preconditions must be fulfilled before an operation (update, delete, etc.) is carried out. +#Preconditions: { + // Specifies the target UID. + // +optional + uid?: null | types.#UID @go(UID,*types.UID) @protobuf(1,bytes,opt,casttype=k8s.io/apimachinery/pkg/types.UID) + + // Specifies the target ResourceVersion + // +optional + resourceVersion?: null | string @go(ResourceVersion,*string) @protobuf(2,bytes,opt) +} + +// Status is a return value for calls that don't return other objects. +#Status: { + #TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: #ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Status of the operation. + // One of: "Success" or "Failure". + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: string @go(Status) @protobuf(2,bytes,opt) + + // A human-readable description of the status of this operation. + // +optional + message?: string @go(Message) @protobuf(3,bytes,opt) + + // A machine-readable description of why this operation is in the + // "Failure" status. If this value is empty there + // is no information available. A Reason clarifies an HTTP status + // code but does not override it. + // +optional + reason?: #StatusReason @go(Reason) @protobuf(4,bytes,opt,casttype=StatusReason) + + // Extended data associated with the reason. Each reason may define its + // own extended details. 
This field is optional and the data returned + // is not guaranteed to conform to any schema except that defined by + // the reason type. + // +optional + details?: null | #StatusDetails @go(Details,*StatusDetails) @protobuf(5,bytes,opt) + + // Suggested HTTP return code for this status, 0 if not set. + // +optional + code?: int32 @go(Code) @protobuf(6,varint,opt) +} + +// StatusDetails is a set of additional properties that MAY be set by the +// server to provide additional information about a response. The Reason +// field of a Status object defines what attributes will be set. Clients +// must ignore fields that do not match the defined type of each attribute, +// and should assume that any attribute may be empty, invalid, or under +// defined. +#StatusDetails: { + // The name attribute of the resource associated with the status StatusReason + // (when there is a single name which can be described). + // +optional + name?: string @go(Name) @protobuf(1,bytes,opt) + + // The group attribute of the resource associated with the status StatusReason. + // +optional + group?: string @go(Group) @protobuf(2,bytes,opt) + + // The kind attribute of the resource associated with the status StatusReason. + // On some operations may differ from the requested resource Kind. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + kind?: string @go(Kind) @protobuf(3,bytes,opt) + + // UID of the resource. + // (when there is a single resource which can be described). + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids + // +optional + uid?: types.#UID @go(UID) @protobuf(6,bytes,opt,casttype=k8s.io/apimachinery/pkg/types.UID) + + // The Causes array includes more details associated with the StatusReason + // failure. Not all StatusReasons may provide detailed causes. 
+ // +optional + causes?: [...#StatusCause] @go(Causes,[]StatusCause) @protobuf(4,bytes,rep) + + // If specified, the time in seconds before the operation should be retried. Some errors may indicate + // the client must take an alternate action - for those errors this field may indicate how long to wait + // before taking the alternate action. + // +optional + retryAfterSeconds?: int32 @go(RetryAfterSeconds) @protobuf(5,varint,opt) +} + +#StatusSuccess: "Success" +#StatusFailure: "Failure" + +// StatusReason is an enumeration of possible failure causes. Each StatusReason +// must map to a single HTTP status code, but multiple reasons may map +// to the same HTTP status code. +// TODO: move to apiserver +#StatusReason: string // #enumStatusReason + +#enumStatusReason: + #StatusReasonUnknown | + #StatusReasonUnauthorized | + #StatusReasonForbidden | + #StatusReasonNotFound | + #StatusReasonAlreadyExists | + #StatusReasonConflict | + #StatusReasonGone | + #StatusReasonInvalid | + #StatusReasonServerTimeout | + #StatusReasonTimeout | + #StatusReasonTooManyRequests | + #StatusReasonBadRequest | + #StatusReasonMethodNotAllowed | + #StatusReasonNotAcceptable | + #StatusReasonRequestEntityTooLarge | + #StatusReasonUnsupportedMediaType | + #StatusReasonInternalError | + #StatusReasonExpired | + #StatusReasonServiceUnavailable + +// StatusReasonUnknown means the server has declined to indicate a specific reason. +// The details field may contain other information about this error. +// Status code 500. +#StatusReasonUnknown: #StatusReason & "" + +// StatusReasonUnauthorized means the server can be reached and understood the request, but requires +// the user to present appropriate authorization credentials (identified by the WWW-Authenticate header) +// in order for the action to be completed. If the user has specified credentials on the request, the +// server considers them insufficient. 
+// Status code 401 +#StatusReasonUnauthorized: #StatusReason & "Unauthorized" + +// StatusReasonForbidden means the server can be reached and understood the request, but refuses +// to take any further action. It is the result of the server being configured to deny access for some reason +// to the requested resource by the client. +// Details (optional): +// "kind" string - the kind attribute of the forbidden resource +// on some operations may differ from the requested +// resource. +// "id" string - the identifier of the forbidden resource +// Status code 403 +#StatusReasonForbidden: #StatusReason & "Forbidden" + +// StatusReasonNotFound means one or more resources required for this operation +// could not be found. +// Details (optional): +// "kind" string - the kind attribute of the missing resource +// on some operations may differ from the requested +// resource. +// "id" string - the identifier of the missing resource +// Status code 404 +#StatusReasonNotFound: #StatusReason & "NotFound" + +// StatusReasonAlreadyExists means the resource you are creating already exists. +// Details (optional): +// "kind" string - the kind attribute of the conflicting resource +// "id" string - the identifier of the conflicting resource +// Status code 409 +#StatusReasonAlreadyExists: #StatusReason & "AlreadyExists" + +// StatusReasonConflict means the requested operation cannot be completed +// due to a conflict in the operation. The client may need to alter the +// request. Each resource may define custom details that indicate the +// nature of the conflict. +// Status code 409 +#StatusReasonConflict: #StatusReason & "Conflict" + +// StatusReasonGone means the item is no longer available at the server and no +// forwarding address is known. +// Status code 410 +#StatusReasonGone: #StatusReason & "Gone" + +// StatusReasonInvalid means the requested create or update operation cannot be +// completed due to invalid data provided as part of the request. 
The client may +// need to alter the request. When set, the client may use the StatusDetails +// message field as a summary of the issues encountered. +// Details (optional): +// "kind" string - the kind attribute of the invalid resource +// "id" string - the identifier of the invalid resource +// "causes" - one or more StatusCause entries indicating the data in the +// provided resource that was invalid. The code, message, and +// field attributes will be set. +// Status code 422 +#StatusReasonInvalid: #StatusReason & "Invalid" + +// StatusReasonServerTimeout means the server can be reached and understood the request, +// but cannot complete the action in a reasonable time. The client should retry the request. +// This is may be due to temporary server load or a transient communication issue with +// another server. Status code 500 is used because the HTTP spec provides no suitable +// server-requested client retry and the 5xx class represents actionable errors. +// Details (optional): +// "kind" string - the kind attribute of the resource being acted on. +// "id" string - the operation that is being attempted. +// "retryAfterSeconds" int32 - the number of seconds before the operation should be retried +// Status code 500 +#StatusReasonServerTimeout: #StatusReason & "ServerTimeout" + +// StatusReasonTimeout means that the request could not be completed within the given time. +// Clients can get this response only when they specified a timeout param in the request, +// or if the server cannot complete the operation within a reasonable amount of time. +// The request might succeed with an increased value of timeout param. The client *should* +// wait at least the number of seconds specified by the retryAfterSeconds field. 
+// Details (optional): +// "retryAfterSeconds" int32 - the number of seconds before the operation should be retried +// Status code 504 +#StatusReasonTimeout: #StatusReason & "Timeout" + +// StatusReasonTooManyRequests means the server experienced too many requests within a +// given window and that the client must wait to perform the action again. A client may +// always retry the request that led to this error, although the client should wait at least +// the number of seconds specified by the retryAfterSeconds field. +// Details (optional): +// "retryAfterSeconds" int32 - the number of seconds before the operation should be retried +// Status code 429 +#StatusReasonTooManyRequests: #StatusReason & "TooManyRequests" + +// StatusReasonBadRequest means that the request itself was invalid, because the request +// doesn't make any sense, for example deleting a read-only object. This is different than +// StatusReasonInvalid above which indicates that the API call could possibly succeed, but the +// data was invalid. API calls that return BadRequest can never succeed. +// Status code 400 +#StatusReasonBadRequest: #StatusReason & "BadRequest" + +// StatusReasonMethodNotAllowed means that the action the client attempted to perform on the +// resource was not supported by the code - for instance, attempting to delete a resource that +// can only be created. API calls that return MethodNotAllowed can never succeed. +// Status code 405 +#StatusReasonMethodNotAllowed: #StatusReason & "MethodNotAllowed" + +// StatusReasonNotAcceptable means that the accept types indicated by the client were not acceptable +// to the server - for instance, attempting to receive protobuf for a resource that supports only json and yaml. +// API calls that return NotAcceptable can never succeed. +// Status code 406 +#StatusReasonNotAcceptable: #StatusReason & "NotAcceptable" + +// StatusReasonRequestEntityTooLarge means that the request entity is too large. 
+// Status code 413 +#StatusReasonRequestEntityTooLarge: #StatusReason & "RequestEntityTooLarge" + +// StatusReasonUnsupportedMediaType means that the content type sent by the client is not acceptable +// to the server - for instance, attempting to send protobuf for a resource that supports only json and yaml. +// API calls that return UnsupportedMediaType can never succeed. +// Status code 415 +#StatusReasonUnsupportedMediaType: #StatusReason & "UnsupportedMediaType" + +// StatusReasonInternalError indicates that an internal error occurred, it is unexpected +// and the outcome of the call is unknown. +// Details (optional): +// "causes" - The original error +// Status code 500 +#StatusReasonInternalError: #StatusReason & "InternalError" + +// StatusReasonExpired indicates that the request is invalid because the content you are requesting +// has expired and is no longer available. It is typically associated with watches that can't be +// serviced. +// Status code 410 (gone) +#StatusReasonExpired: #StatusReason & "Expired" + +// StatusReasonServiceUnavailable means that the request itself was valid, +// but the requested service is unavailable at this time. +// Retrying the request after some time might succeed. +// Status code 503 +#StatusReasonServiceUnavailable: #StatusReason & "ServiceUnavailable" + +// StatusCause provides more information about an api.Status failure, including +// cases when multiple errors are encountered. +#StatusCause: { + // A machine-readable description of the cause of the error. If this value is + // empty there is no information available. + // +optional + reason?: #CauseType @go(Type) @protobuf(1,bytes,opt,casttype=CauseType) + + // A human-readable description of the cause of the error. This field may be + // presented as-is to a reader. + // +optional + message?: string @go(Message) @protobuf(2,bytes,opt) + + // The field of the resource that has caused this error, as named by its JSON + // serialization. 
May include dot and postfix notation for nested attributes. + // Arrays are zero-indexed. Fields may appear more than once in an array of + // causes due to fields having multiple errors. + // Optional. + // + // Examples: + // "name" - the field "name" on the current resource + // "items[0].name" - the field "name" on the first array entry in "items" + // +optional + field?: string @go(Field) @protobuf(3,bytes,opt) +} + +// CauseType is a machine readable value providing more detail about what +// occurred in a status response. An operation may have multiple causes for a +// status (whether Failure or Success). +#CauseType: string // #enumCauseType + +#enumCauseType: + #CauseTypeFieldValueNotFound | + #CauseTypeFieldValueRequired | + #CauseTypeFieldValueDuplicate | + #CauseTypeFieldValueInvalid | + #CauseTypeFieldValueNotSupported | + #CauseTypeForbidden | + #CauseTypeTooLong | + #CauseTypeTooMany | + #CauseTypeInternal | + #CauseTypeTypeInvalid | + #CauseTypeUnexpectedServerResponse | + #CauseTypeFieldManagerConflict | + #CauseTypeResourceVersionTooLarge + +// CauseTypeFieldValueNotFound is used to report failure to find a requested value +// (e.g. looking up an ID). +#CauseTypeFieldValueNotFound: #CauseType & "FieldValueNotFound" + +// CauseTypeFieldValueRequired is used to report required values that are not +// provided (e.g. empty strings, null values, or empty arrays). +#CauseTypeFieldValueRequired: #CauseType & "FieldValueRequired" + +// CauseTypeFieldValueDuplicate is used to report collisions of values that must be +// unique (e.g. unique IDs). +#CauseTypeFieldValueDuplicate: #CauseType & "FieldValueDuplicate" + +// CauseTypeFieldValueInvalid is used to report malformed values (e.g. failed regex +// match). +#CauseTypeFieldValueInvalid: #CauseType & "FieldValueInvalid" + +// CauseTypeFieldValueNotSupported is used to report valid (as per formatting rules) +// values that can not be handled (e.g. an enumerated string). 
+#CauseTypeFieldValueNotSupported: #CauseType & "FieldValueNotSupported" + +// CauseTypeForbidden is used to report valid (as per formatting rules) +// values which would be accepted under some conditions, but which are not +// permitted by the current conditions (such as security policy). See +// Forbidden(). +#CauseTypeForbidden: #CauseType & "FieldValueForbidden" + +// CauseTypeTooLong is used to report that the given value is too long. +// This is similar to ErrorTypeInvalid, but the error will not include the +// too-long value. See TooLong(). +#CauseTypeTooLong: #CauseType & "FieldValueTooLong" + +// CauseTypeTooMany is used to report "too many". This is used to +// report that a given list has too many items. This is similar to FieldValueTooLong, +// but the error indicates quantity instead of length. +#CauseTypeTooMany: #CauseType & "FieldValueTooMany" + +// CauseTypeInternal is used to report other errors that are not related +// to user input. See InternalError(). +#CauseTypeInternal: #CauseType & "InternalError" + +// CauseTypeTypeInvalid is for the value did not match the schema type for that field +#CauseTypeTypeInvalid: #CauseType & "FieldValueTypeInvalid" + +// CauseTypeUnexpectedServerResponse is used to report when the server responded to the client +// without the expected return type. The presence of this cause indicates the error may be +// due to an intervening proxy or the server software malfunctioning. +#CauseTypeUnexpectedServerResponse: #CauseType & "UnexpectedServerResponse" + +// FieldManagerConflict is used to report when another client claims to manage this field, +// It should only be returned for a request using server-side apply. +#CauseTypeFieldManagerConflict: #CauseType & "FieldManagerConflict" + +// CauseTypeResourceVersionTooLarge is used to report that the requested resource version +// is newer than the data observed by the API server, so the request cannot be served. 
+#CauseTypeResourceVersionTooLarge: #CauseType & "ResourceVersionTooLarge" + +// List holds a list of objects, which may not be known by the server. +#List: { + #TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: #ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of objects + items: [...runtime.#RawExtension] @go(Items,[]runtime.RawExtension) @protobuf(2,bytes,rep) +} + +// APIVersions lists the versions that are available, to allow clients to +// discover the API at /api, which is the root path of the legacy v1 API. +// +// +protobuf.options.(gogoproto.goproto_stringer)=false +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +#APIVersions: { + #TypeMeta + + // versions are the api versions that are available. + versions: [...string] @go(Versions,[]string) @protobuf(1,bytes,rep) + + // a map of client CIDR to server address that is serving this group. + // This is to help clients reach servers in the most network-efficient way possible. + // Clients can use the appropriate server address as per the CIDR that they match. + // In case of multiple matches, clients should use the longest matching CIDR. + // The server returns only those CIDRs that it thinks that the client can match. + // For example: the master will return an internal IP CIDR only, if the client reaches the server using an internal IP. + // Server looks at X-Forwarded-For header or X-Real-Ip header or request.RemoteAddr (in that order) to get the client IP. + serverAddressByClientCIDRs: [...#ServerAddressByClientCIDR] @go(ServerAddressByClientCIDRs,[]ServerAddressByClientCIDR) @protobuf(2,bytes,rep) +} + +// APIGroupList is a list of APIGroup, to allow clients to discover the API at +// /apis. +#APIGroupList: { + #TypeMeta + + // groups is a list of APIGroup. 
+ groups: [...#APIGroup] @go(Groups,[]APIGroup) @protobuf(1,bytes,rep) +} + +// APIGroup contains the name, the supported versions, and the preferred version +// of a group. +#APIGroup: { + #TypeMeta + + // name is the name of the group. + name: string @go(Name) @protobuf(1,bytes,opt) + + // versions are the versions supported in this group. + versions: [...#GroupVersionForDiscovery] @go(Versions,[]GroupVersionForDiscovery) @protobuf(2,bytes,rep) + + // preferredVersion is the version preferred by the API server, which + // probably is the storage version. + // +optional + preferredVersion?: #GroupVersionForDiscovery @go(PreferredVersion) @protobuf(3,bytes,opt) + + // a map of client CIDR to server address that is serving this group. + // This is to help clients reach servers in the most network-efficient way possible. + // Clients can use the appropriate server address as per the CIDR that they match. + // In case of multiple matches, clients should use the longest matching CIDR. + // The server returns only those CIDRs that it thinks that the client can match. + // For example: the master will return an internal IP CIDR only, if the client reaches the server using an internal IP. + // Server looks at X-Forwarded-For header or X-Real-Ip header or request.RemoteAddr (in that order) to get the client IP. + // +optional + serverAddressByClientCIDRs?: [...#ServerAddressByClientCIDR] @go(ServerAddressByClientCIDRs,[]ServerAddressByClientCIDR) @protobuf(4,bytes,rep) +} + +// ServerAddressByClientCIDR helps the client to determine the server address that they should use, depending on the clientCIDR that they match. +#ServerAddressByClientCIDR: { + // The CIDR with which clients can match their IP to figure out the server address that they should use. + clientCIDR: string @go(ClientCIDR) @protobuf(1,bytes,opt) + + // Address of this server, suitable for a client that matches the above CIDR. + // This can be a hostname, hostname:port, IP or IP:port. 
+ serverAddress: string @go(ServerAddress) @protobuf(2,bytes,opt) +} + +// GroupVersion contains the "group/version" and "version" string of a version. +// It is made a struct to keep extensibility. +#GroupVersionForDiscovery: { + // groupVersion specifies the API group and version in the form "group/version" + groupVersion: string @go(GroupVersion) @protobuf(1,bytes,opt) + + // version specifies the version in the form of "version". This is to save + // the clients the trouble of splitting the GroupVersion. + version: string @go(Version) @protobuf(2,bytes,opt) +} + +// APIResource specifies the name of a resource and whether it is namespaced. +#APIResource: { + // name is the plural name of the resource. + name: string @go(Name) @protobuf(1,bytes,opt) + + // singularName is the singular name of the resource. This allows clients to handle plural and singular opaquely. + // The singularName is more correct for reporting status on a single item and both singular and plural are allowed + // from the kubectl CLI interface. + singularName: string @go(SingularName) @protobuf(6,bytes,opt) + + // namespaced indicates if a resource is namespaced or not. + namespaced: bool @go(Namespaced) @protobuf(2,varint,opt) + + // group is the preferred group of the resource. Empty implies the group of the containing resource list. + // For subresources, this may have a different value, for example: Scale". + group?: string @go(Group) @protobuf(8,bytes,opt) + + // version is the preferred version of the resource. Empty implies the version of the containing resource list + // For subresources, this may have a different value, for example: v1 (while inside a v1beta1 version of the core resource's group)". + version?: string @go(Version) @protobuf(9,bytes,opt) + + // kind is the kind for the resource (e.g. 
'Foo' is the kind for a resource 'foo') + kind: string @go(Kind) @protobuf(3,bytes,opt) + + // verbs is a list of supported kube verbs (this includes get, list, watch, create, + // update, patch, delete, deletecollection, and proxy) + verbs: #Verbs @go(Verbs) @protobuf(4,bytes,opt) + + // shortNames is a list of suggested short names of the resource. + shortNames?: [...string] @go(ShortNames,[]string) @protobuf(5,bytes,rep) + + // categories is a list of the grouped resources this resource belongs to (e.g. 'all') + categories?: [...string] @go(Categories,[]string) @protobuf(7,bytes,rep) + + // The hash value of the storage version, the version this resource is + // converted to when written to the data store. Value must be treated + // as opaque by clients. Only equality comparison on the value is valid. + // This is an alpha feature and may change or be removed in the future. + // The field is populated by the apiserver only if the + // StorageVersionHash feature gate is enabled. + // This field will remain optional even if it graduates. + // +optional + storageVersionHash?: string @go(StorageVersionHash) @protobuf(10,bytes,opt) +} + +// Verbs masks the value so protobuf can generate +// +// +protobuf.nullable=true +// +protobuf.options.(gogoproto.goproto_stringer)=false +#Verbs: [...string] + +// APIResourceList is a list of APIResource, it is used to expose the name of the +// resources supported in a specific group and version, and if the resource +// is namespaced. +#APIResourceList: { + #TypeMeta + + // groupVersion is the group and version this APIResourceList is for. + groupVersion: string @go(GroupVersion) @protobuf(1,bytes,opt) + + // resources contains the name of the resources and if they are namespaced. + resources: [...#APIResource] @go(APIResources,[]APIResource) @protobuf(2,bytes,rep) +} + +// RootPaths lists the paths available at root. +// For example: "/healthz", "/apis". +#RootPaths: { + // paths are the paths available at root. 
+ paths: [...string] @go(Paths,[]string) @protobuf(1,bytes,rep) +} + +// Patch is provided to give a concrete name and type to the Kubernetes PATCH request body. +#Patch: { +} + +// A label selector is a label query over a set of resources. The result of matchLabels and +// matchExpressions are ANDed. An empty label selector matches all objects. A null +// label selector matches no objects. +// +structType=atomic +#LabelSelector: { + // matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + // map is equivalent to an element of matchExpressions, whose key field is "key", the + // operator is "In", and the values array contains only "value". The requirements are ANDed. + // +optional + matchLabels?: {[string]: string} @go(MatchLabels,map[string]string) @protobuf(1,bytes,rep) + + // matchExpressions is a list of label selector requirements. The requirements are ANDed. + // +optional + matchExpressions?: [...#LabelSelectorRequirement] @go(MatchExpressions,[]LabelSelectorRequirement) @protobuf(2,bytes,rep) +} + +// A label selector requirement is a selector that contains values, a key, and an operator that +// relates the key and values. +#LabelSelectorRequirement: { + // key is the label key that the selector applies to. + key: string @go(Key) @protobuf(1,bytes,opt) + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator: #LabelSelectorOperator @go(Operator) @protobuf(2,bytes,opt,casttype=LabelSelectorOperator) + + // values is an array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists or DoesNotExist, + // the values array must be empty. This array is replaced during a strategic + // merge patch. + // +optional + values?: [...string] @go(Values,[]string) @protobuf(3,bytes,rep) +} + +// A label selector operator is the set of operators that can be used in a selector requirement. 
+#LabelSelectorOperator: string // #enumLabelSelectorOperator + +#enumLabelSelectorOperator: + #LabelSelectorOpIn | + #LabelSelectorOpNotIn | + #LabelSelectorOpExists | + #LabelSelectorOpDoesNotExist + +#LabelSelectorOpIn: #LabelSelectorOperator & "In" +#LabelSelectorOpNotIn: #LabelSelectorOperator & "NotIn" +#LabelSelectorOpExists: #LabelSelectorOperator & "Exists" +#LabelSelectorOpDoesNotExist: #LabelSelectorOperator & "DoesNotExist" + +// ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource +// that the fieldset applies to. +#ManagedFieldsEntry: { + // Manager is an identifier of the workflow managing these fields. + manager?: string @go(Manager) @protobuf(1,bytes,opt) + + // Operation is the type of operation which lead to this ManagedFieldsEntry being created. + // The only valid values for this field are 'Apply' and 'Update'. + operation?: #ManagedFieldsOperationType @go(Operation) @protobuf(2,bytes,opt,casttype=ManagedFieldsOperationType) + + // APIVersion defines the version of this resource that this field set + // applies to. The format is "group/version" just like the top-level + // APIVersion field. It is necessary to track the version of a field + // set because it cannot be automatically converted. + apiVersion?: string @go(APIVersion) @protobuf(3,bytes,opt) + + // Time is the timestamp of when the ManagedFields entry was added. The + // timestamp will also be updated if a field is added, the manager + // changes any of the owned fields value or removes a field. The + // timestamp does not update when a field is removed from the entry + // because another manager took it over. + // +optional + time?: null | #Time @go(Time,*Time) @protobuf(4,bytes,opt) + + // FieldsType is the discriminator for the different fields format and version. 
+ // There is currently only one possible value: "FieldsV1" + fieldsType?: string @go(FieldsType) @protobuf(6,bytes,opt) + + // FieldsV1 holds the first JSON version format as described in the "FieldsV1" type. + // +optional + fieldsV1?: null | #FieldsV1 @go(FieldsV1,*FieldsV1) @protobuf(7,bytes,opt) + + // Subresource is the name of the subresource used to update that object, or + // empty string if the object was updated through the main resource. The + // value of this field is used to distinguish between managers, even if they + // share the same name. For example, a status update will be distinct from a + // regular update using the same manager name. + // Note that the APIVersion field is not related to the Subresource field and + // it always corresponds to the version of the main resource. + subresource?: string @go(Subresource) @protobuf(8,bytes,opt) +} + +// ManagedFieldsOperationType is the type of operation which lead to a ManagedFieldsEntry being created. +#ManagedFieldsOperationType: string // #enumManagedFieldsOperationType + +#enumManagedFieldsOperationType: + #ManagedFieldsOperationApply | + #ManagedFieldsOperationUpdate + +#ManagedFieldsOperationApply: #ManagedFieldsOperationType & "Apply" +#ManagedFieldsOperationUpdate: #ManagedFieldsOperationType & "Update" + +// FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format. +// +// Each key is either a '.' representing the field itself, and will always map to an empty set, +// or a string representing a sub-field or item. The string will follow one of these four formats: +// 'f:', where is the name of a field in a struct, or key in a map +// 'v:', where is the exact json formatted value of a list item +// 'i:', where is position of a item in a list +// 'k:', where is a map of a list item's key fields to their unique values +// If a key maps to an empty Fields value, the field that key represents is part of the set. 
+// +// The exact format is defined in sigs.k8s.io/structured-merge-diff +// +protobuf.options.(gogoproto.goproto_stringer)=false +#FieldsV1: _ + +// Table is a tabular representation of a set of API resources. The server transforms the +// object into a set of preferred columns for quickly reviewing the objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +protobuf=false +#Table: { + #TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: #ListMeta @go(ListMeta) + + // columnDefinitions describes each column in the returned items array. The number of cells per row + // will always match the number of column definitions. + columnDefinitions: [...#TableColumnDefinition] @go(ColumnDefinitions,[]TableColumnDefinition) + + // rows is the list of items in the table. + rows: [...#TableRow] @go(Rows,[]TableRow) +} + +// TableColumnDefinition contains information about a column returned in the Table. +// +protobuf=false +#TableColumnDefinition: { + // name is a human readable name for the column. + name: string @go(Name) + + // type is an OpenAPI type definition for this column, such as number, integer, string, or + // array. + // See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for more. + type: string @go(Type) + + // format is an optional OpenAPI type modifier for this column. A format modifies the type and + // imposes additional rules, like date or time formatting for a string. The 'name' format is applied + // to the primary identifier column which has type 'string' to assist in clients identifying column + // is the resource name. + // See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for more. + format: string @go(Format) + + // description is a human readable description of this column. 
+ description: string @go(Description) + + // priority is an integer defining the relative importance of this column compared to others. Lower + // numbers are considered higher priority. Columns that may be omitted in limited space scenarios + // should be given a higher priority. + priority: int32 @go(Priority) +} + +// TableRow is an individual row in a table. +// +protobuf=false +#TableRow: { + // cells will be as wide as the column definitions array and may contain strings, numbers (float64 or + // int64), booleans, simple maps, lists, or null. See the type field of the column definition for a + // more detailed description. + cells: [...] @go(Cells,[]interface{}) + + // conditions describe additional status of a row that are relevant for a human user. These conditions + // apply to the row, not to the object, and will be specific to table output. The only defined + // condition type is 'Completed', for a row that indicates a resource that has run to completion and + // can be given less visual priority. + // +optional + conditions?: [...#TableRowCondition] @go(Conditions,[]TableRowCondition) + + // This field contains the requested additional information about each object based on the includeObject + // policy when requesting the Table. If "None", this field is empty, if "Object" this will be the + // default serialization of the object for the current API version, and if "Metadata" (the default) will + // contain the object metadata. Check the returned kind and apiVersion of the object before parsing. + // The media type of the object will always match the enclosing list - if this as a JSON table, these + // will be JSON encoded objects. + // +optional + object?: runtime.#RawExtension @go(Object) +} + +// TableRowCondition allows a row to be marked with additional information. +// +protobuf=false +#TableRowCondition: { + // Type of row condition. 
The only defined value is 'Completed' indicating that the + // object this row represents has reached a completed state and may be given less visual + // priority than other rows. Clients are not required to honor any conditions but should + // be consistent where possible about handling the conditions. + type: #RowConditionType @go(Type) + + // Status of the condition, one of True, False, Unknown. + status: #ConditionStatus @go(Status) + + // (brief) machine readable reason for the condition's last transition. + // +optional + reason?: string @go(Reason) + + // Human readable message indicating details about last transition. + // +optional + message?: string @go(Message) +} + +#RowConditionType: string // #enumRowConditionType + +#enumRowConditionType: + #RowCompleted + +// RowCompleted means the underlying resource has reached completion and may be given less +// visual priority than other resources. +#RowCompleted: #RowConditionType & "Completed" + +#ConditionStatus: string // #enumConditionStatus + +#enumConditionStatus: + #ConditionTrue | + #ConditionFalse | + #ConditionUnknown + +#ConditionTrue: #ConditionStatus & "True" +#ConditionFalse: #ConditionStatus & "False" +#ConditionUnknown: #ConditionStatus & "Unknown" + +// IncludeObjectPolicy controls which portion of the object is returned with a Table. +#IncludeObjectPolicy: string // #enumIncludeObjectPolicy + +#enumIncludeObjectPolicy: + #IncludeNone | + #IncludeMetadata | + #IncludeObject + +// IncludeNone returns no object. +#IncludeNone: #IncludeObjectPolicy & "None" + +// IncludeMetadata serializes the object containing only its metadata field. +#IncludeMetadata: #IncludeObjectPolicy & "Metadata" + +// IncludeObject contains the full object. +#IncludeObject: #IncludeObjectPolicy & "Object" + +// TableOptions are used when a Table is requested by the caller. 
+// +k8s:conversion-gen:explicit-from=net/url.Values +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +#TableOptions: { + #TypeMeta + + // includeObject decides whether to include each object along with its columnar information. + // Specifying "None" will return no object, specifying "Object" will return the full object contents, and + // specifying "Metadata" (the default) will return the object's metadata in the PartialObjectMetadata kind + // in version v1beta1 of the meta.k8s.io API group. + includeObject?: #IncludeObjectPolicy @go(IncludeObject) @protobuf(1,bytes,opt,casttype=IncludeObjectPolicy) +} + +// PartialObjectMetadata is a generic representation of any object with ObjectMeta. It allows clients +// to get access to a particular ObjectMeta schema without knowing the details of the version. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +#PartialObjectMetadata: { + #TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: #ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) +} + +// PartialObjectMetadataList contains a list of objects containing only their metadata +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +#PartialObjectMetadataList: { + #TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: #ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items contains each of the included items. + items: [...#PartialObjectMetadata] @go(Items,[]PartialObjectMetadata) @protobuf(2,bytes,rep) +} + +// Condition contains details for one aspect of the current state of this API Resource. +// --- +// This struct is intended for direct use as an array at the field path .status.conditions. 
For example, +// +// type FooStatus struct{ +// // Represents the observations of a foo's current state. +// // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" +// // +patchMergeKey=type +// // +patchStrategy=merge +// // +listType=map +// // +listMapKey=type +// Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` +// +// // other fields +// } +#Condition: { + // type of condition in CamelCase or in foo.example.com/CamelCase. + // --- + // Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + // useful (see .node.status.conditions), the ability to deconflict is important. + // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` + // +kubebuilder:validation:MaxLength=316 + type: string @go(Type) @protobuf(1,bytes,opt) + + // status of the condition, one of True, False, Unknown. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Enum=True;False;Unknown + status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt) + + // observedGeneration represents the .metadata.generation that the condition was set based upon. + // For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + // with respect to the current state of the instance. + // +optional + // +kubebuilder:validation:Minimum=0 + observedGeneration?: int64 @go(ObservedGeneration) @protobuf(3,varint,opt) + + // lastTransitionTime is the last time the condition transitioned from one status to another. + // This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Type=string + // +kubebuilder:validation:Format=date-time + lastTransitionTime: #Time @go(LastTransitionTime) @protobuf(4,bytes,opt) + + // reason contains a programmatic identifier indicating the reason for the condition's last transition. + // Producers of specific condition types may define expected values and meanings for this field, + // and whether the values are considered a guaranteed API. + // The value should be a CamelCase string. + // This field may not be empty. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=1024 + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$` + reason: string @go(Reason) @protobuf(5,bytes,opt) + + // message is a human readable message indicating details about the transition. + // This may be an empty string. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=32768 + message: string @go(Message) @protobuf(6,bytes,opt) +} diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/watch_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/watch_go_gen.cue new file mode 100644 index 000000000..12f5f1b63 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/watch_go_gen.cue 
@@ -0,0 +1,30 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +package v1 + +import ( + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/watch" +) + +// Event represents a single event to a watched resource. +// +// +protobuf=true +// +k8s:deepcopy-gen=true +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +#WatchEvent: { + type: string @go(Type) @protobuf(1,bytes,opt) + + // Object is: + // * If Type is Added or Modified: the new state of the object. + // * If Type is Deleted: the state of the object immediately before deletion. + // * If Type is Error: *Status is recommended; other types may make sense + // depending on context. + object: runtime.#RawExtension @go(Object) @protobuf(2,bytes,opt) +} + +// InternalEvent makes watch.Event versioned +// +protobuf=false +#InternalEvent: watch.#Event diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/allocator_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/allocator_go_gen.cue new file mode 100644 index 000000000..43474c392 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/allocator_go_gen.cue @@ -0,0 +1,10 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// SimpleAllocator a wrapper around make([]byte) +// conforms to the MemoryAllocator interface +#SimpleAllocator: { +} diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/codec_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/codec_go_gen.cue new file mode 100644 index 000000000..a05de5d58 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/codec_go_gen.cue 
@@ -0,0 +1,37 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// codec binds an encoder and decoder. +_#codec: { + Encoder: #Encoder + Decoder: #Decoder +} + +// NoopEncoder converts an Decoder to a Serializer or Codec for code that expects them but only uses decoding. +#NoopEncoder: { + Decoder: #Decoder +} + +_#noopEncoderIdentifier: #Identifier & "noop" + +// NoopDecoder converts an Encoder to a Serializer or Codec for code that expects them but only uses encoding. +#NoopDecoder: { + Encoder: #Encoder +} + +_#base64Serializer: { + Encoder: #Encoder + Decoder: #Decoder +} + +_#internalGroupVersionerIdentifier: "internal" +_#disabledGroupVersionerIdentifier: "disabled" + +_#internalGroupVersioner: { +} + +_#disabledGroupVersioner: { +} diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/conversion_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/conversion_go_gen.cue new file mode 100644 index 000000000..ce6d644cb --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/conversion_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +// Package runtime defines conversions between generic types and structs to map query strings +// to struct objects. +package runtime diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/converter_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/converter_go_gen.cue new file mode 100644 index 000000000..f49ad1e36 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/converter_go_gen.cue 
@@ -0,0 +1,9 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// UnstructuredConverter is an interface for converting between interface{} +// and map[string]interface representation. +#UnstructuredConverter: _ diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/doc_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/doc_go_gen.cue new file mode 100644 index 000000000..89c5c51b3 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/doc_go_gen.cue 
@@ -0,0 +1,39 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +// Package runtime includes helper functions for working with API objects +// that follow the kubernetes API object conventions, which are: +// +// 0. Your API objects have a common metadata struct member, TypeMeta. +// +// 1. Your code refers to an internal set of API objects. +// +// 2. In a separate package, you have an external set of API objects. +// +// 3. The external set is considered to be versioned, and no breaking +// changes are ever made to it (fields may be added but not changed +// or removed). +// +// 4. As your api evolves, you'll make an additional versioned package +// with every major change. +// +// 5. Versioned packages have conversion functions which convert to +// and from the internal version. +// +// 6. You'll continue to support older versions according to your +// deprecation policy, and you can easily provide a program/library +// to update old versions into new versions because of 5. +// +// 7. All of your serializations and deserializations are handled in a +// centralized place. +// +// Package runtime provides a conversion helper to make 5 easy, and the +// Encode/Decode/DecodeInto trio to accomplish 7. You can also register +// additional "codecs" which use a version of your choice. It's +// recommended that you register your types with runtime in your +// package's init function. +// +// As a bonus, a few common types useful from all api objects and versions +// are provided in types.go. +package runtime diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/embedded_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/embedded_go_gen.cue new file mode 100644 index 000000000..d43f15f25 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/embedded_go_gen.cue 
@@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +_#encodable: _ diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/helper_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/helper_go_gen.cue new file mode 100644 index 000000000..ec8f1f070 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/helper_go_gen.cue @@ -0,0 +1,23 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// MultiObjectTyper returns the types of objects across multiple schemes in order. +#MultiObjectTyper: [...#ObjectTyper] + +_#defaultFramer: { +} + +// WithVersionEncoder serializes an object and ensures the GVK is set. +#WithVersionEncoder: { + Version: #GroupVersioner + Encoder: #Encoder + ObjectTyper: #ObjectTyper +} + +// WithoutVersionDecoder clears the group version kind of a deserialized object. +#WithoutVersionDecoder: { + Decoder: #Decoder +} diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/interfaces_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/interfaces_go_gen.cue new file mode 100644 index 000000000..22abcb620 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/interfaces_go_gen.cue 
@@ -0,0 +1,165 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// APIVersionInternal may be used if you are registering a type that should not +// be considered stable or serialized - it is a convention only and has no +// special behavior in this package. +#APIVersionInternal: "__internal" + +// GroupVersioner refines a set of possible conversion targets into a single option. +#GroupVersioner: _ + +// Identifier represents an identifier. +// Identitier of two different objects should be equal if and only if for every +// input the output they produce is exactly the same. +#Identifier: string // #enumIdentifier + +#enumIdentifier: + _#noopEncoderIdentifier + +// Encoder writes objects to a serialized form +#Encoder: _ + +// MemoryAllocator is responsible for allocating memory. +// By encapsulating memory allocation into its own interface, we can reuse the memory +// across many operations in places we know it can significantly improve the performance. +#MemoryAllocator: _ + +// EncoderWithAllocator serializes objects in a way that allows callers to manage any additional memory allocations. +#EncoderWithAllocator: _ + +// Decoder attempts to load an object from data. +#Decoder: _ + +// Serializer is the core interface for transforming objects into a serialized format and back. +// Implementations may choose to perform conversion of the object, but no assumptions should be made. +#Serializer: _ + +// Codec is a Serializer that deals with the details of versioning objects. It offers the same +// interface as Serializer, so this is a marker to consumers that care about the version of the objects +// they receive. +#Codec: #Serializer + +// ParameterCodec defines methods for serializing and deserializing API objects to url.Values and +// performing any necessary conversion. Unlike the normal Codec, query parameters are not self describing +// and the desired version must be specified. 
+#ParameterCodec: _ + +// Framer is a factory for creating readers and writers that obey a particular framing pattern. +#Framer: _ + +// SerializerInfo contains information about a specific serialization format +#SerializerInfo: { + // MediaType is the value that represents this serializer over the wire. + MediaType: string + + // MediaTypeType is the first part of the MediaType ("application" in "application/json"). + MediaTypeType: string + + // MediaTypeSubType is the second part of the MediaType ("json" in "application/json"). + MediaTypeSubType: string + + // EncodesAsText indicates this serializer can be encoded to UTF-8 safely. + EncodesAsText: bool + + // Serializer is the individual object serializer for this media type. + Serializer: #Serializer + + // PrettySerializer, if set, can serialize this object in a form biased towards + // readability. + PrettySerializer: #Serializer + + // StrictSerializer, if set, deserializes this object strictly, + // erring on unknown fields. + StrictSerializer: #Serializer + + // StreamSerializer, if set, describes the streaming serialization format + // for this media type. + StreamSerializer?: null | #StreamSerializerInfo @go(,*StreamSerializerInfo) +} + +// StreamSerializerInfo contains information about a specific stream serialization format +#StreamSerializerInfo: { + // EncodesAsText indicates this serializer can be encoded to UTF-8 safely. + EncodesAsText: bool + + // Serializer is the top level object serializer for this type when streaming + Serializer: #Serializer + + // Framer is the factory for retrieving streams that separate objects on the wire + Framer: #Framer +} + +// NegotiatedSerializer is an interface used for obtaining encoders, decoders, and serializers +// for multiple supported media types. This would commonly be accepted by a server component +// that performs HTTP content negotiation to accept multiple formats. 
+#NegotiatedSerializer: _ + +// ClientNegotiator handles turning an HTTP content type into the appropriate encoder. +// Use NewClientNegotiator or NewVersionedClientNegotiator to create this interface from +// a NegotiatedSerializer. +#ClientNegotiator: _ + +// StorageSerializer is an interface used for obtaining encoders, decoders, and serializers +// that can read and write data at rest. This would commonly be used by client tools that must +// read files, or server side storage interfaces that persist restful objects. +#StorageSerializer: _ + +// NestedObjectEncoder is an optional interface that objects may implement to be given +// an opportunity to encode any nested Objects / RawExtensions during serialization. +#NestedObjectEncoder: _ + +// NestedObjectDecoder is an optional interface that objects may implement to be given +// an opportunity to decode any nested Objects / RawExtensions during serialization. +// It is possible for DecodeNestedObjects to return a non-nil error but for the decoding +// to have succeeded in the case of strict decoding errors (e.g. unknown/duplicate fields). +// As such it is important for callers of DecodeNestedObjects to check to confirm whether +// an error is a runtime.StrictDecodingError before short circuiting. +// Similarly, implementations of DecodeNestedObjects should ensure that a runtime.StrictDecodingError +// is only returned when the rest of decoding has succeeded. +#NestedObjectDecoder: _ + +#ObjectDefaulter: _ + +#ObjectVersioner: _ + +// ObjectConvertor converts an object to a different version. +#ObjectConvertor: _ + +// ObjectTyper contains methods for extracting the APIVersion and Kind +// of objects. +#ObjectTyper: _ + +// ObjectCreater contains methods for instantiating an object by kind and version. 
+#ObjectCreater: _ + +// EquivalentResourceMapper provides information about resources that address the same underlying data as a specified resource +#EquivalentResourceMapper: _ + +// EquivalentResourceRegistry provides an EquivalentResourceMapper interface, +// and allows registering known resource[/subresource] -> kind +#EquivalentResourceRegistry: _ + +// ResourceVersioner provides methods for setting and retrieving +// the resource version from an API object. +#ResourceVersioner: _ + +// Namer provides methods for retrieving name and namespace of an API object. +#Namer: _ + +// Object interface must be supported by all API types registered with Scheme. Since objects in a scheme are +// expected to be serialized to the wire, the interface an Object must provide to the Scheme allows +// serializers to set the kind, version, and group the object is represented as. An Object may choose +// to return a no-op ObjectKindAccessor in cases where it is not expected to be serialized. +#Object: _ + +// CacheableObject allows an object to cache its different serializations +// to avoid performing the same serialization multiple times. +#CacheableObject: _ + +// Unstructured objects store values as map[string]interface{}, with only values that can be serialized +// to JSON allowed. +#Unstructured: _ diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/negotiate_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/negotiate_go_gen.cue new file mode 100644 index 000000000..7580f4676 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/negotiate_go_gen.cue @@ -0,0 +1,12 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// NegotiateError is returned when a ClientNegotiator is unable to locate +// a serializer for the requested operation. +#NegotiateError: { + ContentType: string + Stream: bool +} 
diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/splice_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/splice_go_gen.cue new file mode 100644 index 000000000..bd9c409a7 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/splice_go_gen.cue @@ -0,0 +1,12 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// Splice is the interface that wraps the Splice method. +// +// Splice moves data from given slice without copying the underlying data for +// efficiency purpose. Therefore, the caller should make sure the underlying +// data is not changed later. +#Splice: _ diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/swagger_doc_generator_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/swagger_doc_generator_go_gen.cue new file mode 100644 index 000000000..9dfc078b4 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/swagger_doc_generator_go_gen.cue @@ -0,0 +1,14 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// Pair of strings. We keed the name of fields and the doc +#Pair: { + Name: string + Doc: string +} + +// KubeTypes is an array to represent all available types in a parsed file. [0] is for the type itself +#KubeTypes: [...#Pair] diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/types_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/types_go_gen.cue new file mode 100644 index 000000000..d1ee609a2 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/types_go_gen.cue 
@@ -0,0 +1,97 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// TypeMeta is shared by all top level objects. The proper way to use it is to inline it in your type, +// like this: +// +// type MyAwesomeAPIObject struct { +// runtime.TypeMeta `json:",inline"` +// ... // other fields +// } +// +// func (obj *MyAwesomeAPIObject) SetGroupVersionKind(gvk *metav1.GroupVersionKind) { metav1.UpdateTypeMeta(obj,gvk) }; GroupVersionKind() *GroupVersionKind +// +// TypeMeta is provided here for convenience. You may use it directly from this package or define +// your own with the same fields. +// +// +k8s:deepcopy-gen=false +// +protobuf=true +// +k8s:openapi-gen=true +#TypeMeta: { + // +optional + apiVersion?: string @go(APIVersion) @protobuf(1,bytes,opt) + + // +optional + kind?: string @go(Kind) @protobuf(2,bytes,opt) +} + +#ContentTypeJSON: "application/json" +#ContentTypeYAML: "application/yaml" +#ContentTypeProtobuf: "application/vnd.kubernetes.protobuf" + +// RawExtension is used to hold extensions in external versions. +// +// To use this, make a field which has RawExtension as its type in your external, versioned +// struct, and Object in your internal struct. You also need to register your +// various plugin types. +// +// // Internal package: +// +// type MyAPIObject struct { +// runtime.TypeMeta `json:",inline"` +// MyPlugin runtime.Object `json:"myPlugin"` +// } +// +// type PluginA struct { +// AOption string `json:"aOption"` +// } +// +// // External package: +// +// type MyAPIObject struct { +// runtime.TypeMeta `json:",inline"` +// MyPlugin runtime.RawExtension `json:"myPlugin"` +// } +// +// type PluginA struct { +// AOption string `json:"aOption"` +// } +// +// // On the wire, the JSON will look something like this: +// +// { +// "kind":"MyAPIObject", +// "apiVersion":"v1", +// "myPlugin": { +// "kind":"PluginA", +// "aOption":"foo", +// }, +// } +// +// So what happens? 
Decode first uses json or yaml to unmarshal the serialized data into +// your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. +// The next step is to copy (using pkg/conversion) into the internal struct. The runtime +// package's DefaultScheme has conversion functions installed which will unpack the +// JSON stored in RawExtension, turning it into the correct object type, and storing it +// in the Object. (TODO: In the case where the object is of an unknown type, a +// runtime.Unknown object will be created and stored.) +// +// +k8s:deepcopy-gen=true +// +protobuf=true +// +k8s:openapi-gen=true +#RawExtension: _ + +// Unknown allows api objects with unknown types to be passed-through. This can be used +// to deal with the API objects from a plug-in. Unknown objects still have functioning +// TypeMeta features-- kind, version, etc. +// TODO: Make this object have easy access to field based accessors and settors for +// metadata and field mutatation. +// +// +k8s:deepcopy-gen=true +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +protobuf=true +// +k8s:openapi-gen=true +#Unknown: _ diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/types_proto_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/types_proto_go_gen.cue new file mode 100644 index 000000000..8b8ddf891 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/types_proto_go_gen.cue @@ -0,0 +1,9 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +#ProtobufMarshaller: _ + +#ProtobufReverseMarshaller: _ diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/types/doc_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/types/doc_go_gen.cue new file mode 100644 index 000000000..bfb4bcda3 --- /dev/null 
+++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/types/doc_go_gen.cue @@ -0,0 +1,6 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/types + +// Package types implements various generic types used throughout kubernetes. +package types diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/types/namespacedname_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/types/namespacedname_go_gen.cue new file mode 100644 index 000000000..7cb2745aa --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/types/namespacedname_go_gen.cue @@ -0,0 +1,12 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/types + +package types + +#NamespacedName: { + Namespace: string + Name: string +} + +#Separator: 47 // '/' diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/types/nodename_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/types/nodename_go_gen.cue new file mode 100644 index 000000000..8b264b80c --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/types/nodename_go_gen.cue 
@@ -0,0 +1,31 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/types + +package types + +// NodeName is a type that holds a api.Node's Name identifier. +// Being a type captures intent and helps make sure that the node name +// is not confused with similar concepts (the hostname, the cloud provider id, +// the cloud provider name etc) +// +// To clarify the various types: +// +// - Node.Name is the Name field of the Node in the API. This should be stored in a NodeName. +// Unfortunately, because Name is part of ObjectMeta, we can't store it as a NodeName at the API level. +// +// - Hostname is the hostname of the local machine (from uname -n). +// However, some components allow the user to pass in a --hostname-override flag, +// which will override this in most places. In the absence of anything more meaningful, +// kubelet will use Hostname as the Node.Name when it creates the Node. +// +// * The cloudproviders have the own names: GCE has InstanceName, AWS has InstanceId. +// +// For GCE, InstanceName is the Name of an Instance object in the GCE API. On GCE, Instance.Name becomes the +// Hostname, and thus it makes sense also to use it as the Node.Name. But that is GCE specific, and it is up +// to the cloudprovider how to do this mapping. +// +// For AWS, the InstanceID is not yet suitable for use as a Node.Name, so we actually use the +// PrivateDnsName for the Node.Name. And this is _not_ always the same as the hostname: if +// we are using a custom DHCP domain it won't be. +#NodeName: string diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/types/patch_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/types/patch_go_gen.cue new file mode 100644 index 000000000..3de5d80f9 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/types/patch_go_gen.cue 
@@ -0,0 +1,21 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/types + +package types + +// Similarly to above, these are constants to support HTTP PATCH utilized by +// both the client and server that didn't make sense for a whole package to be +// dedicated to. +#PatchType: string // #enumPatchType + +#enumPatchType: + #JSONPatchType | + #MergePatchType | + #StrategicMergePatchType | + #ApplyPatchType + +#JSONPatchType: #PatchType & "application/json-patch+json" +#MergePatchType: #PatchType & "application/merge-patch+json" +#StrategicMergePatchType: #PatchType & "application/strategic-merge-patch+json" +#ApplyPatchType: #PatchType & "application/apply-patch+yaml" diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/types/uid_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/types/uid_go_gen.cue new file mode 100644 index 000000000..40bdd8285 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/types/uid_go_gen.cue @@ -0,0 +1,10 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/types + +package types + +// UID is a type that holds unique ID values, including UUIDs. Because we +// don't ONLY use UUIDs, this is an alias to string. Being a type captures +// intent and helps make sure that UIDs and names do not get conflated. +#UID: string diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/util/intstr/intstr_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/util/intstr/intstr_go_gen.cue new file mode 100644 index 000000000..2c8cc3651 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/util/intstr/intstr_go_gen.cue 
@@ -0,0 +1,31 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/util/intstr + +package intstr + +// IntOrString is a type that can hold an int32 or a string. When used in +// JSON or YAML marshalling and unmarshalling, it produces or consumes the +// inner type. This allows you to have, for example, a JSON field that can +// accept a name or number. +// TODO: Rename to Int32OrString +// +// +protobuf=true +// +protobuf.options.(gogoproto.goproto_stringer)=false +// +k8s:openapi-gen=true +#IntOrString: _ + +// Type represents the stored type of IntOrString. +#Type: int64 // #enumType + +#enumType: + #Int | + #String + +#values_Type: { + Int: #Int + String: #String +} + +#Int: #Type & 0 +#String: #Type & 1 diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/watch/doc_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/watch/doc_go_gen.cue new file mode 100644 index 000000000..bc1b91894 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/watch/doc_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/watch + +// Package watch contains a generic watchable interface, and a fake for +// testing code that uses the watch interface. +package watch diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/watch/filter_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/watch/filter_go_gen.cue new file mode 100644 index 000000000..045e8ec85 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/watch/filter_go_gen.cue @@ -0,0 +1,10 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/watch + +package watch + +// Recorder records all events that are sent from the watch until it is closed. +#Recorder: { + Interface: #Interface +} 
diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/watch/mux_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/watch/mux_go_gen.cue new file mode 100644 index 000000000..dcf72d5b0 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/watch/mux_go_gen.cue @@ -0,0 +1,25 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/watch + +package watch + +// FullChannelBehavior controls how the Broadcaster reacts if a watcher's watch +// channel is full. +#FullChannelBehavior: int // #enumFullChannelBehavior + +#enumFullChannelBehavior: + #WaitIfChannelFull | + #DropIfChannelFull + +#values_FullChannelBehavior: { + WaitIfChannelFull: #WaitIfChannelFull + DropIfChannelFull: #DropIfChannelFull +} + +#WaitIfChannelFull: #FullChannelBehavior & 0 +#DropIfChannelFull: #FullChannelBehavior & 1 + +_#incomingQueueLength: 25 + +_#internalRunFunctionMarker: "internal-do-function" diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/watch/streamwatcher_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/watch/streamwatcher_go_gen.cue new file mode 100644 index 000000000..f0805cfb2 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/watch/streamwatcher_go_gen.cue @@ -0,0 +1,12 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/watch + +package watch + +// Decoder allows StreamWatcher to watch any stream for which a Decoder can be written. +#Decoder: _ + +// Reporter hides the details of how an error is turned into a runtime.Object for +// reporting on a watch stream since this package may not import a higher level report. +#Reporter: _ diff --git a/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/watch/watch_go_gen.cue b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/watch/watch_go_gen.cue new file mode 100644 index 000000000..0db2e6be1 --- /dev/null 
+++ b/k8s/timoni/gateway/cue.mod/gen/k8s.io/apimachinery/pkg/watch/watch_go_gen.cue @@ -0,0 +1,48 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/watch + +package watch + +import "k8s.io/apimachinery/pkg/runtime" + +// Interface can be implemented by anything that knows how to watch and report changes. +#Interface: _ + +// EventType defines the possible types of events. +#EventType: string // #enumEventType + +#enumEventType: + #Added | + #Modified | + #Deleted | + #Bookmark | + #Error + +#Added: #EventType & "ADDED" +#Modified: #EventType & "MODIFIED" +#Deleted: #EventType & "DELETED" +#Bookmark: #EventType & "BOOKMARK" +#Error: #EventType & "ERROR" + +// Event represents a single event to a watched resource. +// +k8s:deepcopy-gen=true +#Event: { + Type: #EventType + + // Object is: + // * If Type is Added or Modified: the new state of the object. + // * If Type is Deleted: the state of the object immediately before deletion. + // * If Type is Bookmark: the object (instance of a type being watched) where + // only ResourceVersion field is set. On successful restart of watch from a + // bookmark resourceVersion, client is guaranteed to not get repeat event + // nor miss any events. + // * If Type is Error: *api.Status is recommended; other types may make sense + // depending on context. + Object: runtime.#Object +} + +// RaceFreeFakeWatcher lets you test anything that consumes a watch.Interface; threadsafe. +#RaceFreeFakeWatcher: { + Stopped: bool +} diff --git a/k8s/timoni/gateway/cue.mod/module.cue b/k8s/timoni/gateway/cue.mod/module.cue new file mode 100644 index 000000000..3004290e3 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/module.cue @@ -0,0 +1,2 @@ +module: "timoni.sh/gateway" +language: version: "v0.9.0" diff --git a/k8s/timoni/gateway/cue.mod/pkg/timoni.sh/core/v1alpha1/action.cue b/k8s/timoni/gateway/cue.mod/pkg/timoni.sh/core/v1alpha1/action.cue new file mode 100644 index 000000000..2c579e99d 
--- /dev/null +++ b/k8s/timoni/gateway/cue.mod/pkg/timoni.sh/core/v1alpha1/action.cue @@ -0,0 +1,26 @@ +// Copyright 2023 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +// Action holds the list of annotations for controlling +// Timoni's apply behaviour of Kubernetes resources. +Action: { + // Force annotation for recreating immutable resources such as Kubernetes Jobs. + Force: { + "action.timoni.sh/force": ActionStatus.Enabled + } + // One-off annotation for appling resources only if they don't exist on the cluster. + Oneoff: { + "action.timoni.sh/one-off": ActionStatus.Enabled + } + // Keep annotation for preventing Timoni's garbage collector from deleting resources. + Keep: { + "action.timoni.sh/prune": ActionStatus.Disabled + } +} + +ActionStatus: { + Enabled: "enabled" + Disabled: "disabled" +} diff --git a/k8s/timoni/gateway/cue.mod/pkg/timoni.sh/core/v1alpha1/image.cue b/k8s/timoni/gateway/cue.mod/pkg/timoni.sh/core/v1alpha1/image.cue new file mode 100644 index 000000000..1535ea43f --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/pkg/timoni.sh/core/v1alpha1/image.cue 
@@ -0,0 +1,50 @@ +// Copyright 2023 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + "strings" +) + +// Image defines the schema for OCI image reference used in Kubernetes PodSpec container image. +#Image: { + + // Repository is the address of a container registry repository. + // An image repository is made up of slash-separated name components, optionally + // prefixed by a registry hostname and port in the format [HOST[:PORT_NUMBER]/]PATH. + repository!: string + + // Tag identifies an image in the repository. + // A tag name may contain lowercase and uppercase characters, digits, underscores, periods and dashes. + // A tag name may not start with a period or a dash and may contain a maximum of 128 characters. + tag!: string & strings.MaxRunes(128) + + // Digest uniquely and immutably identifies an image in the repository. + // Spec: https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests. + digest!: string + + // PullPolicy defines the pull policy for the image. + // By default, it is set to IfNotPresent. + pullPolicy: *"IfNotPresent" | "Always" | "Never" + + // Reference is the image address computed from repository, tag and digest + // in the format [REPOSITORY]:[TAG]@[DIGEST]. + reference: string + + if digest != "" && tag != "" { + reference: "\(repository):\(tag)@\(digest)" + } + + if digest != "" && tag == "" { + reference: "\(repository)@\(digest)" + } + + if digest == "" && tag != "" { + reference: "\(repository):\(tag)" + } + + if digest == "" && tag == "" { + reference: "\(repository):latest" + } +} diff --git a/k8s/timoni/gateway/cue.mod/pkg/timoni.sh/core/v1alpha1/imagepullsecret.cue b/k8s/timoni/gateway/cue.mod/pkg/timoni.sh/core/v1alpha1/imagepullsecret.cue new file mode 100644 index 000000000..19f098967 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/pkg/timoni.sh/core/v1alpha1/imagepullsecret.cue 
@@ -0,0 +1,47 @@ +// Copyright 2024 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + "encoding/base64" + "strings" +) + +// ImagePullSecret is a generator for Kubernetes Secrets of type kubernetes.io/dockerconfigjson. +// Spec: https://kubernetes.io/docs/concepts/configuration/secret/#docker-config-secrets. +#ImagePullSecret: { + // Metadata is the Kubernetes object's metadata generated by Timoni. + #Meta!: #Metadata + + // Registry is the hostname of the container registry in the format [HOST[:PORT_NUMBER]]. + #Registry!: string + + // Username is the username used to authenticate to the container registry. + #Username!: string + + // Password is the password used to authenticate to the container registry. + #Password!: string + + // Optional suffix used to generate the Secret name. + #Suffix: *"" | string & strings.MaxRunes(30) + + let auth = base64.Encode(null, #Username+":"+#Password) + + apiVersion: "v1" + kind: "Secret" + type: "kubernetes.io/dockerconfigjson" + metadata: { + name: #Meta.name + #Suffix + namespace: #Meta.namespace + labels: #Meta.labels + if #Meta.annotations != _|_ { + annotations: #Meta.annotations + } + } + stringData: { + ".dockerconfigjson": """ + {"auths": {"\(#Registry)": {"username": "\(#Username)","password": "\(#Password)","auth": "\(auth)"}}} + """ + } +} diff --git a/k8s/timoni/gateway/cue.mod/pkg/timoni.sh/core/v1alpha1/immutable.cue b/k8s/timoni/gateway/cue.mod/pkg/timoni.sh/core/v1alpha1/immutable.cue new file mode 100644 index 000000000..7b31c23e4 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/pkg/timoni.sh/core/v1alpha1/immutable.cue 
@@ -0,0 +1,49 @@ +// Copyright 2024 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + "encoding/json" + "strings" + "uuid" +) + +#ConfigMapKind: "ConfigMap" +#SecretKind: "Secret" + +// ImmutableConfig is a generator for immutable Kubernetes ConfigMaps and Secrets. +// The metadata.name of the generated object is suffixed with the hash of the input data. +#ImmutableConfig: { + // Kind of the generated object. + #Kind: *#ConfigMapKind | #SecretKind + + // Metadata of the generated object. + #Meta: #Metadata + + // Optional suffix appended to the generate name. + #Suffix: *"" | string + + // Data of the generated object. + #Data: {[string]: string} + + let hash = strings.Split(uuid.SHA1(uuid.ns.DNS, json.Marshal(#Data)), "-")[0] + + apiVersion: "v1" + kind: #Kind + metadata: { + name: #Meta.name + #Suffix + "-" + hash + namespace: #Meta.namespace + labels: #Meta.labels + if #Meta.annotations != _|_ { + annotations: #Meta.annotations + } + } + immutable: true + if kind == #ConfigMapKind { + data: #Data + } + if kind == #SecretKind { + stringData: #Data + } +} diff --git a/k8s/timoni/gateway/cue.mod/pkg/timoni.sh/core/v1alpha1/instance.cue b/k8s/timoni/gateway/cue.mod/pkg/timoni.sh/core/v1alpha1/instance.cue new file mode 100644 index 000000000..ad96b0621 --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/pkg/timoni.sh/core/v1alpha1/instance.cue 
@@ -0,0 +1,27 @@ +// Copyright 2023 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import "strings" + +// InstanceName defines the schema for the name of a Timoni instance. +// The instance name is used as a Kubernetes label value and must be 63 characters or less. +#InstanceName: string & =~"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" & strings.MinRunes(1) & strings.MaxRunes(63) + +// InstanceNamespace defines the schema for the namespace of a Timoni instance. +// The instance namespace is used as a Kubernetes label value and must be 63 characters or less. +#InstanceNamespace: string & =~"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" & strings.MinRunes(1) & strings.MaxRunes(63) + +// InstanceOwnerReference defines the schema for Kubernetes labels used to denote ownership. +#InstanceOwnerReference: { + #Name: "instance.timoni.sh/name" + #Namespace: "instance.timoni.sh/namespace" +} + +// InstanceModule defines the schema for the Module of a Timoni instance. +#InstanceModule: { + url: string & =~"^((oci|file)://.*)$" + version: *"latest" | string + digest?: string +} diff --git a/k8s/timoni/gateway/cue.mod/pkg/timoni.sh/core/v1alpha1/metadata.cue b/k8s/timoni/gateway/cue.mod/pkg/timoni.sh/core/v1alpha1/metadata.cue new file mode 100644 index 000000000..188ff505d --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/pkg/timoni.sh/core/v1alpha1/metadata.cue 
@@ -0,0 +1,120 @@ +// Copyright 2023 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import "strings" + +// Annotations defines the schema for Kubernetes object metadata annotations. +#Annotations: {[string & strings.MaxRunes(253)]: string} + +// Labels defines the schema for Kubernetes object metadata labels. +#Labels: {[string & strings.MaxRunes(253)]: string & =~"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" & strings.MaxRunes(63)} + +#StdLabelName: "app.kubernetes.io/name" +#StdLabelVersion: "app.kubernetes.io/version" +#StdLabelPartOf: "app.kubernetes.io/part-of" +#StdLabelManagedBy: "app.kubernetes.io/managed-by" +#StdLabelComponent: "app.kubernetes.io/component" +#StdLabelInstance: "app.kubernetes.io/instance" + +// Metadata defines the schema for Kubernetes object metadata. +#Metadata: { + // Version should be in the strict semver format. Is required when creating resources. + #Version!: string & strings.MaxRunes(63) + + // Name must be unique within a namespace. Is required when creating resources. + // Name is primarily intended for creation idempotence and configuration definition. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names + name!: #InstanceName + + // Namespace defines the space within which each name must be unique. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces + namespace!: #InstanceNamespace + + // Annotations is an unstructured key value map stored with a resource that may be + // set to store and retrieve arbitrary metadata. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations + annotations?: #Annotations + + // Map of string keys and values that can be used to organize and categorize (scope and select) objects. 
+ // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels + labels: #Labels + + // Standard Kubernetes labels: app name, version and managed-by. + labels: { + (#StdLabelName): name + (#StdLabelVersion): #Version + (#StdLabelManagedBy): "timoni" + } + + // LabelSelector selects Pods based on the app.kubernetes.io/name label. + #LabelSelector: #Labels & { + (#StdLabelName): name + } + + // Finalizers are namespaced keys that tell Kubernetes to wait until specific conditions + // are met before it fully deletes resources marked for deletion. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/finalizers/ + finalizers?: [...string] +} + +// MetaComponent generates the Kubernetes object metadata for a module namespaced component. +// The metadata.name is composed of the instance name and the component name. +// The metadata.labels contain the app.kubernetes.io/component label. +#MetaComponent: { + // Meta is the Kubernetes object's metadata generated by Timoni. + #Meta!: #Metadata + + // Component is the name of the component used + // as a suffix for the generate object name. + #Component!: string & strings.MaxRunes(30) + + name: #Meta.name + "-" + #Component + namespace: #Meta.namespace + + labels: #Meta.labels + labels: (#StdLabelComponent): #Component + + annotations?: #Annotations + if #Meta.annotations != _|_ { + annotations: #Meta.annotations + } + + // LabelSelector selects Pods based on the app.kubernetes.io/name + // and app.kubernetes.io/component labels. + #LabelSelector: #Labels & { + (#StdLabelComponent): #Component + (#StdLabelName): #Meta.name + } +} + +// MetaClusterComponent generates the Kubernetes object metadata for a module non-namespaced component. +// The metadata.name is composed of the instance name and the component name. +// The metadata.namespace is unset. +// The metadata.labels contain the app.kubernetes.io/component label. 
+#MetaClusterComponent: { + // Meta is the Kubernetes object's metadata generated by Timoni. + #Meta!: #Metadata + + // Component is the name of the component used + // as a suffix for the generate object name. + #Component!: string & strings.MaxRunes(30) + + name: #Meta.name + "-" + #Component + + labels: #Meta.labels + labels: (#StdLabelComponent): #Component + + annotations?: #Annotations + if #Meta.annotations != _|_ { + annotations: #Meta.annotations + } + + // LabelSelector selects Pods based on the app.kubernetes.io/name + // and app.kubernetes.io/component labels. + #LabelSelector: #Labels & { + (#StdLabelComponent): #Component + (#StdLabelName): #Meta.name + } +} diff --git a/k8s/timoni/gateway/cue.mod/pkg/timoni.sh/core/v1alpha1/object.cue b/k8s/timoni/gateway/cue.mod/pkg/timoni.sh/core/v1alpha1/object.cue new file mode 100644 index 000000000..1dcdb699e --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/pkg/timoni.sh/core/v1alpha1/object.cue @@ -0,0 +1,21 @@ +// Copyright 2023 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import "strings" + +// ObjectReference is a reference to a Kubernetes object. +#ObjectReference: { + // Name of the referent. + name!: string & strings.MaxRunes(256) + + // Namespace of the referent. + namespace?: string & strings.MaxRunes(256) + + // API version of the referent. + apiVersion?: string & strings.MaxRunes(256) + + // Kind of the referent. + kind?: string & strings.MaxRunes(256) +} diff --git a/k8s/timoni/gateway/cue.mod/pkg/timoni.sh/core/v1alpha1/requirements.cue b/k8s/timoni/gateway/cue.mod/pkg/timoni.sh/core/v1alpha1/requirements.cue new file mode 100644 index 000000000..d3b5573ae --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/pkg/timoni.sh/core/v1alpha1/requirements.cue 
@@ -0,0 +1,40 @@ +// Copyright 2023 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + "strconv" + "strings" +) + +// CPUQuantity is a string that is validated as a quantity of CPU, such as 100m or 2000m. +#CPUQuantity: string & =~"^[1-9]\\d*m$" + +// MemoryQuantity is a string that is validated as a quantity of memory, such as 128Mi or 2Gi. +#MemoryQuantity: string & =~"^[1-9]\\d*(Mi|Gi)$" + +// ResourceRequirement defines the schema for the CPU and Memory resource requirements. +#ResourceRequirement: { + cpu?: #CPUQuantity + memory?: #MemoryQuantity +} + +// ResourceRequirements defines the schema for the compute resource requirements of a container. +// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/. +#ResourceRequirements: { + // Limits describes the maximum amount of compute resources allowed. + limits?: #ResourceRequirement + + // Requests describes the minimum amount of compute resources required. + // Requests cannot exceed Limits. + requests?: #ResourceRequirement & { + if limits != _|_ { + if limits.cpu != _|_ { + _lc: strconv.Atoi(strings.Split(limits.cpu, "m")[0]) + _rc: strconv.Atoi(strings.Split(requests.cpu, "m")[0]) + #cpu: int & >=_rc & _lc + } + } + } +} diff --git a/k8s/timoni/gateway/cue.mod/pkg/timoni.sh/core/v1alpha1/selector.cue b/k8s/timoni/gateway/cue.mod/pkg/timoni.sh/core/v1alpha1/selector.cue new file mode 100644 index 000000000..9c4f2384b --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/pkg/timoni.sh/core/v1alpha1/selector.cue 
@@ -0,0 +1,19 @@ +// Copyright 2023 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +// Selector defines the schema for Kubernetes Pod label selector used in Deployments, Services, Jobs, etc. +#Selector: { + // Name must be unique within a namespace. Is required when creating resources. + // Name is primarily intended for creation idempotence and configuration definition. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names + #Name!: #InstanceName + + // Map of string keys and values that can be used to organize and categorize (scope and select) objects. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels + labels: #Labels + + // Standard Kubernetes label: app name. + labels: (#StdLabelName): #Name +} diff --git a/k8s/timoni/gateway/cue.mod/pkg/timoni.sh/core/v1alpha1/semver.cue b/k8s/timoni/gateway/cue.mod/pkg/timoni.sh/core/v1alpha1/semver.cue new file mode 100644 index 000000000..ecd1e397f --- /dev/null +++ b/k8s/timoni/gateway/cue.mod/pkg/timoni.sh/core/v1alpha1/semver.cue 
@@ -0,0 +1,29 @@ +// Copyright 2023 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + "strconv" + "strings" +) + +// SemVer validates the input version string and extracts the major and minor version numbers. +// When Minimum is set, the major and minor parts must be greater or equal to the minimum +// or a validation error is returned. +#SemVer: { + // Input version string in strict semver format. + #Version!: string & =~"^\\d+\\.\\d+\\.\\d+(-[0-9A-Za-z-]+(\\.[0-9A-Za-z-]+)*)?(\\+[0-9A-Za-z-]+(\\.[0-9A-Za-z-]+)*)?$" + + // Minimum is the minimum allowed MAJOR.MINOR version. + #Minimum: *"0.0.0" | string & =~"^\\d+\\.\\d+\\.\\d+(-[0-9A-Za-z-]+(\\.[0-9A-Za-z-]+)*)?(\\+[0-9A-Za-z-]+(\\.[0-9A-Za-z-]+)*)?$" + + let minMajor = strconv.Atoi(strings.Split(#Minimum, ".")[0]) + let minMinor = strconv.Atoi(strings.Split(#Minimum, ".")[1]) + + major: int & >=minMajor + major: strconv.Atoi(strings.Split(#Version, ".")[0]) + + minor: int & >=minMinor + minor: strconv.Atoi(strings.Split(#Version, ".")[1]) +} diff --git a/k8s/timoni/gateway/templates/config.cue b/k8s/timoni/gateway/templates/config.cue new file mode 100644 index 000000000..2e2b34be1 --- /dev/null +++ b/k8s/timoni/gateway/templates/config.cue @@ -0,0 +1,25 @@ +package templates + +import ( + timoniv1 "timoni.sh/core/v1alpha1" +) + +#Config: { + kubeVersion!: string + moduleVersion!: string + + metadata: timoniv1.#Metadata & {#Version: moduleVersion} + metadata: labels: timoniv1.#Labels + metadata: annotations?: timoniv1.#Annotations + + selector: timoniv1.#Selector & {#Name: metadata.name} +} + +#Instance: { + config: #Config + + objects: { + gatewayclass: #GatewayClass & {#config: config} + gateway: #Gateway & {#config: config} + } +} diff --git a/k8s/timoni/gateway/templates/gateway.cue b/k8s/timoni/gateway/templates/gateway.cue new file mode 100644 index 000000000..ed17ad798 --- /dev/null +++ b/k8s/timoni/gateway/templates/gateway.cue 
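Review bot: In `templates/config.cue`, `kubeVersion!: string` is required but nothing in `#Config` constrains it, and neither template in this module reads it, so a malformed or unsupported cluster version passes evaluation silently. The vendored `timoniv1.#SemVer` definition fits this case; something like `clusterVersion: timoniv1.#SemVer & {#Version: kubeVersion, #Minimum: "<MIN_K8S_VERSION>"}` would make the bundle fail early. `selector` is also computed but, as far as the visible templates show, never referenced. Either drop it or add a comment saying what it is reserved for.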
@@ -0,0 +1,28 @@
+package templates
+
+import (
+ gatewayv1 "gateway.networking.k8s.io/gateway/v1"
+)
+
+#Gateway: gatewayv1.#Gateway & {
+ #config: #Config
+ apiVersion: "gateway.networking.k8s.io/v1"
+ kind: "Gateway"
+ metadata: #config.metadata
+ spec: {
+ gatewayClassName: metadata.name
+ listeners: [{
+ name: "tls"
+ port: 443
+ protocol: "HTTPS"
+ tls: {
+ mode: "Terminate"
+ certificateRefs: [{
+ group: ""
+ kind: "Secret"
+ name: metadata.name
+ }]
+ }
+ }]
+ }
+}
diff --git a/k8s/timoni/gateway/templates/gatewayclass.cue b/k8s/timoni/gateway/templates/gatewayclass.cue
new file mode 100644
index 000000000..401819365
--- /dev/null
+++ b/k8s/timoni/gateway/templates/gatewayclass.cue
@@ -0,0 +1,13 @@
+package templates
+
+import (
+ gatewayv1 "gateway.networking.k8s.io/gatewayclass/v1"
+)
+
+#GatewayClass: gatewayv1.#GatewayClass & {
+ #config: #Config
+ apiVersion: "gateway.networking.k8s.io/v1"
+ kind: "GatewayClass"
+ metadata: #config.metadata
+ spec: controllerName: "gateway.envoyproxy.io/gatewayclass-controller"
+}
diff --git a/k8s/timoni/gateway/timoni.cue b/k8s/timoni/gateway/timoni.cue
new file mode 100644
index 000000000..1827afaef
--- /dev/null
+++ b/k8s/timoni/gateway/timoni.cue
@@ -0,0 +1,25 @@
+package main
+
+import (
+ templates "timoni.sh/gateway/templates"
+)
+
+values: templates.#Config
+
+timoni: {
+ apiVersion: "v1alpha1"
+
+ instance: templates.#Instance & {
+ config: values
+ config: {
+ metadata: {
+ name: string @tag(name)
+ namespace: string @tag(namespace)
+ }
+ moduleVersion: string @tag(mv, var=moduleVersion)
+ kubeVersion: string @tag(kv, var=kubeVersion)
+ }
+ }
+
+ apply: app: [for obj in instance.objects {obj}]
+}
diff --git a/k8s/timoni/gateway/timoni.ignore b/k8s/timoni/gateway/timoni.ignore
new file mode 100644
index 000000000..0722c3486
--- /dev/null
+++ b/k8s/timoni/gateway/timoni.ignore
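Review bot: In k8s/timoni/gateway/templates/gateway.cue the HTTPS listener terminates TLS with a Secret named `metadata.name`, but `#Instance.objects` in config.cue only emits the GatewayClass and the Gateway, so this module never creates that Secret. If it is missing, or is not a TLS-type Secret in the Gateway's namespace, the listener will not become ready, and the template gives no hint of the dependency. I would add a comment above `certificateRefs`, e.g. `// The TLS Secret must already exist in the instance namespace; this module does not create it.`, and consider exposing the secret name through `#Config` rather than tying it to the instance name. The listener also sets neither `hostname` nor `allowedRoutes`, so it relies on API defaults. Writing `allowedRoutes: namespaces: from: "Same"` explicitly would make the route-attachment policy visible in review.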
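Review bot: In k8s/timoni/gateway/templates/gatewayclass.cue, `metadata: #config.metadata` reuses the namespaced instance metadata for a GatewayClass, which is a cluster-scoped kind. timoni.cue in this commit fills `config.metadata.namespace` from a tag, so the rendered GatewayClass carries a namespace that at best is ignored. Its name is also cluster-global, so two instances with the same name in different namespaces would both claim the same GatewayClass. Consider building the metadata without the namespace, e.g. `metadata: {name: #config.metadata.name, labels: #config.metadata.labels}`, and adding a comment that the object is cluster-scoped and shared. Whether the vendored timoni package offers a dedicated cluster-scoped metadata helper is not visible in this hunk.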
@@ -0,0 +1,14 @@
+# VCS
+.git/
+.gitignore
+.gitmodules
+.gitattributes
+
+# Go
+vendor/
+go.mod
+go.sum
+
+# CUE
+*_tool.cue
+debug_values.cue
diff --git a/k8s/timoni/gateway/values.cue b/k8s/timoni/gateway/values.cue
new file mode 100644
index 000000000..17bc0aff9
--- /dev/null
+++ b/k8s/timoni/gateway/values.cue
@@ -0,0 +1,3 @@
+package main
+
+values: {}
diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/api/core/v1/annotation_key_constants_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/api/core/v1/annotation_key_constants_go_gen.cue
new file mode 100644
index 000000000..3a3027906
--- /dev/null
+++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/api/core/v1/annotation_key_constants_go_gen.cue
@@ -0,0 +1,147 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/core/v1 + +package v1 + +// ImagePolicyFailedOpenKey is added to pods created by failing open when the image policy +// webhook backend fails. +#ImagePolicyFailedOpenKey: "alpha.image-policy.k8s.io/failed-open" + +// MirrorAnnotationKey represents the annotation key set by kubelets when creating mirror pods +#MirrorPodAnnotationKey: "kubernetes.io/config.mirror" + +// TolerationsAnnotationKey represents the key of tolerations data (json serialized) +// in the Annotations of a Pod. +#TolerationsAnnotationKey: "scheduler.alpha.kubernetes.io/tolerations" + +// TaintsAnnotationKey represents the key of taints data (json serialized) +// in the Annotations of a Node. +#TaintsAnnotationKey: "scheduler.alpha.kubernetes.io/taints" + +// SeccompPodAnnotationKey represents the key of a seccomp profile applied +// to all containers of a pod. +// Deprecated: set a pod security context `seccompProfile` field. +#SeccompPodAnnotationKey: "seccomp.security.alpha.kubernetes.io/pod" + +// SeccompContainerAnnotationKeyPrefix represents the key of a seccomp profile applied +// to one container of a pod. +// Deprecated: set a container security context `seccompProfile` field. +#SeccompContainerAnnotationKeyPrefix: "container.seccomp.security.alpha.kubernetes.io/" + +// SeccompProfileRuntimeDefault represents the default seccomp profile used by container runtime. +// Deprecated: set a pod or container security context `seccompProfile` of type "RuntimeDefault" instead. +#SeccompProfileRuntimeDefault: "runtime/default" + +// SeccompProfileNameUnconfined is the unconfined seccomp profile. +#SeccompProfileNameUnconfined: "unconfined" + +// SeccompLocalhostProfileNamePrefix is the prefix for specifying profiles loaded from the node's disk. 
+#SeccompLocalhostProfileNamePrefix: "localhost/" + +// AppArmorBetaContainerAnnotationKeyPrefix is the prefix to an annotation key specifying a container's apparmor profile. +#AppArmorBetaContainerAnnotationKeyPrefix: "container.apparmor.security.beta.kubernetes.io/" + +// AppArmorBetaDefaultProfileAnnotationKey is the annotation key specifying the default AppArmor profile. +#AppArmorBetaDefaultProfileAnnotationKey: "apparmor.security.beta.kubernetes.io/defaultProfileName" + +// AppArmorBetaAllowedProfilesAnnotationKey is the annotation key specifying the allowed AppArmor profiles. +#AppArmorBetaAllowedProfilesAnnotationKey: "apparmor.security.beta.kubernetes.io/allowedProfileNames" + +// AppArmorBetaProfileRuntimeDefault is the profile specifying the runtime default. +#AppArmorBetaProfileRuntimeDefault: "runtime/default" + +// AppArmorBetaProfileNamePrefix is the prefix for specifying profiles loaded on the node. +#AppArmorBetaProfileNamePrefix: "localhost/" + +// AppArmorBetaProfileNameUnconfined is the Unconfined AppArmor profile +#AppArmorBetaProfileNameUnconfined: "unconfined" + +// DeprecatedSeccompProfileDockerDefault represents the default seccomp profile used by docker. +// Deprecated: set a pod or container security context `seccompProfile` of type "RuntimeDefault" instead. +#DeprecatedSeccompProfileDockerDefault: "docker/default" + +// PreferAvoidPodsAnnotationKey represents the key of preferAvoidPods data (json serialized) +// in the Annotations of a Node. +#PreferAvoidPodsAnnotationKey: "scheduler.alpha.kubernetes.io/preferAvoidPods" + +// ObjectTTLAnnotationKey represents a suggestion for kubelet for how long it can cache +// an object (e.g. secret, config map) before fetching it again from apiserver. +// This annotation can be attached to node. +#ObjectTTLAnnotationKey: "node.alpha.kubernetes.io/ttl" + +// annotation key prefix used to identify non-convertible json paths. 
+#NonConvertibleAnnotationPrefix: "non-convertible.kubernetes.io" +_#kubectlPrefix: "kubectl.kubernetes.io/" + +// LastAppliedConfigAnnotation is the annotation used to store the previous +// configuration of a resource for use in a three way diff by UpdateApplyAnnotation. +#LastAppliedConfigAnnotation: "kubectl.kubernetes.io/last-applied-configuration" + +// AnnotationLoadBalancerSourceRangesKey is the key of the annotation on a service to set allowed ingress ranges on their LoadBalancers +// +// It should be a comma-separated list of CIDRs, e.g. `0.0.0.0/0` to +// allow full access (the default) or `18.0.0.0/8,56.0.0.0/8` to allow +// access only from the CIDRs currently allocated to MIT & the USPS. +// +// Not all cloud providers support this annotation, though AWS & GCE do. +#AnnotationLoadBalancerSourceRangesKey: "service.beta.kubernetes.io/load-balancer-source-ranges" + +// EndpointsLastChangeTriggerTime is the annotation key, set for endpoints objects, that +// represents the timestamp (stored as RFC 3339 date-time string, e.g. '2018-10-22T19:32:52.1Z') +// of the last change, of some Pod or Service object, that triggered the endpoints object change. +// In other words, if a Pod / Service changed at time T0, that change was observed by endpoints +// controller at T1, and the Endpoints object was changed at T2, the +// EndpointsLastChangeTriggerTime would be set to T0. +// +// The "endpoints change trigger" here means any Pod or Service change that resulted in the +// Endpoints object change. +// +// Given the definition of the "endpoints change trigger", please note that this annotation will +// be set ONLY for endpoints object changes triggered by either Pod or Service change. If the +// Endpoints object changes due to other reasons, this annotation won't be set (or updated if it's +// already set). 
+// +// This annotation will be used to compute the in-cluster network programming latency SLI, see +// https://github.com/kubernetes/community/blob/master/sig-scalability/slos/network_programming_latency.md +#EndpointsLastChangeTriggerTime: "endpoints.kubernetes.io/last-change-trigger-time" + +// EndpointsOverCapacity will be set on an Endpoints resource when it +// exceeds the maximum capacity of 1000 addresses. Initially the Endpoints +// controller will set this annotation with a value of "warning". In a +// future release, the controller may set this annotation with a value of +// "truncated" to indicate that any addresses exceeding the limit of 1000 +// have been truncated from the Endpoints resource. +#EndpointsOverCapacity: "endpoints.kubernetes.io/over-capacity" + +// MigratedPluginsAnnotationKey is the annotation key, set for CSINode objects, that is a comma-separated +// list of in-tree plugins that will be serviced by the CSI backend on the Node represented by CSINode. +// This annotation is used by the Attach Detach Controller to determine whether to use the in-tree or +// CSI Backend for a volume plugin on a specific node. +#MigratedPluginsAnnotationKey: "storage.alpha.kubernetes.io/migrated-plugins" + +// PodDeletionCost can be used to set to an int32 that represent the cost of deleting +// a pod compared to other pods belonging to the same ReplicaSet. Pods with lower +// deletion cost are preferred to be deleted before pods with higher deletion cost. +// Note that this is honored on a best-effort basis, and so it does not offer guarantees on +// pod deletion order. +// The implicit deletion cost for pods that don't set the annotation is 0, negative values are permitted. +// +// This annotation is beta-level and is only honored when PodDeletionCost feature is enabled. +#PodDeletionCost: "controller.kubernetes.io/pod-deletion-cost" + +// DeprecatedAnnotationTopologyAwareHints can be used to enable or disable +// Topology Aware Hints for a Service. 
This may be set to "Auto" or +// "Disabled". Any other value is treated as "Disabled". This annotation has +// been deprecated in favor of the "service.kubernetes.io/topology-mode" +// annotation. +#DeprecatedAnnotationTopologyAwareHints: "service.kubernetes.io/topology-aware-hints" + +// AnnotationTopologyMode can be used to enable or disable Topology Aware +// Routing for a Service. Well known values are "Auto" and "Disabled". +// Implementations may choose to develop new topology approaches, exposing +// them with domain-prefixed values. For example, "example.com/lowest-rtt" +// could be a valid implementation-specific value for this annotation. These +// heuristics will often populate topology hints on EndpointSlices, but that +// is not a requirement. +#AnnotationTopologyMode: "service.kubernetes.io/topology-mode" diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/api/core/v1/doc_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/api/core/v1/doc_go_gen.cue new file mode 100644 index 000000000..2bf1afce0 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/api/core/v1/doc_go_gen.cue @@ -0,0 +1,6 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/core/v1 + +// Package v1 is the v1 version of the core API. +package v1 diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/api/core/v1/register_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/api/core/v1/register_go_gen.cue new file mode 100644 index 000000000..29c24abce --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/api/core/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/core/v1 + +package v1 + +#GroupName: "" diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/api/core/v1/types_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/api/core/v1/types_go_gen.cue new file mode 100644 index 000000000..d87edcff5 --- /dev/null 
+++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/api/core/v1/types_go_gen.cue 
@@ -0,0 +1,7617 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/core/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/api/resource" + "k8s.io/apimachinery/pkg/util/intstr" + "k8s.io/apimachinery/pkg/types" +) + +// NamespaceDefault means the object is in the default namespace which is applied when not specified by clients +#NamespaceDefault: "default" + +// NamespaceAll is the default argument to specify on a context when you want to list or filter resources across all namespaces +#NamespaceAll: "" + +// NamespaceNodeLease is the namespace where we place node lease objects (used for node heartbeats) +#NamespaceNodeLease: "kube-node-lease" + +// Volume represents a named volume in a pod that may be accessed by any container in the pod. +#Volume: { + // name of the volume. + // Must be a DNS_LABEL and unique within the pod. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name: string @go(Name) @protobuf(1,bytes,opt) + + #VolumeSource +} + +// Represents the source of a volume to mount. +// Only one of its members may be specified. +#VolumeSource: { + // hostPath represents a pre-existing file or directory on the host + // machine that is directly exposed to the container. This is generally + // used for system agents or other privileged things that are allowed + // to see the host machine. Most containers will NOT need this. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + // --- + // TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not + // mount host directories as read/write. + // +optional + hostPath?: null | #HostPathVolumeSource @go(HostPath,*HostPathVolumeSource) @protobuf(1,bytes,opt) + + // emptyDir represents a temporary directory that shares a pod's lifetime. 
+ // More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + // +optional + emptyDir?: null | #EmptyDirVolumeSource @go(EmptyDir,*EmptyDirVolumeSource) @protobuf(2,bytes,opt) + + // gcePersistentDisk represents a GCE Disk resource that is attached to a + // kubelet's host machine and then exposed to the pod. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + // +optional + gcePersistentDisk?: null | #GCEPersistentDiskVolumeSource @go(GCEPersistentDisk,*GCEPersistentDiskVolumeSource) @protobuf(3,bytes,opt) + + // awsElasticBlockStore represents an AWS Disk resource that is attached to a + // kubelet's host machine and then exposed to the pod. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + // +optional + awsElasticBlockStore?: null | #AWSElasticBlockStoreVolumeSource @go(AWSElasticBlockStore,*AWSElasticBlockStoreVolumeSource) @protobuf(4,bytes,opt) + + // gitRepo represents a git repository at a particular revision. + // DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an + // EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir + // into the Pod's container. + // +optional + gitRepo?: null | #GitRepoVolumeSource @go(GitRepo,*GitRepoVolumeSource) @protobuf(5,bytes,opt) + + // secret represents a secret that should populate this volume. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + // +optional + secret?: null | #SecretVolumeSource @go(Secret,*SecretVolumeSource) @protobuf(6,bytes,opt) + + // nfs represents an NFS mount on the host that shares a pod's lifetime + // More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + // +optional + nfs?: null | #NFSVolumeSource @go(NFS,*NFSVolumeSource) @protobuf(7,bytes,opt) + + // iscsi represents an ISCSI Disk resource that is attached to a + // kubelet's host machine and then exposed to the pod. 
+ // More info: https://examples.k8s.io/volumes/iscsi/README.md + // +optional + iscsi?: null | #ISCSIVolumeSource @go(ISCSI,*ISCSIVolumeSource) @protobuf(8,bytes,opt) + + // glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md + // +optional + glusterfs?: null | #GlusterfsVolumeSource @go(Glusterfs,*GlusterfsVolumeSource) @protobuf(9,bytes,opt) + + // persistentVolumeClaimVolumeSource represents a reference to a + // PersistentVolumeClaim in the same namespace. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + // +optional + persistentVolumeClaim?: null | #PersistentVolumeClaimVolumeSource @go(PersistentVolumeClaim,*PersistentVolumeClaimVolumeSource) @protobuf(10,bytes,opt) + + // rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. + // More info: https://examples.k8s.io/volumes/rbd/README.md + // +optional + rbd?: null | #RBDVolumeSource @go(RBD,*RBDVolumeSource) @protobuf(11,bytes,opt) + + // flexVolume represents a generic volume resource that is + // provisioned/attached using an exec based plugin. + // +optional + flexVolume?: null | #FlexVolumeSource @go(FlexVolume,*FlexVolumeSource) @protobuf(12,bytes,opt) + + // cinder represents a cinder volume attached and mounted on kubelets host machine. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + // +optional + cinder?: null | #CinderVolumeSource @go(Cinder,*CinderVolumeSource) @protobuf(13,bytes,opt) + + // cephFS represents a Ceph FS mount on the host that shares a pod's lifetime + // +optional + cephfs?: null | #CephFSVolumeSource @go(CephFS,*CephFSVolumeSource) @protobuf(14,bytes,opt) + + // flocker represents a Flocker volume attached to a kubelet's host machine. 
This depends on the Flocker control service being running + // +optional + flocker?: null | #FlockerVolumeSource @go(Flocker,*FlockerVolumeSource) @protobuf(15,bytes,opt) + + // downwardAPI represents downward API about the pod that should populate this volume + // +optional + downwardAPI?: null | #DownwardAPIVolumeSource @go(DownwardAPI,*DownwardAPIVolumeSource) @protobuf(16,bytes,opt) + + // fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod. + // +optional + fc?: null | #FCVolumeSource @go(FC,*FCVolumeSource) @protobuf(17,bytes,opt) + + // azureFile represents an Azure File Service mount on the host and bind mount to the pod. + // +optional + azureFile?: null | #AzureFileVolumeSource @go(AzureFile,*AzureFileVolumeSource) @protobuf(18,bytes,opt) + + // configMap represents a configMap that should populate this volume + // +optional + configMap?: null | #ConfigMapVolumeSource @go(ConfigMap,*ConfigMapVolumeSource) @protobuf(19,bytes,opt) + + // vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine + // +optional + vsphereVolume?: null | #VsphereVirtualDiskVolumeSource @go(VsphereVolume,*VsphereVirtualDiskVolumeSource) @protobuf(20,bytes,opt) + + // quobyte represents a Quobyte mount on the host that shares a pod's lifetime + // +optional + quobyte?: null | #QuobyteVolumeSource @go(Quobyte,*QuobyteVolumeSource) @protobuf(21,bytes,opt) + + // azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. 
+ // +optional + azureDisk?: null | #AzureDiskVolumeSource @go(AzureDisk,*AzureDiskVolumeSource) @protobuf(22,bytes,opt) + + // photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine + photonPersistentDisk?: null | #PhotonPersistentDiskVolumeSource @go(PhotonPersistentDisk,*PhotonPersistentDiskVolumeSource) @protobuf(23,bytes,opt) + + // projected items for all in one resources secrets, configmaps, and downward API + projected?: null | #ProjectedVolumeSource @go(Projected,*ProjectedVolumeSource) @protobuf(26,bytes,opt) + + // portworxVolume represents a portworx volume attached and mounted on kubelets host machine + // +optional + portworxVolume?: null | #PortworxVolumeSource @go(PortworxVolume,*PortworxVolumeSource) @protobuf(24,bytes,opt) + + // scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. + // +optional + scaleIO?: null | #ScaleIOVolumeSource @go(ScaleIO,*ScaleIOVolumeSource) @protobuf(25,bytes,opt) + + // storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. + // +optional + storageos?: null | #StorageOSVolumeSource @go(StorageOS,*StorageOSVolumeSource) @protobuf(27,bytes,opt) + + // csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature). + // +optional + csi?: null | #CSIVolumeSource @go(CSI,*CSIVolumeSource) @protobuf(28,bytes,opt) + + // ephemeral represents a volume that is handled by a cluster storage driver. + // The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, + // and deleted when the pod is removed. 
+ // + // Use this if: + // a) the volume is only needed while the pod runs, + // b) features of normal volumes like restoring from snapshot or capacity + // tracking are needed, + // c) the storage driver is specified through a storage class, and + // d) the storage driver supports dynamic volume provisioning through + // a PersistentVolumeClaim (see EphemeralVolumeSource for more + // information on the connection between this volume type + // and PersistentVolumeClaim). + // + // Use PersistentVolumeClaim or one of the vendor-specific + // APIs for volumes that persist for longer than the lifecycle + // of an individual pod. + // + // Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to + // be used that way - see the documentation of the driver for + // more information. + // + // A pod can use both types of ephemeral volumes and + // persistent volumes at the same time. + // + // +optional + ephemeral?: null | #EphemeralVolumeSource @go(Ephemeral,*EphemeralVolumeSource) @protobuf(29,bytes,opt) +} + +// PersistentVolumeClaimVolumeSource references the user's PVC in the same namespace. +// This volume finds the bound PV and mounts that volume for the pod. A +// PersistentVolumeClaimVolumeSource is, essentially, a wrapper around another +// type of volume that is owned by someone else (the system). +#PersistentVolumeClaimVolumeSource: { + // claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + claimName: string @go(ClaimName) @protobuf(1,bytes,opt) + + // readOnly Will force the ReadOnly setting in VolumeMounts. + // Default false. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(2,varint,opt) +} + +// PersistentVolumeSource is similar to VolumeSource but meant for the +// administrator who creates PVs. Exactly one of its members must be set. 
+#PersistentVolumeSource: { + // gcePersistentDisk represents a GCE Disk resource that is attached to a + // kubelet's host machine and then exposed to the pod. Provisioned by an admin. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + // +optional + gcePersistentDisk?: null | #GCEPersistentDiskVolumeSource @go(GCEPersistentDisk,*GCEPersistentDiskVolumeSource) @protobuf(1,bytes,opt) + + // awsElasticBlockStore represents an AWS Disk resource that is attached to a + // kubelet's host machine and then exposed to the pod. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + // +optional + awsElasticBlockStore?: null | #AWSElasticBlockStoreVolumeSource @go(AWSElasticBlockStore,*AWSElasticBlockStoreVolumeSource) @protobuf(2,bytes,opt) + + // hostPath represents a directory on the host. + // Provisioned by a developer or tester. + // This is useful for single-node development and testing only! + // On-host storage is not supported in any way and WILL NOT WORK in a multi-node cluster. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + // +optional + hostPath?: null | #HostPathVolumeSource @go(HostPath,*HostPathVolumeSource) @protobuf(3,bytes,opt) + + // glusterfs represents a Glusterfs volume that is attached to a host and + // exposed to the pod. Provisioned by an admin. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md + // +optional + glusterfs?: null | #GlusterfsPersistentVolumeSource @go(Glusterfs,*GlusterfsPersistentVolumeSource) @protobuf(4,bytes,opt) + + // nfs represents an NFS mount on the host. Provisioned by an admin. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + // +optional + nfs?: null | #NFSVolumeSource @go(NFS,*NFSVolumeSource) @protobuf(5,bytes,opt) + + // rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. 
+ // More info: https://examples.k8s.io/volumes/rbd/README.md + // +optional + rbd?: null | #RBDPersistentVolumeSource @go(RBD,*RBDPersistentVolumeSource) @protobuf(6,bytes,opt) + + // iscsi represents an ISCSI Disk resource that is attached to a + // kubelet's host machine and then exposed to the pod. Provisioned by an admin. + // +optional + iscsi?: null | #ISCSIPersistentVolumeSource @go(ISCSI,*ISCSIPersistentVolumeSource) @protobuf(7,bytes,opt) + + // cinder represents a cinder volume attached and mounted on kubelets host machine. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + // +optional + cinder?: null | #CinderPersistentVolumeSource @go(Cinder,*CinderPersistentVolumeSource) @protobuf(8,bytes,opt) + + // cephFS represents a Ceph FS mount on the host that shares a pod's lifetime + // +optional + cephfs?: null | #CephFSPersistentVolumeSource @go(CephFS,*CephFSPersistentVolumeSource) @protobuf(9,bytes,opt) + + // fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod. + // +optional + fc?: null | #FCVolumeSource @go(FC,*FCVolumeSource) @protobuf(10,bytes,opt) + + // flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running + // +optional + flocker?: null | #FlockerVolumeSource @go(Flocker,*FlockerVolumeSource) @protobuf(11,bytes,opt) + + // flexVolume represents a generic volume resource that is + // provisioned/attached using an exec based plugin. + // +optional + flexVolume?: null | #FlexPersistentVolumeSource @go(FlexVolume,*FlexPersistentVolumeSource) @protobuf(12,bytes,opt) + + // azureFile represents an Azure File Service mount on the host and bind mount to the pod. 
+ // +optional + azureFile?: null | #AzureFilePersistentVolumeSource @go(AzureFile,*AzureFilePersistentVolumeSource) @protobuf(13,bytes,opt) + + // vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine + // +optional + vsphereVolume?: null | #VsphereVirtualDiskVolumeSource @go(VsphereVolume,*VsphereVirtualDiskVolumeSource) @protobuf(14,bytes,opt) + + // quobyte represents a Quobyte mount on the host that shares a pod's lifetime + // +optional + quobyte?: null | #QuobyteVolumeSource @go(Quobyte,*QuobyteVolumeSource) @protobuf(15,bytes,opt) + + // azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. + // +optional + azureDisk?: null | #AzureDiskVolumeSource @go(AzureDisk,*AzureDiskVolumeSource) @protobuf(16,bytes,opt) + + // photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine + photonPersistentDisk?: null | #PhotonPersistentDiskVolumeSource @go(PhotonPersistentDisk,*PhotonPersistentDiskVolumeSource) @protobuf(17,bytes,opt) + + // portworxVolume represents a portworx volume attached and mounted on kubelets host machine + // +optional + portworxVolume?: null | #PortworxVolumeSource @go(PortworxVolume,*PortworxVolumeSource) @protobuf(18,bytes,opt) + + // scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. 
+ // +optional + scaleIO?: null | #ScaleIOPersistentVolumeSource @go(ScaleIO,*ScaleIOPersistentVolumeSource) @protobuf(19,bytes,opt) + + // local represents directly-attached storage with node affinity + // +optional + local?: null | #LocalVolumeSource @go(Local,*LocalVolumeSource) @protobuf(20,bytes,opt) + + // storageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod + // More info: https://examples.k8s.io/volumes/storageos/README.md + // +optional + storageos?: null | #StorageOSPersistentVolumeSource @go(StorageOS,*StorageOSPersistentVolumeSource) @protobuf(21,bytes,opt) + + // csi represents storage that is handled by an external CSI driver (Beta feature). + // +optional + csi?: null | #CSIPersistentVolumeSource @go(CSI,*CSIPersistentVolumeSource) @protobuf(22,bytes,opt) +} + +// BetaStorageClassAnnotation represents the beta/previous StorageClass annotation. +// It's currently still used and will be held for backwards compatibility +#BetaStorageClassAnnotation: "volume.beta.kubernetes.io/storage-class" + +// MountOptionAnnotation defines mount option annotation used in PVs +#MountOptionAnnotation: "volume.beta.kubernetes.io/mount-options" + +// PersistentVolume (PV) is a storage resource provisioned by an administrator. +// It is analogous to a node. +// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes +#PersistentVolume: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec defines a specification of a persistent volume owned by the cluster. + // Provisioned by an administrator. 
+ // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumes + // +optional + spec?: #PersistentVolumeSpec @go(Spec) @protobuf(2,bytes,opt) + + // status represents the current information/status for the persistent volume. + // Populated by the system. + // Read-only. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumes + // +optional + status?: #PersistentVolumeStatus @go(Status) @protobuf(3,bytes,opt) +} + +// PersistentVolumeSpec is the specification of a persistent volume. +#PersistentVolumeSpec: { + // capacity is the description of the persistent volume's resources and capacity. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacity + // +optional + capacity?: #ResourceList @go(Capacity) @protobuf(1,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + #PersistentVolumeSource + + // accessModes contains all ways the volume can be mounted. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes + // +optional + accessModes?: [...#PersistentVolumeAccessMode] @go(AccessModes,[]PersistentVolumeAccessMode) @protobuf(3,bytes,rep,casttype=PersistentVolumeAccessMode) + + // claimRef is part of a bi-directional binding between PersistentVolume and PersistentVolumeClaim. + // Expected to be non-nil when bound. + // claim.VolumeName is the authoritative bind between PV and PVC. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#binding + // +optional + // +structType=granular + claimRef?: null | #ObjectReference @go(ClaimRef,*ObjectReference) @protobuf(4,bytes,opt) + + // persistentVolumeReclaimPolicy defines what happens to a persistent volume when released from its claim. + // Valid options are Retain (default for manually created PersistentVolumes), Delete (default + // for dynamically provisioned PersistentVolumes), and Recycle (deprecated). 
+ // Recycle must be supported by the volume plugin underlying this PersistentVolume. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#reclaiming + // +optional + persistentVolumeReclaimPolicy?: #PersistentVolumeReclaimPolicy @go(PersistentVolumeReclaimPolicy) @protobuf(5,bytes,opt,casttype=PersistentVolumeReclaimPolicy) + + // storageClassName is the name of StorageClass to which this persistent volume belongs. Empty value + // means that this volume does not belong to any StorageClass. + // +optional + storageClassName?: string @go(StorageClassName) @protobuf(6,bytes,opt) + + // mountOptions is the list of mount options, e.g. ["ro", "soft"]. Not validated - mount will + // simply fail if one is invalid. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#mount-options + // +optional + mountOptions?: [...string] @go(MountOptions,[]string) @protobuf(7,bytes,opt) + + // volumeMode defines if a volume is intended to be used with a formatted filesystem + // or to remain in raw block state. Value of Filesystem is implied when not included in spec. + // +optional + volumeMode?: null | #PersistentVolumeMode @go(VolumeMode,*PersistentVolumeMode) @protobuf(8,bytes,opt,casttype=PersistentVolumeMode) + + // nodeAffinity defines constraints that limit what nodes this volume can be accessed from. + // This field influences the scheduling of pods that use this volume. + // +optional + nodeAffinity?: null | #VolumeNodeAffinity @go(NodeAffinity,*VolumeNodeAffinity) @protobuf(9,bytes,opt) +} + +// VolumeNodeAffinity defines constraints that limit what nodes this volume can be accessed from. +#VolumeNodeAffinity: { + // required specifies hard node constraints that must be met. + required?: null | #NodeSelector @go(Required,*NodeSelector) @protobuf(1,bytes,opt) +} + +// PersistentVolumeReclaimPolicy describes a policy for end-of-life maintenance of persistent volumes. 
+// +enum +#PersistentVolumeReclaimPolicy: string // #enumPersistentVolumeReclaimPolicy + +#enumPersistentVolumeReclaimPolicy: + #PersistentVolumeReclaimRecycle | + #PersistentVolumeReclaimDelete | + #PersistentVolumeReclaimRetain + +// PersistentVolumeReclaimRecycle means the volume will be recycled back into the pool of unbound persistent volumes on release from its claim. +// The volume plugin must support Recycling. +#PersistentVolumeReclaimRecycle: #PersistentVolumeReclaimPolicy & "Recycle" + +// PersistentVolumeReclaimDelete means the volume will be deleted from Kubernetes on release from its claim. +// The volume plugin must support Deletion. +#PersistentVolumeReclaimDelete: #PersistentVolumeReclaimPolicy & "Delete" + +// PersistentVolumeReclaimRetain means the volume will be left in its current phase (Released) for manual reclamation by the administrator. +// The default policy is Retain. +#PersistentVolumeReclaimRetain: #PersistentVolumeReclaimPolicy & "Retain" + +// PersistentVolumeMode describes how a volume is intended to be consumed, either Block or Filesystem. +// +enum +#PersistentVolumeMode: string // #enumPersistentVolumeMode + +#enumPersistentVolumeMode: + #PersistentVolumeBlock | + #PersistentVolumeFilesystem + +// PersistentVolumeBlock means the volume will not be formatted with a filesystem and will remain a raw block device. +#PersistentVolumeBlock: #PersistentVolumeMode & "Block" + +// PersistentVolumeFilesystem means the volume will be or is formatted with a filesystem. +#PersistentVolumeFilesystem: #PersistentVolumeMode & "Filesystem" + +// PersistentVolumeStatus is the current status of a persistent volume. +#PersistentVolumeStatus: { + // phase indicates if a volume is available, bound to a claim, or released by a claim. 
+ // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#phase + // +optional + phase?: #PersistentVolumePhase @go(Phase) @protobuf(1,bytes,opt,casttype=PersistentVolumePhase) + + // message is a human-readable message indicating details about why the volume is in this state. + // +optional + message?: string @go(Message) @protobuf(2,bytes,opt) + + // reason is a brief CamelCase string that describes any failure and is meant + // for machine parsing and tidy display in the CLI. + // +optional + reason?: string @go(Reason) @protobuf(3,bytes,opt) + + // lastPhaseTransitionTime is the time the phase transitioned from one to another + // and automatically resets to current time everytime a volume phase transitions. + // This is an alpha field and requires enabling PersistentVolumeLastPhaseTransitionTime feature. + // +featureGate=PersistentVolumeLastPhaseTransitionTime + // +optional + lastPhaseTransitionTime?: null | metav1.#Time @go(LastPhaseTransitionTime,*metav1.Time) @protobuf(4,bytes,opt) +} + +// PersistentVolumeList is a list of PersistentVolume items. +#PersistentVolumeList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is a list of persistent volumes. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes + items: [...#PersistentVolume] @go(Items,[]PersistentVolume) @protobuf(2,bytes,rep) +} + +// PersistentVolumeClaim is a user's request for and claim to a persistent volume +#PersistentVolumeClaim: { + metav1.#TypeMeta + + // Standard object's metadata. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec defines the desired characteristics of a volume requested by a pod author. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + // +optional + spec?: #PersistentVolumeClaimSpec @go(Spec) @protobuf(2,bytes,opt) + + // status represents the current information/status of a persistent volume claim. + // Read-only. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + // +optional + status?: #PersistentVolumeClaimStatus @go(Status) @protobuf(3,bytes,opt) +} + +// PersistentVolumeClaimList is a list of PersistentVolumeClaim items. +#PersistentVolumeClaimList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is a list of persistent volume claims. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + items: [...#PersistentVolumeClaim] @go(Items,[]PersistentVolumeClaim) @protobuf(2,bytes,rep) +} + +// PersistentVolumeClaimSpec describes the common attributes of storage devices +// and allows a Source for provider-specific attributes +#PersistentVolumeClaimSpec: { + // accessModes contains the desired access modes the volume should have. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + // +optional + accessModes?: [...#PersistentVolumeAccessMode] @go(AccessModes,[]PersistentVolumeAccessMode) @protobuf(1,bytes,rep,casttype=PersistentVolumeAccessMode) + + // selector is a label query over volumes to consider for binding. 
+ // +optional + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(4,bytes,opt) + + // resources represents the minimum resources the volume should have. + // If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + // that are lower than previous value but must still be higher than capacity recorded in the + // status field of the claim. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + // +optional + resources?: #ResourceRequirements @go(Resources) @protobuf(2,bytes,opt) + + // volumeName is the binding reference to the PersistentVolume backing this claim. + // +optional + volumeName?: string @go(VolumeName) @protobuf(3,bytes,opt) + + // storageClassName is the name of the StorageClass required by the claim. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + // +optional + storageClassName?: null | string @go(StorageClassName,*string) @protobuf(5,bytes,opt) + + // volumeMode defines what type of volume is required by the claim. + // Value of Filesystem is implied when not included in claim spec. + // +optional + volumeMode?: null | #PersistentVolumeMode @go(VolumeMode,*PersistentVolumeMode) @protobuf(6,bytes,opt,casttype=PersistentVolumeMode) + + // dataSource field can be used to specify either: + // * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + // * An existing PVC (PersistentVolumeClaim) + // If the provisioner or an external controller can support the specified data source, + // it will create a new volume based on the contents of the specified data source. + // When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + // and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + // If the namespace is specified, then dataSourceRef will not be copied to dataSource. 
+ // +optional + dataSource?: null | #TypedLocalObjectReference @go(DataSource,*TypedLocalObjectReference) @protobuf(7,bytes,opt) + + // dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + // volume is desired. This may be any object from a non-empty API group (non + // core object) or a PersistentVolumeClaim object. + // When this field is specified, volume binding will only succeed if the type of + // the specified object matches some installed volume populator or dynamic + // provisioner. + // This field will replace the functionality of the dataSource field and as such + // if both fields are non-empty, they must have the same value. For backwards + // compatibility, when namespace isn't specified in dataSourceRef, + // both fields (dataSource and dataSourceRef) will be set to the same + // value automatically if one of them is empty and the other is non-empty. + // When namespace is specified in dataSourceRef, + // dataSource isn't set to the same value and must be empty. + // There are three important differences between dataSource and dataSourceRef: + // * While dataSource only allows two specific types of objects, dataSourceRef + // allows any non-core object, as well as PersistentVolumeClaim objects. + // * While dataSource ignores disallowed values (dropping them), dataSourceRef + // preserves all values, and generates an error if a disallowed value is + // specified. + // * While dataSource only allows local objects, dataSourceRef allows objects + // in any namespaces. + // (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + // (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + // +optional + dataSourceRef?: null | #TypedObjectReference @go(DataSourceRef,*TypedObjectReference) @protobuf(8,bytes,opt) +} + +#TypedObjectReference: { + // APIGroup is the group for the resource being referenced. 
+ // If APIGroup is not specified, the specified Kind must be in the core API group. + // For any other third-party types, APIGroup is required. + // +optional + apiGroup?: null | string @go(APIGroup,*string) @protobuf(1,bytes,opt) + + // Kind is the type of resource being referenced + kind: string @go(Kind) @protobuf(2,bytes,opt) + + // Name is the name of resource being referenced + name: string @go(Name) @protobuf(3,bytes,opt) + + // Namespace is the namespace of resource being referenced + // Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + // (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + // +featureGate=CrossNamespaceVolumeDataSource + // +optional + namespace?: null | string @go(Namespace,*string) @protobuf(4,bytes,opt) +} + +// PersistentVolumeClaimConditionType is a valid value of PersistentVolumeClaimCondition.Type +#PersistentVolumeClaimConditionType: string // #enumPersistentVolumeClaimConditionType + +#enumPersistentVolumeClaimConditionType: + #PersistentVolumeClaimResizing | + #PersistentVolumeClaimFileSystemResizePending + +// PersistentVolumeClaimResizing - a user trigger resize of pvc has been started +#PersistentVolumeClaimResizing: #PersistentVolumeClaimConditionType & "Resizing" + +// PersistentVolumeClaimFileSystemResizePending - controller resize is finished and a file system resize is pending on node +#PersistentVolumeClaimFileSystemResizePending: #PersistentVolumeClaimConditionType & "FileSystemResizePending" + +// +enum +// When a controller receives persistentvolume claim update with ClaimResourceStatus for a resource +// that it does not recognizes, then it should ignore that update and let other controllers +// handle it. 
+#ClaimResourceStatus: string // #enumClaimResourceStatus + +#enumClaimResourceStatus: + #PersistentVolumeClaimControllerResizeInProgress | + #PersistentVolumeClaimControllerResizeFailed | + #PersistentVolumeClaimNodeResizePending | + #PersistentVolumeClaimNodeResizeInProgress | + #PersistentVolumeClaimNodeResizeFailed + +// State set when resize controller starts resizing the volume in control-plane. +#PersistentVolumeClaimControllerResizeInProgress: #ClaimResourceStatus & "ControllerResizeInProgress" + +// State set when resize has failed in resize controller with a terminal error. +// Transient errors such as timeout should not set this status and should leave allocatedResourceStatus +// unmodified, so as resize controller can resume the volume expansion. +#PersistentVolumeClaimControllerResizeFailed: #ClaimResourceStatus & "ControllerResizeFailed" + +// State set when resize controller has finished resizing the volume but further resizing of volume +// is needed on the node. +#PersistentVolumeClaimNodeResizePending: #ClaimResourceStatus & "NodeResizePending" + +// State set when kubelet starts resizing the volume. +#PersistentVolumeClaimNodeResizeInProgress: #ClaimResourceStatus & "NodeResizeInProgress" + +// State set when resizing has failed in kubelet with a terminal error. Transient errors don't set NodeResizeFailed +#PersistentVolumeClaimNodeResizeFailed: #ClaimResourceStatus & "NodeResizeFailed" + +// PersistentVolumeClaimCondition contains details about state of pvc +#PersistentVolumeClaimCondition: { + type: #PersistentVolumeClaimConditionType @go(Type) @protobuf(1,bytes,opt,casttype=PersistentVolumeClaimConditionType) + status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus) + + // lastProbeTime is the time we probed the condition. + // +optional + lastProbeTime?: metav1.#Time @go(LastProbeTime) @protobuf(3,bytes,opt) + + // lastTransitionTime is the time the condition transitioned from one status to another. 
+ // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(4,bytes,opt) + + // reason is a unique, this should be a short, machine understandable string that gives the reason + // for condition's last transition. If it reports "ResizeStarted" that means the underlying + // persistent volume is being resized. + // +optional + reason?: string @go(Reason) @protobuf(5,bytes,opt) + + // message is the human-readable message indicating details about last transition. + // +optional + message?: string @go(Message) @protobuf(6,bytes,opt) +} + +// PersistentVolumeClaimStatus is the current status of a persistent volume claim. +#PersistentVolumeClaimStatus: { + // phase represents the current phase of PersistentVolumeClaim. + // +optional + phase?: #PersistentVolumeClaimPhase @go(Phase) @protobuf(1,bytes,opt,casttype=PersistentVolumeClaimPhase) + + // accessModes contains the actual access modes the volume backing the PVC has. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + // +optional + accessModes?: [...#PersistentVolumeAccessMode] @go(AccessModes,[]PersistentVolumeAccessMode) @protobuf(2,bytes,rep,casttype=PersistentVolumeAccessMode) + + // capacity represents the actual resources of the underlying volume. + // +optional + capacity?: #ResourceList @go(Capacity) @protobuf(3,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // conditions is the current Condition of persistent volume claim. If underlying persistent volume is being + // resized then the Condition will be set to 'ResizeStarted'. + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#PersistentVolumeClaimCondition] @go(Conditions,[]PersistentVolumeClaimCondition) @protobuf(4,bytes,rep) + + // allocatedResources tracks the resources allocated to a PVC including its capacity. + // Key names follow standard Kubernetes label syntax. 
Valid values are either: + // * Un-prefixed keys: + // - storage - the capacity of the volume. + // * Custom resources must use implementation-defined prefixed names such as "example.com/my-custom-resource" + // Apart from above values - keys that are unprefixed or have kubernetes.io prefix are considered + // reserved and hence may not be used. + // + // Capacity reported here may be larger than the actual capacity when a volume expansion operation + // is requested. + // For storage quota, the larger value from allocatedResources and PVC.spec.resources is used. + // If allocatedResources is not set, PVC.spec.resources alone is used for quota calculation. + // If a volume expansion capacity request is lowered, allocatedResources is only + // lowered if there are no expansion operations in progress and if the actual volume capacity + // is equal or lower than the requested capacity. + // + // A controller that receives PVC update with previously unknown resourceName + // should ignore the update for the purpose it was designed. For example - a controller that + // only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid + // resources associated with PVC. + // + // This is an alpha field and requires enabling RecoverVolumeExpansionFailure feature. + // +featureGate=RecoverVolumeExpansionFailure + // +optional + allocatedResources?: #ResourceList @go(AllocatedResources) @protobuf(5,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // allocatedResourceStatuses stores status of resource being resized for the given PVC. + // Key names follow standard Kubernetes label syntax. Valid values are either: + // * Un-prefixed keys: + // - storage - the capacity of the volume. 
+ // * Custom resources must use implementation-defined prefixed names such as "example.com/my-custom-resource" + // Apart from above values - keys that are unprefixed or have kubernetes.io prefix are considered + // reserved and hence may not be used. + // + // ClaimResourceStatus can be in any of following states: + // - ControllerResizeInProgress: + // State set when resize controller starts resizing the volume in control-plane. + // - ControllerResizeFailed: + // State set when resize has failed in resize controller with a terminal error. + // - NodeResizePending: + // State set when resize controller has finished resizing the volume but further resizing of + // volume is needed on the node. + // - NodeResizeInProgress: + // State set when kubelet starts resizing the volume. + // - NodeResizeFailed: + // State set when resizing has failed in kubelet with a terminal error. Transient errors don't set + // NodeResizeFailed. + // For example: if expanding a PVC for more capacity - this field can be one of the following states: + // - pvc.status.allocatedResourceStatus['storage'] = "ControllerResizeInProgress" + // - pvc.status.allocatedResourceStatus['storage'] = "ControllerResizeFailed" + // - pvc.status.allocatedResourceStatus['storage'] = "NodeResizePending" + // - pvc.status.allocatedResourceStatus['storage'] = "NodeResizeInProgress" + // - pvc.status.allocatedResourceStatus['storage'] = "NodeResizeFailed" + // When this field is not set, it means that no resize operation is in progress for the given PVC. + // + // A controller that receives PVC update with previously unknown resourceName or ClaimResourceStatus + // should ignore the update for the purpose it was designed. For example - a controller that + // only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid + // resources associated with PVC. + // + // This is an alpha field and requires enabling RecoverVolumeExpansionFailure feature. 
+ // +featureGate=RecoverVolumeExpansionFailure + // +mapType=granular + // +optional + allocatedResourceStatuses?: {[string]: #ClaimResourceStatus} @go(AllocatedResourceStatuses,map[ResourceName]ClaimResourceStatus) @protobuf(7,bytes,rep) +} + +// +enum +#PersistentVolumeAccessMode: string // #enumPersistentVolumeAccessMode + +#enumPersistentVolumeAccessMode: + #ReadWriteOnce | + #ReadOnlyMany | + #ReadWriteMany | + #ReadWriteOncePod + +// can be mounted in read/write mode to exactly 1 host +#ReadWriteOnce: #PersistentVolumeAccessMode & "ReadWriteOnce" + +// can be mounted in read-only mode to many hosts +#ReadOnlyMany: #PersistentVolumeAccessMode & "ReadOnlyMany" + +// can be mounted in read/write mode to many hosts +#ReadWriteMany: #PersistentVolumeAccessMode & "ReadWriteMany" + +// can be mounted in read/write mode to exactly 1 pod +// cannot be used in combination with other access modes +#ReadWriteOncePod: #PersistentVolumeAccessMode & "ReadWriteOncePod" + +// +enum +#PersistentVolumePhase: string // #enumPersistentVolumePhase + +#enumPersistentVolumePhase: + #VolumePending | + #VolumeAvailable | + #VolumeBound | + #VolumeReleased | + #VolumeFailed + +// used for PersistentVolumes that are not available +#VolumePending: #PersistentVolumePhase & "Pending" + +// used for PersistentVolumes that are not yet bound +// Available volumes are held by the binder and matched to PersistentVolumeClaims +#VolumeAvailable: #PersistentVolumePhase & "Available" + +// used for PersistentVolumes that are bound +#VolumeBound: #PersistentVolumePhase & "Bound" + +// used for PersistentVolumes where the bound PersistentVolumeClaim was deleted +// released volumes must be recycled before becoming available again +// this phase is used by the persistent volume claim binder to signal to another process to reclaim the resource +#VolumeReleased: #PersistentVolumePhase & "Released" + +// used for PersistentVolumes that failed to be correctly recycled or deleted after being released from 
a claim +#VolumeFailed: #PersistentVolumePhase & "Failed" + +// +enum +#PersistentVolumeClaimPhase: string // #enumPersistentVolumeClaimPhase + +#enumPersistentVolumeClaimPhase: + #ClaimPending | + #ClaimBound | + #ClaimLost + +// used for PersistentVolumeClaims that are not yet bound +#ClaimPending: #PersistentVolumeClaimPhase & "Pending" + +// used for PersistentVolumeClaims that are bound +#ClaimBound: #PersistentVolumeClaimPhase & "Bound" + +// used for PersistentVolumeClaims that lost their underlying +// PersistentVolume. The claim was bound to a PersistentVolume and this +// volume does not exist any longer and all data on it was lost. +#ClaimLost: #PersistentVolumeClaimPhase & "Lost" + +// +enum +#HostPathType: string // #enumHostPathType + +#enumHostPathType: + #HostPathUnset | + #HostPathDirectoryOrCreate | + #HostPathDirectory | + #HostPathFileOrCreate | + #HostPathFile | + #HostPathSocket | + #HostPathCharDev | + #HostPathBlockDev + +// For backwards compatible, leave it empty if unset +#HostPathUnset: #HostPathType & "" + +// If nothing exists at the given path, an empty directory will be created there +// as needed with file mode 0755, having the same group and ownership with Kubelet. +#HostPathDirectoryOrCreate: #HostPathType & "DirectoryOrCreate" + +// A directory must exist at the given path +#HostPathDirectory: #HostPathType & "Directory" + +// If nothing exists at the given path, an empty file will be created there +// as needed with file mode 0644, having the same group and ownership with Kubelet. 
+#HostPathFileOrCreate: #HostPathType & "FileOrCreate" + +// A file must exist at the given path +#HostPathFile: #HostPathType & "File" + +// A UNIX socket must exist at the given path +#HostPathSocket: #HostPathType & "Socket" + +// A character device must exist at the given path +#HostPathCharDev: #HostPathType & "CharDevice" + +// A block device must exist at the given path +#HostPathBlockDev: #HostPathType & "BlockDevice" + +// Represents a host path mapped into a pod. +// Host path volumes do not support ownership management or SELinux relabeling. +#HostPathVolumeSource: { + // path of the directory on the host. + // If the path is a symlink, it will follow the link to the real path. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + path: string @go(Path) @protobuf(1,bytes,opt) + + // type for HostPath Volume + // Defaults to "" + // More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + // +optional + type?: null | #HostPathType @go(Type,*HostPathType) @protobuf(2,bytes,opt) +} + +// Represents an empty directory for a pod. +// Empty directory volumes support ownership management and SELinux relabeling. +#EmptyDirVolumeSource: { + // medium represents what type of storage medium should back this directory. + // The default is "" which means to use the node's default medium. + // Must be an empty string (default) or Memory. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + // +optional + medium?: #StorageMedium @go(Medium) @protobuf(1,bytes,opt,casttype=StorageMedium) + + // sizeLimit is the total amount of local storage required for this EmptyDir volume. + // The size limit is also applicable for memory medium. + // The maximum usage on memory medium EmptyDir would be the minimum value between + // the SizeLimit specified here and the sum of memory limits of all containers in a pod. + // The default is nil which means that the limit is undefined. 
+ // More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + // +optional + sizeLimit?: null | resource.#Quantity @go(SizeLimit,*resource.Quantity) @protobuf(2,bytes,opt) +} + +// Represents a Glusterfs mount that lasts the lifetime of a pod. +// Glusterfs volumes do not support ownership management or SELinux relabeling. +#GlusterfsVolumeSource: { + // endpoints is the endpoint name that details Glusterfs topology. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + endpoints: string @go(EndpointsName) @protobuf(1,bytes,opt) + + // path is the Glusterfs volume path. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + path: string @go(Path) @protobuf(2,bytes,opt) + + // readOnly here will force the Glusterfs volume to be mounted with read-only permissions. + // Defaults to false. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) +} + +// Represents a Glusterfs mount that lasts the lifetime of a pod. +// Glusterfs volumes do not support ownership management or SELinux relabeling. +#GlusterfsPersistentVolumeSource: { + // endpoints is the endpoint name that details Glusterfs topology. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + endpoints: string @go(EndpointsName) @protobuf(1,bytes,opt) + + // path is the Glusterfs volume path. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + path: string @go(Path) @protobuf(2,bytes,opt) + + // readOnly here will force the Glusterfs volume to be mounted with read-only permissions. + // Defaults to false. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) + + // endpointsNamespace is the namespace that contains Glusterfs endpoint. 
+ // If this field is empty, the EndpointNamespace defaults to the same namespace as the bound PVC. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + // +optional + endpointsNamespace?: null | string @go(EndpointsNamespace,*string) @protobuf(4,bytes,opt) +} + +// Represents a Rados Block Device mount that lasts the lifetime of a pod. +// RBD volumes support ownership management and SELinux relabeling. +#RBDVolumeSource: { + // monitors is a collection of Ceph monitors. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + monitors: [...string] @go(CephMonitors,[]string) @protobuf(1,bytes,rep) + + // image is the rados image name. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + image: string @go(RBDImage) @protobuf(2,bytes,opt) + + // fsType is the filesystem type of the volume that you want to mount. + // Tip: Ensure that the filesystem type is supported by the host operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + // TODO: how do we prevent errors in the filesystem from compromising the machine + // +optional + fsType?: string @go(FSType) @protobuf(3,bytes,opt) + + // pool is the rados pool name. + // Default is rbd. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + pool?: string @go(RBDPool) @protobuf(4,bytes,opt) + + // user is the rados user name. + // Default is admin. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + user?: string @go(RadosUser) @protobuf(5,bytes,opt) + + // keyring is the path to key ring for RBDUser. + // Default is /etc/ceph/keyring. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + keyring?: string @go(Keyring) @protobuf(6,bytes,opt) + + // secretRef is name of the authentication secret for RBDUser. 
If provided + // overrides keyring. + // Default is nil. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + secretRef?: null | #LocalObjectReference @go(SecretRef,*LocalObjectReference) @protobuf(7,bytes,opt) + + // readOnly here will force the ReadOnly setting in VolumeMounts. + // Defaults to false. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(8,varint,opt) +} + +// Represents a Rados Block Device mount that lasts the lifetime of a pod. +// RBD volumes support ownership management and SELinux relabeling. +#RBDPersistentVolumeSource: { + // monitors is a collection of Ceph monitors. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + monitors: [...string] @go(CephMonitors,[]string) @protobuf(1,bytes,rep) + + // image is the rados image name. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + image: string @go(RBDImage) @protobuf(2,bytes,opt) + + // fsType is the filesystem type of the volume that you want to mount. + // Tip: Ensure that the filesystem type is supported by the host operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + // TODO: how do we prevent errors in the filesystem from compromising the machine + // +optional + fsType?: string @go(FSType) @protobuf(3,bytes,opt) + + // pool is the rados pool name. + // Default is rbd. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + pool?: string @go(RBDPool) @protobuf(4,bytes,opt) + + // user is the rados user name. + // Default is admin. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + user?: string @go(RadosUser) @protobuf(5,bytes,opt) + + // keyring is the path to key ring for RBDUser. + // Default is /etc/ceph/keyring. 
+ // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + keyring?: string @go(Keyring) @protobuf(6,bytes,opt) + + // secretRef is name of the authentication secret for RBDUser. If provided + // overrides keyring. + // Default is nil. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + secretRef?: null | #SecretReference @go(SecretRef,*SecretReference) @protobuf(7,bytes,opt) + + // readOnly here will force the ReadOnly setting in VolumeMounts. + // Defaults to false. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(8,varint,opt) +} + +// Represents a cinder volume resource in Openstack. +// A Cinder volume must exist before mounting to a container. +// The volume must also be in the same region as the kubelet. +// Cinder volumes support ownership management and SELinux relabeling. +#CinderVolumeSource: { + // volumeID used to identify the volume in cinder. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + volumeID: string @go(VolumeID) @protobuf(1,bytes,opt) + + // fsType is the filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + // +optional + fsType?: string @go(FSType) @protobuf(2,bytes,opt) + + // readOnly defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) + + // secretRef is optional: points to a secret object containing parameters used to connect + // to OpenStack. 
+ // +optional + secretRef?: null | #LocalObjectReference @go(SecretRef,*LocalObjectReference) @protobuf(4,bytes,opt) +} + +// Represents a cinder volume resource in Openstack. +// A Cinder volume must exist before mounting to a container. +// The volume must also be in the same region as the kubelet. +// Cinder volumes support ownership management and SELinux relabeling. +#CinderPersistentVolumeSource: { + // volumeID used to identify the volume in cinder. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + volumeID: string @go(VolumeID) @protobuf(1,bytes,opt) + + // fsType Filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + // +optional + fsType?: string @go(FSType) @protobuf(2,bytes,opt) + + // readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) + + // secretRef is Optional: points to a secret object containing parameters used to connect + // to OpenStack. + // +optional + secretRef?: null | #SecretReference @go(SecretRef,*SecretReference) @protobuf(4,bytes,opt) +} + +// Represents a Ceph Filesystem mount that lasts the lifetime of a pod +// Cephfs volumes do not support ownership management or SELinux relabeling. 
+#CephFSVolumeSource: { + // monitors is Required: Monitors is a collection of Ceph monitors + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + monitors: [...string] @go(Monitors,[]string) @protobuf(1,bytes,rep) + + // path is Optional: Used as the mounted root, rather than the full Ceph tree, default is / + // +optional + path?: string @go(Path) @protobuf(2,bytes,opt) + + // user is optional: User is the rados user name, default is admin + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + // +optional + user?: string @go(User) @protobuf(3,bytes,opt) + + // secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + // +optional + secretFile?: string @go(SecretFile) @protobuf(4,bytes,opt) + + // secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + // +optional + secretRef?: null | #LocalObjectReference @go(SecretRef,*LocalObjectReference) @protobuf(5,bytes,opt) + + // readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(6,varint,opt) +} + +// SecretReference represents a Secret Reference. It has enough information to retrieve secret +// in any namespace +// +structType=atomic +#SecretReference: { + // name is unique within a namespace to reference a secret resource. + // +optional + name?: string @go(Name) @protobuf(1,bytes,opt) + + // namespace defines the space within which the secret name must be unique. 
+ // +optional + namespace?: string @go(Namespace) @protobuf(2,bytes,opt) +} + +// Represents a Ceph Filesystem mount that lasts the lifetime of a pod +// Cephfs volumes do not support ownership management or SELinux relabeling. +#CephFSPersistentVolumeSource: { + // monitors is Required: Monitors is a collection of Ceph monitors + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + monitors: [...string] @go(Monitors,[]string) @protobuf(1,bytes,rep) + + // path is Optional: Used as the mounted root, rather than the full Ceph tree, default is / + // +optional + path?: string @go(Path) @protobuf(2,bytes,opt) + + // user is Optional: User is the rados user name, default is admin + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + // +optional + user?: string @go(User) @protobuf(3,bytes,opt) + + // secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + // +optional + secretFile?: string @go(SecretFile) @protobuf(4,bytes,opt) + + // secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + // +optional + secretRef?: null | #SecretReference @go(SecretRef,*SecretReference) @protobuf(5,bytes,opt) + + // readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(6,varint,opt) +} + +// Represents a Flocker volume mounted by the Flocker agent. +// One and only one of datasetName and datasetUUID should be set. +// Flocker volumes do not support ownership management or SELinux relabeling. 
+#FlockerVolumeSource: { + // datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker + // should be considered as deprecated + // +optional + datasetName?: string @go(DatasetName) @protobuf(1,bytes,opt) + + // datasetUUID is the UUID of the dataset. This is unique identifier of a Flocker dataset + // +optional + datasetUUID?: string @go(DatasetUUID) @protobuf(2,bytes,opt) +} + +// StorageMedium defines ways that storage can be allocated to a volume. +#StorageMedium: string // #enumStorageMedium + +#enumStorageMedium: + #StorageMediumDefault | + #StorageMediumMemory | + #StorageMediumHugePages | + #StorageMediumHugePagesPrefix + +#StorageMediumDefault: #StorageMedium & "" +#StorageMediumMemory: #StorageMedium & "Memory" +#StorageMediumHugePages: #StorageMedium & "HugePages" +#StorageMediumHugePagesPrefix: #StorageMedium & "HugePages-" + +// Protocol defines network protocols supported for things like container ports. +// +enum +#Protocol: string // #enumProtocol + +#enumProtocol: + #ProtocolTCP | + #ProtocolUDP | + #ProtocolSCTP + +// ProtocolTCP is the TCP protocol. +#ProtocolTCP: #Protocol & "TCP" + +// ProtocolUDP is the UDP protocol. +#ProtocolUDP: #Protocol & "UDP" + +// ProtocolSCTP is the SCTP protocol. +#ProtocolSCTP: #Protocol & "SCTP" + +// Represents a Persistent Disk resource in Google Compute Engine. +// +// A GCE PD must exist before mounting to a container. The disk must +// also be in the same GCE project and zone as the kubelet. A GCE PD +// can only be mounted as read/write once or read-only many times. GCE +// PDs support ownership management and SELinux relabeling. +#GCEPersistentDiskVolumeSource: { + // pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + pdName: string @go(PDName) @protobuf(1,bytes,opt) + + // fsType is filesystem type of the volume that you want to mount. 
+ // Tip: Ensure that the filesystem type is supported by the host operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + // TODO: how do we prevent errors in the filesystem from compromising the machine + // +optional + fsType?: string @go(FSType) @protobuf(2,bytes,opt) + + // partition is the partition in the volume that you want to mount. + // If omitted, the default is to mount by volume name. + // Examples: For volume /dev/sda1, you specify the partition as "1". + // Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + // More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + // +optional + partition?: int32 @go(Partition) @protobuf(3,varint,opt) + + // readOnly here will force the ReadOnly setting in VolumeMounts. + // Defaults to false. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(4,varint,opt) +} + +// Represents a Quobyte mount that lasts the lifetime of a pod. +// Quobyte volumes do not support ownership management or SELinux relabeling. +#QuobyteVolumeSource: { + // registry represents a single or multiple Quobyte Registry services + // specified as a string as host:port pair (multiple entries are separated with commas) + // which acts as the central registry for volumes + registry: string @go(Registry) @protobuf(1,bytes,opt) + + // volume is a string that references an already created Quobyte volume by name. + volume: string @go(Volume) @protobuf(2,bytes,opt) + + // readOnly here will force the Quobyte volume to be mounted with read-only permissions. + // Defaults to false. 
+ // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) + + // user to map volume access to + // Defaults to serivceaccount user + // +optional + user?: string @go(User) @protobuf(4,bytes,opt) + + // group to map volume access to + // Default is no group + // +optional + group?: string @go(Group) @protobuf(5,bytes,opt) + + // tenant owning the given Quobyte volume in the Backend + // Used with dynamically provisioned Quobyte volumes, value is set by the plugin + // +optional + tenant?: string @go(Tenant) @protobuf(6,bytes,opt) +} + +// FlexPersistentVolumeSource represents a generic persistent volume resource that is +// provisioned/attached using an exec based plugin. +#FlexPersistentVolumeSource: { + // driver is the name of the driver to use for this volume. + driver: string @go(Driver) @protobuf(1,bytes,opt) + + // fsType is the Filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. + // +optional + fsType?: string @go(FSType) @protobuf(2,bytes,opt) + + // secretRef is Optional: SecretRef is reference to the secret object containing + // sensitive information to pass to the plugin scripts. This may be + // empty if no secret object is specified. If the secret object + // contains more than one secret, all secrets are passed to the plugin + // scripts. + // +optional + secretRef?: null | #SecretReference @go(SecretRef,*SecretReference) @protobuf(3,bytes,opt) + + // readOnly is Optional: defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(4,varint,opt) + + // options is Optional: this field holds extra command options if any. 
+ // +optional + options?: {[string]: string} @go(Options,map[string]string) @protobuf(5,bytes,rep) +} + +// FlexVolume represents a generic volume resource that is +// provisioned/attached using an exec based plugin. +#FlexVolumeSource: { + // driver is the name of the driver to use for this volume. + driver: string @go(Driver) @protobuf(1,bytes,opt) + + // fsType is the filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. + // +optional + fsType?: string @go(FSType) @protobuf(2,bytes,opt) + + // secretRef is Optional: secretRef is reference to the secret object containing + // sensitive information to pass to the plugin scripts. This may be + // empty if no secret object is specified. If the secret object + // contains more than one secret, all secrets are passed to the plugin + // scripts. + // +optional + secretRef?: null | #LocalObjectReference @go(SecretRef,*LocalObjectReference) @protobuf(3,bytes,opt) + + // readOnly is Optional: defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(4,varint,opt) + + // options is Optional: this field holds extra command options if any. + // +optional + options?: {[string]: string} @go(Options,map[string]string) @protobuf(5,bytes,rep) +} + +// Represents a Persistent Disk resource in AWS. +// +// An AWS EBS disk must exist before mounting to a container. The disk +// must also be in the same AWS zone as the kubelet. An AWS EBS disk +// can only be mounted as read/write once. AWS EBS volumes support +// ownership management and SELinux relabeling. +#AWSElasticBlockStoreVolumeSource: { + // volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). 
+ // More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + volumeID: string @go(VolumeID) @protobuf(1,bytes,opt) + + // fsType is the filesystem type of the volume that you want to mount. + // Tip: Ensure that the filesystem type is supported by the host operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + // TODO: how do we prevent errors in the filesystem from compromising the machine + // +optional + fsType?: string @go(FSType) @protobuf(2,bytes,opt) + + // partition is the partition in the volume that you want to mount. + // If omitted, the default is to mount by volume name. + // Examples: For volume /dev/sda1, you specify the partition as "1". + // Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + // +optional + partition?: int32 @go(Partition) @protobuf(3,varint,opt) + + // readOnly value true will force the readOnly setting in VolumeMounts. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(4,varint,opt) +} + +// Represents a volume that is populated with the contents of a git repository. +// Git repo volumes do not support ownership management. +// Git repo volumes support SELinux relabeling. +// +// DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an +// EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir +// into the Pod's container. +#GitRepoVolumeSource: { + // repository is the URL + repository: string @go(Repository) @protobuf(1,bytes,opt) + + // revision is the commit hash for the specified revision. + // +optional + revision?: string @go(Revision) @protobuf(2,bytes,opt) + + // directory is the target directory name. + // Must not contain or start with '..'. If '.' 
is supplied, the volume directory will be the + // git repository. Otherwise, if specified, the volume will contain the git repository in + // the subdirectory with the given name. + // +optional + directory?: string @go(Directory) @protobuf(3,bytes,opt) +} + +// Adapts a Secret into a volume. +// +// The contents of the target Secret's Data field will be presented in a volume +// as files using the keys in the Data field as the file names. +// Secret volumes support ownership management and SELinux relabeling. +#SecretVolumeSource: { + // secretName is the name of the secret in the pod's namespace to use. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + // +optional + secretName?: string @go(SecretName) @protobuf(1,bytes,opt) + + // items If unspecified, each key-value pair in the Data field of the referenced + // Secret will be projected into the volume as a file whose name is the + // key and content is the value. If specified, the listed keys will be + // projected into the specified paths, and unlisted keys will not be + // present. If a key is specified which is not present in the Secret, + // the volume setup will error unless it is marked optional. Paths must be + // relative and may not contain the '..' path or start with '..'. + // +optional + items?: [...#KeyToPath] @go(Items,[]KeyToPath) @protobuf(2,bytes,rep) + + // defaultMode is Optional: mode bits used to set permissions on created files by default. + // Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires decimal values + // for mode bits. Defaults to 0644. + // Directories within the path are not affected by this setting. + // This might be in conflict with other options that affect the file + // mode, like fsGroup, and the result can be other mode bits set. 
+ // +optional + defaultMode?: null | int32 @go(DefaultMode,*int32) @protobuf(3,bytes,opt) + + // optional field specify whether the Secret or its keys must be defined + // +optional + optional?: null | bool @go(Optional,*bool) @protobuf(4,varint,opt) +} + +#SecretVolumeSourceDefaultMode: int32 & 0o644 + +// Adapts a secret into a projected volume. +// +// The contents of the target Secret's Data field will be presented in a +// projected volume as files using the keys in the Data field as the file names. +// Note that this is identical to a secret volume source without the default +// mode. +#SecretProjection: { + #LocalObjectReference + + // items if unspecified, each key-value pair in the Data field of the referenced + // Secret will be projected into the volume as a file whose name is the + // key and content is the value. If specified, the listed keys will be + // projected into the specified paths, and unlisted keys will not be + // present. If a key is specified which is not present in the Secret, + // the volume setup will error unless it is marked optional. Paths must be + // relative and may not contain the '..' path or start with '..'. + // +optional + items?: [...#KeyToPath] @go(Items,[]KeyToPath) @protobuf(2,bytes,rep) + + // optional field specify whether the Secret or its key must be defined + // +optional + optional?: null | bool @go(Optional,*bool) @protobuf(4,varint,opt) +} + +// Represents an NFS mount that lasts the lifetime of a pod. +// NFS volumes do not support ownership management or SELinux relabeling. +#NFSVolumeSource: { + // server is the hostname or IP address of the NFS server. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + server: string @go(Server) @protobuf(1,bytes,opt) + + // path that is exported by the NFS server. 
+ // More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + path: string @go(Path) @protobuf(2,bytes,opt) + + // readOnly here will force the NFS export to be mounted with read-only permissions. + // Defaults to false. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) +} + +// Represents an ISCSI disk. +// ISCSI volumes can only be mounted as read/write once. +// ISCSI volumes support ownership management and SELinux relabeling. +#ISCSIVolumeSource: { + // targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port + // is other than default (typically TCP ports 860 and 3260). + targetPortal: string @go(TargetPortal) @protobuf(1,bytes,opt) + + // iqn is the target iSCSI Qualified Name. + iqn: string @go(IQN) @protobuf(2,bytes,opt) + + // lun represents iSCSI Target Lun number. + lun: int32 @go(Lun) @protobuf(3,varint,opt) + + // iscsiInterface is the interface Name that uses an iSCSI transport. + // Defaults to 'default' (tcp). + // +optional + iscsiInterface?: string @go(ISCSIInterface) @protobuf(4,bytes,opt) + + // fsType is the filesystem type of the volume that you want to mount. + // Tip: Ensure that the filesystem type is supported by the host operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + // TODO: how do we prevent errors in the filesystem from compromising the machine + // +optional + fsType?: string @go(FSType) @protobuf(5,bytes,opt) + + // readOnly here will force the ReadOnly setting in VolumeMounts. + // Defaults to false. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(6,varint,opt) + + // portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port + // is other than default (typically TCP ports 860 and 3260). 
+ // +optional + portals?: [...string] @go(Portals,[]string) @protobuf(7,bytes,opt) + + // chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication + // +optional + chapAuthDiscovery?: bool @go(DiscoveryCHAPAuth) @protobuf(8,varint,opt) + + // chapAuthSession defines whether support iSCSI Session CHAP authentication + // +optional + chapAuthSession?: bool @go(SessionCHAPAuth) @protobuf(11,varint,opt) + + // secretRef is the CHAP Secret for iSCSI target and initiator authentication + // +optional + secretRef?: null | #LocalObjectReference @go(SecretRef,*LocalObjectReference) @protobuf(10,bytes,opt) + + // initiatorName is the custom iSCSI Initiator Name. + // If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface + // : will be created for the connection. + // +optional + initiatorName?: null | string @go(InitiatorName,*string) @protobuf(12,bytes,opt) +} + +// ISCSIPersistentVolumeSource represents an ISCSI disk. +// ISCSI volumes can only be mounted as read/write once. +// ISCSI volumes support ownership management and SELinux relabeling. +#ISCSIPersistentVolumeSource: { + // targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port + // is other than default (typically TCP ports 860 and 3260). + targetPortal: string @go(TargetPortal) @protobuf(1,bytes,opt) + + // iqn is Target iSCSI Qualified Name. + iqn: string @go(IQN) @protobuf(2,bytes,opt) + + // lun is iSCSI Target Lun number. + lun: int32 @go(Lun) @protobuf(3,varint,opt) + + // iscsiInterface is the interface Name that uses an iSCSI transport. + // Defaults to 'default' (tcp). + // +optional + iscsiInterface?: string @go(ISCSIInterface) @protobuf(4,bytes,opt) + + // fsType is the filesystem type of the volume that you want to mount. + // Tip: Ensure that the filesystem type is supported by the host operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
+ // More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + // TODO: how do we prevent errors in the filesystem from compromising the machine + // +optional + fsType?: string @go(FSType) @protobuf(5,bytes,opt) + + // readOnly here will force the ReadOnly setting in VolumeMounts. + // Defaults to false. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(6,varint,opt) + + // portals is the iSCSI Target Portal List. The Portal is either an IP or ip_addr:port if the port + // is other than default (typically TCP ports 860 and 3260). + // +optional + portals?: [...string] @go(Portals,[]string) @protobuf(7,bytes,opt) + + // chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication + // +optional + chapAuthDiscovery?: bool @go(DiscoveryCHAPAuth) @protobuf(8,varint,opt) + + // chapAuthSession defines whether support iSCSI Session CHAP authentication + // +optional + chapAuthSession?: bool @go(SessionCHAPAuth) @protobuf(11,varint,opt) + + // secretRef is the CHAP Secret for iSCSI target and initiator authentication + // +optional + secretRef?: null | #SecretReference @go(SecretRef,*SecretReference) @protobuf(10,bytes,opt) + + // initiatorName is the custom iSCSI Initiator Name. + // If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface + // : will be created for the connection. + // +optional + initiatorName?: null | string @go(InitiatorName,*string) @protobuf(12,bytes,opt) +} + +// Represents a Fibre Channel volume. +// Fibre Channel volumes can only be mounted as read/write once. +// Fibre Channel volumes support ownership management and SELinux relabeling. +#FCVolumeSource: { + // targetWWNs is Optional: FC target worldwide names (WWNs) + // +optional + targetWWNs?: [...string] @go(TargetWWNs,[]string) @protobuf(1,bytes,rep) + + // lun is Optional: FC target lun number + // +optional + lun?: null | int32 @go(Lun,*int32) @protobuf(2,varint,opt) + + // fsType is the filesystem type to mount. 
+ // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // TODO: how do we prevent errors in the filesystem from compromising the machine + // +optional + fsType?: string @go(FSType) @protobuf(3,bytes,opt) + + // readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(4,varint,opt) + + // wwids Optional: FC volume world wide identifiers (wwids) + // Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. + // +optional + wwids?: [...string] @go(WWIDs,[]string) @protobuf(5,bytes,rep) +} + +// AzureFile represents an Azure File Service mount on the host and bind mount to the pod. +#AzureFileVolumeSource: { + // secretName is the name of secret that contains Azure Storage Account Name and Key + secretName: string @go(SecretName) @protobuf(1,bytes,opt) + + // shareName is the azure share Name + shareName: string @go(ShareName) @protobuf(2,bytes,opt) + + // readOnly defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) +} + +// AzureFile represents an Azure File Service mount on the host and bind mount to the pod. +#AzureFilePersistentVolumeSource: { + // secretName is the name of secret that contains Azure Storage Account Name and Key + secretName: string @go(SecretName) @protobuf(1,bytes,opt) + + // shareName is the azure Share Name + shareName: string @go(ShareName) @protobuf(2,bytes,opt) + + // readOnly defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. 
+ // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) + + // secretNamespace is the namespace of the secret that contains Azure Storage Account Name and Key + // default is the same as the Pod + // +optional + secretNamespace?: null | string @go(SecretNamespace,*string) @protobuf(4,bytes,opt) +} + +// Represents a vSphere volume resource. +#VsphereVirtualDiskVolumeSource: { + // volumePath is the path that identifies vSphere volume vmdk + volumePath: string @go(VolumePath) @protobuf(1,bytes,opt) + + // fsType is filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // +optional + fsType?: string @go(FSType) @protobuf(2,bytes,opt) + + // storagePolicyName is the storage Policy Based Management (SPBM) profile name. + // +optional + storagePolicyName?: string @go(StoragePolicyName) @protobuf(3,bytes,opt) + + // storagePolicyID is the storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName. + // +optional + storagePolicyID?: string @go(StoragePolicyID) @protobuf(4,bytes,opt) +} + +// Represents a Photon Controller persistent disk resource. +#PhotonPersistentDiskVolumeSource: { + // pdID is the ID that identifies Photon Controller persistent disk + pdID: string @go(PdID) @protobuf(1,bytes,opt) + + // fsType is the filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
+ fsType?: string @go(FSType) @protobuf(2,bytes,opt) +} + +// +enum +#AzureDataDiskCachingMode: string // #enumAzureDataDiskCachingMode + +#enumAzureDataDiskCachingMode: + #AzureDataDiskCachingNone | + #AzureDataDiskCachingReadOnly | + #AzureDataDiskCachingReadWrite + +// +enum +#AzureDataDiskKind: string // #enumAzureDataDiskKind + +#enumAzureDataDiskKind: + #AzureSharedBlobDisk | + #AzureDedicatedBlobDisk | + #AzureManagedDisk + +#AzureDataDiskCachingNone: #AzureDataDiskCachingMode & "None" +#AzureDataDiskCachingReadOnly: #AzureDataDiskCachingMode & "ReadOnly" +#AzureDataDiskCachingReadWrite: #AzureDataDiskCachingMode & "ReadWrite" +#AzureSharedBlobDisk: #AzureDataDiskKind & "Shared" +#AzureDedicatedBlobDisk: #AzureDataDiskKind & "Dedicated" +#AzureManagedDisk: #AzureDataDiskKind & "Managed" + +// AzureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. +#AzureDiskVolumeSource: { + // diskName is the Name of the data disk in the blob storage + diskName: string @go(DiskName) @protobuf(1,bytes,opt) + + // diskURI is the URI of data disk in the blob storage + diskURI: string @go(DataDiskURI) @protobuf(2,bytes,opt) + + // cachingMode is the Host Caching mode: None, Read Only, Read Write. + // +optional + cachingMode?: null | #AzureDataDiskCachingMode @go(CachingMode,*AzureDataDiskCachingMode) @protobuf(3,bytes,opt,casttype=AzureDataDiskCachingMode) + + // fsType is Filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // +optional + fsType?: null | string @go(FSType,*string) @protobuf(4,bytes,opt) + + // readOnly Defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. 
+ // +optional + readOnly?: null | bool @go(ReadOnly,*bool) @protobuf(5,varint,opt) + + // kind expected values are Shared: multiple blob disks per storage account Dedicated: single blob disk per storage account Managed: azure managed data disk (only in managed availability set). defaults to shared + kind?: null | #AzureDataDiskKind @go(Kind,*AzureDataDiskKind) @protobuf(6,bytes,opt,casttype=AzureDataDiskKind) +} + +// PortworxVolumeSource represents a Portworx volume resource. +#PortworxVolumeSource: { + // volumeID uniquely identifies a Portworx volume + volumeID: string @go(VolumeID) @protobuf(1,bytes,opt) + + // fSType represents the filesystem type to mount + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. + fsType?: string @go(FSType) @protobuf(2,bytes,opt) + + // readOnly defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) +} + +// ScaleIOVolumeSource represents a persistent ScaleIO volume +#ScaleIOVolumeSource: { + // gateway is the host address of the ScaleIO API Gateway. + gateway: string @go(Gateway) @protobuf(1,bytes,opt) + + // system is the name of the storage system as configured in ScaleIO. + system: string @go(System) @protobuf(2,bytes,opt) + + // secretRef references to the secret for ScaleIO user and other + // sensitive information. If this is not provided, Login operation will fail. + secretRef?: null | #LocalObjectReference @go(SecretRef,*LocalObjectReference) @protobuf(3,bytes,opt) + + // sslEnabled Flag enable/disable SSL communication with Gateway, default false + // +optional + sslEnabled?: bool @go(SSLEnabled) @protobuf(4,varint,opt) + + // protectionDomain is the name of the ScaleIO Protection Domain for the configured storage. 
+ // +optional + protectionDomain?: string @go(ProtectionDomain) @protobuf(5,bytes,opt) + + // storagePool is the ScaleIO Storage Pool associated with the protection domain. + // +optional + storagePool?: string @go(StoragePool) @protobuf(6,bytes,opt) + + // storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. + // Default is ThinProvisioned. + // +optional + storageMode?: string @go(StorageMode) @protobuf(7,bytes,opt) + + // volumeName is the name of a volume already created in the ScaleIO system + // that is associated with this volume source. + volumeName?: string @go(VolumeName) @protobuf(8,bytes,opt) + + // fsType is the filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". + // Default is "xfs". + // +optional + fsType?: string @go(FSType) @protobuf(9,bytes,opt) + + // readOnly Defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(10,varint,opt) +} + +// ScaleIOPersistentVolumeSource represents a persistent ScaleIO volume +#ScaleIOPersistentVolumeSource: { + // gateway is the host address of the ScaleIO API Gateway. + gateway: string @go(Gateway) @protobuf(1,bytes,opt) + + // system is the name of the storage system as configured in ScaleIO. + system: string @go(System) @protobuf(2,bytes,opt) + + // secretRef references to the secret for ScaleIO user and other + // sensitive information. If this is not provided, Login operation will fail. + secretRef?: null | #SecretReference @go(SecretRef,*SecretReference) @protobuf(3,bytes,opt) + + // sslEnabled is the flag to enable/disable SSL communication with Gateway, default false + // +optional + sslEnabled?: bool @go(SSLEnabled) @protobuf(4,varint,opt) + + // protectionDomain is the name of the ScaleIO Protection Domain for the configured storage. 
+ // +optional + protectionDomain?: string @go(ProtectionDomain) @protobuf(5,bytes,opt) + + // storagePool is the ScaleIO Storage Pool associated with the protection domain. + // +optional + storagePool?: string @go(StoragePool) @protobuf(6,bytes,opt) + + // storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. + // Default is ThinProvisioned. + // +optional + storageMode?: string @go(StorageMode) @protobuf(7,bytes,opt) + + // volumeName is the name of a volume already created in the ScaleIO system + // that is associated with this volume source. + volumeName?: string @go(VolumeName) @protobuf(8,bytes,opt) + + // fsType is the filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". + // Default is "xfs" + // +optional + fsType?: string @go(FSType) @protobuf(9,bytes,opt) + + // readOnly defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(10,varint,opt) +} + +// Represents a StorageOS persistent volume resource. +#StorageOSVolumeSource: { + // volumeName is the human-readable name of the StorageOS volume. Volume + // names are only unique within a namespace. + volumeName?: string @go(VolumeName) @protobuf(1,bytes,opt) + + // volumeNamespace specifies the scope of the volume within StorageOS. If no + // namespace is specified then the Pod's namespace will be used. This allows the + // Kubernetes name scoping to be mirrored within StorageOS for tighter integration. + // Set VolumeName to any name to override the default behaviour. + // Set to "default" if you are not using namespaces within StorageOS. + // Namespaces that do not pre-exist within StorageOS will be created. + // +optional + volumeNamespace?: string @go(VolumeNamespace) @protobuf(2,bytes,opt) + + // fsType is the filesystem type to mount. 
+ // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // +optional + fsType?: string @go(FSType) @protobuf(3,bytes,opt) + + // readOnly defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(4,varint,opt) + + // secretRef specifies the secret to use for obtaining the StorageOS API + // credentials. If not specified, default values will be attempted. + // +optional + secretRef?: null | #LocalObjectReference @go(SecretRef,*LocalObjectReference) @protobuf(5,bytes,opt) +} + +// Represents a StorageOS persistent volume resource. +#StorageOSPersistentVolumeSource: { + // volumeName is the human-readable name of the StorageOS volume. Volume + // names are only unique within a namespace. + volumeName?: string @go(VolumeName) @protobuf(1,bytes,opt) + + // volumeNamespace specifies the scope of the volume within StorageOS. If no + // namespace is specified then the Pod's namespace will be used. This allows the + // Kubernetes name scoping to be mirrored within StorageOS for tighter integration. + // Set VolumeName to any name to override the default behaviour. + // Set to "default" if you are not using namespaces within StorageOS. + // Namespaces that do not pre-exist within StorageOS will be created. + // +optional + volumeNamespace?: string @go(VolumeNamespace) @protobuf(2,bytes,opt) + + // fsType is the filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // +optional + fsType?: string @go(FSType) @protobuf(3,bytes,opt) + + // readOnly defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. 
+ // +optional + readOnly?: bool @go(ReadOnly) @protobuf(4,varint,opt) + + // secretRef specifies the secret to use for obtaining the StorageOS API + // credentials. If not specified, default values will be attempted. + // +optional + secretRef?: null | #ObjectReference @go(SecretRef,*ObjectReference) @protobuf(5,bytes,opt) +} + +// Adapts a ConfigMap into a volume. +// +// The contents of the target ConfigMap's Data field will be presented in a +// volume as files using the keys in the Data field as the file names, unless +// the items element is populated with specific mappings of keys to paths. +// ConfigMap volumes support ownership management and SELinux relabeling. +#ConfigMapVolumeSource: { + #LocalObjectReference + + // items if unspecified, each key-value pair in the Data field of the referenced + // ConfigMap will be projected into the volume as a file whose name is the + // key and content is the value. If specified, the listed keys will be + // projected into the specified paths, and unlisted keys will not be + // present. If a key is specified which is not present in the ConfigMap, + // the volume setup will error unless it is marked optional. Paths must be + // relative and may not contain the '..' path or start with '..'. + // +optional + items?: [...#KeyToPath] @go(Items,[]KeyToPath) @protobuf(2,bytes,rep) + + // defaultMode is optional: mode bits used to set permissions on created files by default. + // Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + // Defaults to 0644. + // Directories within the path are not affected by this setting. + // This might be in conflict with other options that affect the file + // mode, like fsGroup, and the result can be other mode bits set. 
+ // +optional + defaultMode?: null | int32 @go(DefaultMode,*int32) @protobuf(3,varint,opt) + + // optional specify whether the ConfigMap or its keys must be defined + // +optional + optional?: null | bool @go(Optional,*bool) @protobuf(4,varint,opt) +} + +#ConfigMapVolumeSourceDefaultMode: int32 & 0o644 + +// Adapts a ConfigMap into a projected volume. +// +// The contents of the target ConfigMap's Data field will be presented in a +// projected volume as files using the keys in the Data field as the file names, +// unless the items element is populated with specific mappings of keys to paths. +// Note that this is identical to a configmap volume source without the default +// mode. +#ConfigMapProjection: { + #LocalObjectReference + + // items if unspecified, each key-value pair in the Data field of the referenced + // ConfigMap will be projected into the volume as a file whose name is the + // key and content is the value. If specified, the listed keys will be + // projected into the specified paths, and unlisted keys will not be + // present. If a key is specified which is not present in the ConfigMap, + // the volume setup will error unless it is marked optional. Paths must be + // relative and may not contain the '..' path or start with '..'. + // +optional + items?: [...#KeyToPath] @go(Items,[]KeyToPath) @protobuf(2,bytes,rep) + + // optional specify whether the ConfigMap or its keys must be defined + // +optional + optional?: null | bool @go(Optional,*bool) @protobuf(4,varint,opt) +} + +// ServiceAccountTokenProjection represents a projected service account token +// volume. This projection can be used to insert a service account token into +// the pods runtime filesystem for use against APIs (Kubernetes API Server or +// otherwise). +#ServiceAccountTokenProjection: { + // audience is the intended audience of the token. 
A recipient of a token + // must identify itself with an identifier specified in the audience of the + // token, and otherwise should reject the token. The audience defaults to the + // identifier of the apiserver. + // +optional + audience?: string @go(Audience) @protobuf(1,bytes,rep) + + // expirationSeconds is the requested duration of validity of the service + // account token. As the token approaches expiration, the kubelet volume + // plugin will proactively rotate the service account token. The kubelet will + // start trying to rotate the token if the token is older than 80 percent of + // its time to live or if the token is older than 24 hours.Defaults to 1 hour + // and must be at least 10 minutes. + // +optional + expirationSeconds?: null | int64 @go(ExpirationSeconds,*int64) @protobuf(2,varint,opt) + + // path is the path relative to the mount point of the file to project the + // token into. + path: string @go(Path) @protobuf(3,bytes,opt) +} + +// Represents a projected volume source +#ProjectedVolumeSource: { + // sources is the list of volume projections + // +optional + sources: [...#VolumeProjection] @go(Sources,[]VolumeProjection) @protobuf(1,bytes,rep) + + // defaultMode are the mode bits used to set permissions on created files by default. + // Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + // Directories within the path are not affected by this setting. + // This might be in conflict with other options that affect the file + // mode, like fsGroup, and the result can be other mode bits set. 
+ // +optional + defaultMode?: null | int32 @go(DefaultMode,*int32) @protobuf(2,varint,opt) +} + +// Projection that may be projected along with other supported volume types +#VolumeProjection: { + // secret information about the secret data to project + // +optional + secret?: null | #SecretProjection @go(Secret,*SecretProjection) @protobuf(1,bytes,opt) + + // downwardAPI information about the downwardAPI data to project + // +optional + downwardAPI?: null | #DownwardAPIProjection @go(DownwardAPI,*DownwardAPIProjection) @protobuf(2,bytes,opt) + + // configMap information about the configMap data to project + // +optional + configMap?: null | #ConfigMapProjection @go(ConfigMap,*ConfigMapProjection) @protobuf(3,bytes,opt) + + // serviceAccountToken is information about the serviceAccountToken data to project + // +optional + serviceAccountToken?: null | #ServiceAccountTokenProjection @go(ServiceAccountToken,*ServiceAccountTokenProjection) @protobuf(4,bytes,opt) +} + +#ProjectedVolumeSourceDefaultMode: int32 & 0o644 + +// Maps a string key to a path within a volume. +#KeyToPath: { + // key is the key to project. + key: string @go(Key) @protobuf(1,bytes,opt) + + // path is the relative path of the file to map the key to. + // May not be an absolute path. + // May not contain the path element '..'. + // May not start with the string '..'. + path: string @go(Path) @protobuf(2,bytes,opt) + + // mode is Optional: mode bits used to set permissions on this file. + // Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + // If not specified, the volume defaultMode will be used. + // This might be in conflict with other options that affect the file + // mode, like fsGroup, and the result can be other mode bits set. 
+ // +optional + mode?: null | int32 @go(Mode,*int32) @protobuf(3,varint,opt) +} + +// Local represents directly-attached storage with node affinity (Beta feature) +#LocalVolumeSource: { + // path of the full path to the volume on the node. + // It can be either a directory or block device (disk, partition, ...). + path: string @go(Path) @protobuf(1,bytes,opt) + + // fsType is the filesystem type to mount. + // It applies only when the Path is a block device. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". The default value is to auto-select a filesystem if unspecified. + // +optional + fsType?: null | string @go(FSType,*string) @protobuf(2,bytes,opt) +} + +// Represents storage that is managed by an external CSI volume driver (Beta feature) +#CSIPersistentVolumeSource: { + // driver is the name of the driver to use for this volume. + // Required. + driver: string @go(Driver) @protobuf(1,bytes,opt) + + // volumeHandle is the unique volume name returned by the CSI volume + // plugin’s CreateVolume to refer to the volume on all subsequent calls. + // Required. + volumeHandle: string @go(VolumeHandle) @protobuf(2,bytes,opt) + + // readOnly value to pass to ControllerPublishVolumeRequest. + // Defaults to false (read/write). + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) + + // fsType to mount. Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". + // +optional + fsType?: string @go(FSType) @protobuf(4,bytes,opt) + + // volumeAttributes of the volume to publish. + // +optional + volumeAttributes?: {[string]: string} @go(VolumeAttributes,map[string]string) @protobuf(5,bytes,rep) + + // controllerPublishSecretRef is a reference to the secret object containing + // sensitive information to pass to the CSI driver to complete the CSI + // ControllerPublishVolume and ControllerUnpublishVolume calls. 
+ // This field is optional, and may be empty if no secret is required. If the + // secret object contains more than one secret, all secrets are passed. + // +optional + controllerPublishSecretRef?: null | #SecretReference @go(ControllerPublishSecretRef,*SecretReference) @protobuf(6,bytes,opt) + + // nodeStageSecretRef is a reference to the secret object containing sensitive + // information to pass to the CSI driver to complete the CSI NodeStageVolume + // and NodeStageVolume and NodeUnstageVolume calls. + // This field is optional, and may be empty if no secret is required. If the + // secret object contains more than one secret, all secrets are passed. + // +optional + nodeStageSecretRef?: null | #SecretReference @go(NodeStageSecretRef,*SecretReference) @protobuf(7,bytes,opt) + + // nodePublishSecretRef is a reference to the secret object containing + // sensitive information to pass to the CSI driver to complete the CSI + // NodePublishVolume and NodeUnpublishVolume calls. + // This field is optional, and may be empty if no secret is required. If the + // secret object contains more than one secret, all secrets are passed. + // +optional + nodePublishSecretRef?: null | #SecretReference @go(NodePublishSecretRef,*SecretReference) @protobuf(8,bytes,opt) + + // controllerExpandSecretRef is a reference to the secret object containing + // sensitive information to pass to the CSI driver to complete the CSI + // ControllerExpandVolume call. + // This field is optional, and may be empty if no secret is required. If the + // secret object contains more than one secret, all secrets are passed. + // +optional + controllerExpandSecretRef?: null | #SecretReference @go(ControllerExpandSecretRef,*SecretReference) @protobuf(9,bytes,opt) + + // nodeExpandSecretRef is a reference to the secret object containing + // sensitive information to pass to the CSI driver to complete the CSI + // NodeExpandVolume call. 
+ // This is a beta field which is enabled default by CSINodeExpandSecret feature gate. + // This field is optional, may be omitted if no secret is required. If the + // secret object contains more than one secret, all secrets are passed. + // +featureGate=CSINodeExpandSecret + // +optional + nodeExpandSecretRef?: null | #SecretReference @go(NodeExpandSecretRef,*SecretReference) @protobuf(10,bytes,opt) +} + +// Represents a source location of a volume to mount, managed by an external CSI driver +#CSIVolumeSource: { + // driver is the name of the CSI driver that handles this volume. + // Consult with your admin for the correct name as registered in the cluster. + driver: string @go(Driver) @protobuf(1,bytes,opt) + + // readOnly specifies a read-only configuration for the volume. + // Defaults to false (read/write). + // +optional + readOnly?: null | bool @go(ReadOnly,*bool) @protobuf(2,varint,opt) + + // fsType to mount. Ex. "ext4", "xfs", "ntfs". + // If not provided, the empty value is passed to the associated CSI driver + // which will determine the default filesystem to apply. + // +optional + fsType?: null | string @go(FSType,*string) @protobuf(3,bytes,opt) + + // volumeAttributes stores driver-specific properties that are passed to the CSI + // driver. Consult your driver's documentation for supported values. + // +optional + volumeAttributes?: {[string]: string} @go(VolumeAttributes,map[string]string) @protobuf(4,bytes,rep) + + // nodePublishSecretRef is a reference to the secret object containing + // sensitive information to pass to the CSI driver to complete the CSI + // NodePublishVolume and NodeUnpublishVolume calls. + // This field is optional, and may be empty if no secret is required. If the + // secret object contains more than one secret, all secret references are passed. 
+ // +optional + nodePublishSecretRef?: null | #LocalObjectReference @go(NodePublishSecretRef,*LocalObjectReference) @protobuf(5,bytes,opt) +} + +// Represents an ephemeral volume that is handled by a normal storage driver. +#EphemeralVolumeSource: { + // Will be used to create a stand-alone PVC to provision the volume. + // The pod in which this EphemeralVolumeSource is embedded will be the + // owner of the PVC, i.e. the PVC will be deleted together with the + // pod. The name of the PVC will be `-` where + // `` is the name from the `PodSpec.Volumes` array + // entry. Pod validation will reject the pod if the concatenated name + // is not valid for a PVC (for example, too long). + // + // An existing PVC with that name that is not owned by the pod + // will *not* be used for the pod to avoid using an unrelated + // volume by mistake. Starting the pod is then blocked until + // the unrelated PVC is removed. If such a pre-created PVC is + // meant to be used by the pod, the PVC has to updated with an + // owner reference to the pod once the pod exists. Normally + // this should not be necessary, but it may be useful when + // manually reconstructing a broken cluster. + // + // This field is read-only and no changes will be made by Kubernetes + // to the PVC after it has been created. + // + // Required, must not be nil. + volumeClaimTemplate?: null | #PersistentVolumeClaimTemplate @go(VolumeClaimTemplate,*PersistentVolumeClaimTemplate) @protobuf(1,bytes,opt) +} + +// PersistentVolumeClaimTemplate is used to produce +// PersistentVolumeClaim objects as part of an EphemeralVolumeSource. +#PersistentVolumeClaimTemplate: { + // May contain labels and annotations that will be copied into the PVC + // when creating it. No other fields are allowed and will be rejected during + // validation. + // + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // The specification for the PersistentVolumeClaim. 
The entire content is + // copied unchanged into the PVC that gets created from this + // template. The same fields as in a PersistentVolumeClaim + // are also valid here. + spec: #PersistentVolumeClaimSpec @go(Spec) @protobuf(2,bytes) +} + +// ContainerPort represents a network port in a single container. +#ContainerPort: { + // If specified, this must be an IANA_SVC_NAME and unique within the pod. Each + // named port in a pod must have a unique name. Name for the port that can be + // referred to by services. + // +optional + name?: string @go(Name) @protobuf(1,bytes,opt) + + // Number of port to expose on the host. + // If specified, this must be a valid port number, 0 < x < 65536. + // If HostNetwork is specified, this must match ContainerPort. + // Most containers do not need this. + // +optional + hostPort?: int32 @go(HostPort) @protobuf(2,varint,opt) + + // Number of port to expose on the pod's IP address. + // This must be a valid port number, 0 < x < 65536. + containerPort: int32 @go(ContainerPort) @protobuf(3,varint,opt) + + // Protocol for port. Must be UDP, TCP, or SCTP. + // Defaults to "TCP". + // +optional + // +default="TCP" + protocol?: #Protocol @go(Protocol) @protobuf(4,bytes,opt,casttype=Protocol) + + // What host IP to bind the external port to. + // +optional + hostIP?: string @go(HostIP) @protobuf(5,bytes,opt) +} + +// VolumeMount describes a mounting of a Volume within a container. +#VolumeMount: { + // This must match the Name of a Volume. + name: string @go(Name) @protobuf(1,bytes,opt) + + // Mounted read-only if true, read-write otherwise (false or unspecified). + // Defaults to false. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(2,varint,opt) + + // Path within the container at which the volume should be mounted. Must + // not contain ':'. + mountPath: string @go(MountPath) @protobuf(3,bytes,opt) + + // Path within the volume from which the container's volume should be mounted. + // Defaults to "" (volume's root). 
+ // +optional + subPath?: string @go(SubPath) @protobuf(4,bytes,opt) + + // mountPropagation determines how mounts are propagated from the host + // to container and the other way around. + // When not set, MountPropagationNone is used. + // This field is beta in 1.10. + // +optional + mountPropagation?: null | #MountPropagationMode @go(MountPropagation,*MountPropagationMode) @protobuf(5,bytes,opt,casttype=MountPropagationMode) + + // Expanded path within the volume from which the container's volume should be mounted. + // Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + // Defaults to "" (volume's root). + // SubPathExpr and SubPath are mutually exclusive. + // +optional + subPathExpr?: string @go(SubPathExpr) @protobuf(6,bytes,opt) +} + +// MountPropagationMode describes mount propagation. +// +enum +#MountPropagationMode: string // #enumMountPropagationMode + +#enumMountPropagationMode: + #MountPropagationNone | + #MountPropagationHostToContainer | + #MountPropagationBidirectional + +// MountPropagationNone means that the volume in a container will +// not receive new mounts from the host or other containers, and filesystems +// mounted inside the container won't be propagated to the host or other +// containers. +// Note that this mode corresponds to "private" in Linux terminology. +#MountPropagationNone: #MountPropagationMode & "None" + +// MountPropagationHostToContainer means that the volume in a container will +// receive new mounts from the host or other containers, but filesystems +// mounted inside the container won't be propagated to the host or other +// containers. +// Note that this mode is recursively applied to all mounts in the volume +// ("rslave" in Linux terminology). 
+#MountPropagationHostToContainer: #MountPropagationMode & "HostToContainer" + +// MountPropagationBidirectional means that the volume in a container will +// receive new mounts from the host or other containers, and its own mounts +// will be propagated from the container to the host or other containers. +// Note that this mode is recursively applied to all mounts in the volume +// ("rshared" in Linux terminology). +#MountPropagationBidirectional: #MountPropagationMode & "Bidirectional" + +// volumeDevice describes a mapping of a raw block device within a container. +#VolumeDevice: { + // name must match the name of a persistentVolumeClaim in the pod + name: string @go(Name) @protobuf(1,bytes,opt) + + // devicePath is the path inside of the container that the device will be mapped to. + devicePath: string @go(DevicePath) @protobuf(2,bytes,opt) +} + +// EnvVar represents an environment variable present in a Container. +#EnvVar: { + // Name of the environment variable. Must be a C_IDENTIFIER. + name: string @go(Name) @protobuf(1,bytes,opt) + + // Variable references $(VAR_NAME) are expanded + // using the previously defined environment variables in the container and + // any service environment variables. If a variable cannot be resolved, + // the reference in the input string will be unchanged. Double $$ are reduced + // to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + // "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + // Escaped references will never be expanded, regardless of whether the variable + // exists or not. + // Defaults to "". + // +optional + value?: string @go(Value) @protobuf(2,bytes,opt) + + // Source for the environment variable's value. Cannot be used if value is not empty. + // +optional + valueFrom?: null | #EnvVarSource @go(ValueFrom,*EnvVarSource) @protobuf(3,bytes,opt) +} + +// EnvVarSource represents a source for the value of an EnvVar. 
+#EnvVarSource: { + // Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + // spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + // +optional + fieldRef?: null | #ObjectFieldSelector @go(FieldRef,*ObjectFieldSelector) @protobuf(1,bytes,opt) + + // Selects a resource of the container: only resources limits and requests + // (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + // +optional + resourceFieldRef?: null | #ResourceFieldSelector @go(ResourceFieldRef,*ResourceFieldSelector) @protobuf(2,bytes,opt) + + // Selects a key of a ConfigMap. + // +optional + configMapKeyRef?: null | #ConfigMapKeySelector @go(ConfigMapKeyRef,*ConfigMapKeySelector) @protobuf(3,bytes,opt) + + // Selects a key of a secret in the pod's namespace + // +optional + secretKeyRef?: null | #SecretKeySelector @go(SecretKeyRef,*SecretKeySelector) @protobuf(4,bytes,opt) +} + +// ObjectFieldSelector selects an APIVersioned field of an object. +// +structType=atomic +#ObjectFieldSelector: { + // Version of the schema the FieldPath is written in terms of, defaults to "v1". + // +optional + apiVersion?: string @go(APIVersion) @protobuf(1,bytes,opt) + + // Path of the field to select in the specified API version. 
+ fieldPath: string @go(FieldPath) @protobuf(2,bytes,opt) +} + +// ResourceFieldSelector represents container resources (cpu, memory) and their output format +// +structType=atomic +#ResourceFieldSelector: { + // Container name: required for volumes, optional for env vars + // +optional + containerName?: string @go(ContainerName) @protobuf(1,bytes,opt) + + // Required: resource to select + "resource": string @go(Resource) @protobuf(2,bytes,opt) + + // Specifies the output format of the exposed resources, defaults to "1" + // +optional + divisor?: resource.#Quantity @go(Divisor) @protobuf(3,bytes,opt) +} + +// Selects a key from a ConfigMap. +// +structType=atomic +#ConfigMapKeySelector: { + #LocalObjectReference + + // The key to select. + key: string @go(Key) @protobuf(2,bytes,opt) + + // Specify whether the ConfigMap or its key must be defined + // +optional + optional?: null | bool @go(Optional,*bool) @protobuf(3,varint,opt) +} + +// SecretKeySelector selects a key of a Secret. +// +structType=atomic +#SecretKeySelector: { + #LocalObjectReference + + // The key of the secret to select from. Must be a valid secret key. + key: string @go(Key) @protobuf(2,bytes,opt) + + // Specify whether the Secret or its key must be defined + // +optional + optional?: null | bool @go(Optional,*bool) @protobuf(3,varint,opt) +} + +// EnvFromSource represents the source of a set of ConfigMaps +#EnvFromSource: { + // An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + // +optional + prefix?: string @go(Prefix) @protobuf(1,bytes,opt) + + // The ConfigMap to select from + // +optional + configMapRef?: null | #ConfigMapEnvSource @go(ConfigMapRef,*ConfigMapEnvSource) @protobuf(2,bytes,opt) + + // The Secret to select from + // +optional + secretRef?: null | #SecretEnvSource @go(SecretRef,*SecretEnvSource) @protobuf(3,bytes,opt) +} + +// ConfigMapEnvSource selects a ConfigMap to populate the environment +// variables with. 
+// +// The contents of the target ConfigMap's Data field will represent the +// key-value pairs as environment variables. +#ConfigMapEnvSource: { + #LocalObjectReference + + // Specify whether the ConfigMap must be defined + // +optional + optional?: null | bool @go(Optional,*bool) @protobuf(2,varint,opt) +} + +// SecretEnvSource selects a Secret to populate the environment +// variables with. +// +// The contents of the target Secret's Data field will represent the +// key-value pairs as environment variables. +#SecretEnvSource: { + #LocalObjectReference + + // Specify whether the Secret must be defined + // +optional + optional?: null | bool @go(Optional,*bool) @protobuf(2,varint,opt) +} + +// HTTPHeader describes a custom header to be used in HTTP probes +#HTTPHeader: { + // The header field name. + // This will be canonicalized upon output, so case-variant names will be understood as the same header. + name: string @go(Name) @protobuf(1,bytes,opt) + + // The header field value + value: string @go(Value) @protobuf(2,bytes,opt) +} + +// HTTPGetAction describes an action based on HTTP Get requests. +#HTTPGetAction: { + // Path to access on the HTTP server. + // +optional + path?: string @go(Path) @protobuf(1,bytes,opt) + + // Name or number of the port to access on the container. + // Number must be in the range 1 to 65535. + // Name must be an IANA_SVC_NAME. + port: intstr.#IntOrString @go(Port) @protobuf(2,bytes,opt) + + // Host name to connect to, defaults to the pod IP. You probably want to set + // "Host" in httpHeaders instead. + // +optional + host?: string @go(Host) @protobuf(3,bytes,opt) + + // Scheme to use for connecting to the host. + // Defaults to HTTP. + // +optional + scheme?: #URIScheme @go(Scheme) @protobuf(4,bytes,opt,casttype=URIScheme) + + // Custom headers to set in the request. HTTP allows repeated headers. 
+ // +optional + httpHeaders?: [...#HTTPHeader] @go(HTTPHeaders,[]HTTPHeader) @protobuf(5,bytes,rep) +} + +// URIScheme identifies the scheme used for connection to a host for Get actions +// +enum +#URIScheme: string // #enumURIScheme + +#enumURIScheme: + #URISchemeHTTP | + #URISchemeHTTPS + +// URISchemeHTTP means that the scheme used will be http:// +#URISchemeHTTP: #URIScheme & "HTTP" + +// URISchemeHTTPS means that the scheme used will be https:// +#URISchemeHTTPS: #URIScheme & "HTTPS" + +// TCPSocketAction describes an action based on opening a socket +#TCPSocketAction: { + // Number or name of the port to access on the container. + // Number must be in the range 1 to 65535. + // Name must be an IANA_SVC_NAME. + port: intstr.#IntOrString @go(Port) @protobuf(1,bytes,opt) + + // Optional: Host name to connect to, defaults to the pod IP. + // +optional + host?: string @go(Host) @protobuf(2,bytes,opt) +} + +#GRPCAction: { + // Port number of the gRPC service. Number must be in the range 1 to 65535. + port: int32 @go(Port) @protobuf(1,bytes,opt) + + // Service is the name of the service to place in the gRPC HealthCheckRequest + // (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + // + // If this is not specified, the default behavior is defined by gRPC. + // +optional + // +default="" + service?: null | string @go(Service,*string) @protobuf(2,bytes,opt) +} + +// ExecAction describes a "run in container" action. +#ExecAction: { + // Command is the command line to execute inside the container, the working directory for the + // command is root ('/') in the container's filesystem. The command is simply exec'd, it is + // not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + // a shell, you need to explicitly call out to that shell. + // Exit status of 0 is treated as live/healthy and non-zero is unhealthy. 
+ // +optional + command?: [...string] @go(Command,[]string) @protobuf(1,bytes,rep) +} + +// Probe describes a health check to be performed against a container to determine whether it is +// alive or ready to receive traffic. +#Probe: { + #ProbeHandler + + // Number of seconds after the container has started before liveness probes are initiated. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + // +optional + initialDelaySeconds?: int32 @go(InitialDelaySeconds) @protobuf(2,varint,opt) + + // Number of seconds after which the probe times out. + // Defaults to 1 second. Minimum value is 1. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + // +optional + timeoutSeconds?: int32 @go(TimeoutSeconds) @protobuf(3,varint,opt) + + // How often (in seconds) to perform the probe. + // Default to 10 seconds. Minimum value is 1. + // +optional + periodSeconds?: int32 @go(PeriodSeconds) @protobuf(4,varint,opt) + + // Minimum consecutive successes for the probe to be considered successful after having failed. + // Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + // +optional + successThreshold?: int32 @go(SuccessThreshold) @protobuf(5,varint,opt) + + // Minimum consecutive failures for the probe to be considered failed after having succeeded. + // Defaults to 3. Minimum value is 1. + // +optional + failureThreshold?: int32 @go(FailureThreshold) @protobuf(6,varint,opt) + + // Optional duration in seconds the pod needs to terminate gracefully upon probe failure. + // The grace period is the duration in seconds after the processes running in the pod are sent + // a termination signal and the time when the processes are forcibly halted with a kill signal. + // Set this value longer than the expected cleanup time for your process. + // If this value is nil, the pod's terminationGracePeriodSeconds will be used. 
Otherwise, this + // value overrides the value provided by the pod spec. + // Value must be non-negative integer. The value zero indicates stop immediately via + // the kill signal (no opportunity to shut down). + // This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. + // Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. + // +optional + terminationGracePeriodSeconds?: null | int64 @go(TerminationGracePeriodSeconds,*int64) @protobuf(7,varint,opt) +} + +// PullPolicy describes a policy for if/when to pull a container image +// +enum +#PullPolicy: string // #enumPullPolicy + +#enumPullPolicy: + #PullAlways | + #PullNever | + #PullIfNotPresent + +// PullAlways means that kubelet always attempts to pull the latest image. Container will fail If the pull fails. +#PullAlways: #PullPolicy & "Always" + +// PullNever means that kubelet never pulls an image, but only uses a local image. Container will fail if the image isn't present +#PullNever: #PullPolicy & "Never" + +// PullIfNotPresent means that kubelet pulls if the image isn't present on disk. Container will fail if the image isn't present and the pull fails. +#PullIfNotPresent: #PullPolicy & "IfNotPresent" + +// ResourceResizeRestartPolicy specifies how to handle container resource resize. +#ResourceResizeRestartPolicy: string // #enumResourceResizeRestartPolicy + +#enumResourceResizeRestartPolicy: + #NotRequired | + #RestartContainer + +// 'NotRequired' means Kubernetes will try to resize the container +// without restarting it, if possible. Kubernetes may however choose to +// restart the container if it is unable to actuate resize without a +// restart. For e.g. the runtime doesn't support restart-free resizing. +#NotRequired: #ResourceResizeRestartPolicy & "NotRequired" + +// 'RestartContainer' means Kubernetes will resize the container in-place +// by stopping and starting the container when new resources are applied. 
+// This is needed for legacy applications. For e.g. java apps using the +// -xmxN flag which are unable to use resized memory without restarting. +#RestartContainer: #ResourceResizeRestartPolicy & "RestartContainer" + +// ContainerResizePolicy represents resource resize policy for the container. +#ContainerResizePolicy: { + // Name of the resource to which this resource resize policy applies. + // Supported values: cpu, memory. + resourceName: #ResourceName @go(ResourceName) @protobuf(1,bytes,opt,casttype=ResourceName) + + // Restart policy to apply when specified resource is resized. + // If not specified, it defaults to NotRequired. + restartPolicy: #ResourceResizeRestartPolicy @go(RestartPolicy) @protobuf(2,bytes,opt,casttype=ResourceResizeRestartPolicy) +} + +// PreemptionPolicy describes a policy for if/when to preempt a pod. +// +enum +#PreemptionPolicy: string // #enumPreemptionPolicy + +#enumPreemptionPolicy: + #PreemptLowerPriority | + #PreemptNever + +// PreemptLowerPriority means that pod can preempt other pods with lower priority. +#PreemptLowerPriority: #PreemptionPolicy & "PreemptLowerPriority" + +// PreemptNever means that pod never preempts other pods with lower priority. +#PreemptNever: #PreemptionPolicy & "Never" + +// TerminationMessagePolicy describes how termination messages are retrieved from a container. +// +enum +#TerminationMessagePolicy: string // #enumTerminationMessagePolicy + +#enumTerminationMessagePolicy: + #TerminationMessageReadFile | + #TerminationMessageFallbackToLogsOnError + +// TerminationMessageReadFile is the default behavior and will set the container status message to +// the contents of the container's terminationMessagePath when the container exits. 
+#TerminationMessageReadFile: #TerminationMessagePolicy & "File" + +// TerminationMessageFallbackToLogsOnError will read the most recent contents of the container logs +// for the container status message when the container exits with an error and the +// terminationMessagePath has no contents. +#TerminationMessageFallbackToLogsOnError: #TerminationMessagePolicy & "FallbackToLogsOnError" + +// Capability represent POSIX capabilities type +#Capability: string + +// Adds and removes POSIX capabilities from running containers. +#Capabilities: { + // Added capabilities + // +optional + add?: [...#Capability] @go(Add,[]Capability) @protobuf(1,bytes,rep,casttype=Capability) + + // Removed capabilities + // +optional + drop?: [...#Capability] @go(Drop,[]Capability) @protobuf(2,bytes,rep,casttype=Capability) +} + +// ResourceRequirements describes the compute resource requirements. +#ResourceRequirements: { + // Limits describes the maximum amount of compute resources allowed. + // More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + // +optional + limits?: #ResourceList @go(Limits) @protobuf(1,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // Requests describes the minimum amount of compute resources required. + // If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + // otherwise to an implementation-defined value. Requests cannot exceed Limits. + // More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + // +optional + requests?: #ResourceList @go(Requests) @protobuf(2,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // Claims lists the names of resources, defined in spec.resourceClaims, + // that are used by this container. + // + // This is an alpha field and requires enabling the + // DynamicResourceAllocation feature gate. + // + // This field is immutable. It can only be set for containers. 
+ // + // +listType=map + // +listMapKey=name + // +featureGate=DynamicResourceAllocation + // +optional + claims?: [...#ResourceClaim] @go(Claims,[]ResourceClaim) @protobuf(3,bytes,opt) +} + +// ResourceClaim references one entry in PodSpec.ResourceClaims. +#ResourceClaim: { + // Name must match the name of one entry in pod.spec.resourceClaims of + // the Pod where this field is used. It makes that resource available + // inside a container. + name: string @go(Name) @protobuf(1,bytes,opt) +} + +// TerminationMessagePathDefault means the default path to capture the application termination message running in a container +#TerminationMessagePathDefault: "/dev/termination-log" + +// A single application container that you want to run within a pod. +#Container: { + // Name of the container specified as a DNS_LABEL. + // Each container in a pod must have a unique name (DNS_LABEL). + // Cannot be updated. + name: string @go(Name) @protobuf(1,bytes,opt) + + // Container image name. + // More info: https://kubernetes.io/docs/concepts/containers/images + // This field is optional to allow higher level config management to default or override + // container images in workload controllers like Deployments and StatefulSets. + // +optional + image?: string @go(Image) @protobuf(2,bytes,opt) + + // Entrypoint array. Not executed within a shell. + // The container image's ENTRYPOINT is used if this is not provided. + // Variable references $(VAR_NAME) are expanded using the container's environment. If a variable + // cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + // to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + // produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + // of whether the variable exists or not. Cannot be updated. 
+ // More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + // +optional + command?: [...string] @go(Command,[]string) @protobuf(3,bytes,rep) + + // Arguments to the entrypoint. + // The container image's CMD is used if this is not provided. + // Variable references $(VAR_NAME) are expanded using the container's environment. If a variable + // cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + // to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + // produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + // of whether the variable exists or not. Cannot be updated. + // More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + // +optional + args?: [...string] @go(Args,[]string) @protobuf(4,bytes,rep) + + // Container's working directory. + // If not specified, the container runtime's default will be used, which + // might be configured in the container image. + // Cannot be updated. + // +optional + workingDir?: string @go(WorkingDir) @protobuf(5,bytes,opt) + + // List of ports to expose from the container. Not specifying a port here + // DOES NOT prevent that port from being exposed. Any port which is + // listening on the default "0.0.0.0" address inside a container will be + // accessible from the network. + // Modifying this array with strategic merge patch may corrupt the data. + // For more information See https://github.com/kubernetes/kubernetes/issues/108255. + // Cannot be updated. 
+ // +optional + // +patchMergeKey=containerPort + // +patchStrategy=merge + // +listType=map + // +listMapKey=containerPort + // +listMapKey=protocol + ports?: [...#ContainerPort] @go(Ports,[]ContainerPort) @protobuf(6,bytes,rep) + + // List of sources to populate environment variables in the container. + // The keys defined within a source must be a C_IDENTIFIER. All invalid keys + // will be reported as an event when the container is starting. When a key exists in multiple + // sources, the value associated with the last source will take precedence. + // Values defined by an Env with a duplicate key will take precedence. + // Cannot be updated. + // +optional + envFrom?: [...#EnvFromSource] @go(EnvFrom,[]EnvFromSource) @protobuf(19,bytes,rep) + + // List of environment variables to set in the container. + // Cannot be updated. + // +optional + // +patchMergeKey=name + // +patchStrategy=merge + env?: [...#EnvVar] @go(Env,[]EnvVar) @protobuf(7,bytes,rep) + + // Compute Resources required by this container. + // Cannot be updated. + // More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + // +optional + resources?: #ResourceRequirements @go(Resources) @protobuf(8,bytes,opt) + + // Resources resize policy for the container. + // +featureGate=InPlacePodVerticalScaling + // +optional + // +listType=atomic + resizePolicy?: [...#ContainerResizePolicy] @go(ResizePolicy,[]ContainerResizePolicy) @protobuf(23,bytes,rep) + + // RestartPolicy defines the restart behavior of individual containers in a pod. + // This field may only be set for init containers, and the only allowed value is "Always". + // For non-init containers or when this field is not specified, + // the restart behavior is defined by the Pod's restart policy and the container type. 
+ // Setting the RestartPolicy as "Always" for the init container will have the following effect: + // this init container will be continually restarted on + // exit until all regular containers have terminated. Once all regular + // containers have completed, all init containers with restartPolicy "Always" + // will be shut down. This lifecycle differs from normal init containers and + // is often referred to as a "sidecar" container. Although this init + // container still starts in the init container sequence, it does not wait + // for the container to complete before proceeding to the next init + // container. Instead, the next init container starts immediately after this + // init container is started, or after any startupProbe has successfully + // completed. + // +featureGate=SidecarContainers + // +optional + restartPolicy?: null | #ContainerRestartPolicy @go(RestartPolicy,*ContainerRestartPolicy) @protobuf(24,bytes,opt,casttype=ContainerRestartPolicy) + + // Pod volumes to mount into the container's filesystem. + // Cannot be updated. + // +optional + // +patchMergeKey=mountPath + // +patchStrategy=merge + volumeMounts?: [...#VolumeMount] @go(VolumeMounts,[]VolumeMount) @protobuf(9,bytes,rep) + + // volumeDevices is the list of block devices to be used by the container. + // +patchMergeKey=devicePath + // +patchStrategy=merge + // +optional + volumeDevices?: [...#VolumeDevice] @go(VolumeDevices,[]VolumeDevice) @protobuf(21,bytes,rep) + + // Periodic probe of container liveness. + // Container will be restarted if the probe fails. + // Cannot be updated. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + // +optional + livenessProbe?: null | #Probe @go(LivenessProbe,*Probe) @protobuf(10,bytes,opt) + + // Periodic probe of container service readiness. + // Container will be removed from service endpoints if the probe fails. + // Cannot be updated. 
+ // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + // +optional + readinessProbe?: null | #Probe @go(ReadinessProbe,*Probe) @protobuf(11,bytes,opt) + + // StartupProbe indicates that the Pod has successfully initialized. + // If specified, no other probes are executed until this completes successfully. + // If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. + // This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, + // when it might take a long time to load data or warm a cache, than during steady-state operation. + // This cannot be updated. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + // +optional + startupProbe?: null | #Probe @go(StartupProbe,*Probe) @protobuf(22,bytes,opt) + + // Actions that the management system should take in response to container lifecycle events. + // Cannot be updated. + // +optional + lifecycle?: null | #Lifecycle @go(Lifecycle,*Lifecycle) @protobuf(12,bytes,opt) + + // Optional: Path at which the file to which the container's termination message + // will be written is mounted into the container's filesystem. + // Message written is intended to be brief final status, such as an assertion failure message. + // Will be truncated by the node if greater than 4096 bytes. The total message length across + // all containers will be limited to 12kb. + // Defaults to /dev/termination-log. + // Cannot be updated. + // +optional + terminationMessagePath?: string @go(TerminationMessagePath) @protobuf(13,bytes,opt) + + // Indicate how the termination message should be populated. File will use the contents of + // terminationMessagePath to populate the container status message on both success and failure. + // FallbackToLogsOnError will use the last chunk of container log output if the termination + // message file is empty and the container exited with an error. 
+ // The log output is limited to 2048 bytes or 80 lines, whichever is smaller. + // Defaults to File. + // Cannot be updated. + // +optional + terminationMessagePolicy?: #TerminationMessagePolicy @go(TerminationMessagePolicy) @protobuf(20,bytes,opt,casttype=TerminationMessagePolicy) + + // Image pull policy. + // One of Always, Never, IfNotPresent. + // Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + // Cannot be updated. + // More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + // +optional + imagePullPolicy?: #PullPolicy @go(ImagePullPolicy) @protobuf(14,bytes,opt,casttype=PullPolicy) + + // SecurityContext defines the security options the container should be run with. + // If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. + // More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + // +optional + securityContext?: null | #SecurityContext @go(SecurityContext,*SecurityContext) @protobuf(15,bytes,opt) + + // Whether this container should allocate a buffer for stdin in the container runtime. If this + // is not set, reads from stdin in the container will always result in EOF. + // Default is false. + // +optional + stdin?: bool @go(Stdin) @protobuf(16,varint,opt) + + // Whether the container runtime should close the stdin channel after it has been opened by + // a single attach. When stdin is true the stdin stream will remain open across multiple attach + // sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the + // first client attaches to stdin, and then remains open and accepts data until the client disconnects, + // at which time stdin is closed and remains closed until the container is restarted. If this + // flag is false, a container processes that reads from stdin will never receive an EOF. 
+ // Default is false + // +optional + stdinOnce?: bool @go(StdinOnce) @protobuf(17,varint,opt) + + // Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. + // Default is false. + // +optional + tty?: bool @go(TTY) @protobuf(18,varint,opt) +} + +// ProbeHandler defines a specific action that should be taken in a probe. +// One and only one of the fields must be specified. +#ProbeHandler: { + // Exec specifies the action to take. + // +optional + exec?: null | #ExecAction @go(Exec,*ExecAction) @protobuf(1,bytes,opt) + + // HTTPGet specifies the http request to perform. + // +optional + httpGet?: null | #HTTPGetAction @go(HTTPGet,*HTTPGetAction) @protobuf(2,bytes,opt) + + // TCPSocket specifies an action involving a TCP port. + // +optional + tcpSocket?: null | #TCPSocketAction @go(TCPSocket,*TCPSocketAction) @protobuf(3,bytes,opt) + + // GRPC specifies an action involving a GRPC port. + // +optional + grpc?: null | #GRPCAction @go(GRPC,*GRPCAction) @protobuf(4,bytes,opt) +} + +// LifecycleHandler defines a specific action that should be taken in a lifecycle +// hook. One and only one of the fields, except TCPSocket must be specified. +#LifecycleHandler: { + // Exec specifies the action to take. + // +optional + exec?: null | #ExecAction @go(Exec,*ExecAction) @protobuf(1,bytes,opt) + + // HTTPGet specifies the http request to perform. + // +optional + httpGet?: null | #HTTPGetAction @go(HTTPGet,*HTTPGetAction) @protobuf(2,bytes,opt) + + // Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept + // for the backward compatibility. There are no validation of this field and + // lifecycle hooks will fail in runtime when tcp handler is specified. + // +optional + tcpSocket?: null | #TCPSocketAction @go(TCPSocket,*TCPSocketAction) @protobuf(3,bytes,opt) +} + +// Lifecycle describes actions that the management system should take in response to container lifecycle +// events. 
For the PostStart and PreStop lifecycle handlers, management of the container blocks +// until the action is complete, unless the container process fails, in which case the handler is aborted. +#Lifecycle: { + // PostStart is called immediately after a container is created. If the handler fails, + // the container is terminated and restarted according to its restart policy. + // Other management of the container blocks until the hook completes. + // More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + // +optional + postStart?: null | #LifecycleHandler @go(PostStart,*LifecycleHandler) @protobuf(1,bytes,opt) + + // PreStop is called immediately before a container is terminated due to an + // API request or management event such as liveness/startup probe failure, + // preemption, resource contention, etc. The handler is not called if the + // container crashes or exits. The Pod's termination grace period countdown begins before the + // PreStop hook is executed. Regardless of the outcome of the handler, the + // container will eventually terminate within the Pod's termination grace + // period (unless delayed by finalizers). Other management of the container blocks until the hook completes + // or until the termination grace period is reached. + // More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + // +optional + preStop?: null | #LifecycleHandler @go(PreStop,*LifecycleHandler) @protobuf(2,bytes,opt) +} + +#ConditionStatus: string // #enumConditionStatus + +#enumConditionStatus: + #ConditionTrue | + #ConditionFalse | + #ConditionUnknown + +#ConditionTrue: #ConditionStatus & "True" +#ConditionFalse: #ConditionStatus & "False" +#ConditionUnknown: #ConditionStatus & "Unknown" + +// ContainerStateWaiting is a waiting state of a container. +#ContainerStateWaiting: { + // (brief) reason the container is not yet running. 
+ // +optional + reason?: string @go(Reason) @protobuf(1,bytes,opt) + + // Message regarding why the container is not yet running. + // +optional + message?: string @go(Message) @protobuf(2,bytes,opt) +} + +// ContainerStateRunning is a running state of a container. +#ContainerStateRunning: { + // Time at which the container was last (re-)started + // +optional + startedAt?: metav1.#Time @go(StartedAt) @protobuf(1,bytes,opt) +} + +// ContainerStateTerminated is a terminated state of a container. +#ContainerStateTerminated: { + // Exit status from the last termination of the container + exitCode: int32 @go(ExitCode) @protobuf(1,varint,opt) + + // Signal from the last termination of the container + // +optional + signal?: int32 @go(Signal) @protobuf(2,varint,opt) + + // (brief) reason from the last termination of the container + // +optional + reason?: string @go(Reason) @protobuf(3,bytes,opt) + + // Message regarding the last termination of the container + // +optional + message?: string @go(Message) @protobuf(4,bytes,opt) + + // Time at which previous execution of the container started + // +optional + startedAt?: metav1.#Time @go(StartedAt) @protobuf(5,bytes,opt) + + // Time at which the container last terminated + // +optional + finishedAt?: metav1.#Time @go(FinishedAt) @protobuf(6,bytes,opt) + + // Container's ID in the format '://' + // +optional + containerID?: string @go(ContainerID) @protobuf(7,bytes,opt) +} + +// ContainerState holds a possible state of container. +// Only one of its members may be specified. +// If none of them is specified, the default one is ContainerStateWaiting. 
+#ContainerState: { + // Details about a waiting container + // +optional + waiting?: null | #ContainerStateWaiting @go(Waiting,*ContainerStateWaiting) @protobuf(1,bytes,opt) + + // Details about a running container + // +optional + running?: null | #ContainerStateRunning @go(Running,*ContainerStateRunning) @protobuf(2,bytes,opt) + + // Details about a terminated container + // +optional + terminated?: null | #ContainerStateTerminated @go(Terminated,*ContainerStateTerminated) @protobuf(3,bytes,opt) +} + +// ContainerStatus contains details for the current status of this container. +#ContainerStatus: { + // Name is a DNS_LABEL representing the unique name of the container. + // Each container in a pod must have a unique name across all container types. + // Cannot be updated. + name: string @go(Name) @protobuf(1,bytes,opt) + + // State holds details about the container's current condition. + // +optional + state?: #ContainerState @go(State) @protobuf(2,bytes,opt) + + // LastTerminationState holds the last termination state of the container to + // help debug container crashes and restarts. This field is not + // populated if the container is still running and RestartCount is 0. + // +optional + lastState?: #ContainerState @go(LastTerminationState) @protobuf(3,bytes,opt) + + // Ready specifies whether the container is currently passing its readiness check. + // The value will change as readiness probes keep executing. If no readiness + // probes are specified, this field defaults to true once the container is + // fully started (see Started field). + // + // The value is typically used to determine whether a container is ready to + // accept traffic. + ready: bool @go(Ready) @protobuf(4,varint,opt) + + // RestartCount holds the number of times the container has been restarted. + // Kubelet makes an effort to always increment the value, but there + // are cases when the state may be lost due to node restarts and then the value + // may be reset to 0. 
The value is never negative. + restartCount: int32 @go(RestartCount) @protobuf(5,varint,opt) + + // Image is the name of container image that the container is running. + // The container image may not match the image used in the PodSpec, + // as it may have been resolved by the runtime. + // More info: https://kubernetes.io/docs/concepts/containers/images. + image: string @go(Image) @protobuf(6,bytes,opt) + + // ImageID is the image ID of the container's image. The image ID may not + // match the image ID of the image used in the PodSpec, as it may have been + // resolved by the runtime. + imageID: string @go(ImageID) @protobuf(7,bytes,opt) + + // ContainerID is the ID of the container in the format '://'. + // Where type is a container runtime identifier, returned from Version call of CRI API + // (for example "containerd"). + // +optional + containerID?: string @go(ContainerID) @protobuf(8,bytes,opt) + + // Started indicates whether the container has finished its postStart lifecycle hook + // and passed its startup probe. + // Initialized as false, becomes true after startupProbe is considered + // successful. Resets to false when the container is restarted, or if kubelet + // loses state temporarily. In both cases, startup probes will run again. + // Is always true when no startupProbe is defined and container is running and + // has passed the postStart lifecycle hook. The null value must be treated the + // same as false. + // +optional + started?: null | bool @go(Started,*bool) @protobuf(9,varint,opt) + + // AllocatedResources represents the compute resources allocated for this container by the + // node. Kubelet sets this value to Container.Resources.Requests upon successful pod admission + // and after successfully admitting desired pod resize. 
+ // +featureGate=InPlacePodVerticalScaling + // +optional + allocatedResources?: #ResourceList @go(AllocatedResources) @protobuf(10,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // Resources represents the compute resource requests and limits that have been successfully + // enacted on the running container after it has been started or has been successfully resized. + // +featureGate=InPlacePodVerticalScaling + // +optional + resources?: null | #ResourceRequirements @go(Resources,*ResourceRequirements) @protobuf(11,bytes,opt) +} + +// PodPhase is a label for the condition of a pod at the current time. +// +enum +#PodPhase: string // #enumPodPhase + +#enumPodPhase: + #PodPending | + #PodRunning | + #PodSucceeded | + #PodFailed | + #PodUnknown + +// PodPending means the pod has been accepted by the system, but one or more of the containers +// has not been started. This includes time before being bound to a node, as well as time spent +// pulling images onto the host. +#PodPending: #PodPhase & "Pending" + +// PodRunning means the pod has been bound to a node and all of the containers have been started. +// At least one container is still running or is in the process of being restarted. +#PodRunning: #PodPhase & "Running" + +// PodSucceeded means that all containers in the pod have voluntarily terminated +// with a container exit code of 0, and the system is not going to restart any of these containers. +#PodSucceeded: #PodPhase & "Succeeded" + +// PodFailed means that all containers in the pod have terminated, and at least one container has +// terminated in a failure (exited with a non-zero exit code or was stopped by the system). +#PodFailed: #PodPhase & "Failed" + +// PodUnknown means that for some reason the state of the pod could not be obtained, typically due +// to an error in communicating with the host of the pod. 
+// Deprecated: It isn't being set since 2015 (74da3b14b0c0f658b3bb8d2def5094686d0e9095) +#PodUnknown: #PodPhase & "Unknown" + +// PodConditionType is a valid value for PodCondition.Type +#PodConditionType: string // #enumPodConditionType + +#enumPodConditionType: + #ContainersReady | + #PodInitialized | + #PodReady | + #PodScheduled | + #DisruptionTarget + +// ContainersReady indicates whether all containers in the pod are ready. +#ContainersReady: #PodConditionType & "ContainersReady" + +// PodInitialized means that all init containers in the pod have started successfully. +#PodInitialized: #PodConditionType & "Initialized" + +// PodReady means the pod is able to service requests and should be added to the +// load balancing pools of all matching services. +#PodReady: #PodConditionType & "Ready" + +// PodScheduled represents status of the scheduling process for this pod. +#PodScheduled: #PodConditionType & "PodScheduled" + +// DisruptionTarget indicates the pod is about to be terminated due to a +// disruption (such as preemption, eviction API or garbage-collection). +#DisruptionTarget: #PodConditionType & "DisruptionTarget" + +// PodReasonUnschedulable reason in PodScheduled PodCondition means that the scheduler +// can't schedule the pod right now, for example due to insufficient resources in the cluster. +#PodReasonUnschedulable: "Unschedulable" + +// PodReasonSchedulingGated reason in PodScheduled PodCondition means that the scheduler +// skips scheduling the pod because one or more scheduling gates are still present. +#PodReasonSchedulingGated: "SchedulingGated" + +// PodReasonSchedulerError reason in PodScheduled PodCondition means that some internal error happens +// during scheduling, for example due to nodeAffinity parsing errors. 
+#PodReasonSchedulerError: "SchedulerError" + +// TerminationByKubelet reason in DisruptionTarget pod condition indicates that the termination +// is initiated by kubelet +#PodReasonTerminationByKubelet: "TerminationByKubelet" + +// PodReasonPreemptionByScheduler reason in DisruptionTarget pod condition indicates that the +// disruption was initiated by scheduler's preemption. +#PodReasonPreemptionByScheduler: "PreemptionByScheduler" + +// PodCondition contains details for the current condition of this pod. +#PodCondition: { + // Type is the type of the condition. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions + type: #PodConditionType @go(Type) @protobuf(1,bytes,opt,casttype=PodConditionType) + + // Status is the status of the condition. + // Can be True, False, Unknown. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions + status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus) + + // Last time we probed the condition. + // +optional + lastProbeTime?: metav1.#Time @go(LastProbeTime) @protobuf(3,bytes,opt) + + // Last time the condition transitioned from one status to another. + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(4,bytes,opt) + + // Unique, one-word, CamelCase reason for the condition's last transition. + // +optional + reason?: string @go(Reason) @protobuf(5,bytes,opt) + + // Human-readable message indicating details about last transition. + // +optional + message?: string @go(Message) @protobuf(6,bytes,opt) +} + +// PodResizeStatus shows status of desired resize of a pod's containers. +#PodResizeStatus: string // #enumPodResizeStatus + +#enumPodResizeStatus: + #PodResizeStatusProposed | + #PodResizeStatusInProgress | + #PodResizeStatusDeferred | + #PodResizeStatusInfeasible + +// Pod resources resize has been requested and will be evaluated by node. 
+#PodResizeStatusProposed: #PodResizeStatus & "Proposed" + +// Pod resources resize has been accepted by node and is being actuated. +#PodResizeStatusInProgress: #PodResizeStatus & "InProgress" + +// Node cannot resize the pod at this time and will keep retrying. +#PodResizeStatusDeferred: #PodResizeStatus & "Deferred" + +// Requested pod resize is not feasible and will not be re-evaluated. +#PodResizeStatusInfeasible: #PodResizeStatus & "Infeasible" + +// RestartPolicy describes how the container should be restarted. +// Only one of the following restart policies may be specified. +// If none of the following policies is specified, the default one +// is RestartPolicyAlways. +// +enum +#RestartPolicy: string // #enumRestartPolicy + +#enumRestartPolicy: + #RestartPolicyAlways | + #RestartPolicyOnFailure | + #RestartPolicyNever + +#RestartPolicyAlways: #RestartPolicy & "Always" +#RestartPolicyOnFailure: #RestartPolicy & "OnFailure" +#RestartPolicyNever: #RestartPolicy & "Never" + +// ContainerRestartPolicy is the restart policy for a single container. +// This may only be set for init containers and only allowed value is "Always". +#ContainerRestartPolicy: string // #enumContainerRestartPolicy + +#enumContainerRestartPolicy: + #ContainerRestartPolicyAlways + +#ContainerRestartPolicyAlways: #ContainerRestartPolicy & "Always" + +// DNSPolicy defines how a pod's DNS will be configured. +// +enum +#DNSPolicy: string // #enumDNSPolicy + +#enumDNSPolicy: + #DNSClusterFirstWithHostNet | + #DNSClusterFirst | + #DNSDefault | + #DNSNone + +// DNSClusterFirstWithHostNet indicates that the pod should use cluster DNS +// first, if it is available, then fall back on the default +// (as determined by kubelet) DNS settings. 
+#DNSClusterFirstWithHostNet: #DNSPolicy & "ClusterFirstWithHostNet" + +// DNSClusterFirst indicates that the pod should use cluster DNS +// first unless hostNetwork is true, if it is available, then +// fall back on the default (as determined by kubelet) DNS settings. +#DNSClusterFirst: #DNSPolicy & "ClusterFirst" + +// DNSDefault indicates that the pod should use the default (as +// determined by kubelet) DNS settings. +#DNSDefault: #DNSPolicy & "Default" + +// DNSNone indicates that the pod should use empty DNS settings. DNS +// parameters such as nameservers and search paths should be defined via +// DNSConfig. +#DNSNone: #DNSPolicy & "None" + +// DefaultTerminationGracePeriodSeconds indicates the default duration in +// seconds a pod needs to terminate gracefully. +#DefaultTerminationGracePeriodSeconds: 30 + +// A node selector represents the union of the results of one or more label queries +// over a set of nodes; that is, it represents the OR of the selectors represented +// by the node selector terms. +// +structType=atomic +#NodeSelector: { + // Required. A list of node selector terms. The terms are ORed. + nodeSelectorTerms: [...#NodeSelectorTerm] @go(NodeSelectorTerms,[]NodeSelectorTerm) @protobuf(1,bytes,rep) +} + +// A null or empty node selector term matches no objects. The requirements of +// them are ANDed. +// The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. +// +structType=atomic +#NodeSelectorTerm: { + // A list of node selector requirements by node's labels. + // +optional + matchExpressions?: [...#NodeSelectorRequirement] @go(MatchExpressions,[]NodeSelectorRequirement) @protobuf(1,bytes,rep) + + // A list of node selector requirements by node's fields. + // +optional + matchFields?: [...#NodeSelectorRequirement] @go(MatchFields,[]NodeSelectorRequirement) @protobuf(2,bytes,rep) +} + +// A node selector requirement is a selector that contains values, a key, and an operator +// that relates the key and values. 
+#NodeSelectorRequirement: { + // The label key that the selector applies to. + key: string @go(Key) @protobuf(1,bytes,opt) + + // Represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + operator: #NodeSelectorOperator @go(Operator) @protobuf(2,bytes,opt,casttype=NodeSelectorOperator) + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists or DoesNotExist, + // the values array must be empty. If the operator is Gt or Lt, the values + // array must have a single element, which will be interpreted as an integer. + // This array is replaced during a strategic merge patch. + // +optional + values?: [...string] @go(Values,[]string) @protobuf(3,bytes,rep) +} + +// A node selector operator is the set of operators that can be used in +// a node selector requirement. +// +enum +#NodeSelectorOperator: string // #enumNodeSelectorOperator + +#enumNodeSelectorOperator: + #NodeSelectorOpIn | + #NodeSelectorOpNotIn | + #NodeSelectorOpExists | + #NodeSelectorOpDoesNotExist | + #NodeSelectorOpGt | + #NodeSelectorOpLt + +#NodeSelectorOpIn: #NodeSelectorOperator & "In" +#NodeSelectorOpNotIn: #NodeSelectorOperator & "NotIn" +#NodeSelectorOpExists: #NodeSelectorOperator & "Exists" +#NodeSelectorOpDoesNotExist: #NodeSelectorOperator & "DoesNotExist" +#NodeSelectorOpGt: #NodeSelectorOperator & "Gt" +#NodeSelectorOpLt: #NodeSelectorOperator & "Lt" + +// A topology selector term represents the result of label queries. +// A null or empty topology selector term matches no objects. +// The requirements of them are ANDed. +// It provides a subset of functionality as NodeSelectorTerm. +// This is an alpha feature and may change in the future. +// +structType=atomic +#TopologySelectorTerm: { + // A list of topology selector requirements by labels. 
+ // +optional + matchLabelExpressions?: [...#TopologySelectorLabelRequirement] @go(MatchLabelExpressions,[]TopologySelectorLabelRequirement) @protobuf(1,bytes,rep) +} + +// A topology selector requirement is a selector that matches given label. +// This is an alpha feature and may change in the future. +#TopologySelectorLabelRequirement: { + // The label key that the selector applies to. + key: string @go(Key) @protobuf(1,bytes,opt) + + // An array of string values. One value must match the label to be selected. + // Each entry in Values is ORed. + values: [...string] @go(Values,[]string) @protobuf(2,bytes,rep) +} + +// Affinity is a group of affinity scheduling rules. +#Affinity: { + // Describes node affinity scheduling rules for the pod. + // +optional + nodeAffinity?: null | #NodeAffinity @go(NodeAffinity,*NodeAffinity) @protobuf(1,bytes,opt) + + // Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). + // +optional + podAffinity?: null | #PodAffinity @go(PodAffinity,*PodAffinity) @protobuf(2,bytes,opt) + + // Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). + // +optional + podAntiAffinity?: null | #PodAntiAffinity @go(PodAntiAffinity,*PodAntiAffinity) @protobuf(3,bytes,opt) +} + +// Pod affinity is a group of inter pod affinity scheduling rules. +#PodAffinity: { + // If the affinity requirements specified by this field are not met at + // scheduling time, the pod will not be scheduled onto the node. + // If the affinity requirements specified by this field cease to be met + // at some point during pod execution (e.g. due to a pod label update), the + // system may or may not try to eventually evict the pod from its node. + // When there are multiple elements, the lists of nodes corresponding to each + // podAffinityTerm are intersected, i.e. all terms must be satisfied. 
+ // +optional + requiredDuringSchedulingIgnoredDuringExecution?: [...#PodAffinityTerm] @go(RequiredDuringSchedulingIgnoredDuringExecution,[]PodAffinityTerm) @protobuf(1,bytes,rep) + + // The scheduler will prefer to schedule pods to nodes that satisfy + // the affinity expressions specified by this field, but it may choose + // a node that violates one or more of the expressions. The node that is + // most preferred is the one with the greatest sum of weights, i.e. + // for each node that meets all of the scheduling requirements (resource + // request, requiredDuringScheduling affinity expressions, etc.), + // compute a sum by iterating through the elements of this field and adding + // "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + // node(s) with the highest sum are the most preferred. + // +optional + preferredDuringSchedulingIgnoredDuringExecution?: [...#WeightedPodAffinityTerm] @go(PreferredDuringSchedulingIgnoredDuringExecution,[]WeightedPodAffinityTerm) @protobuf(2,bytes,rep) +} + +// Pod anti affinity is a group of inter pod anti affinity scheduling rules. +#PodAntiAffinity: { + // If the anti-affinity requirements specified by this field are not met at + // scheduling time, the pod will not be scheduled onto the node. + // If the anti-affinity requirements specified by this field cease to be met + // at some point during pod execution (e.g. due to a pod label update), the + // system may or may not try to eventually evict the pod from its node. + // When there are multiple elements, the lists of nodes corresponding to each + // podAffinityTerm are intersected, i.e. all terms must be satisfied. 
+ // +optional + requiredDuringSchedulingIgnoredDuringExecution?: [...#PodAffinityTerm] @go(RequiredDuringSchedulingIgnoredDuringExecution,[]PodAffinityTerm) @protobuf(1,bytes,rep) + + // The scheduler will prefer to schedule pods to nodes that satisfy + // the anti-affinity expressions specified by this field, but it may choose + // a node that violates one or more of the expressions. The node that is + // most preferred is the one with the greatest sum of weights, i.e. + // for each node that meets all of the scheduling requirements (resource + // request, requiredDuringScheduling anti-affinity expressions, etc.), + // compute a sum by iterating through the elements of this field and adding + // "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + // node(s) with the highest sum are the most preferred. + // +optional + preferredDuringSchedulingIgnoredDuringExecution?: [...#WeightedPodAffinityTerm] @go(PreferredDuringSchedulingIgnoredDuringExecution,[]WeightedPodAffinityTerm) @protobuf(2,bytes,rep) +} + +// The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) +#WeightedPodAffinityTerm: { + // weight associated with matching the corresponding podAffinityTerm, + // in the range 1-100. + weight: int32 @go(Weight) @protobuf(1,varint,opt) + + // Required. A pod affinity term, associated with the corresponding weight. + podAffinityTerm: #PodAffinityTerm @go(PodAffinityTerm) @protobuf(2,bytes,opt) +} + +// Defines a set of pods (namely those matching the labelSelector +// relative to the given namespace(s)) that this pod should be +// co-located (affinity) or not co-located (anti-affinity) with, +// where co-located is defined as running on a node whose value of +// the label with key matches that of any node on which +// a pod of the set of pods is running +#PodAffinityTerm: { + // A label query over a set of resources, in this case pods. 
+ // +optional + labelSelector?: null | metav1.#LabelSelector @go(LabelSelector,*metav1.LabelSelector) @protobuf(1,bytes,opt) + + // namespaces specifies a static list of namespace names that the term applies to. + // The term is applied to the union of the namespaces listed in this field + // and the ones selected by namespaceSelector. + // null or empty namespaces list and null namespaceSelector means "this pod's namespace". + // +optional + namespaces?: [...string] @go(Namespaces,[]string) @protobuf(2,bytes,rep) + + // This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located is defined as running on a node + // whose value of the label with key topologyKey matches that of any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. + topologyKey: string @go(TopologyKey) @protobuf(3,bytes,opt) + + // A label query over the set of namespaces that the term applies to. + // The term is applied to the union of the namespaces selected by this field + // and the ones listed in the namespaces field. + // null selector and null or empty namespaces list means "this pod's namespace". + // An empty selector ({}) matches all namespaces. + // +optional + namespaceSelector?: null | metav1.#LabelSelector @go(NamespaceSelector,*metav1.LabelSelector) @protobuf(4,bytes,opt) +} + +// Node affinity is a group of node affinity scheduling rules. +#NodeAffinity: { + // If the affinity requirements specified by this field are not met at + // scheduling time, the pod will not be scheduled onto the node. + // If the affinity requirements specified by this field cease to be met + // at some point during pod execution (e.g. due to an update), the system + // may or may not try to eventually evict the pod from its node. 
+ // +optional + requiredDuringSchedulingIgnoredDuringExecution?: null | #NodeSelector @go(RequiredDuringSchedulingIgnoredDuringExecution,*NodeSelector) @protobuf(1,bytes,opt) + + // The scheduler will prefer to schedule pods to nodes that satisfy + // the affinity expressions specified by this field, but it may choose + // a node that violates one or more of the expressions. The node that is + // most preferred is the one with the greatest sum of weights, i.e. + // for each node that meets all of the scheduling requirements (resource + // request, requiredDuringScheduling affinity expressions, etc.), + // compute a sum by iterating through the elements of this field and adding + // "weight" to the sum if the node matches the corresponding matchExpressions; the + // node(s) with the highest sum are the most preferred. + // +optional + preferredDuringSchedulingIgnoredDuringExecution?: [...#PreferredSchedulingTerm] @go(PreferredDuringSchedulingIgnoredDuringExecution,[]PreferredSchedulingTerm) @protobuf(2,bytes,rep) +} + +// An empty preferred scheduling term matches all objects with implicit weight 0 +// (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). +#PreferredSchedulingTerm: { + // Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. + weight: int32 @go(Weight) @protobuf(1,varint,opt) + + // A node selector term, associated with the corresponding weight. + preference: #NodeSelectorTerm @go(Preference) @protobuf(2,bytes,opt) +} + +// The node this Taint is attached to has the "effect" on +// any pod that does not tolerate the Taint. +#Taint: { + // Required. The taint key to be applied to a node. + key: string @go(Key) @protobuf(1,bytes,opt) + + // The taint value corresponding to the taint key. + // +optional + value?: string @go(Value) @protobuf(2,bytes,opt) + + // Required. The effect of the taint on pods + // that do not tolerate the taint. 
+ // Valid effects are NoSchedule, PreferNoSchedule and NoExecute. + effect: #TaintEffect @go(Effect) @protobuf(3,bytes,opt,casttype=TaintEffect) + + // TimeAdded represents the time at which the taint was added. + // It is only written for NoExecute taints. + // +optional + timeAdded?: null | metav1.#Time @go(TimeAdded,*metav1.Time) @protobuf(4,bytes,opt) +} + +// +enum +#TaintEffect: string // #enumTaintEffect + +#enumTaintEffect: + #TaintEffectNoSchedule | + #TaintEffectPreferNoSchedule | + #TaintEffectNoExecute + +// Do not allow new pods to schedule onto the node unless they tolerate the taint, +// but allow all pods submitted to Kubelet without going through the scheduler +// to start, and allow all already-running pods to continue running. +// Enforced by the scheduler. +#TaintEffectNoSchedule: #TaintEffect & "NoSchedule" + +// Like TaintEffectNoSchedule, but the scheduler tries not to schedule +// new pods onto the node, rather than prohibiting new pods from scheduling +// onto the node entirely. Enforced by the scheduler. +#TaintEffectPreferNoSchedule: #TaintEffect & "PreferNoSchedule" + +// Evict any already-running pods that do not tolerate the taint. +// Currently enforced by NodeController. +#TaintEffectNoExecute: #TaintEffect & "NoExecute" + +// The pod this Toleration is attached to tolerates any taint that matches +// the triple using the matching operator . +#Toleration: { + // Key is the taint key that the toleration applies to. Empty means match all taint keys. + // If the key is empty, operator must be Exists; this combination means to match all values and all keys. + // +optional + key?: string @go(Key) @protobuf(1,bytes,opt) + + // Operator represents a key's relationship to the value. + // Valid operators are Exists and Equal. Defaults to Equal. + // Exists is equivalent to wildcard for value, so that a pod can + // tolerate all taints of a particular category. 
+ // +optional + operator?: #TolerationOperator @go(Operator) @protobuf(2,bytes,opt,casttype=TolerationOperator) + + // Value is the taint value the toleration matches to. + // If the operator is Exists, the value should be empty, otherwise just a regular string. + // +optional + value?: string @go(Value) @protobuf(3,bytes,opt) + + // Effect indicates the taint effect to match. Empty means match all taint effects. + // When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + // +optional + effect?: #TaintEffect @go(Effect) @protobuf(4,bytes,opt,casttype=TaintEffect) + + // TolerationSeconds represents the period of time the toleration (which must be + // of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + // it is not set, which means tolerate the taint forever (do not evict). Zero and + // negative values will be treated as 0 (evict immediately) by the system. + // +optional + tolerationSeconds?: null | int64 @go(TolerationSeconds,*int64) @protobuf(5,varint,opt) +} + +// A toleration operator is the set of operators that can be used in a toleration. +// +enum +#TolerationOperator: string // #enumTolerationOperator + +#enumTolerationOperator: + #TolerationOpExists | + #TolerationOpEqual + +#TolerationOpExists: #TolerationOperator & "Exists" +#TolerationOpEqual: #TolerationOperator & "Equal" + +// PodReadinessGate contains the reference to a pod condition +#PodReadinessGate: { + // ConditionType refers to a condition in the pod's condition list with matching type. + conditionType: #PodConditionType @go(ConditionType) @protobuf(1,bytes,opt,casttype=PodConditionType) +} + +// PodSpec is a description of a pod. +#PodSpec: { + // List of volumes that can be mounted by containers belonging to the pod. 
+ // More info: https://kubernetes.io/docs/concepts/storage/volumes + // +optional + // +patchMergeKey=name + // +patchStrategy=merge,retainKeys + volumes?: [...#Volume] @go(Volumes,[]Volume) @protobuf(1,bytes,rep) + + // List of initialization containers belonging to the pod. + // Init containers are executed in order prior to containers being started. If any + // init container fails, the pod is considered to have failed and is handled according + // to its restartPolicy. The name for an init container or normal container must be + // unique among all containers. + // Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. + // The resourceRequirements of an init container are taken into account during scheduling + // by finding the highest request/limit for each resource type, and then using the max of + // of that value or the sum of the normal containers. Limits are applied to init containers + // in a similar fashion. + // Init containers cannot currently be added or removed. + // Cannot be updated. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + // +patchMergeKey=name + // +patchStrategy=merge + initContainers?: [...#Container] @go(InitContainers,[]Container) @protobuf(20,bytes,rep) + + // List of containers belonging to the pod. + // Containers cannot currently be added or removed. + // There must be at least one container in a Pod. + // Cannot be updated. + // +patchMergeKey=name + // +patchStrategy=merge + containers: [...#Container] @go(Containers,[]Container) @protobuf(2,bytes,rep) + + // List of ephemeral containers run in this pod. Ephemeral containers may be run in an existing + // pod to perform user-initiated actions such as debugging. This list cannot be specified when + // creating a pod, and it cannot be modified by updating the pod spec. In order to add an + // ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource. 
+ // +optional + // +patchMergeKey=name + // +patchStrategy=merge + ephemeralContainers?: [...#EphemeralContainer] @go(EphemeralContainers,[]EphemeralContainer) @protobuf(34,bytes,rep) + + // Restart policy for all containers within the pod. + // One of Always, OnFailure, Never. In some contexts, only a subset of those values may be permitted. + // Default to Always. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy + // +optional + restartPolicy?: #RestartPolicy @go(RestartPolicy) @protobuf(3,bytes,opt,casttype=RestartPolicy) + + // Optional duration in seconds the pod needs to terminate gracefully. May be decreased in delete request. + // Value must be non-negative integer. The value zero indicates stop immediately via + // the kill signal (no opportunity to shut down). + // If this value is nil, the default grace period will be used instead. + // The grace period is the duration in seconds after the processes running in the pod are sent + // a termination signal and the time when the processes are forcibly halted with a kill signal. + // Set this value longer than the expected cleanup time for your process. + // Defaults to 30 seconds. + // +optional + terminationGracePeriodSeconds?: null | int64 @go(TerminationGracePeriodSeconds,*int64) @protobuf(4,varint,opt) + + // Optional duration in seconds the pod may be active on the node relative to + // StartTime before the system will actively try to mark it failed and kill associated containers. + // Value must be a positive integer. + // +optional + activeDeadlineSeconds?: null | int64 @go(ActiveDeadlineSeconds,*int64) @protobuf(5,varint,opt) + + // Set DNS policy for the pod. + // Defaults to "ClusterFirst". + // Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' or 'None'. + // DNS parameters given in DNSConfig will be merged with the policy selected with DNSPolicy. 
+ // To have DNS options set along with hostNetwork, you have to specify DNS policy + // explicitly to 'ClusterFirstWithHostNet'. + // +optional + dnsPolicy?: #DNSPolicy @go(DNSPolicy) @protobuf(6,bytes,opt,casttype=DNSPolicy) + + // NodeSelector is a selector which must be true for the pod to fit on a node. + // Selector which must match a node's labels for the pod to be scheduled on that node. + // More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + // +optional + // +mapType=atomic + nodeSelector?: {[string]: string} @go(NodeSelector,map[string]string) @protobuf(7,bytes,rep) + + // ServiceAccountName is the name of the ServiceAccount to use to run this pod. + // More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ + // +optional + serviceAccountName?: string @go(ServiceAccountName) @protobuf(8,bytes,opt) + + // DeprecatedServiceAccount is a depreciated alias for ServiceAccountName. + // Deprecated: Use serviceAccountName instead. + // +k8s:conversion-gen=false + // +optional + serviceAccount?: string @go(DeprecatedServiceAccount) @protobuf(9,bytes,opt) + + // AutomountServiceAccountToken indicates whether a service account token should be automatically mounted. + // +optional + automountServiceAccountToken?: null | bool @go(AutomountServiceAccountToken,*bool) @protobuf(21,varint,opt) + + // NodeName is a request to schedule this pod onto a specific node. If it is non-empty, + // the scheduler simply schedules this pod onto that node, assuming that it fits resource + // requirements. + // +optional + nodeName?: string @go(NodeName) @protobuf(10,bytes,opt) + + // Host networking requested for this pod. Use the host's network namespace. + // If this option is set, the ports that will be used must be specified. + // Default to false. + // +k8s:conversion-gen=false + // +optional + hostNetwork?: bool @go(HostNetwork) @protobuf(11,varint,opt) + + // Use the host's pid namespace. 
+ // Optional: Default to false. + // +k8s:conversion-gen=false + // +optional + hostPID?: bool @go(HostPID) @protobuf(12,varint,opt) + + // Use the host's ipc namespace. + // Optional: Default to false. + // +k8s:conversion-gen=false + // +optional + hostIPC?: bool @go(HostIPC) @protobuf(13,varint,opt) + + // Share a single process namespace between all of the containers in a pod. + // When this is set containers will be able to view and signal processes from other containers + // in the same pod, and the first process in each container will not be assigned PID 1. + // HostPID and ShareProcessNamespace cannot both be set. + // Optional: Default to false. + // +k8s:conversion-gen=false + // +optional + shareProcessNamespace?: null | bool @go(ShareProcessNamespace,*bool) @protobuf(27,varint,opt) + + // SecurityContext holds pod-level security attributes and common container settings. + // Optional: Defaults to empty. See type description for default values of each field. + // +optional + securityContext?: null | #PodSecurityContext @go(SecurityContext,*PodSecurityContext) @protobuf(14,bytes,opt) + + // ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. + // If specified, these secrets will be passed to individual puller implementations for them to use. + // More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod + // +optional + // +patchMergeKey=name + // +patchStrategy=merge + imagePullSecrets?: [...#LocalObjectReference] @go(ImagePullSecrets,[]LocalObjectReference) @protobuf(15,bytes,rep) + + // Specifies the hostname of the Pod + // If not specified, the pod's hostname will be set to a system-defined value. + // +optional + hostname?: string @go(Hostname) @protobuf(16,bytes,opt) + + // If specified, the fully qualified Pod hostname will be "...svc.". + // If not specified, the pod will not have a domainname at all. 
+ // +optional + subdomain?: string @go(Subdomain) @protobuf(17,bytes,opt) + + // If specified, the pod's scheduling constraints + // +optional + affinity?: null | #Affinity @go(Affinity,*Affinity) @protobuf(18,bytes,opt) + + // If specified, the pod will be dispatched by specified scheduler. + // If not specified, the pod will be dispatched by default scheduler. + // +optional + schedulerName?: string @go(SchedulerName) @protobuf(19,bytes,opt) + + // If specified, the pod's tolerations. + // +optional + tolerations?: [...#Toleration] @go(Tolerations,[]Toleration) @protobuf(22,bytes,opt) + + // HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts + // file if specified. This is only valid for non-hostNetwork pods. + // +optional + // +patchMergeKey=ip + // +patchStrategy=merge + hostAliases?: [...#HostAlias] @go(HostAliases,[]HostAlias) @protobuf(23,bytes,rep) + + // If specified, indicates the pod's priority. "system-node-critical" and + // "system-cluster-critical" are two special keywords which indicate the + // highest priorities with the former being the highest priority. Any other + // name must be defined by creating a PriorityClass object with that name. + // If not specified, the pod priority will be default or zero if there is no + // default. + // +optional + priorityClassName?: string @go(PriorityClassName) @protobuf(24,bytes,opt) + + // The priority value. Various system components use this field to find the + // priority of the pod. When Priority Admission Controller is enabled, it + // prevents users from setting this field. The admission controller populates + // this field from PriorityClassName. + // The higher the value, the higher the priority. + // +optional + priority?: null | int32 @go(Priority,*int32) @protobuf(25,bytes,opt) + + // Specifies the DNS parameters of a pod. + // Parameters specified here will be merged to the generated DNS + // configuration based on DNSPolicy. 
+ // +optional + dnsConfig?: null | #PodDNSConfig @go(DNSConfig,*PodDNSConfig) @protobuf(26,bytes,opt) + + // If specified, all readiness gates will be evaluated for pod readiness. + // A pod is ready when all its containers are ready AND + // all conditions specified in the readiness gates have status equal to "True" + // More info: https://git.k8s.io/enhancements/keps/sig-network/580-pod-readiness-gates + // +optional + readinessGates?: [...#PodReadinessGate] @go(ReadinessGates,[]PodReadinessGate) @protobuf(28,bytes,opt) + + // RuntimeClassName refers to a RuntimeClass object in the node.k8s.io group, which should be used + // to run this pod. If no RuntimeClass resource matches the named class, the pod will not be run. + // If unset or empty, the "legacy" RuntimeClass will be used, which is an implicit class with an + // empty definition that uses the default runtime handler. + // More info: https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class + // +optional + runtimeClassName?: null | string @go(RuntimeClassName,*string) @protobuf(29,bytes,opt) + + // EnableServiceLinks indicates whether information about services should be injected into pod's + // environment variables, matching the syntax of Docker links. + // Optional: Defaults to true. + // +optional + enableServiceLinks?: null | bool @go(EnableServiceLinks,*bool) @protobuf(30,varint,opt) + + // PreemptionPolicy is the Policy for preempting pods with lower priority. + // One of Never, PreemptLowerPriority. + // Defaults to PreemptLowerPriority if unset. + // +optional + preemptionPolicy?: null | #PreemptionPolicy @go(PreemptionPolicy,*PreemptionPolicy) @protobuf(31,bytes,opt) + + // Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. + // This field will be autopopulated at admission time by the RuntimeClass admission controller. If + // the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests. 
+ // The RuntimeClass admission controller will reject Pod create requests which have the overhead already + // set. If RuntimeClass is configured and selected in the PodSpec, Overhead will be set to the value + // defined in the corresponding RuntimeClass, otherwise it will remain unset and treated as zero. + // More info: https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md + // +optional + overhead?: #ResourceList @go(Overhead) @protobuf(32,bytes,opt) + + // TopologySpreadConstraints describes how a group of pods ought to spread across topology + // domains. Scheduler will schedule pods in a way which abides by the constraints. + // All topologySpreadConstraints are ANDed. + // +optional + // +patchMergeKey=topologyKey + // +patchStrategy=merge + // +listType=map + // +listMapKey=topologyKey + // +listMapKey=whenUnsatisfiable + topologySpreadConstraints?: [...#TopologySpreadConstraint] @go(TopologySpreadConstraints,[]TopologySpreadConstraint) @protobuf(33,bytes,opt) + + // If true the pod's hostname will be configured as the pod's FQDN, rather than the leaf name (the default). + // In Linux containers, this means setting the FQDN in the hostname field of the kernel (the nodename field of struct utsname). + // In Windows containers, this means setting the registry value of hostname for the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters to FQDN. + // If a pod does not have FQDN, this has no effect. + // Default to false. + // +optional + setHostnameAsFQDN?: null | bool @go(SetHostnameAsFQDN,*bool) @protobuf(35,varint,opt) + + // Specifies the OS of the containers in the pod. + // Some pod and container fields are restricted if this is set. 
+ // + // If the OS field is set to linux, the following fields must be unset: + // -securityContext.windowsOptions + // + // If the OS field is set to windows, following fields must be unset: + // - spec.hostPID + // - spec.hostIPC + // - spec.hostUsers + // - spec.securityContext.seLinuxOptions + // - spec.securityContext.seccompProfile + // - spec.securityContext.fsGroup + // - spec.securityContext.fsGroupChangePolicy + // - spec.securityContext.sysctls + // - spec.shareProcessNamespace + // - spec.securityContext.runAsUser + // - spec.securityContext.runAsGroup + // - spec.securityContext.supplementalGroups + // - spec.containers[*].securityContext.seLinuxOptions + // - spec.containers[*].securityContext.seccompProfile + // - spec.containers[*].securityContext.capabilities + // - spec.containers[*].securityContext.readOnlyRootFilesystem + // - spec.containers[*].securityContext.privileged + // - spec.containers[*].securityContext.allowPrivilegeEscalation + // - spec.containers[*].securityContext.procMount + // - spec.containers[*].securityContext.runAsUser + // - spec.containers[*].securityContext.runAsGroup + // +optional + os?: null | #PodOS @go(OS,*PodOS) @protobuf(36,bytes,opt) + + // Use the host's user namespace. + // Optional: Default to true. + // If set to true or not present, the pod will be run in the host user namespace, useful + // for when the pod needs a feature only available to the host user namespace, such as + // loading a kernel module with CAP_SYS_MODULE. + // When set to false, a new userns is created for the pod. Setting false is useful for + // mitigating container breakout vulnerabilities even allowing users to run their + // containers as root without actually having root privileges on the host. + // This field is alpha-level and is only honored by servers that enable the UserNamespacesSupport feature. 
+ // +k8s:conversion-gen=false + // +optional + hostUsers?: null | bool @go(HostUsers,*bool) @protobuf(37,bytes,opt) + + // SchedulingGates is an opaque list of values that if specified will block scheduling the pod. + // If schedulingGates is not empty, the pod will stay in the SchedulingGated state and the + // scheduler will not attempt to schedule the pod. + // + // SchedulingGates can only be set at pod creation time, and be removed only afterwards. + // + // This is a beta feature enabled by the PodSchedulingReadiness feature gate. + // + // +patchMergeKey=name + // +patchStrategy=merge + // +listType=map + // +listMapKey=name + // +featureGate=PodSchedulingReadiness + // +optional + schedulingGates?: [...#PodSchedulingGate] @go(SchedulingGates,[]PodSchedulingGate) @protobuf(38,bytes,opt) + + // ResourceClaims defines which ResourceClaims must be allocated + // and reserved before the Pod is allowed to start. The resources + // will be made available to those containers which consume them + // by name. + // + // This is an alpha field and requires enabling the + // DynamicResourceAllocation feature gate. + // + // This field is immutable. + // + // +patchMergeKey=name + // +patchStrategy=merge,retainKeys + // +listType=map + // +listMapKey=name + // +featureGate=DynamicResourceAllocation + // +optional + resourceClaims?: [...#PodResourceClaim] @go(ResourceClaims,[]PodResourceClaim) @protobuf(39,bytes,rep) +} + +// PodResourceClaim references exactly one ResourceClaim through a ClaimSource. +// It adds a name to it that uniquely identifies the ResourceClaim inside the Pod. +// Containers that need access to the ResourceClaim reference it with this name. +#PodResourceClaim: { + // Name uniquely identifies this resource claim inside the pod. + // This must be a DNS_LABEL. + name: string @go(Name) @protobuf(1,bytes) + + // Source describes where to find the ResourceClaim. 
+ source?: #ClaimSource @go(Source) @protobuf(2,bytes) +} + +// ClaimSource describes a reference to a ResourceClaim. +// +// Exactly one of these fields should be set. Consumers of this type must +// treat an empty object as if it has an unknown value. +#ClaimSource: { + // ResourceClaimName is the name of a ResourceClaim object in the same + // namespace as this pod. + resourceClaimName?: null | string @go(ResourceClaimName,*string) @protobuf(1,bytes,opt) + + // ResourceClaimTemplateName is the name of a ResourceClaimTemplate + // object in the same namespace as this pod. + // + // The template will be used to create a new ResourceClaim, which will + // be bound to this pod. When this pod is deleted, the ResourceClaim + // will also be deleted. The pod name and resource name, along with a + // generated component, will be used to form a unique name for the + // ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses. + // + // This field is immutable and no changes will be made to the + // corresponding ResourceClaim by the control plane after creating the + // ResourceClaim. + resourceClaimTemplateName?: null | string @go(ResourceClaimTemplateName,*string) @protobuf(2,bytes,opt) +} + +// PodResourceClaimStatus is stored in the PodStatus for each PodResourceClaim +// which references a ResourceClaimTemplate. It stores the generated name for +// the corresponding ResourceClaim. +#PodResourceClaimStatus: { + // Name uniquely identifies this resource claim inside the pod. + // This must match the name of an entry in pod.spec.resourceClaims, + // which implies that the string must be a DNS_LABEL. + name: string @go(Name) @protobuf(1,bytes) + + // ResourceClaimName is the name of the ResourceClaim that was + // generated for the Pod in the namespace of the Pod. It this is + // unset, then generating a ResourceClaim was not necessary. The + // pod.spec.resourceClaims entry can be ignored in this case. 
+ // + // +optional + resourceClaimName?: null | string @go(ResourceClaimName,*string) @protobuf(2,bytes,opt) +} + +// OSName is the set of OS'es that can be used in OS. +#OSName: string // #enumOSName + +#enumOSName: + #Linux | + #Windows + +#Linux: #OSName & "linux" +#Windows: #OSName & "windows" + +// PodOS defines the OS parameters of a pod. +#PodOS: { + // Name is the name of the operating system. The currently supported values are linux and windows. + // Additional value may be defined in future and can be one of: + // https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration + // Clients should expect to handle additional values and treat unrecognized values in this field as os: null + name: #OSName @go(Name) @protobuf(1,bytes,opt) +} + +// PodSchedulingGate is associated to a Pod to guard its scheduling. +#PodSchedulingGate: { + // Name of the scheduling gate. + // Each scheduling gate must have a unique name field. + name: string @go(Name) @protobuf(1,bytes,opt) +} + +// +enum +#UnsatisfiableConstraintAction: string // #enumUnsatisfiableConstraintAction + +#enumUnsatisfiableConstraintAction: + #DoNotSchedule | + #ScheduleAnyway + +// DoNotSchedule instructs the scheduler not to schedule the pod +// when constraints are not satisfied. +#DoNotSchedule: #UnsatisfiableConstraintAction & "DoNotSchedule" + +// ScheduleAnyway instructs the scheduler to schedule the pod +// even if constraints are not satisfied. +#ScheduleAnyway: #UnsatisfiableConstraintAction & "ScheduleAnyway" + +// NodeInclusionPolicy defines the type of node inclusion policy +// +enum +#NodeInclusionPolicy: string // #enumNodeInclusionPolicy + +#enumNodeInclusionPolicy: + #NodeInclusionPolicyIgnore | + #NodeInclusionPolicyHonor + +// NodeInclusionPolicyIgnore means ignore this scheduling directive when calculating pod topology spread skew. 
+#NodeInclusionPolicyIgnore: #NodeInclusionPolicy & "Ignore" + +// NodeInclusionPolicyHonor means use this scheduling directive when calculating pod topology spread skew. +#NodeInclusionPolicyHonor: #NodeInclusionPolicy & "Honor" + +// TopologySpreadConstraint specifies how to spread matching pods among the given topology. +#TopologySpreadConstraint: { + // MaxSkew describes the degree to which pods may be unevenly distributed. + // When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + // between the number of matching pods in the target topology and the global minimum. + // The global minimum is the minimum number of matching pods in an eligible domain + // or zero if the number of eligible domains is less than MinDomains. + // For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + // labelSelector spread as 2/2/1: + // In this case, the global minimum is 1. + // +-------+-------+-------+ + // | zone1 | zone2 | zone3 | + // +-------+-------+-------+ + // | P P | P P | P | + // +-------+-------+-------+ + // - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + // scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + // violate MaxSkew(1). + // - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + // When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + // to topologies that satisfy it. + // It's a required field. Default value is 1 and 0 is not allowed. + maxSkew: int32 @go(MaxSkew) @protobuf(1,varint,opt) + + // TopologyKey is the key of node labels. Nodes that have a label with this key + // and identical values are considered to be in the same topology. + // We consider each as a "bucket", and try to put balanced number + // of pods into each bucket. + // We define a domain as a particular instance of a topology. 
+ // Also, we define an eligible domain as a domain whose nodes meet the requirements of + // nodeAffinityPolicy and nodeTaintsPolicy. + // e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + // And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + // It's a required field. + topologyKey: string @go(TopologyKey) @protobuf(2,bytes,opt) + + // WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + // the spread constraint. + // - DoNotSchedule (default) tells the scheduler not to schedule it. + // - ScheduleAnyway tells the scheduler to schedule the pod in any location, + // but giving higher precedence to topologies that would help reduce the + // skew. + // A constraint is considered "Unsatisfiable" for an incoming pod + // if and only if every possible node assignment for that pod would violate + // "MaxSkew" on some topology. + // For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + // labelSelector spread as 3/1/1: + // +-------+-------+-------+ + // | zone1 | zone2 | zone3 | + // +-------+-------+-------+ + // | P P P | P | P | + // +-------+-------+-------+ + // If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + // to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + // MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler + // won't make it *more* imbalanced. + // It's a required field. + whenUnsatisfiable: #UnsatisfiableConstraintAction @go(WhenUnsatisfiable) @protobuf(3,bytes,opt,casttype=UnsatisfiableConstraintAction) + + // LabelSelector is used to find matching pods. + // Pods that match this label selector are counted to determine the number of pods + // in their corresponding topology domain. 
+ // +optional + labelSelector?: null | metav1.#LabelSelector @go(LabelSelector,*metav1.LabelSelector) @protobuf(4,bytes,opt) + + // MinDomains indicates a minimum number of eligible domains. + // When the number of eligible domains with matching topology keys is less than minDomains, + // Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + // And when the number of eligible domains with matching topology keys equals or greater than minDomains, + // this value has no effect on scheduling. + // As a result, when the number of eligible domains is less than minDomains, + // scheduler won't schedule more than maxSkew Pods to those domains. + // If value is nil, the constraint behaves as if MinDomains is equal to 1. + // Valid values are integers greater than 0. + // When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + // + // For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + // labelSelector spread as 2/2/2: + // +-------+-------+-------+ + // | zone1 | zone2 | zone3 | + // +-------+-------+-------+ + // | P P | P P | P P | + // +-------+-------+-------+ + // The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + // In this situation, new pod with the same labelSelector cannot be scheduled, + // because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + // it will violate MaxSkew. + // + // This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default). + // +optional + minDomains?: null | int32 @go(MinDomains,*int32) @protobuf(5,varint,opt) + + // NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + // when calculating pod topology spread skew. Options are: + // - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + // - Ignore: nodeAffinity/nodeSelector are ignored. 
All nodes are included in the calculations. + // + // If this value is nil, the behavior is equivalent to the Honor policy. + // This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + // +optional + nodeAffinityPolicy?: null | #NodeInclusionPolicy @go(NodeAffinityPolicy,*NodeInclusionPolicy) @protobuf(6,bytes,opt) + + // NodeTaintsPolicy indicates how we will treat node taints when calculating + // pod topology spread skew. Options are: + // - Honor: nodes without taints, along with tainted nodes for which the incoming pod + // has a toleration, are included. + // - Ignore: node taints are ignored. All nodes are included. + // + // If this value is nil, the behavior is equivalent to the Ignore policy. + // This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + // +optional + nodeTaintsPolicy?: null | #NodeInclusionPolicy @go(NodeTaintsPolicy,*NodeInclusionPolicy) @protobuf(7,bytes,opt) + + // MatchLabelKeys is a set of pod label keys to select the pods over which + // spreading will be calculated. The keys are used to lookup values from the + // incoming pod labels, those key-value labels are ANDed with labelSelector + // to select the group of existing pods over which spreading will be calculated + // for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + // MatchLabelKeys cannot be set when LabelSelector isn't set. + // Keys that don't exist in the incoming pod labels will + // be ignored. A null or empty list means only match against labelSelector. + // + // This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + // +listType=atomic + // +optional + matchLabelKeys?: [...string] @go(MatchLabelKeys,[]string) @protobuf(8,bytes,opt) +} + +// The default value for enableServiceLinks attribute. 
+#DefaultEnableServiceLinks: true + +// HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the +// pod's hosts file. +#HostAlias: { + // IP address of the host file entry. + ip?: string @go(IP) @protobuf(1,bytes,opt) + + // Hostnames for the above IP address. + hostnames?: [...string] @go(Hostnames,[]string) @protobuf(2,bytes,rep) +} + +// PodFSGroupChangePolicy holds policies that will be used for applying fsGroup to a volume +// when volume is mounted. +// +enum +#PodFSGroupChangePolicy: string // #enumPodFSGroupChangePolicy + +#enumPodFSGroupChangePolicy: + #FSGroupChangeOnRootMismatch | + #FSGroupChangeAlways + +// FSGroupChangeOnRootMismatch indicates that volume's ownership and permissions will be changed +// only when permission and ownership of root directory does not match with expected +// permissions on the volume. This can help shorten the time it takes to change +// ownership and permissions of a volume. +#FSGroupChangeOnRootMismatch: #PodFSGroupChangePolicy & "OnRootMismatch" + +// FSGroupChangeAlways indicates that volume's ownership and permissions +// should always be changed whenever volume is mounted inside a Pod. This the default +// behavior. +#FSGroupChangeAlways: #PodFSGroupChangePolicy & "Always" + +// PodSecurityContext holds pod-level security attributes and common container settings. +// Some fields are also present in container.securityContext. Field values of +// container.securityContext take precedence over field values of PodSecurityContext. +#PodSecurityContext: { + // The SELinux context to be applied to all containers. + // If unspecified, the container runtime will allocate a random SELinux context for each + // container. May also be set in SecurityContext. If set in + // both SecurityContext and PodSecurityContext, the value specified in SecurityContext + // takes precedence for that container. + // Note that this field cannot be set when spec.os.name is windows. 
+ // +optional + seLinuxOptions?: null | #SELinuxOptions @go(SELinuxOptions,*SELinuxOptions) @protobuf(1,bytes,opt) + + // The Windows specific settings applied to all containers. + // If unspecified, the options within a container's SecurityContext will be used. + // If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + // Note that this field cannot be set when spec.os.name is linux. + // +optional + windowsOptions?: null | #WindowsSecurityContextOptions @go(WindowsOptions,*WindowsSecurityContextOptions) @protobuf(8,bytes,opt) + + // The UID to run the entrypoint of the container process. + // Defaults to user specified in image metadata if unspecified. + // May also be set in SecurityContext. If set in both SecurityContext and + // PodSecurityContext, the value specified in SecurityContext takes precedence + // for that container. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + runAsUser?: null | int64 @go(RunAsUser,*int64) @protobuf(2,varint,opt) + + // The GID to run the entrypoint of the container process. + // Uses runtime default if unset. + // May also be set in SecurityContext. If set in both SecurityContext and + // PodSecurityContext, the value specified in SecurityContext takes precedence + // for that container. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + runAsGroup?: null | int64 @go(RunAsGroup,*int64) @protobuf(6,varint,opt) + + // Indicates that the container must run as a non-root user. + // If true, the Kubelet will validate the image at runtime to ensure that it + // does not run as UID 0 (root) and fail to start the container if it does. + // If unset or false, no such validation will be performed. + // May also be set in SecurityContext. If set in both SecurityContext and + // PodSecurityContext, the value specified in SecurityContext takes precedence. 
+ // +optional + runAsNonRoot?: null | bool @go(RunAsNonRoot,*bool) @protobuf(3,varint,opt) + + // A list of groups applied to the first process run in each container, in addition + // to the container's primary GID, the fsGroup (if specified), and group memberships + // defined in the container image for the uid of the container process. If unspecified, + // no additional groups are added to any container. Note that group memberships + // defined in the container image for the uid of the container process are still effective, + // even if they are not included in this list. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + supplementalGroups?: [...int64] @go(SupplementalGroups,[]int64) @protobuf(4,varint,rep) + + // A special supplemental group that applies to all containers in a pod. + // Some volume types allow the Kubelet to change the ownership of that volume + // to be owned by the pod: + // + // 1. The owning GID will be the FSGroup + // 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) + // 3. The permission bits are OR'd with rw-rw---- + // + // If unset, the Kubelet will not modify the ownership and permissions of any volume. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + fsGroup?: null | int64 @go(FSGroup,*int64) @protobuf(5,varint,opt) + + // Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported + // sysctls (by the container runtime) might fail to launch. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + sysctls?: [...#Sysctl] @go(Sysctls,[]Sysctl) @protobuf(7,bytes,rep) + + // fsGroupChangePolicy defines behavior of changing ownership and permission of the volume + // before being exposed inside Pod. This field will only apply to + // volume types which support fsGroup based ownership(and permissions). 
+ // It will have no effect on ephemeral volume types such as: secret, configmaps + // and emptydir. + // Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + fsGroupChangePolicy?: null | #PodFSGroupChangePolicy @go(FSGroupChangePolicy,*PodFSGroupChangePolicy) @protobuf(9,bytes,opt) + + // The seccomp options to use by the containers in this pod. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + seccompProfile?: null | #SeccompProfile @go(SeccompProfile,*SeccompProfile) @protobuf(10,bytes,opt) +} + +// SeccompProfile defines a pod/container's seccomp profile settings. +// Only one profile source may be set. +// +union +#SeccompProfile: { + // type indicates which kind of seccomp profile will be applied. + // Valid options are: + // + // Localhost - a profile defined in a file on the node should be used. + // RuntimeDefault - the container runtime default profile should be used. + // Unconfined - no profile should be applied. + // +unionDiscriminator + type: #SeccompProfileType @go(Type) @protobuf(1,bytes,opt,casttype=SeccompProfileType) + + // localhostProfile indicates a profile defined in a file on the node should be used. + // The profile must be preconfigured on the node to work. + // Must be a descending path, relative to the kubelet's configured seccomp profile location. + // Must be set if type is "Localhost". Must NOT be set for any other type. + // +optional + localhostProfile?: null | string @go(LocalhostProfile,*string) @protobuf(2,bytes,opt) +} + +// SeccompProfileType defines the supported seccomp profile types. +// +enum +#SeccompProfileType: string // #enumSeccompProfileType + +#enumSeccompProfileType: + #SeccompProfileTypeUnconfined | + #SeccompProfileTypeRuntimeDefault | + #SeccompProfileTypeLocalhost + +// SeccompProfileTypeUnconfined indicates no seccomp profile is applied (A.K.A. unconfined). 
+#SeccompProfileTypeUnconfined: #SeccompProfileType & "Unconfined" + +// SeccompProfileTypeRuntimeDefault represents the default container runtime seccomp profile. +#SeccompProfileTypeRuntimeDefault: #SeccompProfileType & "RuntimeDefault" + +// SeccompProfileTypeLocalhost indicates a profile defined in a file on the node should be used. +// The file's location relative to /seccomp. +#SeccompProfileTypeLocalhost: #SeccompProfileType & "Localhost" + +// PodQOSClass defines the supported qos classes of Pods. +// +enum +#PodQOSClass: string // #enumPodQOSClass + +#enumPodQOSClass: + #PodQOSGuaranteed | + #PodQOSBurstable | + #PodQOSBestEffort + +// PodQOSGuaranteed is the Guaranteed qos class. +#PodQOSGuaranteed: #PodQOSClass & "Guaranteed" + +// PodQOSBurstable is the Burstable qos class. +#PodQOSBurstable: #PodQOSClass & "Burstable" + +// PodQOSBestEffort is the BestEffort qos class. +#PodQOSBestEffort: #PodQOSClass & "BestEffort" + +// PodDNSConfig defines the DNS parameters of a pod in addition to +// those generated from DNSPolicy. +#PodDNSConfig: { + // A list of DNS name server IP addresses. + // This will be appended to the base nameservers generated from DNSPolicy. + // Duplicated nameservers will be removed. + // +optional + nameservers?: [...string] @go(Nameservers,[]string) @protobuf(1,bytes,rep) + + // A list of DNS search domains for host-name lookup. + // This will be appended to the base search paths generated from DNSPolicy. + // Duplicated search paths will be removed. + // +optional + searches?: [...string] @go(Searches,[]string) @protobuf(2,bytes,rep) + + // A list of DNS resolver options. + // This will be merged with the base options generated from DNSPolicy. + // Duplicated entries will be removed. Resolution options given in Options + // will override those that appear in the base DNSPolicy. 
+ // +optional + options?: [...#PodDNSConfigOption] @go(Options,[]PodDNSConfigOption) @protobuf(3,bytes,rep) +} + +// PodDNSConfigOption defines DNS resolver options of a pod. +#PodDNSConfigOption: { + // Required. + name?: string @go(Name) @protobuf(1,bytes,opt) + + // +optional + value?: null | string @go(Value,*string) @protobuf(2,bytes,opt) +} + +// PodIP represents a single IP address allocated to the pod. +#PodIP: { + // IP is the IP address assigned to the pod + ip?: string @go(IP) @protobuf(1,bytes,opt) +} + +// HostIP represents a single IP address allocated to the host. +#HostIP: { + // IP is the IP address assigned to the host + ip?: string @go(IP) @protobuf(1,bytes,opt) +} + +// EphemeralContainerCommon is a copy of all fields in Container to be inlined in +// EphemeralContainer. This separate type allows easy conversion from EphemeralContainer +// to Container and allows separate documentation for the fields of EphemeralContainer. +// When a new field is added to Container it must be added here as well. +#EphemeralContainerCommon: { + // Name of the ephemeral container specified as a DNS_LABEL. + // This name must be unique among all containers, init containers and ephemeral containers. + name: string @go(Name) @protobuf(1,bytes,opt) + + // Container image name. + // More info: https://kubernetes.io/docs/concepts/containers/images + image?: string @go(Image) @protobuf(2,bytes,opt) + + // Entrypoint array. Not executed within a shell. + // The image's ENTRYPOINT is used if this is not provided. + // Variable references $(VAR_NAME) are expanded using the container's environment. If a variable + // cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + // to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + // produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + // of whether the variable exists or not. Cannot be updated. 
+ // More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + // +optional + command?: [...string] @go(Command,[]string) @protobuf(3,bytes,rep) + + // Arguments to the entrypoint. + // The image's CMD is used if this is not provided. + // Variable references $(VAR_NAME) are expanded using the container's environment. If a variable + // cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + // to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + // produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + // of whether the variable exists or not. Cannot be updated. + // More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + // +optional + args?: [...string] @go(Args,[]string) @protobuf(4,bytes,rep) + + // Container's working directory. + // If not specified, the container runtime's default will be used, which + // might be configured in the container image. + // Cannot be updated. + // +optional + workingDir?: string @go(WorkingDir) @protobuf(5,bytes,opt) + + // Ports are not allowed for ephemeral containers. + // +optional + // +patchMergeKey=containerPort + // +patchStrategy=merge + // +listType=map + // +listMapKey=containerPort + // +listMapKey=protocol + ports?: [...#ContainerPort] @go(Ports,[]ContainerPort) @protobuf(6,bytes,rep) + + // List of sources to populate environment variables in the container. + // The keys defined within a source must be a C_IDENTIFIER. All invalid keys + // will be reported as an event when the container is starting. When a key exists in multiple + // sources, the value associated with the last source will take precedence. + // Values defined by an Env with a duplicate key will take precedence. + // Cannot be updated. 
+ // +optional + envFrom?: [...#EnvFromSource] @go(EnvFrom,[]EnvFromSource) @protobuf(19,bytes,rep) + + // List of environment variables to set in the container. + // Cannot be updated. + // +optional + // +patchMergeKey=name + // +patchStrategy=merge + env?: [...#EnvVar] @go(Env,[]EnvVar) @protobuf(7,bytes,rep) + + // Resources are not allowed for ephemeral containers. Ephemeral containers use spare resources + // already allocated to the pod. + // +optional + resources?: #ResourceRequirements @go(Resources) @protobuf(8,bytes,opt) + + // Resources resize policy for the container. + // +featureGate=InPlacePodVerticalScaling + // +optional + // +listType=atomic + resizePolicy?: [...#ContainerResizePolicy] @go(ResizePolicy,[]ContainerResizePolicy) @protobuf(23,bytes,rep) + + // Restart policy for the container to manage the restart behavior of each + // container within a pod. + // This may only be set for init containers. You cannot set this field on + // ephemeral containers. + // +featureGate=SidecarContainers + // +optional + restartPolicy?: null | #ContainerRestartPolicy @go(RestartPolicy,*ContainerRestartPolicy) @protobuf(24,bytes,opt,casttype=ContainerRestartPolicy) + + // Pod volumes to mount into the container's filesystem. Subpath mounts are not allowed for ephemeral containers. + // Cannot be updated. + // +optional + // +patchMergeKey=mountPath + // +patchStrategy=merge + volumeMounts?: [...#VolumeMount] @go(VolumeMounts,[]VolumeMount) @protobuf(9,bytes,rep) + + // volumeDevices is the list of block devices to be used by the container. + // +patchMergeKey=devicePath + // +patchStrategy=merge + // +optional + volumeDevices?: [...#VolumeDevice] @go(VolumeDevices,[]VolumeDevice) @protobuf(21,bytes,rep) + + // Probes are not allowed for ephemeral containers. + // +optional + livenessProbe?: null | #Probe @go(LivenessProbe,*Probe) @protobuf(10,bytes,opt) + + // Probes are not allowed for ephemeral containers. 
+ // +optional + readinessProbe?: null | #Probe @go(ReadinessProbe,*Probe) @protobuf(11,bytes,opt) + + // Probes are not allowed for ephemeral containers. + // +optional + startupProbe?: null | #Probe @go(StartupProbe,*Probe) @protobuf(22,bytes,opt) + + // Lifecycle is not allowed for ephemeral containers. + // +optional + lifecycle?: null | #Lifecycle @go(Lifecycle,*Lifecycle) @protobuf(12,bytes,opt) + + // Optional: Path at which the file to which the container's termination message + // will be written is mounted into the container's filesystem. + // Message written is intended to be brief final status, such as an assertion failure message. + // Will be truncated by the node if greater than 4096 bytes. The total message length across + // all containers will be limited to 12kb. + // Defaults to /dev/termination-log. + // Cannot be updated. + // +optional + terminationMessagePath?: string @go(TerminationMessagePath) @protobuf(13,bytes,opt) + + // Indicate how the termination message should be populated. File will use the contents of + // terminationMessagePath to populate the container status message on both success and failure. + // FallbackToLogsOnError will use the last chunk of container log output if the termination + // message file is empty and the container exited with an error. + // The log output is limited to 2048 bytes or 80 lines, whichever is smaller. + // Defaults to File. + // Cannot be updated. + // +optional + terminationMessagePolicy?: #TerminationMessagePolicy @go(TerminationMessagePolicy) @protobuf(20,bytes,opt,casttype=TerminationMessagePolicy) + + // Image pull policy. + // One of Always, Never, IfNotPresent. + // Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + // Cannot be updated. 
+ // More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + // +optional + imagePullPolicy?: #PullPolicy @go(ImagePullPolicy) @protobuf(14,bytes,opt,casttype=PullPolicy) + + // Optional: SecurityContext defines the security options the ephemeral container should be run with. + // If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. + // +optional + securityContext?: null | #SecurityContext @go(SecurityContext,*SecurityContext) @protobuf(15,bytes,opt) + + // Whether this container should allocate a buffer for stdin in the container runtime. If this + // is not set, reads from stdin in the container will always result in EOF. + // Default is false. + // +optional + stdin?: bool @go(Stdin) @protobuf(16,varint,opt) + + // Whether the container runtime should close the stdin channel after it has been opened by + // a single attach. When stdin is true the stdin stream will remain open across multiple attach + // sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the + // first client attaches to stdin, and then remains open and accepts data until the client disconnects, + // at which time stdin is closed and remains closed until the container is restarted. If this + // flag is false, a container processes that reads from stdin will never receive an EOF. + // Default is false + // +optional + stdinOnce?: bool @go(StdinOnce) @protobuf(17,varint,opt) + + // Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. + // Default is false. + // +optional + tty?: bool @go(TTY) @protobuf(18,varint,opt) +} + +// An EphemeralContainer is a temporary container that you may add to an existing Pod for +// user-initiated activities such as debugging. Ephemeral containers have no resource or +// scheduling guarantees, and they will not be restarted when they exit or when a Pod is +// removed or restarted. 
The kubelet may evict a Pod if an ephemeral container causes the +// Pod to exceed its resource allocation. +// +// To add an ephemeral container, use the ephemeralcontainers subresource of an existing +// Pod. Ephemeral containers may not be removed or restarted. +#EphemeralContainer: { + #EphemeralContainerCommon + + // If set, the name of the container from PodSpec that this ephemeral container targets. + // The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container. + // If not set then the ephemeral container uses the namespaces configured in the Pod spec. + // + // The container runtime must implement support for this feature. If the runtime does not + // support namespace targeting then the result of setting this field is undefined. + // +optional + targetContainerName?: string @go(TargetContainerName) @protobuf(2,bytes,opt) +} + +// PodStatus represents information about the status of a pod. Status may trail the actual +// state of a system, especially if the node that hosts the pod cannot contact the control +// plane. +#PodStatus: { + // The phase of a Pod is a simple, high-level summary of where the Pod is in its lifecycle. + // The conditions array, the reason and message fields, and the individual container status + // arrays contain more detail about the pod's status. + // There are five possible phase values: + // + // Pending: The pod has been accepted by the Kubernetes system, but one or more of the + // container images has not been created. This includes time before being scheduled as + // well as time spent downloading images over the network, which could take a while. + // Running: The pod has been bound to a node, and all of the containers have been created. + // At least one container is still running, or is in the process of starting or restarting. + // Succeeded: All containers in the pod have terminated in success, and will not be restarted. 
+ // Failed: All containers in the pod have terminated, and at least one container has + // terminated in failure. The container either exited with non-zero status or was terminated + // by the system. + // Unknown: For some reason the state of the pod could not be obtained, typically due to an + // error in communicating with the host of the pod. + // + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-phase + // +optional + phase?: #PodPhase @go(Phase) @protobuf(1,bytes,opt,casttype=PodPhase) + + // Current service state of pod. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#PodCondition] @go(Conditions,[]PodCondition) @protobuf(2,bytes,rep) + + // A human readable message indicating details about why the pod is in this condition. + // +optional + message?: string @go(Message) @protobuf(3,bytes,opt) + + // A brief CamelCase message indicating details about why the pod is in this state. + // e.g. 'Evicted' + // +optional + reason?: string @go(Reason) @protobuf(4,bytes,opt) + + // nominatedNodeName is set only when this pod preempts other pods on the node, but it cannot be + // scheduled right away as preemption victims receive their graceful termination periods. + // This field does not guarantee that the pod will be scheduled on this node. Scheduler may decide + // to place the pod elsewhere if other nodes become available sooner. Scheduler may also decide to + // give the resources on this node to a higher priority pod that is created after preemption. + // As a result, this field may be different than PodSpec.nodeName when the pod is + // scheduled. + // +optional + nominatedNodeName?: string @go(NominatedNodeName) @protobuf(11,bytes,opt) + + // hostIP holds the IP address of the host to which the pod is assigned. Empty if the pod has not started yet. 
+ // A pod can be assigned to a node that has a problem in kubelet which in turns mean that HostIP will + // not be updated even if there is a node is assigned to pod + // +optional + hostIP?: string @go(HostIP) @protobuf(5,bytes,opt) + + // hostIPs holds the IP addresses allocated to the host. If this field is specified, the first entry must + // match the hostIP field. This list is empty if the pod has not started yet. + // A pod can be assigned to a node that has a problem in kubelet which in turns means that HostIPs will + // not be updated even if there is a node is assigned to this pod. + // +optional + // +patchStrategy=merge + // +patchMergeKey=ip + // +listType=atomic + hostIPs?: [...#HostIP] @go(HostIPs,[]HostIP) @protobuf(16,bytes,rep) + + // podIP address allocated to the pod. Routable at least within the cluster. + // Empty if not yet allocated. + // +optional + podIP?: string @go(PodIP) @protobuf(6,bytes,opt) + + // podIPs holds the IP addresses allocated to the pod. If this field is specified, the 0th entry must + // match the podIP field. Pods may be allocated at most 1 value for each of IPv4 and IPv6. This list + // is empty if no IPs have been allocated yet. + // +optional + // +patchStrategy=merge + // +patchMergeKey=ip + podIPs?: [...#PodIP] @go(PodIPs,[]PodIP) @protobuf(12,bytes,rep) + + // RFC 3339 date and time at which the object was acknowledged by the Kubelet. + // This is before the Kubelet pulled the container image(s) for the pod. + // +optional + startTime?: null | metav1.#Time @go(StartTime,*metav1.Time) @protobuf(7,bytes,opt) + + // The list has one entry per init container in the manifest. The most recent successful + // init container will have ready = true, the most recently started container will have + // startTime set. 
+ // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status + initContainerStatuses?: [...#ContainerStatus] @go(InitContainerStatuses,[]ContainerStatus) @protobuf(10,bytes,rep) + + // The list has one entry per container in the manifest. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status + // +optional + containerStatuses?: [...#ContainerStatus] @go(ContainerStatuses,[]ContainerStatus) @protobuf(8,bytes,rep) + + // The Quality of Service (QOS) classification assigned to the pod based on resource requirements + // See PodQOSClass type for available QOS classes + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-qos/#quality-of-service-classes + // +optional + qosClass?: #PodQOSClass @go(QOSClass) @protobuf(9,bytes,rep) + + // Status for any ephemeral containers that have run in this pod. + // +optional + ephemeralContainerStatuses?: [...#ContainerStatus] @go(EphemeralContainerStatuses,[]ContainerStatus) @protobuf(13,bytes,rep) + + // Status of resources resize desired for pod's containers. + // It is empty if no resources resize is pending. + // Any changes to container resources will automatically set this to "Proposed" + // +featureGate=InPlacePodVerticalScaling + // +optional + resize?: #PodResizeStatus @go(Resize) @protobuf(14,bytes,opt,casttype=PodResizeStatus) + + // Status of resource claims. + // +patchMergeKey=name + // +patchStrategy=merge,retainKeys + // +listType=map + // +listMapKey=name + // +featureGate=DynamicResourceAllocation + // +optional + resourceClaimStatuses?: [...#PodResourceClaimStatus] @go(ResourceClaimStatuses,[]PodResourceClaimStatus) @protobuf(15,bytes,rep) +} + +// PodStatusResult is a wrapper for PodStatus returned by kubelet that can be encode/decoded +#PodStatusResult: { + metav1.#TypeMeta + + // Standard object's metadata. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Most recently observed status of the pod. + // This data may not be up to date. + // Populated by the system. + // Read-only. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #PodStatus @go(Status) @protobuf(2,bytes,opt) +} + +// Pod is a collection of containers that can run on a host. This resource is created +// by clients and scheduled onto hosts. +#Pod: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Specification of the desired behavior of the pod. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #PodSpec @go(Spec) @protobuf(2,bytes,opt) + + // Most recently observed status of the pod. + // This data may not be up to date. + // Populated by the system. + // Read-only. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #PodStatus @go(Status) @protobuf(3,bytes,opt) +} + +// PodList is a list of Pods. +#PodList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of pods. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md + items: [...#Pod] @go(Items,[]Pod) @protobuf(2,bytes,rep) +} + +// PodTemplateSpec describes the data a pod should have when created from a template +#PodTemplateSpec: { + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Specification of the desired behavior of the pod. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #PodSpec @go(Spec) @protobuf(2,bytes,opt) +} + +// PodTemplate describes a template for creating copies of a predefined pod. +#PodTemplate: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Template defines the pods that will be created from this pod template. + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + template?: #PodTemplateSpec @go(Template) @protobuf(2,bytes,opt) +} + +// PodTemplateList is a list of PodTemplates. +#PodTemplateList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of pod templates + items: [...#PodTemplate] @go(Items,[]PodTemplate) @protobuf(2,bytes,rep) +} + +// ReplicationControllerSpec is the specification of a replication controller. +#ReplicationControllerSpec: { + // Replicas is the number of desired replicas. 
+ // This is a pointer to distinguish between explicit zero and unspecified. + // Defaults to 1. + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#what-is-a-replicationcontroller + // +optional + replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt) + + // Minimum number of seconds for which a newly created pod should be ready + // without any of its container crashing, for it to be considered available. + // Defaults to 0 (pod will be considered available as soon as it is ready) + // +optional + minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(4,varint,opt) + + // Selector is a label query over pods that should match the Replicas count. + // If Selector is empty, it is defaulted to the labels present on the Pod template. + // Label keys and values that must match in order to be controlled by this replication + // controller, if empty defaulted to labels on Pod template. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors + // +optional + // +mapType=atomic + selector?: {[string]: string} @go(Selector,map[string]string) @protobuf(2,bytes,rep) + + // Template is the object that describes the pod that will be created if + // insufficient replicas are detected. This takes precedence over a TemplateRef. + // The only allowed template.spec.restartPolicy value is "Always". + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template + // +optional + template?: null | #PodTemplateSpec @go(Template,*PodTemplateSpec) @protobuf(3,bytes,opt) +} + +// ReplicationControllerStatus represents the current status of a replication +// controller. +#ReplicationControllerStatus: { + // Replicas is the most recently observed number of replicas. 
+ // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#what-is-a-replicationcontroller + replicas: int32 @go(Replicas) @protobuf(1,varint,opt) + + // The number of pods that have labels matching the labels of the pod template of the replication controller. + // +optional + fullyLabeledReplicas?: int32 @go(FullyLabeledReplicas) @protobuf(2,varint,opt) + + // The number of ready replicas for this replication controller. + // +optional + readyReplicas?: int32 @go(ReadyReplicas) @protobuf(4,varint,opt) + + // The number of available replicas (ready for at least minReadySeconds) for this replication controller. + // +optional + availableReplicas?: int32 @go(AvailableReplicas) @protobuf(5,varint,opt) + + // ObservedGeneration reflects the generation of the most recently observed replication controller. + // +optional + observedGeneration?: int64 @go(ObservedGeneration) @protobuf(3,varint,opt) + + // Represents the latest available observations of a replication controller's current state. + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#ReplicationControllerCondition] @go(Conditions,[]ReplicationControllerCondition) @protobuf(6,bytes,rep) +} + +#ReplicationControllerConditionType: string // #enumReplicationControllerConditionType + +#enumReplicationControllerConditionType: + #ReplicationControllerReplicaFailure + +// ReplicationControllerReplicaFailure is added in a replication controller when one of its pods +// fails to be created due to insufficient quota, limit ranges, pod security policy, node selectors, +// etc. or deleted due to kubelet being down or finalizers are failing. +#ReplicationControllerReplicaFailure: #ReplicationControllerConditionType & "ReplicaFailure" + +// ReplicationControllerCondition describes the state of a replication controller at a certain point. +#ReplicationControllerCondition: { + // Type of replication controller condition. 
+ type: #ReplicationControllerConditionType @go(Type) @protobuf(1,bytes,opt,casttype=ReplicationControllerConditionType) + + // Status of the condition, one of True, False, Unknown. + status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus) + + // The last time the condition transitioned from one status to another. + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt) + + // The reason for the condition's last transition. + // +optional + reason?: string @go(Reason) @protobuf(4,bytes,opt) + + // A human readable message indicating details about the transition. + // +optional + message?: string @go(Message) @protobuf(5,bytes,opt) +} + +// ReplicationController represents the configuration of a replication controller. +#ReplicationController: { + metav1.#TypeMeta + + // If the Labels of a ReplicationController are empty, they are defaulted to + // be the same as the Pod(s) that the replication controller manages. + // Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec defines the specification of the desired behavior of the replication controller. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #ReplicationControllerSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status is the most recently observed status of the replication controller. + // This data may be out of date by some window of time. + // Populated by the system. + // Read-only. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #ReplicationControllerStatus @go(Status) @protobuf(3,bytes,opt) +} + +// ReplicationControllerList is a collection of replication controllers. 
+#ReplicationControllerList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of replication controllers. + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller + items: [...#ReplicationController] @go(Items,[]ReplicationController) @protobuf(2,bytes,rep) +} + +// Session Affinity Type string +// +enum +#ServiceAffinity: string // #enumServiceAffinity + +#enumServiceAffinity: + #ServiceAffinityClientIP | + #ServiceAffinityNone + +// ServiceAffinityClientIP is the Client IP based. +#ServiceAffinityClientIP: #ServiceAffinity & "ClientIP" + +// ServiceAffinityNone - no session affinity. +#ServiceAffinityNone: #ServiceAffinity & "None" + +#DefaultClientIPServiceAffinitySeconds: int32 & 10800 + +// SessionAffinityConfig represents the configurations of session affinity. +#SessionAffinityConfig: { + // clientIP contains the configurations of Client IP based session affinity. + // +optional + clientIP?: null | #ClientIPConfig @go(ClientIP,*ClientIPConfig) @protobuf(1,bytes,opt) +} + +// ClientIPConfig represents the configurations of Client IP based session affinity. +#ClientIPConfig: { + // timeoutSeconds specifies the seconds of ClientIP type session sticky time. + // The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + // Default value is 10800(for 3 hours). 
+ // +optional + timeoutSeconds?: null | int32 @go(TimeoutSeconds,*int32) @protobuf(1,varint,opt) +} + +// Service Type string describes ingress methods for a service +// +enum +#ServiceType: string // #enumServiceType + +#enumServiceType: + #ServiceTypeClusterIP | + #ServiceTypeNodePort | + #ServiceTypeLoadBalancer | + #ServiceTypeExternalName + +// ServiceTypeClusterIP means a service will only be accessible inside the +// cluster, via the cluster IP. +#ServiceTypeClusterIP: #ServiceType & "ClusterIP" + +// ServiceTypeNodePort means a service will be exposed on one port of +// every node, in addition to 'ClusterIP' type. +#ServiceTypeNodePort: #ServiceType & "NodePort" + +// ServiceTypeLoadBalancer means a service will be exposed via an +// external load balancer (if the cloud provider supports it), in addition +// to 'NodePort' type. +#ServiceTypeLoadBalancer: #ServiceType & "LoadBalancer" + +// ServiceTypeExternalName means a service consists of only a reference to +// an external name that kubedns or equivalent will return as a CNAME +// record, with no exposing or proxying of any pods involved. +#ServiceTypeExternalName: #ServiceType & "ExternalName" + +// ServiceInternalTrafficPolicy describes how nodes distribute service traffic they +// receive on the ClusterIP. +// +enum +#ServiceInternalTrafficPolicy: string // #enumServiceInternalTrafficPolicy + +#enumServiceInternalTrafficPolicy: + #ServiceInternalTrafficPolicyCluster | + #ServiceInternalTrafficPolicyLocal + +// ServiceInternalTrafficPolicyCluster routes traffic to all endpoints. +#ServiceInternalTrafficPolicyCluster: #ServiceInternalTrafficPolicy & "Cluster" + +// ServiceInternalTrafficPolicyLocal routes traffic only to endpoints on the same +// node as the client pod (dropping the traffic if there are no local endpoints). 
+#ServiceInternalTrafficPolicyLocal: #ServiceInternalTrafficPolicy & "Local" + +// for backwards compat +// +enum +#ServiceInternalTrafficPolicyType: #ServiceInternalTrafficPolicy // #enumServiceInternalTrafficPolicyType + +#enumServiceInternalTrafficPolicyType: + #ServiceInternalTrafficPolicyCluster | + #ServiceInternalTrafficPolicyLocal + +// ServiceExternalTrafficPolicy describes how nodes distribute service traffic they +// receive on one of the Service's "externally-facing" addresses (NodePorts, ExternalIPs, +// and LoadBalancer IPs. +// +enum +#ServiceExternalTrafficPolicy: string // #enumServiceExternalTrafficPolicy + +#enumServiceExternalTrafficPolicy: + #ServiceExternalTrafficPolicyCluster | + #ServiceExternalTrafficPolicyLocal | + #ServiceExternalTrafficPolicyTypeLocal | + #ServiceExternalTrafficPolicyTypeCluster + +// ServiceExternalTrafficPolicyCluster routes traffic to all endpoints. +#ServiceExternalTrafficPolicyCluster: #ServiceExternalTrafficPolicy & "Cluster" + +// ServiceExternalTrafficPolicyLocal preserves the source IP of the traffic by +// routing only to endpoints on the same node as the traffic was received on +// (dropping the traffic if there are no local endpoints). +#ServiceExternalTrafficPolicyLocal: #ServiceExternalTrafficPolicy & "Local" + +// for backwards compat +// +enum +#ServiceExternalTrafficPolicyType: #ServiceExternalTrafficPolicy // #enumServiceExternalTrafficPolicyType + +#enumServiceExternalTrafficPolicyType: + #ServiceExternalTrafficPolicyCluster | + #ServiceExternalTrafficPolicyLocal | + #ServiceExternalTrafficPolicyTypeLocal | + #ServiceExternalTrafficPolicyTypeCluster + +#ServiceExternalTrafficPolicyTypeLocal: #ServiceExternalTrafficPolicy & "Local" +#ServiceExternalTrafficPolicyTypeCluster: #ServiceExternalTrafficPolicy & "Cluster" + +// LoadBalancerPortsError represents the condition of the requested ports +// on the cloud load balancer instance. 
+#LoadBalancerPortsError: "LoadBalancerPortsError" + +// LoadBalancerPortsErrorReason reason in ServiceStatus condition LoadBalancerPortsError +// means the LoadBalancer was not able to be configured correctly. +#LoadBalancerPortsErrorReason: "LoadBalancerMixedProtocolNotSupported" + +// ServiceStatus represents the current status of a service. +#ServiceStatus: { + // LoadBalancer contains the current status of the load-balancer, + // if one is present. + // +optional + loadBalancer?: #LoadBalancerStatus @go(LoadBalancer) @protobuf(1,bytes,opt) + + // Current service state + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + conditions?: [...metav1.#Condition] @go(Conditions,[]metav1.Condition) @protobuf(2,bytes,rep) +} + +// LoadBalancerStatus represents the status of a load-balancer. +#LoadBalancerStatus: { + // Ingress is a list containing ingress points for the load-balancer. + // Traffic intended for the service should be sent to these ingress points. + // +optional + ingress?: [...#LoadBalancerIngress] @go(Ingress,[]LoadBalancerIngress) @protobuf(1,bytes,rep) +} + +// LoadBalancerIngress represents the status of a load-balancer ingress point: +// traffic intended for the service should be sent to an ingress point. +#LoadBalancerIngress: { + // IP is set for load-balancer ingress points that are IP based + // (typically GCE or OpenStack load-balancers) + // +optional + ip?: string @go(IP) @protobuf(1,bytes,opt) + + // Hostname is set for load-balancer ingress points that are DNS based + // (typically AWS load-balancers) + // +optional + hostname?: string @go(Hostname) @protobuf(2,bytes,opt) + + // Ports is a list of records of service ports + // If used, every port defined in the service should have an entry in it + // +listType=atomic + // +optional + ports?: [...#PortStatus] @go(Ports,[]PortStatus) @protobuf(4,bytes,rep) +} + +// IPFamily represents the IP Family (IPv4 or IPv6). 
This type is used +// to express the family of an IP expressed by a type (e.g. service.spec.ipFamilies). +// +enum +#IPFamily: string // #enumIPFamily + +#enumIPFamily: + #IPv4Protocol | + #IPv6Protocol + +// IPv4Protocol indicates that this IP is IPv4 protocol +#IPv4Protocol: #IPFamily & "IPv4" + +// IPv6Protocol indicates that this IP is IPv6 protocol +#IPv6Protocol: #IPFamily & "IPv6" + +// IPFamilyPolicy represents the dual-stack-ness requested or required by a Service +// +enum +#IPFamilyPolicy: string // #enumIPFamilyPolicy + +#enumIPFamilyPolicy: + #IPFamilyPolicySingleStack | + #IPFamilyPolicyPreferDualStack | + #IPFamilyPolicyRequireDualStack + +// IPFamilyPolicySingleStack indicates that this service is required to have a single IPFamily. +// The IPFamily assigned is based on the default IPFamily used by the cluster +// or as identified by service.spec.ipFamilies field +#IPFamilyPolicySingleStack: #IPFamilyPolicy & "SingleStack" + +// IPFamilyPolicyPreferDualStack indicates that this service prefers dual-stack when +// the cluster is configured for dual-stack. If the cluster is not configured +// for dual-stack the service will be assigned a single IPFamily. If the IPFamily is not +// set in service.spec.ipFamilies then the service will be assigned the default IPFamily +// configured on the cluster +#IPFamilyPolicyPreferDualStack: #IPFamilyPolicy & "PreferDualStack" + +// IPFamilyPolicyRequireDualStack indicates that this service requires dual-stack. Using +// IPFamilyPolicyRequireDualStack on a single stack cluster will result in validation errors. The +// IPFamilies (and their order) assigned to this service is based on service.spec.ipFamilies. If +// service.spec.ipFamilies was not provided then it will be assigned according to how they are +// configured on the cluster. 
If service.spec.ipFamilies has only one entry then the alternative +// IPFamily will be added by apiserver +#IPFamilyPolicyRequireDualStack: #IPFamilyPolicy & "RequireDualStack" + +// for backwards compat +// +enum +#IPFamilyPolicyType: #IPFamilyPolicy // #enumIPFamilyPolicyType + +#enumIPFamilyPolicyType: + #IPFamilyPolicySingleStack | + #IPFamilyPolicyPreferDualStack | + #IPFamilyPolicyRequireDualStack + +// ServiceSpec describes the attributes that a user creates on a service. +#ServiceSpec: { + // The list of ports that are exposed by this service. + // More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + // +patchMergeKey=port + // +patchStrategy=merge + // +listType=map + // +listMapKey=port + // +listMapKey=protocol + ports?: [...#ServicePort] @go(Ports,[]ServicePort) @protobuf(1,bytes,rep) + + // Route service traffic to pods with label keys and values matching this + // selector. If empty or not present, the service is assumed to have an + // external process managing its endpoints, which Kubernetes will not + // modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. + // Ignored if type is ExternalName. + // More info: https://kubernetes.io/docs/concepts/services-networking/service/ + // +optional + // +mapType=atomic + selector?: {[string]: string} @go(Selector,map[string]string) @protobuf(2,bytes,rep) + + // clusterIP is the IP address of the service and is usually assigned + // randomly. If an address is specified manually, is in-range (as per + // system configuration), and is not in use, it will be allocated to the + // service; otherwise creation of the service will fail. This field may not + // be changed through updates unless the type field is also being changed + // to ExternalName (which requires this field to be blank) or the type + // field is being changed from ExternalName (in which case this field may + // optionally be specified, as describe above). 
Valid values are "None", + // empty string (""), or a valid IP address. Setting this to "None" makes a + // "headless service" (no virtual IP), which is useful when direct endpoint + // connections are preferred and proxying is not required. Only applies to + // types ClusterIP, NodePort, and LoadBalancer. If this field is specified + // when creating a Service of type ExternalName, creation will fail. This + // field will be wiped when updating a Service to type ExternalName. + // More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + // +optional + clusterIP?: string @go(ClusterIP) @protobuf(3,bytes,opt) + + // ClusterIPs is a list of IP addresses assigned to this service, and are + // usually assigned randomly. If an address is specified manually, is + // in-range (as per system configuration), and is not in use, it will be + // allocated to the service; otherwise creation of the service will fail. + // This field may not be changed through updates unless the type field is + // also being changed to ExternalName (which requires this field to be + // empty) or the type field is being changed from ExternalName (in which + // case this field may optionally be specified, as describe above). Valid + // values are "None", empty string (""), or a valid IP address. Setting + // this to "None" makes a "headless service" (no virtual IP), which is + // useful when direct endpoint connections are preferred and proxying is + // not required. Only applies to types ClusterIP, NodePort, and + // LoadBalancer. If this field is specified when creating a Service of type + // ExternalName, creation will fail. This field will be wiped when updating + // a Service to type ExternalName. If this field is not specified, it will + // be initialized from the clusterIP field. If this field is specified, + // clients must ensure that clusterIPs[0] and clusterIP have the same + // value. 
+ // + // This field may hold a maximum of two entries (dual-stack IPs, in either order). + // These IPs must correspond to the values of the ipFamilies field. Both + // clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. + // More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + // +listType=atomic + // +optional + clusterIPs?: [...string] @go(ClusterIPs,[]string) @protobuf(18,bytes,opt) + + // type determines how the Service is exposed. Defaults to ClusterIP. Valid + // options are ExternalName, ClusterIP, NodePort, and LoadBalancer. + // "ClusterIP" allocates a cluster-internal IP address for load-balancing + // to endpoints. Endpoints are determined by the selector or if that is not + // specified, by manual construction of an Endpoints object or + // EndpointSlice objects. If clusterIP is "None", no virtual IP is + // allocated and the endpoints are published as a set of endpoints rather + // than a virtual IP. + // "NodePort" builds on ClusterIP and allocates a port on every node which + // routes to the same endpoints as the clusterIP. + // "LoadBalancer" builds on NodePort and creates an external load-balancer + // (if supported in the current cloud) which routes to the same endpoints + // as the clusterIP. + // "ExternalName" aliases this service to the specified externalName. + // Several other fields do not apply to ExternalName services. + // More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types + // +optional + type?: #ServiceType @go(Type) @protobuf(4,bytes,opt,casttype=ServiceType) + + // externalIPs is a list of IP addresses for which nodes in the cluster + // will also accept traffic for this service. These IPs are not managed by + // Kubernetes. The user is responsible for ensuring that traffic arrives + // at a node with this IP. A common example is external load-balancers + // that are not part of the Kubernetes system. 
+ // +optional + externalIPs?: [...string] @go(ExternalIPs,[]string) @protobuf(5,bytes,rep) + + // Supports "ClientIP" and "None". Used to maintain session affinity. + // Enable client IP based session affinity. + // Must be ClientIP or None. + // Defaults to None. + // More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + // +optional + sessionAffinity?: #ServiceAffinity @go(SessionAffinity) @protobuf(7,bytes,opt,casttype=ServiceAffinity) + + // Only applies to Service Type: LoadBalancer. + // This feature depends on whether the underlying cloud-provider supports specifying + // the loadBalancerIP when a load balancer is created. + // This field will be ignored if the cloud-provider does not support the feature. + // Deprecated: This field was under-specified and its meaning varies across implementations. + // Using it is non-portable and it may not support dual-stack. + // Users are encouraged to use implementation-specific annotations when available. + // +optional + loadBalancerIP?: string @go(LoadBalancerIP) @protobuf(8,bytes,opt) + + // If specified and supported by the platform, this will restrict traffic through the cloud-provider + // load-balancer will be restricted to the specified client IPs. This field will be ignored if the + // cloud-provider does not support the feature." + // More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ + // +optional + loadBalancerSourceRanges?: [...string] @go(LoadBalancerSourceRanges,[]string) @protobuf(9,bytes,opt) + + // externalName is the external reference that discovery mechanisms will + // return as an alias for this service (e.g. a DNS CNAME record). No + // proxying will be involved. Must be a lowercase RFC-1123 hostname + // (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName". 
+ // +optional + externalName?: string @go(ExternalName) @protobuf(10,bytes,opt) + + // externalTrafficPolicy describes how nodes distribute service traffic they + // receive on one of the Service's "externally-facing" addresses (NodePorts, + // ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure + // the service in a way that assumes that external load balancers will take care + // of balancing the service traffic between nodes, and so each node will deliver + // traffic only to the node-local endpoints of the service, without masquerading + // the client source IP. (Traffic mistakenly sent to a node with no endpoints will + // be dropped.) The default value, "Cluster", uses the standard behavior of + // routing to all endpoints evenly (possibly modified by topology and other + // features). Note that traffic sent to an External IP or LoadBalancer IP from + // within the cluster will always get "Cluster" semantics, but clients sending to + // a NodePort from within the cluster may need to take traffic policy into account + // when picking a node. + // +optional + externalTrafficPolicy?: #ServiceExternalTrafficPolicy @go(ExternalTrafficPolicy) @protobuf(11,bytes,opt) + + // healthCheckNodePort specifies the healthcheck nodePort for the service. + // This only applies when type is set to LoadBalancer and + // externalTrafficPolicy is set to Local. If a value is specified, is + // in-range, and is not in use, it will be used. If not specified, a value + // will be automatically allocated. External systems (e.g. load-balancers) + // can use this port to determine if a given node holds endpoints for this + // service or not. If this field is specified when creating a Service + // which does not need it, creation will fail. This field will be wiped + // when updating a Service to no longer need it (e.g. changing type). + // This field cannot be updated once set. 
+ // +optional + healthCheckNodePort?: int32 @go(HealthCheckNodePort) @protobuf(12,bytes,opt) + + // publishNotReadyAddresses indicates that any agent which deals with endpoints for this + // Service should disregard any indications of ready/not-ready. + // The primary use case for setting this field is for a StatefulSet's Headless Service to + // propagate SRV DNS records for its Pods for the purpose of peer discovery. + // The Kubernetes controllers that generate Endpoints and EndpointSlice resources for + // Services interpret this to mean that all endpoints are considered "ready" even if the + // Pods themselves are not. Agents which consume only Kubernetes generated endpoints + // through the Endpoints or EndpointSlice resources can safely assume this behavior. + // +optional + publishNotReadyAddresses?: bool @go(PublishNotReadyAddresses) @protobuf(13,varint,opt) + + // sessionAffinityConfig contains the configurations of session affinity. + // +optional + sessionAffinityConfig?: null | #SessionAffinityConfig @go(SessionAffinityConfig,*SessionAffinityConfig) @protobuf(14,bytes,opt) + + // IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this + // service. This field is usually assigned automatically based on cluster + // configuration and the ipFamilyPolicy field. If this field is specified + // manually, the requested family is available in the cluster, + // and ipFamilyPolicy allows it, it will be used; otherwise creation of + // the service will fail. This field is conditionally mutable: it allows + // for adding or removing a secondary IP family, but it does not allow + // changing the primary IP family of the Service. Valid values are "IPv4" + // and "IPv6". This field only applies to Services of types ClusterIP, + // NodePort, and LoadBalancer, and does apply to "headless" services. + // This field will be wiped when updating a Service to type ExternalName. 
+ // + // This field may hold a maximum of two entries (dual-stack families, in + // either order). These families must correspond to the values of the + // clusterIPs field, if specified. Both clusterIPs and ipFamilies are + // governed by the ipFamilyPolicy field. + // +listType=atomic + // +optional + ipFamilies?: [...#IPFamily] @go(IPFamilies,[]IPFamily) @protobuf(19,bytes,opt,casttype=IPFamily) + + // IPFamilyPolicy represents the dual-stack-ness requested or required by + // this Service. If there is no value provided, then this field will be set + // to SingleStack. Services can be "SingleStack" (a single IP family), + // "PreferDualStack" (two IP families on dual-stack configured clusters or + // a single IP family on single-stack clusters), or "RequireDualStack" + // (two IP families on dual-stack configured clusters, otherwise fail). The + // ipFamilies and clusterIPs fields depend on the value of this field. This + // field will be wiped when updating a service to type ExternalName. + // +optional + ipFamilyPolicy?: null | #IPFamilyPolicy @go(IPFamilyPolicy,*IPFamilyPolicy) @protobuf(17,bytes,opt,casttype=IPFamilyPolicy) + + // allocateLoadBalancerNodePorts defines if NodePorts will be automatically + // allocated for services with type LoadBalancer. Default is "true". It + // may be set to "false" if the cluster load-balancer does not rely on + // NodePorts. If the caller requests specific NodePorts (by specifying a + // value), those requests will be respected, regardless of this field. + // This field may only be set for services with type LoadBalancer and will + // be cleared if the type is changed to any other type. + // +optional + allocateLoadBalancerNodePorts?: null | bool @go(AllocateLoadBalancerNodePorts,*bool) @protobuf(20,bytes,opt) + + // loadBalancerClass is the class of the load balancer implementation this Service belongs to. + // If specified, the value of this field must be a label-style identifier, with an optional prefix, + // e.g. 
"internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. + // This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load + // balancer implementation is used, today this is typically done through the cloud provider integration, + // but should apply for any default implementation. If set, it is assumed that a load balancer + // implementation is watching for Services with a matching class. Any default load balancer + // implementation (e.g. cloud providers) should ignore Services that set this field. + // This field can only be set when creating or updating a Service to type 'LoadBalancer'. + // Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. + // +optional + loadBalancerClass?: null | string @go(LoadBalancerClass,*string) @protobuf(21,bytes,opt) + + // InternalTrafficPolicy describes how nodes distribute service traffic they + // receive on the ClusterIP. If set to "Local", the proxy will assume that pods + // only want to talk to endpoints of the service on the same node as the pod, + // dropping the traffic if there are no local endpoints. The default value, + // "Cluster", uses the standard behavior of routing to all endpoints evenly + // (possibly modified by topology and other features). + // +optional + internalTrafficPolicy?: null | #ServiceInternalTrafficPolicy @go(InternalTrafficPolicy,*ServiceInternalTrafficPolicy) @protobuf(22,bytes,opt) +} + +// ServicePort contains information on service's port. +#ServicePort: { + // The name of this port within the service. This must be a DNS_LABEL. + // All ports within a ServiceSpec must have unique names. When considering + // the endpoints for a Service, this must match the 'name' field in the + // EndpointPort. + // Optional if only one ServicePort is defined on this service. + // +optional + name?: string @go(Name) @protobuf(1,bytes,opt) + + // The IP protocol for this port. 
Supports "TCP", "UDP", and "SCTP". + // Default is TCP. + // +default="TCP" + // +optional + protocol?: #Protocol @go(Protocol) @protobuf(2,bytes,opt,casttype=Protocol) + + // The application protocol for this port. + // This is used as a hint for implementations to offer richer behavior for protocols that they understand. + // This field follows standard Kubernetes label syntax. + // Valid values are either: + // + // * Un-prefixed protocol names - reserved for IANA standard service names (as per + // RFC-6335 and https://www.iana.org/assignments/service-names). + // + // * Kubernetes-defined prefixed names: + // * 'kubernetes.io/h2c' - HTTP/2 over cleartext as described in https://www.rfc-editor.org/rfc/rfc7540 + // * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + // * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + // + // * Other protocols should use implementation-defined prefixed names such as + // mycompany.com/my-custom-protocol. + // +optional + appProtocol?: null | string @go(AppProtocol,*string) @protobuf(6,bytes,opt) + + // The port that will be exposed by this service. + port: int32 @go(Port) @protobuf(3,varint,opt) + + // Number or name of the port to access on the pods targeted by the service. + // Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + // If this is a string, it will be looked up as a named port in the + // target Pod's container ports. If this is not specified, the value + // of the 'port' field is used (an identity map). + // This field is ignored for services with clusterIP=None, and should be + // omitted or set equal to the 'port' field. 
+ // More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + // +optional + targetPort?: intstr.#IntOrString @go(TargetPort) @protobuf(4,bytes,opt) + + // The port on each node on which this service is exposed when type is + // NodePort or LoadBalancer. Usually assigned by the system. If a value is + // specified, in-range, and not in use it will be used, otherwise the + // operation will fail. If not specified, a port will be allocated if this + // Service requires one. If this field is specified when creating a + // Service which does not need it, creation will fail. This field will be + // wiped when updating a Service to no longer need it (e.g. changing type + // from NodePort to ClusterIP). + // More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + // +optional + nodePort?: int32 @go(NodePort) @protobuf(5,varint,opt) +} + +// Service is a named abstraction of software service (for example, mysql) consisting of local port +// (for example 3306) that the proxy listens on, and the selector that determines which pods +// will answer requests sent through the proxy. +#Service: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec defines the behavior of a service. + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #ServiceSpec @go(Spec) @protobuf(2,bytes,opt) + + // Most recently observed status of the service. + // Populated by the system. + // Read-only. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #ServiceStatus @go(Status) @protobuf(3,bytes,opt) +} + +// ClusterIPNone - do not assign a cluster IP +// no proxying required and no environment variables should be created for pods +#ClusterIPNone: "None" + +// ServiceList holds a list of services. +#ServiceList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of services + items: [...#Service] @go(Items,[]Service) @protobuf(2,bytes,rep) +} + +// ServiceAccount binds together: +// * a name, understood by users, and perhaps by peripheral systems, for an identity +// * a principal that can be authenticated and authorized +// * a set of secrets +#ServiceAccount: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Secrets is a list of the secrets in the same namespace that pods running using this ServiceAccount are allowed to use. + // Pods are only limited to this list if this service account has a "kubernetes.io/enforce-mountable-secrets" annotation set to "true". + // This field should not be used to find auto-generated service account token secrets for use outside of pods. + // Instead, tokens can be requested directly using the TokenRequest API, or service account token secrets can be manually created. 
+ // More info: https://kubernetes.io/docs/concepts/configuration/secret + // +optional + // +patchMergeKey=name + // +patchStrategy=merge + secrets?: [...#ObjectReference] @go(Secrets,[]ObjectReference) @protobuf(2,bytes,rep) + + // ImagePullSecrets is a list of references to secrets in the same namespace to use for pulling any images + // in pods that reference this ServiceAccount. ImagePullSecrets are distinct from Secrets because Secrets + // can be mounted in the pod, but ImagePullSecrets are only accessed by the kubelet. + // More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod + // +optional + imagePullSecrets?: [...#LocalObjectReference] @go(ImagePullSecrets,[]LocalObjectReference) @protobuf(3,bytes,rep) + + // AutomountServiceAccountToken indicates whether pods running as this service account should have an API token automatically mounted. + // Can be overridden at the pod level. + // +optional + automountServiceAccountToken?: null | bool @go(AutomountServiceAccountToken,*bool) @protobuf(4,varint,opt) +} + +// ServiceAccountList is a list of ServiceAccount objects +#ServiceAccountList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of ServiceAccounts. + // More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ + items: [...#ServiceAccount] @go(Items,[]ServiceAccount) @protobuf(2,bytes,rep) +} + +// Endpoints is a collection of endpoints that implement the actual service. 
Example: +// +// Name: "mysvc", +// Subsets: [ +// { +// Addresses: [{"ip": "10.10.1.1"}, {"ip": "10.10.2.2"}], +// Ports: [{"name": "a", "port": 8675}, {"name": "b", "port": 309}] +// }, +// { +// Addresses: [{"ip": "10.10.3.3"}], +// Ports: [{"name": "a", "port": 93}, {"name": "b", "port": 76}] +// }, +// ] +#Endpoints: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // The set of all endpoints is the union of all subsets. Addresses are placed into + // subsets according to the IPs they share. A single address with multiple ports, + // some of which are ready and some of which are not (because they come from + // different containers) will result in the address being displayed in different + // subsets for the different ports. No address will appear in both Addresses and + // NotReadyAddresses in the same subset. + // Sets of addresses and ports that comprise a service. + // +optional + subsets?: [...#EndpointSubset] @go(Subsets,[]EndpointSubset) @protobuf(2,bytes,rep) +} + +// EndpointSubset is a group of addresses with a common set of ports. The +// expanded set of endpoints is the Cartesian product of Addresses x Ports. +// For example, given: +// +// { +// Addresses: [{"ip": "10.10.1.1"}, {"ip": "10.10.2.2"}], +// Ports: [{"name": "a", "port": 8675}, {"name": "b", "port": 309}] +// } +// +// The resulting set of endpoints can be viewed as: +// +// a: [ 10.10.1.1:8675, 10.10.2.2:8675 ], +// b: [ 10.10.1.1:309, 10.10.2.2:309 ] +#EndpointSubset: { + // IP addresses which offer the related ports that are marked as ready. These endpoints + // should be considered safe for load balancers and clients to utilize. 
+ // +optional + addresses?: [...#EndpointAddress] @go(Addresses,[]EndpointAddress) @protobuf(1,bytes,rep) + + // IP addresses which offer the related ports but are not currently marked as ready + // because they have not yet finished starting, have recently failed a readiness check, + // or have recently failed a liveness check. + // +optional + notReadyAddresses?: [...#EndpointAddress] @go(NotReadyAddresses,[]EndpointAddress) @protobuf(2,bytes,rep) + + // Port numbers available on the related IP addresses. + // +optional + ports?: [...#EndpointPort] @go(Ports,[]EndpointPort) @protobuf(3,bytes,rep) +} + +// EndpointAddress is a tuple that describes single IP address. +// +structType=atomic +#EndpointAddress: { + // The IP of this endpoint. + // May not be loopback (127.0.0.0/8 or ::1), link-local (169.254.0.0/16 or fe80::/10), + // or link-local multicast (224.0.0.0/24 or ff02::/16). + ip: string @go(IP) @protobuf(1,bytes,opt) + + // The Hostname of this endpoint + // +optional + hostname?: string @go(Hostname) @protobuf(3,bytes,opt) + + // Optional: Node hosting this endpoint. This can be used to determine endpoints local to a node. + // +optional + nodeName?: null | string @go(NodeName,*string) @protobuf(4,bytes,opt) + + // Reference to object providing the endpoint. + // +optional + targetRef?: null | #ObjectReference @go(TargetRef,*ObjectReference) @protobuf(2,bytes,opt) +} + +// EndpointPort is a tuple that describes a single port. +// +structType=atomic +#EndpointPort: { + // The name of this port. This must match the 'name' field in the + // corresponding ServicePort. + // Must be a DNS_LABEL. + // Optional only if one port is defined. + // +optional + name?: string @go(Name) @protobuf(1,bytes,opt) + + // The port number of the endpoint. + port: int32 @go(Port) @protobuf(2,varint,opt) + + // The IP protocol for this port. + // Must be UDP, TCP, or SCTP. + // Default is TCP. 
+ // +optional + protocol?: #Protocol @go(Protocol) @protobuf(3,bytes,opt,casttype=Protocol) + + // The application protocol for this port. + // This is used as a hint for implementations to offer richer behavior for protocols that they understand. + // This field follows standard Kubernetes label syntax. + // Valid values are either: + // + // * Un-prefixed protocol names - reserved for IANA standard service names (as per + // RFC-6335 and https://www.iana.org/assignments/service-names). + // + // * Kubernetes-defined prefixed names: + // * 'kubernetes.io/h2c' - HTTP/2 over cleartext as described in https://www.rfc-editor.org/rfc/rfc7540 + // * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + // * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + // + // * Other protocols should use implementation-defined prefixed names such as + // mycompany.com/my-custom-protocol. + // +optional + appProtocol?: null | string @go(AppProtocol,*string) @protobuf(4,bytes,opt) +} + +// EndpointsList is a list of endpoints. +#EndpointsList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of endpoints. + items: [...#Endpoints] @go(Items,[]Endpoints) @protobuf(2,bytes,rep) +} + +// NodeSpec describes the attributes that a node is created with. +#NodeSpec: { + // PodCIDR represents the pod IP range assigned to the node. + // +optional + podCIDR?: string @go(PodCIDR) @protobuf(1,bytes,opt) + + // podCIDRs represents the IP ranges assigned to the node for usage by Pods on that node. If this + // field is specified, the 0th entry must match the podCIDR field. It may contain at most 1 value for + // each of IPv4 and IPv6. 
+ // +optional + // +patchStrategy=merge + podCIDRs?: [...string] @go(PodCIDRs,[]string) @protobuf(7,bytes,opt) + + // ID of the node assigned by the cloud provider in the format: :// + // +optional + providerID?: string @go(ProviderID) @protobuf(3,bytes,opt) + + // Unschedulable controls node schedulability of new pods. By default, node is schedulable. + // More info: https://kubernetes.io/docs/concepts/nodes/node/#manual-node-administration + // +optional + unschedulable?: bool @go(Unschedulable) @protobuf(4,varint,opt) + + // If specified, the node's taints. + // +optional + taints?: [...#Taint] @go(Taints,[]Taint) @protobuf(5,bytes,opt) + + // Deprecated: Previously used to specify the source of the node's configuration for the DynamicKubeletConfig feature. This feature is removed. + // +optional + configSource?: null | #NodeConfigSource @go(ConfigSource,*NodeConfigSource) @protobuf(6,bytes,opt) + + // Deprecated. Not all kubelets will set this field. Remove field after 1.13. + // see: https://issues.k8s.io/61966 + // +optional + externalID?: string @go(DoNotUseExternalID) @protobuf(2,bytes,opt) +} + +// NodeConfigSource specifies a source of node configuration. Exactly one subfield (excluding metadata) must be non-nil. +// This API is deprecated since 1.22 +#NodeConfigSource: { + // ConfigMap is a reference to a Node's ConfigMap + configMap?: null | #ConfigMapNodeConfigSource @go(ConfigMap,*ConfigMapNodeConfigSource) @protobuf(2,bytes,opt) +} + +// ConfigMapNodeConfigSource contains the information to reference a ConfigMap as a config source for the Node. +// This API is deprecated since 1.22: https://git.k8s.io/enhancements/keps/sig-node/281-dynamic-kubelet-configuration +#ConfigMapNodeConfigSource: { + // Namespace is the metadata.namespace of the referenced ConfigMap. + // This field is required in all cases. + namespace: string @go(Namespace) @protobuf(1,bytes,opt) + + // Name is the metadata.name of the referenced ConfigMap. 
+ // This field is required in all cases. + name: string @go(Name) @protobuf(2,bytes,opt) + + // UID is the metadata.UID of the referenced ConfigMap. + // This field is forbidden in Node.Spec, and required in Node.Status. + // +optional + uid?: types.#UID @go(UID) @protobuf(3,bytes,opt) + + // ResourceVersion is the metadata.ResourceVersion of the referenced ConfigMap. + // This field is forbidden in Node.Spec, and required in Node.Status. + // +optional + resourceVersion?: string @go(ResourceVersion) @protobuf(4,bytes,opt) + + // KubeletConfigKey declares which key of the referenced ConfigMap corresponds to the KubeletConfiguration structure + // This field is required in all cases. + kubeletConfigKey: string @go(KubeletConfigKey) @protobuf(5,bytes,opt) +} + +// DaemonEndpoint contains information about a single Daemon endpoint. +#DaemonEndpoint: { + // Port number of the given endpoint. + Port: int32 @protobuf(1,varint,opt) +} + +// NodeDaemonEndpoints lists ports opened by daemons running on the Node. +#NodeDaemonEndpoints: { + // Endpoint on which Kubelet is listening. + // +optional + kubeletEndpoint?: #DaemonEndpoint @go(KubeletEndpoint) @protobuf(1,bytes,opt) +} + +// NodeSystemInfo is a set of ids/uuids to uniquely identify the node. +#NodeSystemInfo: { + // MachineID reported by the node. For unique machine identification + // in the cluster this field is preferred. Learn more from man(5) + // machine-id: http://man7.org/linux/man-pages/man5/machine-id.5.html + machineID: string @go(MachineID) @protobuf(1,bytes,opt) + + // SystemUUID reported by the node. For unique machine identification + // MachineID is preferred. This field is specific to Red Hat hosts + // https://access.redhat.com/documentation/en-us/red_hat_subscription_management/1/html/rhsm/uuid + systemUUID: string @go(SystemUUID) @protobuf(2,bytes,opt) + + // Boot ID reported by the node. 
+ bootID: string @go(BootID) @protobuf(3,bytes,opt) + + // Kernel Version reported by the node from 'uname -r' (e.g. 3.16.0-0.bpo.4-amd64). + kernelVersion: string @go(KernelVersion) @protobuf(4,bytes,opt) + + // OS Image reported by the node from /etc/os-release (e.g. Debian GNU/Linux 7 (wheezy)). + osImage: string @go(OSImage) @protobuf(5,bytes,opt) + + // ContainerRuntime Version reported by the node through runtime remote API (e.g. containerd://1.4.2). + containerRuntimeVersion: string @go(ContainerRuntimeVersion) @protobuf(6,bytes,opt) + + // Kubelet Version reported by the node. + kubeletVersion: string @go(KubeletVersion) @protobuf(7,bytes,opt) + + // KubeProxy Version reported by the node. + kubeProxyVersion: string @go(KubeProxyVersion) @protobuf(8,bytes,opt) + + // The Operating System reported by the node + operatingSystem: string @go(OperatingSystem) @protobuf(9,bytes,opt) + + // The Architecture reported by the node + architecture: string @go(Architecture) @protobuf(10,bytes,opt) +} + +// NodeConfigStatus describes the status of the config assigned by Node.Spec.ConfigSource. +#NodeConfigStatus: { + // Assigned reports the checkpointed config the node will try to use. + // When Node.Spec.ConfigSource is updated, the node checkpoints the associated + // config payload to local disk, along with a record indicating intended + // config. The node refers to this record to choose its config checkpoint, and + // reports this record in Assigned. Assigned only updates in the status after + // the record has been checkpointed to disk. When the Kubelet is restarted, + // it tries to make the Assigned config the Active config by loading and + // validating the checkpointed payload identified by Assigned. + // +optional + assigned?: null | #NodeConfigSource @go(Assigned,*NodeConfigSource) @protobuf(1,bytes,opt) + + // Active reports the checkpointed config the node is actively using. 
+ // Active will represent either the current version of the Assigned config, + // or the current LastKnownGood config, depending on whether attempting to use the + // Assigned config results in an error. + // +optional + active?: null | #NodeConfigSource @go(Active,*NodeConfigSource) @protobuf(2,bytes,opt) + + // LastKnownGood reports the checkpointed config the node will fall back to + // when it encounters an error attempting to use the Assigned config. + // The Assigned config becomes the LastKnownGood config when the node determines + // that the Assigned config is stable and correct. + // This is currently implemented as a 10-minute soak period starting when the local + // record of Assigned config is updated. If the Assigned config is Active at the end + // of this period, it becomes the LastKnownGood. Note that if Spec.ConfigSource is + // reset to nil (use local defaults), the LastKnownGood is also immediately reset to nil, + // because the local default config is always assumed good. + // You should not make assumptions about the node's method of determining config stability + // and correctness, as this may change or become configurable in the future. + // +optional + lastKnownGood?: null | #NodeConfigSource @go(LastKnownGood,*NodeConfigSource) @protobuf(3,bytes,opt) + + // Error describes any problems reconciling the Spec.ConfigSource to the Active config. + // Errors may occur, for example, attempting to checkpoint Spec.ConfigSource to the local Assigned + // record, attempting to checkpoint the payload associated with Spec.ConfigSource, attempting + // to load or validate the Assigned config, etc. + // Errors may occur at different points while syncing config. Earlier errors (e.g. download or + // checkpointing errors) will not result in a rollback to LastKnownGood, and may resolve across + // Kubelet retries. Later errors (e.g. loading or validating a checkpointed config) will result in + // a rollback to LastKnownGood. 
In the latter case, it is usually possible to resolve the error + // by fixing the config assigned in Spec.ConfigSource. + // You can find additional information for debugging by searching the error message in the Kubelet log. + // Error is a human-readable description of the error state; machines can check whether or not Error + // is empty, but should not rely on the stability of the Error text across Kubelet versions. + // +optional + error?: string @go(Error) @protobuf(4,bytes,opt) +} + +// NodeStatus is information about the current status of a node. +#NodeStatus: { + // Capacity represents the total resources of a node. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacity + // +optional + capacity?: #ResourceList @go(Capacity) @protobuf(1,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // Allocatable represents the resources of a node that are available for scheduling. + // Defaults to Capacity. + // +optional + allocatable?: #ResourceList @go(Allocatable) @protobuf(2,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // NodePhase is the recently observed lifecycle phase of the node. + // More info: https://kubernetes.io/docs/concepts/nodes/node/#phase + // The field is never populated, and now is deprecated. + // +optional + phase?: #NodePhase @go(Phase) @protobuf(3,bytes,opt,casttype=NodePhase) + + // Conditions is an array of current observed node conditions. + // More info: https://kubernetes.io/docs/concepts/nodes/node/#condition + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#NodeCondition] @go(Conditions,[]NodeCondition) @protobuf(4,bytes,rep) + + // List of addresses reachable to the node. + // Queried from cloud provider, if available. + // More info: https://kubernetes.io/docs/concepts/nodes/node/#addresses + // Note: This field is declared as mergeable, but the merge key is not sufficiently + // unique, which can cause data corruption when it is merged. 
Callers should instead + // use a full-replacement patch. See https://pr.k8s.io/79391 for an example. + // Consumers should assume that addresses can change during the + // lifetime of a Node. However, there are some exceptions where this may not + // be possible, such as Pods that inherit a Node's address in its own status or + // consumers of the downward API (status.hostIP). + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + addresses?: [...#NodeAddress] @go(Addresses,[]NodeAddress) @protobuf(5,bytes,rep) + + // Endpoints of daemons running on the Node. + // +optional + daemonEndpoints?: #NodeDaemonEndpoints @go(DaemonEndpoints) @protobuf(6,bytes,opt) + + // Set of ids/uuids to uniquely identify the node. + // More info: https://kubernetes.io/docs/concepts/nodes/node/#info + // +optional + nodeInfo?: #NodeSystemInfo @go(NodeInfo) @protobuf(7,bytes,opt) + + // List of container images on this node + // +optional + images?: [...#ContainerImage] @go(Images,[]ContainerImage) @protobuf(8,bytes,rep) + + // List of attachable volumes in use (mounted) by the node. + // +optional + volumesInUse?: [...#UniqueVolumeName] @go(VolumesInUse,[]UniqueVolumeName) @protobuf(9,bytes,rep) + + // List of volumes that are attached to the node. + // +optional + volumesAttached?: [...#AttachedVolume] @go(VolumesAttached,[]AttachedVolume) @protobuf(10,bytes,rep) + + // Status of the config assigned to the node via the dynamic Kubelet config feature. + // +optional + config?: null | #NodeConfigStatus @go(Config,*NodeConfigStatus) @protobuf(11,bytes,opt) +} + +#UniqueVolumeName: string + +// AttachedVolume describes a volume attached to a node +#AttachedVolume: { + // Name of the attached volume + name: #UniqueVolumeName @go(Name) @protobuf(1,bytes,rep) + + // DevicePath represents the device path where the volume should be available + devicePath: string @go(DevicePath) @protobuf(2,bytes,rep) +} + +// AvoidPods describes pods that should avoid this node. 
This is the value for a +// Node annotation with key scheduler.alpha.kubernetes.io/preferAvoidPods and +// will eventually become a field of NodeStatus. +#AvoidPods: { + // Bounded-sized list of signatures of pods that should avoid this node, sorted + // in timestamp order from oldest to newest. Size of the slice is unspecified. + // +optional + preferAvoidPods?: [...#PreferAvoidPodsEntry] @go(PreferAvoidPods,[]PreferAvoidPodsEntry) @protobuf(1,bytes,rep) +} + +// Describes a class of pods that should avoid this node. +#PreferAvoidPodsEntry: { + // The class of pods. + podSignature: #PodSignature @go(PodSignature) @protobuf(1,bytes,opt) + + // Time at which this entry was added to the list. + // +optional + evictionTime?: metav1.#Time @go(EvictionTime) @protobuf(2,bytes,opt) + + // (brief) reason why this entry was added to the list. + // +optional + reason?: string @go(Reason) @protobuf(3,bytes,opt) + + // Human readable message indicating why this entry was added to the list. + // +optional + message?: string @go(Message) @protobuf(4,bytes,opt) +} + +// Describes the class of pods that should avoid this node. +// Exactly one field should be set. +#PodSignature: { + // Reference to controller whose pods should avoid this node. + // +optional + podController?: null | metav1.#OwnerReference @go(PodController,*metav1.OwnerReference) @protobuf(1,bytes,opt) +} + +// Describe a container image +#ContainerImage: { + // Names by which this image is known. + // e.g. ["kubernetes.example/hyperkube:v1.0.7", "cloud-vendor.registry.example/cloud-vendor/hyperkube:v1.0.7"] + // +optional + names: [...string] @go(Names,[]string) @protobuf(1,bytes,rep) + + // The size of the image in bytes. + // +optional + sizeBytes?: int64 @go(SizeBytes) @protobuf(2,varint,opt) +} + +// +enum +#NodePhase: string // #enumNodePhase + +#enumNodePhase: + #NodePending | + #NodeRunning | + #NodeTerminated + +// NodePending means the node has been created/added by the system, but not configured. 
+#NodePending: #NodePhase & "Pending" + +// NodeRunning means the node has been configured and has Kubernetes components running. +#NodeRunning: #NodePhase & "Running" + +// NodeTerminated means the node has been removed from the cluster. +#NodeTerminated: #NodePhase & "Terminated" + +#NodeConditionType: string // #enumNodeConditionType + +#enumNodeConditionType: + #NodeReady | + #NodeMemoryPressure | + #NodeDiskPressure | + #NodePIDPressure | + #NodeNetworkUnavailable + +// NodeReady means kubelet is healthy and ready to accept pods. +#NodeReady: #NodeConditionType & "Ready" + +// NodeMemoryPressure means the kubelet is under pressure due to insufficient available memory. +#NodeMemoryPressure: #NodeConditionType & "MemoryPressure" + +// NodeDiskPressure means the kubelet is under pressure due to insufficient available disk. +#NodeDiskPressure: #NodeConditionType & "DiskPressure" + +// NodePIDPressure means the kubelet is under pressure due to insufficient available PID. +#NodePIDPressure: #NodeConditionType & "PIDPressure" + +// NodeNetworkUnavailable means that network for the node is not correctly configured. +#NodeNetworkUnavailable: #NodeConditionType & "NetworkUnavailable" + +// NodeCondition contains condition information for a node. +#NodeCondition: { + // Type of node condition. + type: #NodeConditionType @go(Type) @protobuf(1,bytes,opt,casttype=NodeConditionType) + + // Status of the condition, one of True, False, Unknown. + status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus) + + // Last time we got an update on a given condition. + // +optional + lastHeartbeatTime?: metav1.#Time @go(LastHeartbeatTime) @protobuf(3,bytes,opt) + + // Last time the condition transit from one status to another. + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(4,bytes,opt) + + // (brief) reason for the condition's last transition. 
+ // +optional + reason?: string @go(Reason) @protobuf(5,bytes,opt) + + // Human readable message indicating details about last transition. + // +optional + message?: string @go(Message) @protobuf(6,bytes,opt) +} + +#NodeAddressType: string // #enumNodeAddressType + +#enumNodeAddressType: + #NodeHostName | + #NodeInternalIP | + #NodeExternalIP | + #NodeInternalDNS | + #NodeExternalDNS + +// NodeHostName identifies a name of the node. Although every node can be assumed +// to have a NodeAddress of this type, its exact syntax and semantics are not +// defined, and are not consistent between different clusters. +#NodeHostName: #NodeAddressType & "Hostname" + +// NodeInternalIP identifies an IP address which is assigned to one of the node's +// network interfaces. Every node should have at least one address of this type. +// +// An internal IP is normally expected to be reachable from every other node, but +// may not be visible to hosts outside the cluster. By default it is assumed that +// kube-apiserver can reach node internal IPs, though it is possible to configure +// clusters where this is not the case. +// +// NodeInternalIP is the default type of node IP, and does not necessarily imply +// that the IP is ONLY reachable internally. If a node has multiple internal IPs, +// no specific semantics are assigned to the additional IPs. +#NodeInternalIP: #NodeAddressType & "InternalIP" + +// NodeExternalIP identifies an IP address which is, in some way, intended to be +// more usable from outside the cluster then an internal IP, though no specific +// semantics are defined. It may be a globally routable IP, though it is not +// required to be. +// +// External IPs may be assigned directly to an interface on the node, like a +// NodeInternalIP, or alternatively, packets sent to the external IP may be NAT'ed +// to an internal node IP rather than being delivered directly (making the IP less +// efficient for node-to-node traffic than a NodeInternalIP). 
+#NodeExternalIP: #NodeAddressType & "ExternalIP" + +// NodeInternalDNS identifies a DNS name which resolves to an IP address which has +// the characteristics of a NodeInternalIP. The IP it resolves to may or may not +// be a listed NodeInternalIP address. +#NodeInternalDNS: #NodeAddressType & "InternalDNS" + +// NodeExternalDNS identifies a DNS name which resolves to an IP address which has +// the characteristics of a NodeExternalIP. The IP it resolves to may or may not +// be a listed NodeExternalIP address. +#NodeExternalDNS: #NodeAddressType & "ExternalDNS" + +// NodeAddress contains information for the node's address. +#NodeAddress: { + // Node address type, one of Hostname, ExternalIP or InternalIP. + type: #NodeAddressType @go(Type) @protobuf(1,bytes,opt,casttype=NodeAddressType) + + // The node address. + address: string @go(Address) @protobuf(2,bytes,opt) +} + +// ResourceName is the name identifying various resources in a ResourceList. +#ResourceName: string // #enumResourceName + +#enumResourceName: + #ResourceCPU | + #ResourceMemory | + #ResourceStorage | + #ResourceEphemeralStorage | + #ResourcePods | + #ResourceServices | + #ResourceReplicationControllers | + #ResourceQuotas | + #ResourceSecrets | + #ResourceConfigMaps | + #ResourcePersistentVolumeClaims | + #ResourceServicesNodePorts | + #ResourceServicesLoadBalancers | + #ResourceRequestsCPU | + #ResourceRequestsMemory | + #ResourceRequestsStorage | + #ResourceRequestsEphemeralStorage | + #ResourceLimitsCPU | + #ResourceLimitsMemory | + #ResourceLimitsEphemeralStorage + +// CPU, in cores. (500m = .5 cores) +#ResourceCPU: #ResourceName & "cpu" + +// Memory, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) +#ResourceMemory: #ResourceName & "memory" + +// Volume size, in bytes (e,g. 5Gi = 5GiB = 5 * 1024 * 1024 * 1024) +#ResourceStorage: #ResourceName & "storage" + +// Local ephemeral storage, in bytes. 
(500Gi = 500GiB = 500 * 1024 * 1024 * 1024) +// The resource name for ResourceEphemeralStorage is alpha and it can change across releases. +#ResourceEphemeralStorage: #ResourceName & "ephemeral-storage" + +// Default namespace prefix. +#ResourceDefaultNamespacePrefix: "kubernetes.io/" + +// Name prefix for huge page resources (alpha). +#ResourceHugePagesPrefix: "hugepages-" + +// Name prefix for storage resource limits +#ResourceAttachableVolumesPrefix: "attachable-volumes-" + +// ResourceList is a set of (resource name, quantity) pairs. +#ResourceList: {[string]: resource.#Quantity} + +// Node is a worker node in Kubernetes. +// Each node will have a unique identifier in the cache (i.e. in etcd). +#Node: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec defines the behavior of a node. + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #NodeSpec @go(Spec) @protobuf(2,bytes,opt) + + // Most recently observed status of the node. + // Populated by the system. + // Read-only. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #NodeStatus @go(Status) @protobuf(3,bytes,opt) +} + +// NodeList is the whole list of all Nodes which have been registered with master. +#NodeList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of nodes + items: [...#Node] @go(Items,[]Node) @protobuf(2,bytes,rep) +} + +// FinalizerName is the name identifying a finalizer during namespace lifecycle. 
+#FinalizerName: string // #enumFinalizerName + +#enumFinalizerName: + #FinalizerKubernetes + +#FinalizerKubernetes: #FinalizerName & "kubernetes" + +// NamespaceSpec describes the attributes on a Namespace. +#NamespaceSpec: { + // Finalizers is an opaque list of values that must be empty to permanently remove object from storage. + // More info: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/ + // +optional + finalizers?: [...#FinalizerName] @go(Finalizers,[]FinalizerName) @protobuf(1,bytes,rep,casttype=FinalizerName) +} + +// NamespaceStatus is information about the current status of a Namespace. +#NamespaceStatus: { + // Phase is the current lifecycle phase of the namespace. + // More info: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/ + // +optional + phase?: #NamespacePhase @go(Phase) @protobuf(1,bytes,opt,casttype=NamespacePhase) + + // Represents the latest available observations of a namespace's current state. + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#NamespaceCondition] @go(Conditions,[]NamespaceCondition) @protobuf(2,bytes,rep) +} + +// +enum +#NamespacePhase: string // #enumNamespacePhase + +#enumNamespacePhase: + #NamespaceActive | + #NamespaceTerminating + +// NamespaceActive means the namespace is available for use in the system +#NamespaceActive: #NamespacePhase & "Active" + +// NamespaceTerminating means the namespace is undergoing graceful termination +#NamespaceTerminating: #NamespacePhase & "Terminating" + +// NamespaceTerminatingCause is returned as a defaults.cause item when a change is +// forbidden due to the namespace being terminated. 
+#NamespaceTerminatingCause: metav1.#CauseType & "NamespaceTerminating" + +#NamespaceConditionType: string // #enumNamespaceConditionType + +#enumNamespaceConditionType: + #NamespaceDeletionDiscoveryFailure | + #NamespaceDeletionContentFailure | + #NamespaceDeletionGVParsingFailure | + #NamespaceContentRemaining | + #NamespaceFinalizersRemaining + +// NamespaceDeletionDiscoveryFailure contains information about namespace deleter errors during resource discovery. +#NamespaceDeletionDiscoveryFailure: #NamespaceConditionType & "NamespaceDeletionDiscoveryFailure" + +// NamespaceDeletionContentFailure contains information about namespace deleter errors during deletion of resources. +#NamespaceDeletionContentFailure: #NamespaceConditionType & "NamespaceDeletionContentFailure" + +// NamespaceDeletionGVParsingFailure contains information about namespace deleter errors parsing GV for legacy types. +#NamespaceDeletionGVParsingFailure: #NamespaceConditionType & "NamespaceDeletionGroupVersionParsingFailure" + +// NamespaceContentRemaining contains information about resources remaining in a namespace. +#NamespaceContentRemaining: #NamespaceConditionType & "NamespaceContentRemaining" + +// NamespaceFinalizersRemaining contains information about which finalizers are on resources remaining in a namespace. +#NamespaceFinalizersRemaining: #NamespaceConditionType & "NamespaceFinalizersRemaining" + +// NamespaceCondition contains details about state of namespace. +#NamespaceCondition: { + // Type of namespace controller condition. + type: #NamespaceConditionType @go(Type) @protobuf(1,bytes,opt,casttype=NamespaceConditionType) + + // Status of the condition, one of True, False, Unknown. 
+ status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus) + + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(4,bytes,opt) + + // +optional + reason?: string @go(Reason) @protobuf(5,bytes,opt) + + // +optional + message?: string @go(Message) @protobuf(6,bytes,opt) +} + +// Namespace provides a scope for Names. +// Use of multiple namespaces is optional. +#Namespace: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec defines the behavior of the Namespace. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #NamespaceSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status describes the current status of a Namespace. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #NamespaceStatus @go(Status) @protobuf(3,bytes,opt) +} + +// NamespaceList is a list of Namespaces. +#NamespaceList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is the list of Namespace objects in the list. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + items: [...#Namespace] @go(Items,[]Namespace) @protobuf(2,bytes,rep) +} + +// Binding ties one object to another; for example, a pod is bound to a node by a scheduler. +// Deprecated in 1.7, please use the bindings subresource of pods instead. +#Binding: { + metav1.#TypeMeta + + // Standard object's metadata. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // The target object that you want to bind to the standard object. + target: #ObjectReference @go(Target) @protobuf(2,bytes,opt) +} + +// Preconditions must be fulfilled before an operation (update, delete, etc.) is carried out. +// +k8s:openapi-gen=false +#Preconditions: { + // Specifies the target UID. + // +optional + uid?: null | types.#UID @go(UID,*types.UID) @protobuf(1,bytes,opt,casttype=k8s.io/apimachinery/pkg/types.UID) +} + +// PodLogOptions is the query options for a Pod's logs REST call. +#PodLogOptions: { + metav1.#TypeMeta + + // The container for which to stream logs. Defaults to only container if there is one container in the pod. + // +optional + container?: string @go(Container) @protobuf(1,bytes,opt) + + // Follow the log stream of the pod. Defaults to false. + // +optional + follow?: bool @go(Follow) @protobuf(2,varint,opt) + + // Return previous terminated container logs. Defaults to false. + // +optional + previous?: bool @go(Previous) @protobuf(3,varint,opt) + + // A relative time in seconds before the current time from which to show logs. If this value + // precedes the time a pod was started, only logs since the pod start will be returned. + // If this value is in the future, no logs will be returned. + // Only one of sinceSeconds or sinceTime may be specified. + // +optional + sinceSeconds?: null | int64 @go(SinceSeconds,*int64) @protobuf(4,varint,opt) + + // An RFC3339 timestamp from which to show logs. If this value + // precedes the time a pod was started, only logs since the pod start will be returned. + // If this value is in the future, no logs will be returned. + // Only one of sinceSeconds or sinceTime may be specified. 
+ // +optional + sinceTime?: null | metav1.#Time @go(SinceTime,*metav1.Time) @protobuf(5,bytes,opt) + + // If true, add an RFC3339 or RFC3339Nano timestamp at the beginning of every line + // of log output. Defaults to false. + // +optional + timestamps?: bool @go(Timestamps) @protobuf(6,varint,opt) + + // If set, the number of lines from the end of the logs to show. If not specified, + // logs are shown from the creation of the container or sinceSeconds or sinceTime + // +optional + tailLines?: null | int64 @go(TailLines,*int64) @protobuf(7,varint,opt) + + // If set, the number of bytes to read from the server before terminating the + // log output. This may not display a complete final line of logging, and may return + // slightly more or slightly less than the specified limit. + // +optional + limitBytes?: null | int64 @go(LimitBytes,*int64) @protobuf(8,varint,opt) + + // insecureSkipTLSVerifyBackend indicates that the apiserver should not confirm the validity of the + // serving certificate of the backend it is connecting to. This will make the HTTPS connection between the apiserver + // and the backend insecure. This means the apiserver cannot verify the log data it is receiving came from the real + // kubelet. If the kubelet is configured to verify the apiserver's TLS credentials, it does not mean the + // connection to the real kubelet is vulnerable to a man in the middle attack (e.g. an attacker could not intercept + // the actual log data coming from the real kubelet). + // +optional + insecureSkipTLSVerifyBackend?: bool @go(InsecureSkipTLSVerifyBackend) @protobuf(9,varint,opt) +} + +// PodAttachOptions is the query options to a Pod's remote attach call. 
+// --- +// TODO: merge w/ PodExecOptions below for stdin, stdout, etc +// and also when we cut V2, we should export a "StreamOptions" or somesuch that contains Stdin, Stdout, Stder and TTY +#PodAttachOptions: { + metav1.#TypeMeta + + // Stdin if true, redirects the standard input stream of the pod for this call. + // Defaults to false. + // +optional + stdin?: bool @go(Stdin) @protobuf(1,varint,opt) + + // Stdout if true indicates that stdout is to be redirected for the attach call. + // Defaults to true. + // +optional + stdout?: bool @go(Stdout) @protobuf(2,varint,opt) + + // Stderr if true indicates that stderr is to be redirected for the attach call. + // Defaults to true. + // +optional + stderr?: bool @go(Stderr) @protobuf(3,varint,opt) + + // TTY if true indicates that a tty will be allocated for the attach call. + // This is passed through the container runtime so the tty + // is allocated on the worker node by the container runtime. + // Defaults to false. + // +optional + tty?: bool @go(TTY) @protobuf(4,varint,opt) + + // The container in which to execute the command. + // Defaults to only container if there is only one container in the pod. + // +optional + container?: string @go(Container) @protobuf(5,bytes,opt) +} + +// PodExecOptions is the query options to a Pod's remote exec call. +// --- +// TODO: This is largely identical to PodAttachOptions above, make sure they stay in sync and see about merging +// and also when we cut V2, we should export a "StreamOptions" or somesuch that contains Stdin, Stdout, Stder and TTY +#PodExecOptions: { + metav1.#TypeMeta + + // Redirect the standard input stream of the pod for this call. + // Defaults to false. + // +optional + stdin?: bool @go(Stdin) @protobuf(1,varint,opt) + + // Redirect the standard output stream of the pod for this call. + // +optional + stdout?: bool @go(Stdout) @protobuf(2,varint,opt) + + // Redirect the standard error stream of the pod for this call. 
+ // +optional + stderr?: bool @go(Stderr) @protobuf(3,varint,opt) + + // TTY if true indicates that a tty will be allocated for the exec call. + // Defaults to false. + // +optional + tty?: bool @go(TTY) @protobuf(4,varint,opt) + + // Container in which to execute the command. + // Defaults to only container if there is only one container in the pod. + // +optional + container?: string @go(Container) @protobuf(5,bytes,opt) + + // Command is the remote command to execute. argv array. Not executed within a shell. + command: [...string] @go(Command,[]string) @protobuf(6,bytes,rep) +} + +// PodPortForwardOptions is the query options to a Pod's port forward call +// when using WebSockets. +// The `port` query parameter must specify the port or +// ports (comma separated) to forward over. +// Port forwarding over SPDY does not use these options. It requires the port +// to be passed in the `port` header as part of request. +#PodPortForwardOptions: { + metav1.#TypeMeta + + // List of ports to forward + // Required when using WebSockets + // +optional + ports?: [...int32] @go(Ports,[]int32) @protobuf(1,varint,rep) +} + +// PodProxyOptions is the query options to a Pod's proxy call. +#PodProxyOptions: { + metav1.#TypeMeta + + // Path is the URL path to use for the current proxy request to pod. + // +optional + path?: string @go(Path) @protobuf(1,bytes,opt) +} + +// NodeProxyOptions is the query options to a Node's proxy call. +#NodeProxyOptions: { + metav1.#TypeMeta + + // Path is the URL path to use for the current proxy request to node. + // +optional + path?: string @go(Path) @protobuf(1,bytes,opt) +} + +// ServiceProxyOptions is the query options to a Service's proxy call. +#ServiceProxyOptions: { + metav1.#TypeMeta + + // Path is the part of URLs that include service endpoints, suffixes, + // and parameters to use for the current proxy request to service. 
+ // For example, the whole request URL is + // http://localhost/api/v1/namespaces/kube-system/services/elasticsearch-logging/_search?q=user:kimchy. + // Path is _search?q=user:kimchy. + // +optional + path?: string @go(Path) @protobuf(1,bytes,opt) +} + +// ObjectReference contains enough information to let you inspect or modify the referred object. +// --- +// New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. +// 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. +// 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular +// restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". +// Those cannot be well described when embedded. +// 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. +// 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity +// during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple +// and the version of the actual struct is irrelevant. +// 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type +// will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. +// +// Instead of using this type, create a locally provided and used type that is well-focused on your reference. +// For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . 
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +structType=atomic +#ObjectReference: { + // Kind of the referent. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + kind?: string @go(Kind) @protobuf(1,bytes,opt) + + // Namespace of the referent. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + // +optional + namespace?: string @go(Namespace) @protobuf(2,bytes,opt) + + // Name of the referent. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + // +optional + name?: string @go(Name) @protobuf(3,bytes,opt) + + // UID of the referent. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + // +optional + uid?: types.#UID @go(UID) @protobuf(4,bytes,opt,casttype=k8s.io/apimachinery/pkg/types.UID) + + // API version of the referent. + // +optional + apiVersion?: string @go(APIVersion) @protobuf(5,bytes,opt) + + // Specific resourceVersion to which this reference is made, if any. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + // +optional + resourceVersion?: string @go(ResourceVersion) @protobuf(6,bytes,opt) + + // If referring to a piece of an object instead of an entire object, this string + // should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + // For example, if the object reference is to a container within a pod, this would take on a value like: + // "spec.containers{name}" (where "name" refers to the name of the container that triggered + // the event) or if no container name is specified "spec.containers[2]" (container with + // index 2 in this pod). This syntax is chosen only to have some well-defined way of + // referencing a part of an object. 
+ // TODO: this design is not final and this field is subject to change in the future. + // +optional + fieldPath?: string @go(FieldPath) @protobuf(7,bytes,opt) +} + +// LocalObjectReference contains enough information to let you locate the +// referenced object inside the same namespace. +// +structType=atomic +#LocalObjectReference: { + // Name of the referent. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + // TODO: Add other useful fields. apiVersion, kind, uid? + // +optional + name?: string @go(Name) @protobuf(1,bytes,opt) +} + +// TypedLocalObjectReference contains enough information to let you locate the +// typed referenced object inside the same namespace. +// +structType=atomic +#TypedLocalObjectReference: { + // APIGroup is the group for the resource being referenced. + // If APIGroup is not specified, the specified Kind must be in the core API group. + // For any other third-party types, APIGroup is required. + // +optional + apiGroup?: null | string @go(APIGroup,*string) @protobuf(1,bytes,opt) + + // Kind is the type of resource being referenced + kind: string @go(Kind) @protobuf(2,bytes,opt) + + // Name is the name of resource being referenced + name: string @go(Name) @protobuf(3,bytes,opt) +} + +// SerializedReference is a reference to serialized object. +#SerializedReference: { + metav1.#TypeMeta + + // The reference to an object in the system. + // +optional + reference?: #ObjectReference @go(Reference) @protobuf(1,bytes,opt) +} + +// EventSource contains information for an event. +#EventSource: { + // Component from which the event is generated. + // +optional + component?: string @go(Component) @protobuf(1,bytes,opt) + + // Node name on which the event is generated. 
+ // +optional + host?: string @go(Host) @protobuf(2,bytes,opt) +} + +// Information only and will not cause any problems +#EventTypeNormal: "Normal" + +// These events are to warn that something might go wrong +#EventTypeWarning: "Warning" + +// Event is a report of an event somewhere in the cluster. Events +// have a limited retention time and triggers and messages may evolve +// with time. Event consumers should not rely on the timing of an event +// with a given Reason reflecting a consistent underlying trigger, or the +// continued existence of events with that Reason. Events should be +// treated as informative, best-effort, supplemental data. +#Event: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + metadata: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // The object that this event is about. + involvedObject: #ObjectReference @go(InvolvedObject) @protobuf(2,bytes,opt) + + // This should be a short, machine understandable string that gives the reason + // for the transition into the object's current status. + // TODO: provide exact specification for format. + // +optional + reason?: string @go(Reason) @protobuf(3,bytes,opt) + + // A human-readable description of the status of this operation. + // TODO: decide on maximum length. + // +optional + message?: string @go(Message) @protobuf(4,bytes,opt) + + // The component reporting this event. Should be a short machine understandable string. + // +optional + source?: #EventSource @go(Source) @protobuf(5,bytes,opt) + + // The time at which the event was first recorded. (Time of server receipt is in TypeMeta.) + // +optional + firstTimestamp?: metav1.#Time @go(FirstTimestamp) @protobuf(6,bytes,opt) + + // The time at which the most recent occurrence of this event was recorded. 
+ // +optional + lastTimestamp?: metav1.#Time @go(LastTimestamp) @protobuf(7,bytes,opt) + + // The number of times this event has occurred. + // +optional + count?: int32 @go(Count) @protobuf(8,varint,opt) + + // Type of this event (Normal, Warning), new types could be added in the future + // +optional + type?: string @go(Type) @protobuf(9,bytes,opt) + + // Time when this Event was first observed. + // +optional + eventTime?: metav1.#MicroTime @go(EventTime) @protobuf(10,bytes,opt) + + // Data about the Event series this event represents or nil if it's a singleton Event. + // +optional + series?: null | #EventSeries @go(Series,*EventSeries) @protobuf(11,bytes,opt) + + // What action was taken/failed regarding to the Regarding object. + // +optional + action?: string @go(Action) @protobuf(12,bytes,opt) + + // Optional secondary object for more complex actions. + // +optional + related?: null | #ObjectReference @go(Related,*ObjectReference) @protobuf(13,bytes,opt) + + // Name of the controller that emitted this Event, e.g. `kubernetes.io/kubelet`. + // +optional + reportingComponent: string @go(ReportingController) @protobuf(14,bytes,opt) + + // ID of the controller instance, e.g. `kubelet-xyzf`. + // +optional + reportingInstance: string @go(ReportingInstance) @protobuf(15,bytes,opt) +} + +// EventSeries contain information on series of events, i.e. thing that was/is happening +// continuously for some time. +#EventSeries: { + // Number of occurrences in this series up to the last heartbeat time + count?: int32 @go(Count) @protobuf(1,varint) + + // Time of the last occurrence observed + lastObservedTime?: metav1.#MicroTime @go(LastObservedTime) @protobuf(2,bytes) +} + +// EventList is a list of events. +#EventList: { + metav1.#TypeMeta + + // Standard list metadata. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of events + items: [...#Event] @go(Items,[]Event) @protobuf(2,bytes,rep) +} + +// List holds a list of objects, which may not be known by the server. +#List: metav1.#List + +// LimitType is a type of object that is limited. It can be Pod, Container, PersistentVolumeClaim or +// a fully qualified resource name. +#LimitType: string // #enumLimitType + +#enumLimitType: + #LimitTypePod | + #LimitTypeContainer | + #LimitTypePersistentVolumeClaim + +// Limit that applies to all pods in a namespace +#LimitTypePod: #LimitType & "Pod" + +// Limit that applies to all containers in a namespace +#LimitTypeContainer: #LimitType & "Container" + +// Limit that applies to all persistent volume claims in a namespace +#LimitTypePersistentVolumeClaim: #LimitType & "PersistentVolumeClaim" + +// LimitRangeItem defines a min/max usage limit for any resource that matches on kind. +#LimitRangeItem: { + // Type of resource that this limit applies to. + type: #LimitType @go(Type) @protobuf(1,bytes,opt,casttype=LimitType) + + // Max usage constraints on this kind by resource name. + // +optional + max?: #ResourceList @go(Max) @protobuf(2,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // Min usage constraints on this kind by resource name. + // +optional + min?: #ResourceList @go(Min) @protobuf(3,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // Default resource requirement limit value by resource name if resource limit is omitted. + // +optional + default?: #ResourceList @go(Default) @protobuf(4,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // DefaultRequest is the default resource requirement request value by resource name if resource request is omitted. 
+ // +optional + defaultRequest?: #ResourceList @go(DefaultRequest) @protobuf(5,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // MaxLimitRequestRatio if specified, the named resource must have a request and limit that are both non-zero where limit divided by request is less than or equal to the enumerated value; this represents the max burst for the named resource. + // +optional + maxLimitRequestRatio?: #ResourceList @go(MaxLimitRequestRatio) @protobuf(6,bytes,rep,casttype=ResourceList,castkey=ResourceName) +} + +// LimitRangeSpec defines a min/max usage limit for resources that match on kind. +#LimitRangeSpec: { + // Limits is the list of LimitRangeItem objects that are enforced. + limits: [...#LimitRangeItem] @go(Limits,[]LimitRangeItem) @protobuf(1,bytes,rep) +} + +// LimitRange sets resource usage limits for each kind of resource in a Namespace. +#LimitRange: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec defines the limits enforced. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #LimitRangeSpec @go(Spec) @protobuf(2,bytes,opt) +} + +// LimitRangeList is a list of LimitRange items. +#LimitRangeList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of LimitRange objects. 
+ // More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + items: [...#LimitRange] @go(Items,[]LimitRange) @protobuf(2,bytes,rep) +} + +// Pods, number +#ResourcePods: #ResourceName & "pods" + +// Services, number +#ResourceServices: #ResourceName & "services" + +// ReplicationControllers, number +#ResourceReplicationControllers: #ResourceName & "replicationcontrollers" + +// ResourceQuotas, number +#ResourceQuotas: #ResourceName & "resourcequotas" + +// ResourceSecrets, number +#ResourceSecrets: #ResourceName & "secrets" + +// ResourceConfigMaps, number +#ResourceConfigMaps: #ResourceName & "configmaps" + +// ResourcePersistentVolumeClaims, number +#ResourcePersistentVolumeClaims: #ResourceName & "persistentvolumeclaims" + +// ResourceServicesNodePorts, number +#ResourceServicesNodePorts: #ResourceName & "services.nodeports" + +// ResourceServicesLoadBalancers, number +#ResourceServicesLoadBalancers: #ResourceName & "services.loadbalancers" + +// CPU request, in cores. (500m = .5 cores) +#ResourceRequestsCPU: #ResourceName & "requests.cpu" + +// Memory request, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) +#ResourceRequestsMemory: #ResourceName & "requests.memory" + +// Storage request, in bytes +#ResourceRequestsStorage: #ResourceName & "requests.storage" + +// Local ephemeral storage request, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) +#ResourceRequestsEphemeralStorage: #ResourceName & "requests.ephemeral-storage" + +// CPU limit, in cores. (500m = .5 cores) +#ResourceLimitsCPU: #ResourceName & "limits.cpu" + +// Memory limit, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) +#ResourceLimitsMemory: #ResourceName & "limits.memory" + +// Local ephemeral storage limit, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) +#ResourceLimitsEphemeralStorage: #ResourceName & "limits.ephemeral-storage" + +// HugePages request, in bytes. 
(500Gi = 500GiB = 500 * 1024 * 1024 * 1024) +// As burst is not supported for HugePages, we would only quota its request, and ignore the limit. +#ResourceRequestsHugePagesPrefix: "requests.hugepages-" + +// Default resource requests prefix +#DefaultResourceRequestsPrefix: "requests." + +// A ResourceQuotaScope defines a filter that must match each object tracked by a quota +// +enum +#ResourceQuotaScope: string // #enumResourceQuotaScope + +#enumResourceQuotaScope: + #ResourceQuotaScopeTerminating | + #ResourceQuotaScopeNotTerminating | + #ResourceQuotaScopeBestEffort | + #ResourceQuotaScopeNotBestEffort | + #ResourceQuotaScopePriorityClass | + #ResourceQuotaScopeCrossNamespacePodAffinity + +// Match all pod objects where spec.activeDeadlineSeconds >=0 +#ResourceQuotaScopeTerminating: #ResourceQuotaScope & "Terminating" + +// Match all pod objects where spec.activeDeadlineSeconds is nil +#ResourceQuotaScopeNotTerminating: #ResourceQuotaScope & "NotTerminating" + +// Match all pod objects that have best effort quality of service +#ResourceQuotaScopeBestEffort: #ResourceQuotaScope & "BestEffort" + +// Match all pod objects that do not have best effort quality of service +#ResourceQuotaScopeNotBestEffort: #ResourceQuotaScope & "NotBestEffort" + +// Match all pod objects that have priority class mentioned +#ResourceQuotaScopePriorityClass: #ResourceQuotaScope & "PriorityClass" + +// Match all pod objects that have cross-namespace pod (anti)affinity mentioned. +#ResourceQuotaScopeCrossNamespacePodAffinity: #ResourceQuotaScope & "CrossNamespacePodAffinity" + +// ResourceQuotaSpec defines the desired hard limits to enforce for Quota. +#ResourceQuotaSpec: { + // hard is the set of desired hard limits for each named resource. 
+ // More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/ + // +optional + hard?: #ResourceList @go(Hard) @protobuf(1,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // A collection of filters that must match each object tracked by a quota. + // If not specified, the quota matches all objects. + // +optional + scopes?: [...#ResourceQuotaScope] @go(Scopes,[]ResourceQuotaScope) @protobuf(2,bytes,rep,casttype=ResourceQuotaScope) + + // scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota + // but expressed using ScopeSelectorOperator in combination with possible values. + // For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched. + // +optional + scopeSelector?: null | #ScopeSelector @go(ScopeSelector,*ScopeSelector) @protobuf(3,bytes,opt) +} + +// A scope selector represents the AND of the selectors represented +// by the scoped-resource selector requirements. +// +structType=atomic +#ScopeSelector: { + // A list of scope selector requirements by scope of the resources. + // +optional + matchExpressions?: [...#ScopedResourceSelectorRequirement] @go(MatchExpressions,[]ScopedResourceSelectorRequirement) @protobuf(1,bytes,rep) +} + +// A scoped-resource selector requirement is a selector that contains values, a scope name, and an operator +// that relates the scope name and values. +#ScopedResourceSelectorRequirement: { + // The name of the scope that the selector applies to. + scopeName: #ResourceQuotaScope @go(ScopeName) @protobuf(1,bytes,opt) + + // Represents a scope's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. + operator: #ScopeSelectorOperator @go(Operator) @protobuf(2,bytes,opt,casttype=ScopedResourceSelectorOperator) + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + // the values array must be empty. + // This array is replaced during a strategic merge patch. + // +optional + values?: [...string] @go(Values,[]string) @protobuf(3,bytes,rep) +} + +// A scope selector operator is the set of operators that can be used in +// a scope selector requirement. +// +enum +#ScopeSelectorOperator: string // #enumScopeSelectorOperator + +#enumScopeSelectorOperator: + #ScopeSelectorOpIn | + #ScopeSelectorOpNotIn | + #ScopeSelectorOpExists | + #ScopeSelectorOpDoesNotExist + +#ScopeSelectorOpIn: #ScopeSelectorOperator & "In" +#ScopeSelectorOpNotIn: #ScopeSelectorOperator & "NotIn" +#ScopeSelectorOpExists: #ScopeSelectorOperator & "Exists" +#ScopeSelectorOpDoesNotExist: #ScopeSelectorOperator & "DoesNotExist" + +// ResourceQuotaStatus defines the enforced hard limits and observed use. +#ResourceQuotaStatus: { + // Hard is the set of enforced hard limits for each named resource. + // More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/ + // +optional + hard?: #ResourceList @go(Hard) @protobuf(1,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // Used is the current observed total usage of the resource in the namespace. + // +optional + used?: #ResourceList @go(Used) @protobuf(2,bytes,rep,casttype=ResourceList,castkey=ResourceName) +} + +// ResourceQuota sets aggregate quota restrictions enforced per namespace +#ResourceQuota: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec defines the desired quota. + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #ResourceQuotaSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status defines the actual enforced quota and its current usage. 
+ // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #ResourceQuotaStatus @go(Status) @protobuf(3,bytes,opt) +} + +// ResourceQuotaList is a list of ResourceQuota items. +#ResourceQuotaList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of ResourceQuota objects. + // More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/ + items: [...#ResourceQuota] @go(Items,[]ResourceQuota) @protobuf(2,bytes,rep) +} + +// Secret holds secret data of a certain type. The total bytes of the values in +// the Data field must be less than MaxSecretSize bytes. +#Secret: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Immutable, if set to true, ensures that data stored in the Secret cannot + // be updated (only object metadata can be modified). + // If not set to true, the field can be modified at any time. + // Defaulted to nil. + // +optional + immutable?: null | bool @go(Immutable,*bool) @protobuf(5,varint,opt) + + // Data contains the secret data. Each key must consist of alphanumeric + // characters, '-', '_' or '.'. The serialized form of the secret data is a + // base64 encoded string, representing the arbitrary (possibly non-string) + // data value here. Described in https://tools.ietf.org/html/rfc4648#section-4 + // +optional + data?: {[string]: bytes} @go(Data,map[string][]byte) @protobuf(2,bytes,rep) + + // stringData allows specifying non-binary secret data in string form. + // It is provided as a write-only input field for convenience. 
+ // All keys and values are merged into the data field on write, overwriting any existing values. + // The stringData field is never output when reading from the API. + // +k8s:conversion-gen=false + // +optional + stringData?: {[string]: string} @go(StringData,map[string]string) @protobuf(4,bytes,rep) + + // Used to facilitate programmatic handling of secret data. + // More info: https://kubernetes.io/docs/concepts/configuration/secret/#secret-types + // +optional + type?: #SecretType @go(Type) @protobuf(3,bytes,opt,casttype=SecretType) +} + +#MaxSecretSize: 1048576 + +#SecretType: string // #enumSecretType + +#enumSecretType: + #SecretTypeOpaque | + #SecretTypeServiceAccountToken | + #SecretTypeDockercfg | + #SecretTypeDockerConfigJson | + #SecretTypeBasicAuth | + #SecretTypeSSHAuth | + #SecretTypeTLS | + #SecretTypeBootstrapToken + +// SecretTypeOpaque is the default. Arbitrary user-defined data +#SecretTypeOpaque: #SecretType & "Opaque" + +// SecretTypeServiceAccountToken contains a token that identifies a service account to the API +// +// Required fields: +// - Secret.Annotations["kubernetes.io/service-account.name"] - the name of the ServiceAccount the token identifies +// - Secret.Annotations["kubernetes.io/service-account.uid"] - the UID of the ServiceAccount the token identifies +// - Secret.Data["token"] - a token that identifies the service account to the API +#SecretTypeServiceAccountToken: #SecretType & "kubernetes.io/service-account-token" + +// ServiceAccountNameKey is the key of the required annotation for SecretTypeServiceAccountToken secrets +#ServiceAccountNameKey: "kubernetes.io/service-account.name" + +// ServiceAccountUIDKey is the key of the required annotation for SecretTypeServiceAccountToken secrets +#ServiceAccountUIDKey: "kubernetes.io/service-account.uid" + +// ServiceAccountTokenKey is the key of the required data for SecretTypeServiceAccountToken secrets +#ServiceAccountTokenKey: "token" + +// ServiceAccountKubeconfigKey is the key 
of the optional kubeconfig data for SecretTypeServiceAccountToken secrets +#ServiceAccountKubeconfigKey: "kubernetes.kubeconfig" + +// ServiceAccountRootCAKey is the key of the optional root certificate authority for SecretTypeServiceAccountToken secrets +#ServiceAccountRootCAKey: "ca.crt" + +// ServiceAccountNamespaceKey is the key of the optional namespace to use as the default for namespaced API calls +#ServiceAccountNamespaceKey: "namespace" + +// SecretTypeDockercfg contains a dockercfg file that follows the same format rules as ~/.dockercfg +// +// Required fields: +// - Secret.Data[".dockercfg"] - a serialized ~/.dockercfg file +#SecretTypeDockercfg: #SecretType & "kubernetes.io/dockercfg" + +// DockerConfigKey is the key of the required data for SecretTypeDockercfg secrets +#DockerConfigKey: ".dockercfg" + +// SecretTypeDockerConfigJson contains a dockercfg file that follows the same format rules as ~/.docker/config.json +// +// Required fields: +// - Secret.Data[".dockerconfigjson"] - a serialized ~/.docker/config.json file +#SecretTypeDockerConfigJson: #SecretType & "kubernetes.io/dockerconfigjson" + +// DockerConfigJsonKey is the key of the required data for SecretTypeDockerConfigJson secrets +#DockerConfigJsonKey: ".dockerconfigjson" + +// SecretTypeBasicAuth contains data needed for basic authentication. +// +// Required at least one of fields: +// - Secret.Data["username"] - username used for authentication +// - Secret.Data["password"] - password or token needed for authentication +#SecretTypeBasicAuth: #SecretType & "kubernetes.io/basic-auth" + +// BasicAuthUsernameKey is the key of the username for SecretTypeBasicAuth secrets +#BasicAuthUsernameKey: "username" + +// BasicAuthPasswordKey is the key of the password or token for SecretTypeBasicAuth secrets +#BasicAuthPasswordKey: "password" + +// SecretTypeSSHAuth contains data needed for SSH authetication. 
+// +// Required field: +// - Secret.Data["ssh-privatekey"] - private SSH key needed for authentication +#SecretTypeSSHAuth: #SecretType & "kubernetes.io/ssh-auth" + +// SSHAuthPrivateKey is the key of the required SSH private key for SecretTypeSSHAuth secrets +#SSHAuthPrivateKey: "ssh-privatekey" + +// SecretTypeTLS contains information about a TLS client or server secret. It +// is primarily used with TLS termination of the Ingress resource, but may be +// used in other types. +// +// Required fields: +// - Secret.Data["tls.key"] - TLS private key. +// Secret.Data["tls.crt"] - TLS certificate. +// TODO: Consider supporting different formats, specifying CA/destinationCA. +#SecretTypeTLS: #SecretType & "kubernetes.io/tls" + +// TLSCertKey is the key for tls certificates in a TLS secret. +#TLSCertKey: "tls.crt" + +// TLSPrivateKeyKey is the key for the private key field in a TLS secret. +#TLSPrivateKeyKey: "tls.key" + +// SecretTypeBootstrapToken is used during the automated bootstrap process (first +// implemented by kubeadm). It stores tokens that are used to sign well known +// ConfigMaps. They are used for authn. +#SecretTypeBootstrapToken: #SecretType & "bootstrap.kubernetes.io/token" + +// SecretList is a list of Secret. +#SecretList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of secret objects. + // More info: https://kubernetes.io/docs/concepts/configuration/secret + items: [...#Secret] @go(Items,[]Secret) @protobuf(2,bytes,rep) +} + +// ConfigMap holds configuration data for pods to consume. +#ConfigMap: { + metav1.#TypeMeta + + // Standard object's metadata. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Immutable, if set to true, ensures that data stored in the ConfigMap cannot + // be updated (only object metadata can be modified). + // If not set to true, the field can be modified at any time. + // Defaulted to nil. + // +optional + immutable?: null | bool @go(Immutable,*bool) @protobuf(4,varint,opt) + + // Data contains the configuration data. + // Each key must consist of alphanumeric characters, '-', '_' or '.'. + // Values with non-UTF-8 byte sequences must use the BinaryData field. + // The keys stored in Data must not overlap with the keys in + // the BinaryData field, this is enforced during validation process. + // +optional + data?: {[string]: string} @go(Data,map[string]string) @protobuf(2,bytes,rep) + + // BinaryData contains the binary data. + // Each key must consist of alphanumeric characters, '-', '_' or '.'. + // BinaryData can contain byte sequences that are not in the UTF-8 range. + // The keys stored in BinaryData must not overlap with the ones in + // the Data field, this is enforced during validation process. + // Using this field will require 1.10+ apiserver and + // kubelet. + // +optional + binaryData?: {[string]: bytes} @go(BinaryData,map[string][]byte) @protobuf(3,bytes,rep) +} + +// ConfigMapList is a resource containing a list of ConfigMap objects. +#ConfigMapList: { + metav1.#TypeMeta + + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is the list of ConfigMaps. + items: [...#ConfigMap] @go(Items,[]ConfigMap) @protobuf(2,bytes,rep) +} + +// Type and constants for component health validation. 
+#ComponentConditionType: string // #enumComponentConditionType + +#enumComponentConditionType: + #ComponentHealthy + +#ComponentHealthy: #ComponentConditionType & "Healthy" + +// Information about the condition of a component. +#ComponentCondition: { + // Type of condition for a component. + // Valid value: "Healthy" + type: #ComponentConditionType @go(Type) @protobuf(1,bytes,opt,casttype=ComponentConditionType) + + // Status of the condition for a component. + // Valid values for "Healthy": "True", "False", or "Unknown". + status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus) + + // Message about the condition for a component. + // For example, information about a health check. + // +optional + message?: string @go(Message) @protobuf(3,bytes,opt) + + // Condition error code for a component. + // For example, a health check error code. + // +optional + error?: string @go(Error) @protobuf(4,bytes,opt) +} + +// ComponentStatus (and ComponentStatusList) holds the cluster validation info. +// Deprecated: This API is deprecated in v1.19+ +#ComponentStatus: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // List of component conditions observed + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#ComponentCondition] @go(Conditions,[]ComponentCondition) @protobuf(2,bytes,rep) +} + +// Status of all the conditions for the component as a list of ComponentStatus objects. +// Deprecated: This API is deprecated in v1.19+ +#ComponentStatusList: { + metav1.#TypeMeta + + // Standard list metadata. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of ComponentStatus objects. + items: [...#ComponentStatus] @go(Items,[]ComponentStatus) @protobuf(2,bytes,rep) +} + +// DownwardAPIVolumeSource represents a volume containing downward API info. +// Downward API volumes support ownership management and SELinux relabeling. +#DownwardAPIVolumeSource: { + // Items is a list of downward API volume file + // +optional + items?: [...#DownwardAPIVolumeFile] @go(Items,[]DownwardAPIVolumeFile) @protobuf(1,bytes,rep) + + // Optional: mode bits to use on created files by default. Must be a + // Optional: mode bits used to set permissions on created files by default. + // Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + // Defaults to 0644. + // Directories within the path are not affected by this setting. + // This might be in conflict with other options that affect the file + // mode, like fsGroup, and the result can be other mode bits set. + // +optional + defaultMode?: null | int32 @go(DefaultMode,*int32) @protobuf(2,varint,opt) +} + +#DownwardAPIVolumeSourceDefaultMode: int32 & 0o644 + +// DownwardAPIVolumeFile represents information to create the file containing the pod field +#DownwardAPIVolumeFile: { + // Required: Path is the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..' + path: string @go(Path) @protobuf(1,bytes,opt) + + // Required: Selects a field of the pod: only annotations, labels, name and namespace are supported. 
+ // +optional + fieldRef?: null | #ObjectFieldSelector @go(FieldRef,*ObjectFieldSelector) @protobuf(2,bytes,opt) + + // Selects a resource of the container: only resources limits and requests + // (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + // +optional + resourceFieldRef?: null | #ResourceFieldSelector @go(ResourceFieldRef,*ResourceFieldSelector) @protobuf(3,bytes,opt) + + // Optional: mode bits used to set permissions on this file, must be an octal value + // between 0000 and 0777 or a decimal value between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + // If not specified, the volume defaultMode will be used. + // This might be in conflict with other options that affect the file + // mode, like fsGroup, and the result can be other mode bits set. + // +optional + mode?: null | int32 @go(Mode,*int32) @protobuf(4,varint,opt) +} + +// Represents downward API info for projecting into a projected volume. +// Note that this is identical to a downwardAPI volume source without the default +// mode. +#DownwardAPIProjection: { + // Items is a list of DownwardAPIVolume file + // +optional + items?: [...#DownwardAPIVolumeFile] @go(Items,[]DownwardAPIVolumeFile) @protobuf(1,bytes,rep) +} + +// SecurityContext holds security configuration that will be applied to a container. +// Some fields are present in both SecurityContext and PodSecurityContext. When both +// are set, the values in SecurityContext take precedence. +#SecurityContext: { + // The capabilities to add/drop when running containers. + // Defaults to the default set of capabilities granted by the container runtime. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + capabilities?: null | #Capabilities @go(Capabilities,*Capabilities) @protobuf(1,bytes,opt) + + // Run container in privileged mode. 
+ // Processes in privileged containers are essentially equivalent to root on the host. + // Defaults to false. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + privileged?: null | bool @go(Privileged,*bool) @protobuf(2,varint,opt) + + // The SELinux context to be applied to the container. + // If unspecified, the container runtime will allocate a random SELinux context for each + // container. May also be set in PodSecurityContext. If set in both SecurityContext and + // PodSecurityContext, the value specified in SecurityContext takes precedence. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + seLinuxOptions?: null | #SELinuxOptions @go(SELinuxOptions,*SELinuxOptions) @protobuf(3,bytes,opt) + + // The Windows specific settings applied to all containers. + // If unspecified, the options from the PodSecurityContext will be used. + // If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + // Note that this field cannot be set when spec.os.name is linux. + // +optional + windowsOptions?: null | #WindowsSecurityContextOptions @go(WindowsOptions,*WindowsSecurityContextOptions) @protobuf(10,bytes,opt) + + // The UID to run the entrypoint of the container process. + // Defaults to user specified in image metadata if unspecified. + // May also be set in PodSecurityContext. If set in both SecurityContext and + // PodSecurityContext, the value specified in SecurityContext takes precedence. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + runAsUser?: null | int64 @go(RunAsUser,*int64) @protobuf(4,varint,opt) + + // The GID to run the entrypoint of the container process. + // Uses runtime default if unset. + // May also be set in PodSecurityContext. If set in both SecurityContext and + // PodSecurityContext, the value specified in SecurityContext takes precedence. 
+ // Note that this field cannot be set when spec.os.name is windows. + // +optional + runAsGroup?: null | int64 @go(RunAsGroup,*int64) @protobuf(8,varint,opt) + + // Indicates that the container must run as a non-root user. + // If true, the Kubelet will validate the image at runtime to ensure that it + // does not run as UID 0 (root) and fail to start the container if it does. + // If unset or false, no such validation will be performed. + // May also be set in PodSecurityContext. If set in both SecurityContext and + // PodSecurityContext, the value specified in SecurityContext takes precedence. + // +optional + runAsNonRoot?: null | bool @go(RunAsNonRoot,*bool) @protobuf(5,varint,opt) + + // Whether this container has a read-only root filesystem. + // Default is false. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + readOnlyRootFilesystem?: null | bool @go(ReadOnlyRootFilesystem,*bool) @protobuf(6,varint,opt) + + // AllowPrivilegeEscalation controls whether a process can gain more + // privileges than its parent process. This bool directly controls if + // the no_new_privs flag will be set on the container process. + // AllowPrivilegeEscalation is true always when the container is: + // 1) run as Privileged + // 2) has CAP_SYS_ADMIN + // Note that this field cannot be set when spec.os.name is windows. + // +optional + allowPrivilegeEscalation?: null | bool @go(AllowPrivilegeEscalation,*bool) @protobuf(7,varint,opt) + + // procMount denotes the type of proc mount to use for the containers. + // The default is DefaultProcMount which uses the container runtime defaults for + // readonly paths and masked paths. + // This requires the ProcMountType feature flag to be enabled. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + procMount?: null | #ProcMountType @go(ProcMount,*ProcMountType) @protobuf(9,bytes,opt) + + // The seccomp options to use by this container. 
If seccomp options are + // provided at both the pod & container level, the container options + // override the pod options. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + seccompProfile?: null | #SeccompProfile @go(SeccompProfile,*SeccompProfile) @protobuf(11,bytes,opt) +} + +// +enum +#ProcMountType: string // #enumProcMountType + +#enumProcMountType: + #DefaultProcMount | + #UnmaskedProcMount + +// DefaultProcMount uses the container runtime defaults for readonly and masked +// paths for /proc. Most container runtimes mask certain paths in /proc to avoid +// accidental security exposure of special devices or information. +#DefaultProcMount: #ProcMountType & "Default" + +// UnmaskedProcMount bypasses the default masking behavior of the container +// runtime and ensures the newly created /proc the container stays in tact with +// no modifications. +#UnmaskedProcMount: #ProcMountType & "Unmasked" + +// SELinuxOptions are the labels to be applied to the container +#SELinuxOptions: { + // User is a SELinux user label that applies to the container. + // +optional + user?: string @go(User) @protobuf(1,bytes,opt) + + // Role is a SELinux role label that applies to the container. + // +optional + role?: string @go(Role) @protobuf(2,bytes,opt) + + // Type is a SELinux type label that applies to the container. + // +optional + type?: string @go(Type) @protobuf(3,bytes,opt) + + // Level is SELinux level label that applies to the container. + // +optional + level?: string @go(Level) @protobuf(4,bytes,opt) +} + +// WindowsSecurityContextOptions contain Windows-specific options and credentials. +#WindowsSecurityContextOptions: { + // GMSACredentialSpecName is the name of the GMSA credential spec to use. 
+ // +optional + gmsaCredentialSpecName?: null | string @go(GMSACredentialSpecName,*string) @protobuf(1,bytes,opt) + + // GMSACredentialSpec is where the GMSA admission webhook + // (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + // GMSA credential spec named by the GMSACredentialSpecName field. + // +optional + gmsaCredentialSpec?: null | string @go(GMSACredentialSpec,*string) @protobuf(2,bytes,opt) + + // The UserName in Windows to run the entrypoint of the container process. + // Defaults to the user specified in image metadata if unspecified. + // May also be set in PodSecurityContext. If set in both SecurityContext and + // PodSecurityContext, the value specified in SecurityContext takes precedence. + // +optional + runAsUserName?: null | string @go(RunAsUserName,*string) @protobuf(3,bytes,opt) + + // HostProcess determines if a container should be run as a 'Host Process' container. + // All of a Pod's containers must have the same effective HostProcess value + // (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + // In addition, if HostProcess is true then HostNetwork must also be set to true. + // +optional + hostProcess?: null | bool @go(HostProcess,*bool) @protobuf(4,bytes,opt) +} + +// RangeAllocation is not a public type. +#RangeAllocation: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Range is string that identifies the range represented by 'data'. + range: string @go(Range) @protobuf(2,bytes,opt) + + // Data is a bit array containing all allocated addresses in the previous segment. + data: bytes @go(Data,[]byte) @protobuf(3,bytes,opt) +} + +// DefaultSchedulerName defines the name of default scheduler. 
+#DefaultSchedulerName: "default-scheduler" + +// RequiredDuringScheduling affinity is not symmetric, but there is an implicit PreferredDuringScheduling affinity rule +// corresponding to every RequiredDuringScheduling affinity rule. +// When the --hard-pod-affinity-weight scheduler flag is not specified, +// DefaultHardPodAffinityWeight defines the weight of the implicit PreferredDuringScheduling affinity rule. +#DefaultHardPodAffinitySymmetricWeight: int32 & 1 + +// Sysctl defines a kernel parameter to be set +#Sysctl: { + // Name of a property to set + name: string @go(Name) @protobuf(1,bytes,opt) + + // Value of a property to set + value: string @go(Value) @protobuf(2,bytes,opt) +} + +// NodeResources is an object for conveying resource information about a node. +// see https://kubernetes.io/docs/concepts/architecture/nodes/#capacity for more details. +#NodeResources: { + // Capacity represents the available resources of a node + Capacity: #ResourceList @protobuf(1,bytes,rep,name=capacity,casttype=ResourceList,castkey=ResourceName) +} + +// Enable stdin for remote command execution +#ExecStdinParam: "input" + +// Enable stdout for remote command execution +#ExecStdoutParam: "output" + +// Enable stderr for remote command execution +#ExecStderrParam: "error" + +// Enable TTY for remote command execution +#ExecTTYParam: "tty" + +// Command to run for remote command execution +#ExecCommandParam: "command" + +// Name of header that specifies stream type +#StreamType: "streamType" + +// Value for streamType header for stdin stream +#StreamTypeStdin: "stdin" + +// Value for streamType header for stdout stream +#StreamTypeStdout: "stdout" + +// Value for streamType header for stderr stream +#StreamTypeStderr: "stderr" + +// Value for streamType header for data stream +#StreamTypeData: "data" + +// Value for streamType header for error stream +#StreamTypeError: "error" + +// Value for streamType header for terminal resize stream +#StreamTypeResize: "resize" + +// Name 
of header that specifies the port being forwarded +#PortHeader: "port" + +// Name of header that specifies a request ID used to associate the error +// and data streams for a single forwarded connection +#PortForwardRequestIDHeader: "requestID" + +// MixedProtocolNotSupported error in PortStatus means that the cloud provider +// can't publish the port on the load balancer because mixed values of protocols +// on the same LoadBalancer type of Service are not supported by the cloud provider. +#MixedProtocolNotSupported: "MixedProtocolNotSupported" + +#PortStatus: { + // Port is the port number of the service port of which status is recorded here + port: int32 @go(Port) @protobuf(1,varint,opt) + + // Protocol is the protocol of the service port of which status is recorded here + // The supported values are: "TCP", "UDP", "SCTP" + protocol: #Protocol @go(Protocol) @protobuf(2,bytes,opt,casttype=Protocol) + + // Error is to record the problem with the service port + // The format of the error shall comply with the following rules: + // - built-in error values shall be specified in this file and those shall use + // CamelCase names + // - cloud provider specific error values must have names that comply with the + // format foo.example.com/CamelCase. + // --- + // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + // +optional + // +kubebuilder:validation:Required + // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` + // +kubebuilder:validation:MaxLength=316 + error?: null | string @go(Error,*string) @protobuf(3,bytes,opt) +} diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/api/core/v1/well_known_labels_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/api/core/v1/well_known_labels_go_gen.cue new file mode 100644 index 000000000..2a1f060b6 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/api/core/v1/well_known_labels_go_gen.cue 
@@ -0,0 +1,59 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/core/v1 + +package v1 + +#LabelHostname: "kubernetes.io/hostname" + +// Label value is the network location of kube-apiserver stored as +// Stored in APIServer Identity lease objects to view what address is used for peer proxy +#AnnotationPeerAdvertiseAddress: "kubernetes.io/peer-advertise-address" +#LabelTopologyZone: "topology.kubernetes.io/zone" +#LabelTopologyRegion: "topology.kubernetes.io/region" + +// These label have been deprecated since 1.17, but will be supported for +// the foreseeable future, to accommodate things like long-lived PVs that +// use them. New users should prefer the "topology.kubernetes.io/*" +// equivalents. +#LabelFailureDomainBetaZone: "failure-domain.beta.kubernetes.io/zone" +#LabelFailureDomainBetaRegion: "failure-domain.beta.kubernetes.io/region" + +// Retained for compat when vendored. Do not use these consts in new code. +#LabelZoneFailureDomain: "failure-domain.beta.kubernetes.io/zone" +#LabelZoneRegion: "failure-domain.beta.kubernetes.io/region" +#LabelZoneFailureDomainStable: "topology.kubernetes.io/zone" +#LabelZoneRegionStable: "topology.kubernetes.io/region" +#LabelInstanceType: "beta.kubernetes.io/instance-type" +#LabelInstanceTypeStable: "node.kubernetes.io/instance-type" +#LabelOSStable: "kubernetes.io/os" +#LabelArchStable: "kubernetes.io/arch" + +// LabelWindowsBuild is used on Windows nodes to specify the Windows build number starting with v1.17.0. 
+// It's in the format MajorVersion.MinorVersion.BuildNumber (for ex: 10.0.17763) +#LabelWindowsBuild: "node.kubernetes.io/windows-build" + +// LabelNamespaceSuffixKubelet is an allowed label namespace suffix kubelets can self-set ([*.]kubelet.kubernetes.io/*) +#LabelNamespaceSuffixKubelet: "kubelet.kubernetes.io" + +// LabelNamespaceSuffixNode is an allowed label namespace suffix kubelets can self-set ([*.]node.kubernetes.io/*) +#LabelNamespaceSuffixNode: "node.kubernetes.io" + +// LabelNamespaceNodeRestriction is a forbidden label namespace that kubelets may not self-set when the NodeRestriction admission plugin is enabled +#LabelNamespaceNodeRestriction: "node-restriction.kubernetes.io" + +// IsHeadlessService is added by Controller to an Endpoint denoting if its parent +// Service is Headless. The existence of this label can be used further by other +// controllers and kube-proxy to check if the Endpoint objects should be replicated when +// using Headless Services +#IsHeadlessService: "service.kubernetes.io/headless" + +// LabelNodeExcludeBalancers specifies that the node should not be considered as a target +// for external load-balancers which use nodes as a second hop (e.g. many cloud LBs which only +// understand nodes). For services that use externalTrafficPolicy=Local, this may mean that +// any backends on excluded nodes are not reachable by those external load-balancers. +// Implementations of this exclusion may vary based on provider. +#LabelNodeExcludeBalancers: "node.kubernetes.io/exclude-from-external-load-balancers" + +// LabelMetadataName is the label name which, in-tree, is used to automatically label namespaces, so they can be selected easily by tools which require definitive labels +#LabelMetadataName: "kubernetes.io/metadata.name" 
diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/api/core/v1/well_known_taints_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/api/core/v1/well_known_taints_go_gen.cue new file mode 100644 index 000000000..b7c097336 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/api/core/v1/well_known_taints_go_gen.cue @@ -0,0 +1,38 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/core/v1 + +package v1 + +// TaintNodeNotReady will be added when node is not ready +// and removed when node becomes ready. +#TaintNodeNotReady: "node.kubernetes.io/not-ready" + +// TaintNodeUnreachable will be added when node becomes unreachable +// (corresponding to NodeReady status ConditionUnknown) +// and removed when node becomes reachable (NodeReady status ConditionTrue). +#TaintNodeUnreachable: "node.kubernetes.io/unreachable" + +// TaintNodeUnschedulable will be added when node becomes unschedulable +// and removed when node becomes schedulable. +#TaintNodeUnschedulable: "node.kubernetes.io/unschedulable" + +// TaintNodeMemoryPressure will be added when node has memory pressure +// and removed when node has enough memory. +#TaintNodeMemoryPressure: "node.kubernetes.io/memory-pressure" + +// TaintNodeDiskPressure will be added when node has disk pressure +// and removed when node has enough disk. +#TaintNodeDiskPressure: "node.kubernetes.io/disk-pressure" + +// TaintNodeNetworkUnavailable will be added when node's network is unavailable +// and removed when network becomes ready. +#TaintNodeNetworkUnavailable: "node.kubernetes.io/network-unavailable" + +// TaintNodePIDPressure will be added when node has pid pressure +// and removed when node has enough pid. +#TaintNodePIDPressure: "node.kubernetes.io/pid-pressure" + +// TaintNodeOutOfService can be added when node is out of service in case of +// a non-graceful shutdown +#TaintNodeOutOfService: "node.kubernetes.io/out-of-service" 
diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/api/rbac/v1/register_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/api/rbac/v1/register_go_gen.cue new file mode 100644 index 000000000..1c83e8b4f --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/api/rbac/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/rbac/v1 + +package v1 + +#GroupName: "rbac.authorization.k8s.io" diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/api/rbac/v1/types_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/api/rbac/v1/types_go_gen.cue new file mode 100644 index 000000000..521e355e9 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/api/rbac/v1/types_go_gen.cue 
@@ -0,0 +1,207 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/rbac/v1 + +package v1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +#APIGroupAll: "*" +#ResourceAll: "*" +#VerbAll: "*" +#NonResourceAll: "*" +#GroupKind: "Group" +#ServiceAccountKind: "ServiceAccount" +#UserKind: "User" + +// AutoUpdateAnnotationKey is the name of an annotation which prevents reconciliation if set to "false" +#AutoUpdateAnnotationKey: "rbac.authorization.kubernetes.io/autoupdate" + +// PolicyRule holds information that describes a policy rule, but does not contain information +// about who the rule applies to or which namespace the rule applies to. +#PolicyRule: { + // Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs. + verbs: [...string] @go(Verbs,[]string) @protobuf(1,bytes,rep) + + // APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of + // the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups. + // +optional + apiGroups?: [...string] @go(APIGroups,[]string) @protobuf(2,bytes,rep) + + // Resources is a list of resources this rule applies to. '*' represents all resources. + // +optional + resources?: [...string] @go(Resources,[]string) @protobuf(3,bytes,rep) + + // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. + // +optional + resourceNames?: [...string] @go(ResourceNames,[]string) @protobuf(4,bytes,rep) + + // NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path + // Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. 
+ // Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both. + // +optional + nonResourceURLs?: [...string] @go(NonResourceURLs,[]string) @protobuf(5,bytes,rep) +} + +// Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, +// or a value for non-objects such as user and group names. +// +structType=atomic +#Subject: { + // Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + // If the Authorizer does not recognized the kind value, the Authorizer should report an error. + kind: string @go(Kind) @protobuf(1,bytes,opt) + + // APIGroup holds the API group of the referenced subject. + // Defaults to "" for ServiceAccount subjects. + // Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + // +optional + apiGroup?: string @go(APIGroup) @protobuf(2,bytes,opt.name=apiGroup) + + // Name of the object being referenced. + name: string @go(Name) @protobuf(3,bytes,opt) + + // Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + // the Authorizer should report an error. + // +optional + namespace?: string @go(Namespace) @protobuf(4,bytes,opt) +} + +// RoleRef contains information that points to the role being used +// +structType=atomic +#RoleRef: { + // APIGroup is the group for the resource being referenced + apiGroup: string @go(APIGroup) @protobuf(1,bytes,opt) + + // Kind is the type of resource being referenced + kind: string @go(Kind) @protobuf(2,bytes,opt) + + // Name is the name of resource being referenced + name: string @go(Name) @protobuf(3,bytes,opt) +} + +// Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding. +#Role: { + metav1.#TypeMeta + + // Standard object's metadata. 
+ // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Rules holds all the PolicyRules for this Role + // +optional + rules: [...#PolicyRule] @go(Rules,[]PolicyRule) @protobuf(2,bytes,rep) +} + +// RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. +// It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given +// namespace only have effect in that namespace. +#RoleBinding: { + metav1.#TypeMeta + + // Standard object's metadata. + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Subjects holds references to the objects the role applies to. + // +optional + subjects?: [...#Subject] @go(Subjects,[]Subject) @protobuf(2,bytes,rep) + + // RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. + // If the RoleRef cannot be resolved, the Authorizer must return an error. + // This field is immutable. + roleRef: #RoleRef @go(RoleRef) @protobuf(3,bytes,opt) +} + +// RoleBindingList is a collection of RoleBindings +#RoleBindingList: { + metav1.#TypeMeta + + // Standard object's metadata. + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of RoleBindings + items: [...#RoleBinding] @go(Items,[]RoleBinding) @protobuf(2,bytes,rep) +} + +// RoleList is a collection of Roles +#RoleList: { + metav1.#TypeMeta + + // Standard object's metadata. + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of Roles + items: [...#Role] @go(Items,[]Role) @protobuf(2,bytes,rep) +} + +// ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding. +#ClusterRole: { + metav1.#TypeMeta + + // Standard object's metadata. 
+ // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Rules holds all the PolicyRules for this ClusterRole + // +optional + rules: [...#PolicyRule] @go(Rules,[]PolicyRule) @protobuf(2,bytes,rep) + + // AggregationRule is an optional field that describes how to build the Rules for this ClusterRole. + // If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be + // stomped by the controller. + // +optional + aggregationRule?: null | #AggregationRule @go(AggregationRule,*AggregationRule) @protobuf(3,bytes,opt) +} + +// AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole +#AggregationRule: { + // ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. + // If any of the selectors match, then the ClusterRole's permissions will be added + // +optional + clusterRoleSelectors?: [...metav1.#LabelSelector] @go(ClusterRoleSelectors,[]metav1.LabelSelector) @protobuf(1,bytes,rep) +} + +// ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, +// and adds who information via Subject. +#ClusterRoleBinding: { + metav1.#TypeMeta + + // Standard object's metadata. + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Subjects holds references to the objects the role applies to. + // +optional + subjects?: [...#Subject] @go(Subjects,[]Subject) @protobuf(2,bytes,rep) + + // RoleRef can only reference a ClusterRole in the global namespace. + // If the RoleRef cannot be resolved, the Authorizer must return an error. + // This field is immutable. + roleRef: #RoleRef @go(RoleRef) @protobuf(3,bytes,opt) +} + +// ClusterRoleBindingList is a collection of ClusterRoleBindings +#ClusterRoleBindingList: { + metav1.#TypeMeta + + // Standard object's metadata. 
+ // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of ClusterRoleBindings + items: [...#ClusterRoleBinding] @go(Items,[]ClusterRoleBinding) @protobuf(2,bytes,rep) +} + +// ClusterRoleList is a collection of ClusterRoles +#ClusterRoleList: { + metav1.#TypeMeta + + // Standard object's metadata. + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of ClusterRoles + items: [...#ClusterRole] @go(Items,[]ClusterRole) @protobuf(2,bytes,rep) +} diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/amount_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/amount_go_gen.cue new file mode 100644 index 000000000..cef44ba5c --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/amount_go_gen.cue @@ -0,0 +1,47 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource + +package resource + +// Scale is used for getting and setting the base-10 scaled value. +// Base-2 scales are omitted for mathematical simplicity. +// See Quantity.ScaledValue for more details. +#Scale: int32 // #enumScale + +#enumScale: + #Nano | + #Micro | + #Milli | + #Kilo | + #Mega | + #Giga | + #Tera | + #Peta | + #Exa + +#values_Scale: { + Nano: #Nano + Micro: #Micro + Milli: #Milli + Kilo: #Kilo + Mega: #Mega + Giga: #Giga + Tera: #Tera + Peta: #Peta + Exa: #Exa +} + +#Nano: #Scale & -9 +#Micro: #Scale & -6 +#Milli: #Scale & -3 +#Kilo: #Scale & 3 +#Mega: #Scale & 6 +#Giga: #Scale & 9 +#Tera: #Scale & 12 +#Peta: #Scale & 15 +#Exa: #Scale & 18 + +// infDecAmount implements common operations over an inf.Dec that are specific to the quantity +// representation. +_#infDecAmount: string 
diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/math_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/math_go_gen.cue new file mode 100644 index 000000000..711f2096f --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/math_go_gen.cue @@ -0,0 +1,13 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource + +package resource + +// maxInt64Factors is the highest value that will be checked when removing factors of 10 from an int64. +// It is also the maximum decimal digits that can be represented with an int64. +_#maxInt64Factors: 18 + +_#mostNegative: -9223372036854775808 + +_#mostPositive: 9223372036854775807 diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/quantity_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/quantity_go_gen.cue new file mode 100644 index 000000000..9d9713a1b --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/quantity_go_gen.cue 
@@ -0,0 +1,107 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource + +package resource + +// Quantity is a fixed-point representation of a number. +// It provides convenient marshaling/unmarshaling in JSON and YAML, +// in addition to String() and AsInt64() accessors. +// +// The serialization format is: +// +// ``` +// ::= +// +// (Note that may be empty, from the "" case in .) +// +// ::= 0 | 1 | ... | 9 +// ::= | +// ::= | . | . | . +// ::= "+" | "-" +// ::= | +// ::= | | +// ::= Ki | Mi | Gi | Ti | Pi | Ei +// +// (International System of units; See: http://physics.nist.gov/cuu/Units/binary.html) +// +// ::= m | "" | k | M | G | T | P | E +// +// (Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.) +// +// ::= "e" | "E" +// ``` +// +// No matter which of the three exponent forms is used, no quantity may represent +// a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal +// places. Numbers larger or more precise will be capped or rounded up. +// (E.g.: 0.1m will rounded up to 1m.) +// This may be extended in the future if we require larger or smaller quantities. +// +// When a Quantity is parsed from a string, it will remember the type of suffix +// it had, and will use the same type again when it is serialized. +// +// Before serializing, Quantity will be put in "canonical form". +// This means that Exponent/suffix will be adjusted up or down (with a +// corresponding increase or decrease in Mantissa) such that: +// +// - No precision is lost +// - No fractional digits will be emitted +// - The exponent (or suffix) is as large as possible. +// +// The sign will be omitted unless the number is negative. +// +// Examples: +// +// - 1.5 will be serialized as "1500m" +// - 1.5Gi will be serialized as "1536Mi" +// +// Note that the quantity will NEVER be internally represented by a +// floating point number. That is the whole point of this exercise. 
+// +// Non-canonical values will still parse as long as they are well formed, +// but will be re-emitted in their canonical form. (So always use canonical +// form, or don't diff.) +// +// This format is intended to make it difficult to use these numbers without +// writing some sort of special handling code in the hopes that that will +// cause implementors to also use a fixed point implementation. +// +// +protobuf=true +// +protobuf.embed=string +// +protobuf.options.marshal=false +// +protobuf.options.(gogoproto.goproto_stringer)=false +// +k8s:deepcopy-gen=true +// +k8s:openapi-gen=true +#Quantity: _ + +// CanonicalValue allows a quantity amount to be converted to a string. +#CanonicalValue: _ + +// Format lists the three possible formattings of a quantity. +#Format: string // #enumFormat + +#enumFormat: + #DecimalExponent | + #BinarySI | + #DecimalSI + +#DecimalExponent: #Format & "DecimalExponent" +#BinarySI: #Format & "BinarySI" +#DecimalSI: #Format & "DecimalSI" + +// splitREString is used to separate a number from its suffix; as such, +// this is overly permissive, but that's OK-- it will be checked later. +_#splitREString: "^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$" + +_#int64QuantityExpectedBytes: 18 + +// QuantityValue makes it possible to use a Quantity as value for a command +// line parameter. +// +// +protobuf=true +// +protobuf.embed=string +// +protobuf.options.marshal=false +// +protobuf.options.(gogoproto.goproto_stringer)=false +// +k8s:deepcopy-gen=true +#QuantityValue: _ diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/suffix_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/suffix_go_gen.cue new file mode 100644 index 000000000..b40d68ec1 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/suffix_go_gen.cue 
@@ -0,0 +1,10 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource + +package resource + +_#suffix: string + +// suffixer can interpret and construct suffixes. +_#suffixer: _ diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/duration_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/duration_go_gen.cue new file mode 100644 index 000000000..25ea8ecf1 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/duration_go_gen.cue @@ -0,0 +1,10 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +package v1 + +// Duration is a wrapper around time.Duration which supports correct +// marshaling to YAML and JSON. In particular, it marshals into strings, which +// can be used as map keys in json. +#Duration: _ diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/group_version_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/group_version_go_gen.cue new file mode 100644 index 000000000..7ff538603 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/group_version_go_gen.cue 
@@ -0,0 +1,48 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +package v1 + +// GroupResource specifies a Group and a Resource, but does not force a version. This is useful for identifying +// concepts during lookup stages without having partially valid types +// +// +protobuf.options.(gogoproto.goproto_stringer)=false +#GroupResource: { + group: string @go(Group) @protobuf(1,bytes,opt) + resource: string @go(Resource) @protobuf(2,bytes,opt) +} + +// GroupVersionResource unambiguously identifies a resource. It doesn't anonymously include GroupVersion +// to avoid automatic coercion. It doesn't use a GroupVersion to avoid custom marshalling +// +// +protobuf.options.(gogoproto.goproto_stringer)=false +#GroupVersionResource: { + group: string @go(Group) @protobuf(1,bytes,opt) + version: string @go(Version) @protobuf(2,bytes,opt) + resource: string @go(Resource) @protobuf(3,bytes,opt) +} + +// GroupKind specifies a Group and a Kind, but does not force a version. This is useful for identifying +// concepts during lookup stages without having partially valid types +// +// +protobuf.options.(gogoproto.goproto_stringer)=false +#GroupKind: { + group: string @go(Group) @protobuf(1,bytes,opt) + kind: string @go(Kind) @protobuf(2,bytes,opt) +} + +// GroupVersionKind unambiguously identifies a kind. It doesn't anonymously include GroupVersion +// to avoid automatic coercion. It doesn't use a GroupVersion to avoid custom marshalling +// +// +protobuf.options.(gogoproto.goproto_stringer)=false +#GroupVersionKind: { + group: string @go(Group) @protobuf(1,bytes,opt) + version: string @go(Version) @protobuf(2,bytes,opt) + kind: string @go(Kind) @protobuf(3,bytes,opt) +} + +// GroupVersion contains the "group" and the "version", which uniquely identifies the API. +// +// +protobuf.options.(gogoproto.goproto_stringer)=false +#GroupVersion: _ 
diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/meta_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/meta_go_gen.cue new file mode 100644 index 000000000..f3c39a466 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/meta_go_gen.cue @@ -0,0 +1,33 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +package v1 + +// TODO: move this, Object, List, and Type to a different package +#ObjectMetaAccessor: _ + +// Object lets you work with object metadata from any of the versioned or +// internal API objects. Attempting to set or retrieve a field on an object that does +// not support that field (Name, UID, Namespace on lists) will be a no-op and return +// a default value. +#Object: _ + +// ListMetaAccessor retrieves the list interface from an object +#ListMetaAccessor: _ + +// Common lets you work with core metadata from any of the versioned or +// internal API objects. Attempting to set or retrieve a field on an object that does +// not support that field will be a no-op and return a default value. +// TODO: move this, and TypeMeta and ListMeta, to a different package +#Common: _ + +// ListInterface lets you work with list metadata from any of the versioned or +// internal API objects. Attempting to set or retrieve a field on an object that does +// not support that field will be a no-op and return a default value. +// TODO: move this, and TypeMeta and ListMeta, to a different package +#ListInterface: _ + +// Type exposes the type and APIVersion of versioned or internal API objects. +// TODO: move this, and TypeMeta and ListMeta, to a different package +#Type: _ 
diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/micro_time_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/micro_time_go_gen.cue new file mode 100644 index 000000000..3c067bae3 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/micro_time_go_gen.cue @@ -0,0 +1,14 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +package v1 + +#RFC3339Micro: "2006-01-02T15:04:05.000000Z07:00" + +// MicroTime is version of Time with microsecond level precision. +// +// +protobuf.options.marshal=false +// +protobuf.as=Timestamp +// +protobuf.options.(gogoproto.goproto_stringer)=false +#MicroTime: _ diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/register_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/register_go_gen.cue new file mode 100644 index 000000000..39d23b288 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/register_go_gen.cue @@ -0,0 +1,9 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +package v1 + +#GroupName: "meta.k8s.io" + +#WatchEventKind: "WatchEvent" diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/time_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/time_go_gen.cue new file mode 100644 index 000000000..b3c8ec266 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/time_go_gen.cue 
@@ -0,0 +1,14 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +package v1 + +// Time is a wrapper around time.Time which supports correct +// marshaling to YAML and JSON. Wrappers are provided for many +// of the factory methods that the time package offers. +// +// +protobuf.options.marshal=false +// +protobuf.as=Timestamp +// +protobuf.options.(gogoproto.goproto_stringer)=false +#Time: _ diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/time_proto_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/time_proto_go_gen.cue new file mode 100644 index 000000000..835392730 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/time_proto_go_gen.cue @@ -0,0 +1,21 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +package v1 + +// Timestamp is a struct that is equivalent to Time, but intended for +// protobuf marshalling/unmarshalling. It is generated into a serialization +// that matches Time. Do not use in Go structs. +#Timestamp: { + // Represents seconds of UTC time since Unix epoch + // 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + // 9999-12-31T23:59:59Z inclusive. + seconds: int64 @go(Seconds) @protobuf(1,varint,opt) + + // Non-negative fractions of a second at nanosecond resolution. Negative + // second values with fractions must still have non-negative nanos values + // that count forward in time. Must be from 0 to 999,999,999 + // inclusive. This field may be limited in precision depending on context. + nanos: int32 @go(Nanos) @protobuf(2,varint,opt) +} diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/types_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/types_go_gen.cue new file mode 100644 index 000000000..a0deb7c90 
--- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/types_go_gen.cue 
@@ -0,0 +1,1561 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +// Package v1 contains API types that are common to all versions. +// +// The package contains two categories of types: +// - external (serialized) types that lack their own version (e.g TypeMeta) +// - internal (never-serialized) types that are needed by several different +// api groups, and so live here, to avoid duplication and/or import loops +// (e.g. LabelSelector). +// +// In the future, we will probably move these categories of objects into +// separate packages. +package v1 + +import ( + "k8s.io/apimachinery/pkg/types" + "k8s.io/apimachinery/pkg/runtime" +) + +// TypeMeta describes an individual object in an API response or request +// with strings representing the type of the object and its API schema version. +// Structures that are versioned or persisted should inline TypeMeta. +// +// +k8s:deepcopy-gen=false +#TypeMeta: { + // Kind is a string value representing the REST resource this object represents. + // Servers may infer this from the endpoint the client submits requests to. + // Cannot be updated. + // In CamelCase. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + kind?: string @go(Kind) @protobuf(1,bytes,opt) + + // APIVersion defines the versioned schema of this representation of an object. + // Servers should convert recognized schemas to the latest internal value, and + // may reject unrecognized values. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + // +optional + apiVersion?: string @go(APIVersion) @protobuf(2,bytes,opt) +} + +// ListMeta describes metadata that synthetic resources must have, including lists and +// various status objects. A resource may have only one of {ObjectMeta, ListMeta}. 
+#ListMeta: { + // Deprecated: selfLink is a legacy read-only field that is no longer populated by the system. + // +optional + selfLink?: string @go(SelfLink) @protobuf(1,bytes,opt) + + // String that identifies the server's internal version of this object that + // can be used by clients to determine when objects have changed. + // Value must be treated as opaque by clients and passed unmodified back to the server. + // Populated by the system. + // Read-only. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + // +optional + resourceVersion?: string @go(ResourceVersion) @protobuf(2,bytes,opt) + + // continue may be set if the user set a limit on the number of items returned, and indicates that + // the server has more data available. The value is opaque and may be used to issue another request + // to the endpoint that served this list to retrieve the next set of available objects. Continuing a + // consistent list may not be possible if the server configuration has changed or more than a few + // minutes have passed. The resourceVersion field returned when using this continue value will be + // identical to the value in the first response, unless you have received this token from an error + // message. + continue?: string @go(Continue) @protobuf(3,bytes,opt) + + // remainingItemCount is the number of subsequent items in the list which are not included in this + // list response. If the list request contained label or field selectors, then the number of + // remaining items is unknown and the field will be left unset and omitted during serialization. + // If the list is complete (either because it is not chunking or because this is the last chunk), + // then there are no more remaining items and this field will be left unset and omitted during + // serialization. + // Servers older than v1.15 do not set this field. 
+ // The intended use of the remainingItemCount is *estimating* the size of a collection. Clients + // should not rely on the remainingItemCount to be set or to be exact. + // +optional + remainingItemCount?: null | int64 @go(RemainingItemCount,*int64) @protobuf(4,bytes,opt) +} + +#ObjectNameField: "metadata.name" + +#FinalizerOrphanDependents: "orphan" +#FinalizerDeleteDependents: "foregroundDeletion" + +// ObjectMeta is metadata that all persisted resources must have, which includes all objects +// users must create. +#ObjectMeta: { + // Name must be unique within a namespace. Is required when creating resources, although + // some resources may allow a client to request the generation of an appropriate name + // automatically. Name is primarily intended for creation idempotence and configuration + // definition. + // Cannot be updated. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names + // +optional + name?: string @go(Name) @protobuf(1,bytes,opt) + + // GenerateName is an optional prefix, used by the server, to generate a unique + // name ONLY IF the Name field has not been provided. + // If this field is used, the name returned to the client will be different + // than the name passed. This value will also be combined with a unique suffix. + // The provided value has the same validation rules as the Name field, + // and may be truncated by the length of the suffix required to make the value + // unique on the server. + // + // If this field is specified and the generated name exists, the server will return a 409. + // + // Applied only if Name is not specified. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency + // +optional + generateName?: string @go(GenerateName) @protobuf(2,bytes,opt) + + // Namespace defines the space within which each name must be unique. 
An empty namespace is + // equivalent to the "default" namespace, but "default" is the canonical representation. + // Not all objects are required to be scoped to a namespace - the value of this field for + // those objects will be empty. + // + // Must be a DNS_LABEL. + // Cannot be updated. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces + // +optional + namespace?: string @go(Namespace) @protobuf(3,bytes,opt) + + // Deprecated: selfLink is a legacy read-only field that is no longer populated by the system. + // +optional + selfLink?: string @go(SelfLink) @protobuf(4,bytes,opt) + + // UID is the unique in time and space value for this object. It is typically generated by + // the server on successful creation of a resource and is not allowed to change on PUT + // operations. + // + // Populated by the system. + // Read-only. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids + // +optional + uid?: types.#UID @go(UID) @protobuf(5,bytes,opt,casttype=k8s.io/kubernetes/pkg/types.UID) + + // An opaque value that represents the internal version of this object that can + // be used by clients to determine when objects have changed. May be used for optimistic + // concurrency, change detection, and the watch operation on a resource or set of resources. + // Clients must treat these values as opaque and passed unmodified back to the server. + // They may only be valid for a particular resource or set of resources. + // + // Populated by the system. + // Read-only. + // Value must be treated as opaque by clients and . + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + // +optional + resourceVersion?: string @go(ResourceVersion) @protobuf(6,bytes,opt) + + // A sequence number representing a specific generation of the desired state. + // Populated by the system. Read-only. 
+ // +optional + generation?: int64 @go(Generation) @protobuf(7,varint,opt) + + // CreationTimestamp is a timestamp representing the server time when this object was + // created. It is not guaranteed to be set in happens-before order across separate operations. + // Clients may not set this value. It is represented in RFC3339 form and is in UTC. + // + // Populated by the system. + // Read-only. + // Null for lists. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + creationTimestamp?: #Time @go(CreationTimestamp) @protobuf(8,bytes,opt) + + // DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This + // field is set by the server when a graceful deletion is requested by the user, and is not + // directly settable by a client. The resource is expected to be deleted (no longer visible + // from resource lists, and not reachable by name) after the time in this field, once the + // finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. + // Once the deletionTimestamp is set, this value may not be unset or be set further into the + // future, although it may be shortened or the resource may be deleted prior to this time. + // For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react + // by sending a graceful termination signal to the containers in the pod. After that 30 seconds, + // the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, + // remove the pod from the API. In the presence of network partitions, this object may still + // exist after this timestamp, until an administrator or automated process can determine the + // resource is fully terminated. + // If not set, graceful deletion of the object has not been requested. + // + // Populated by the system when a graceful deletion is requested. + // Read-only. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + deletionTimestamp?: null | #Time @go(DeletionTimestamp,*Time) @protobuf(9,bytes,opt) + + // Number of seconds allowed for this object to gracefully terminate before + // it will be removed from the system. Only set when deletionTimestamp is also set. + // May only be shortened. + // Read-only. + // +optional + deletionGracePeriodSeconds?: null | int64 @go(DeletionGracePeriodSeconds,*int64) @protobuf(10,varint,opt) + + // Map of string keys and values that can be used to organize and categorize + // (scope and select) objects. May match selectors of replication controllers + // and services. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels + // +optional + labels?: {[string]: string} @go(Labels,map[string]string) @protobuf(11,bytes,rep) + + // Annotations is an unstructured key value map stored with a resource that may be + // set by external tools to store and retrieve arbitrary metadata. They are not + // queryable and should be preserved when modifying objects. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations + // +optional + annotations?: {[string]: string} @go(Annotations,map[string]string) @protobuf(12,bytes,rep) + + // List of objects depended by this object. If ALL objects in the list have + // been deleted, this object will be garbage collected. If this object is managed by a controller, + // then an entry in this list will point to this controller, with the controller field set to true. + // There cannot be more than one managing controller. + // +optional + // +patchMergeKey=uid + // +patchStrategy=merge + ownerReferences?: [...#OwnerReference] @go(OwnerReferences,[]OwnerReference) @protobuf(13,bytes,rep) + + // Must be empty before the object is deleted from the registry. 
Each entry + // is an identifier for the responsible component that will remove the entry + // from the list. If the deletionTimestamp of the object is non-nil, entries + // in this list can only be removed. + // Finalizers may be processed and removed in any order. Order is NOT enforced + // because it introduces significant risk of stuck finalizers. + // finalizers is a shared field, any actor with permission can reorder it. + // If the finalizer list is processed in order, then this can lead to a situation + // in which the component responsible for the first finalizer in the list is + // waiting for a signal (field value, external system, or other) produced by a + // component responsible for a finalizer later in the list, resulting in a deadlock. + // Without enforced ordering finalizers are free to order amongst themselves and + // are not vulnerable to ordering changes in the list. + // +optional + // +patchStrategy=merge + finalizers?: [...string] @go(Finalizers,[]string) @protobuf(14,bytes,rep) + + // ManagedFields maps workflow-id and version to the set of fields + // that are managed by that workflow. This is mostly for internal + // housekeeping, and users typically shouldn't need to set or + // understand this field. A workflow can be the user's name, a + // controller's name, or the name of a specific apply path like + // "ci-cd". The set of fields is always in the version that the + // workflow used when modifying the object. + // + // +optional + managedFields?: [...#ManagedFieldsEntry] @go(ManagedFields,[]ManagedFieldsEntry) @protobuf(17,bytes,rep) +} + +// NamespaceDefault means the object is in the default namespace which is applied when not specified by clients +#NamespaceDefault: "default" + +// NamespaceAll is the default argument to specify on a context when you want to list or filter resources across all namespaces +#NamespaceAll: "" + +// NamespaceNone is the argument for a context when there is no namespace. 
+#NamespaceNone: "" + +// NamespaceSystem is the system namespace where we place system components. +#NamespaceSystem: "kube-system" + +// NamespacePublic is the namespace where we place public info (ConfigMaps) +#NamespacePublic: "kube-public" + +// OwnerReference contains enough information to let you identify an owning +// object. An owning object must be in the same namespace as the dependent, or +// be cluster-scoped, so there is no namespace field. +// +structType=atomic +#OwnerReference: { + // API version of the referent. + apiVersion: string @go(APIVersion) @protobuf(5,bytes,opt) + + // Kind of the referent. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: string @go(Kind) @protobuf(1,bytes,opt) + + // Name of the referent. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names + name: string @go(Name) @protobuf(3,bytes,opt) + + // UID of the referent. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids + uid: types.#UID @go(UID) @protobuf(4,bytes,opt,casttype=k8s.io/apimachinery/pkg/types.UID) + + // If true, this reference points to the managing controller. + // +optional + controller?: null | bool @go(Controller,*bool) @protobuf(6,varint,opt) + + // If true, AND if the owner has the "foregroundDeletion" finalizer, then + // the owner cannot be deleted from the key-value store until this + // reference is removed. + // See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion + // for how the garbage collector interacts with this field and enforces the foreground deletion. + // Defaults to false. + // To set this field, a user needs "delete" permission of the owner, + // otherwise 422 (Unprocessable Entity) will be returned. 
+ // +optional + blockOwnerDeletion?: null | bool @go(BlockOwnerDeletion,*bool) @protobuf(7,varint,opt) +} + +// ListOptions is the query options to a standard REST list call. +#ListOptions: { + #TypeMeta + + // A selector to restrict the list of returned objects by their labels. + // Defaults to everything. + // +optional + labelSelector?: string @go(LabelSelector) @protobuf(1,bytes,opt) + + // A selector to restrict the list of returned objects by their fields. + // Defaults to everything. + // +optional + fieldSelector?: string @go(FieldSelector) @protobuf(2,bytes,opt) + + // Watch for changes to the described resources and return them as a stream of + // add, update, and remove notifications. Specify resourceVersion. + // +optional + watch?: bool @go(Watch) @protobuf(3,varint,opt) + + // allowWatchBookmarks requests watch events with type "BOOKMARK". + // Servers that do not implement bookmarks may ignore this flag and + // bookmarks are sent at the server's discretion. Clients should not + // assume bookmarks are returned at any specific interval, nor may they + // assume the server will send any BOOKMARK event during a session. + // If this is not a watch, this field is ignored. + // +optional + allowWatchBookmarks?: bool @go(AllowWatchBookmarks) @protobuf(9,varint,opt) + + // resourceVersion sets a constraint on what resource versions a request may be served from. + // See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for + // details. + // + // Defaults to unset + // +optional + resourceVersion?: string @go(ResourceVersion) @protobuf(4,bytes,opt) + + // resourceVersionMatch determines how resourceVersion is applied to list calls. + // It is highly recommended that resourceVersionMatch be set for list calls where + // resourceVersion is set + // See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for + // details. 
+ // + // Defaults to unset + // +optional + resourceVersionMatch?: #ResourceVersionMatch @go(ResourceVersionMatch) @protobuf(10,bytes,opt,casttype=ResourceVersionMatch) + + // Timeout for the list/watch call. + // This limits the duration of the call, regardless of any activity or inactivity. + // +optional + timeoutSeconds?: null | int64 @go(TimeoutSeconds,*int64) @protobuf(5,varint,opt) + + // limit is a maximum number of responses to return for a list call. If more items exist, the + // server will set the `continue` field on the list metadata to a value that can be used with the + // same initial query to retrieve the next set of results. Setting a limit may return fewer than + // the requested amount of items (up to zero items) in the event all requested objects are + // filtered out and clients should only use the presence of the continue field to determine whether + // more results are available. Servers may choose not to support the limit argument and will return + // all of the available results. If limit is specified and the continue field is empty, clients may + // assume that no more results are available. This field is not supported if watch is true. + // + // The server guarantees that the objects returned when using continue will be identical to issuing + // a single list call without a limit - that is, no objects created, modified, or deleted after the + // first request is issued will be included in any subsequent continued requests. This is sometimes + // referred to as a consistent snapshot, and ensures that a client that is using limit to receive + // smaller chunks of a very large result can ensure they see all possible objects. If objects are + // updated during a chunked list the version of the object that was present at the time the first list + // result was calculated is returned. + limit?: int64 @go(Limit) @protobuf(7,varint,opt) + + // The continue option should be set when retrieving more results from the server. 
Since this value is + // server defined, clients may only use the continue value from a previous query result with identical + // query parameters (except for the value of continue) and the server may reject a continue value it + // does not recognize. If the specified continue value is no longer valid whether due to expiration + // (generally five to fifteen minutes) or a configuration change on the server, the server will + // respond with a 410 ResourceExpired error together with a continue token. If the client needs a + // consistent list, it must restart their list without the continue field. Otherwise, the client may + // send another list request with the token received with the 410 error, the server will respond with + // a list starting from the next key, but from the latest snapshot, which is inconsistent from the + // previous list results - objects that are created, modified, or deleted after the first list request + // will be included in the response, as long as their keys are after the "next key". + // + // This field is not supported when watch is true. Clients may start a watch from the last + // resourceVersion value returned by the server and not miss any modifications. + continue?: string @go(Continue) @protobuf(8,bytes,opt) + + // `sendInitialEvents=true` may be set together with `watch=true`. + // In that case, the watch stream will begin with synthetic events to + // produce the current state of objects in the collection. Once all such + // events have been sent, a synthetic "Bookmark" event will be sent. + // The bookmark will report the ResourceVersion (RV) corresponding to the + // set of objects, and be marked with `"k8s.io/initial-events-end": "true"` annotation. + // Afterwards, the watch stream will proceed as usual, sending watch events + // corresponding to changes (subsequent to the RV) to objects watched. + // + // When `sendInitialEvents` option is set, we require `resourceVersionMatch` + // option to also be set. 
The semantic of the watch request is as following: + // - `resourceVersionMatch` = NotOlderThan + // is interpreted as "data at least as new as the provided `resourceVersion`" + // and the bookmark event is send when the state is synced + // to a `resourceVersion` at least as fresh as the one provided by the ListOptions. + // If `resourceVersion` is unset, this is interpreted as "consistent read" and the + // bookmark event is send when the state is synced at least to the moment + // when request started being processed. + // - `resourceVersionMatch` set to any other value or unset + // Invalid error is returned. + // + // Defaults to true if `resourceVersion=""` or `resourceVersion="0"` (for backward + // compatibility reasons) and to false otherwise. + // +optional + sendInitialEvents?: null | bool @go(SendInitialEvents,*bool) @protobuf(11,varint,opt) +} + +// resourceVersionMatch specifies how the resourceVersion parameter is applied. resourceVersionMatch +// may only be set if resourceVersion is also set. +// +// "NotOlderThan" matches data at least as new as the provided resourceVersion. +// "Exact" matches data at the exact resourceVersion provided. +// +// See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for +// details. +#ResourceVersionMatch: string // #enumResourceVersionMatch + +#enumResourceVersionMatch: + #ResourceVersionMatchNotOlderThan | + #ResourceVersionMatchExact + +// ResourceVersionMatchNotOlderThan matches data at least as new as the provided +// resourceVersion. +#ResourceVersionMatchNotOlderThan: #ResourceVersionMatch & "NotOlderThan" + +// ResourceVersionMatchExact matches data at the exact resourceVersion +// provided. +#ResourceVersionMatchExact: #ResourceVersionMatch & "Exact" + +// GetOptions is the standard query options to the standard REST get call. +#GetOptions: { + #TypeMeta + + // resourceVersion sets a constraint on what resource versions a request may be served from. 
+ // See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for + // details. + // + // Defaults to unset + // +optional + resourceVersion?: string @go(ResourceVersion) @protobuf(1,bytes,opt) +} + +// DeletionPropagation decides if a deletion will propagate to the dependents of +// the object, and how the garbage collector will handle the propagation. +#DeletionPropagation: string // #enumDeletionPropagation + +#enumDeletionPropagation: + #DeletePropagationOrphan | + #DeletePropagationBackground | + #DeletePropagationForeground + +// Orphans the dependents. +#DeletePropagationOrphan: #DeletionPropagation & "Orphan" + +// Deletes the object from the key-value store, the garbage collector will +// delete the dependents in the background. +#DeletePropagationBackground: #DeletionPropagation & "Background" + +// The object exists in the key-value store until the garbage collector +// deletes all the dependents whose ownerReference.blockOwnerDeletion=true +// from the key-value store. API sever will put the "foregroundDeletion" +// finalizer on the object, and sets its deletionTimestamp. This policy is +// cascading, i.e., the dependents will be deleted with Foreground. +#DeletePropagationForeground: #DeletionPropagation & "Foreground" + +// DryRunAll means to complete all processing stages, but don't +// persist changes to storage. +#DryRunAll: "All" + +// DeleteOptions may be provided when deleting an API object. +#DeleteOptions: { + #TypeMeta + + // The duration in seconds before the object should be deleted. Value must be non-negative integer. + // The value zero indicates delete immediately. If this value is nil, the default grace period for the + // specified type will be used. + // Defaults to a per object value if not specified. zero means delete immediately. + // +optional + gracePeriodSeconds?: null | int64 @go(GracePeriodSeconds,*int64) @protobuf(1,varint,opt) + + // Must be fulfilled before a deletion is carried out. 
If not possible, a 409 Conflict status will be + // returned. + // +k8s:conversion-gen=false + // +optional + preconditions?: null | #Preconditions @go(Preconditions,*Preconditions) @protobuf(2,bytes,opt) + + // Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. + // Should the dependent objects be orphaned. If true/false, the "orphan" + // finalizer will be added to/removed from the object's finalizers list. + // Either this field or PropagationPolicy may be set, but not both. + // +optional + orphanDependents?: null | bool @go(OrphanDependents,*bool) @protobuf(3,varint,opt) + + // Whether and how garbage collection will be performed. + // Either this field or OrphanDependents may be set, but not both. + // The default policy is decided by the existing finalizer set in the + // metadata.finalizers and the resource-specific default policy. + // Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - + // allow the garbage collector to delete the dependents in the background; + // 'Foreground' - a cascading policy that deletes all dependents in the + // foreground. + // +optional + propagationPolicy?: null | #DeletionPropagation @go(PropagationPolicy,*DeletionPropagation) @protobuf(4,varint,opt) + + // When present, indicates that modifications should not be + // persisted. An invalid or unrecognized dryRun directive will + // result in an error response and no further processing of the + // request. 
Valid values are: + // - All: all dry run stages will be processed + // +optional + dryRun?: [...string] @go(DryRun,[]string) @protobuf(5,bytes,rep) +} + +// FieldValidationIgnore ignores unknown/duplicate fields +#FieldValidationIgnore: "Ignore" + +// FieldValidationWarn responds with a warning, but successfully serve the request +#FieldValidationWarn: "Warn" + +// FieldValidationStrict fails the request on unknown/duplicate fields +#FieldValidationStrict: "Strict" + +// CreateOptions may be provided when creating an API object. +#CreateOptions: { + #TypeMeta + + // When present, indicates that modifications should not be + // persisted. An invalid or unrecognized dryRun directive will + // result in an error response and no further processing of the + // request. Valid values are: + // - All: all dry run stages will be processed + // +optional + dryRun?: [...string] @go(DryRun,[]string) @protobuf(1,bytes,rep) + + // fieldManager is a name associated with the actor or entity + // that is making these changes. The value must be less than or + // 128 characters long, and only contain printable characters, + // as defined by https://golang.org/pkg/unicode/#IsPrint. + // +optional + fieldManager?: string @go(FieldManager) @protobuf(3,bytes) + + // fieldValidation instructs the server on how to handle + // objects in the request (POST/PUT/PATCH) containing unknown + // or duplicate fields. Valid values are: + // - Ignore: This will ignore any unknown fields that are silently + // dropped from the object, and will ignore all but the last duplicate + // field that the decoder encounters. This is the default behavior + // prior to v1.23. + // - Warn: This will send a warning via the standard warning response + // header for each unknown field that is dropped from the object, and + // for each duplicate field that is encountered. The request will + // still succeed if there are no other errors, and will only persist + // the last of any duplicate fields. 
This is the default in v1.23+ + // - Strict: This will fail the request with a BadRequest error if + // any unknown fields would be dropped from the object, or if any + // duplicate fields are present. The error returned from the server + // will contain all unknown and duplicate fields encountered. + // +optional + fieldValidation?: string @go(FieldValidation) @protobuf(4,bytes) +} + +// PatchOptions may be provided when patching an API object. +// PatchOptions is meant to be a superset of UpdateOptions. +#PatchOptions: { + #TypeMeta + + // When present, indicates that modifications should not be + // persisted. An invalid or unrecognized dryRun directive will + // result in an error response and no further processing of the + // request. Valid values are: + // - All: all dry run stages will be processed + // +optional + dryRun?: [...string] @go(DryRun,[]string) @protobuf(1,bytes,rep) + + // Force is going to "force" Apply requests. It means user will + // re-acquire conflicting fields owned by other people. Force + // flag must be unset for non-apply patch requests. + // +optional + force?: null | bool @go(Force,*bool) @protobuf(2,varint,opt) + + // fieldManager is a name associated with the actor or entity + // that is making these changes. The value must be less than or + // 128 characters long, and only contain printable characters, + // as defined by https://golang.org/pkg/unicode/#IsPrint. This + // field is required for apply requests + // (application/apply-patch) but optional for non-apply patch + // types (JsonPatch, MergePatch, StrategicMergePatch). + // +optional + fieldManager?: string @go(FieldManager) @protobuf(3,bytes) + + // fieldValidation instructs the server on how to handle + // objects in the request (POST/PUT/PATCH) containing unknown + // or duplicate fields. 
Valid values are: + // - Ignore: This will ignore any unknown fields that are silently + // dropped from the object, and will ignore all but the last duplicate + // field that the decoder encounters. This is the default behavior + // prior to v1.23. + // - Warn: This will send a warning via the standard warning response + // header for each unknown field that is dropped from the object, and + // for each duplicate field that is encountered. The request will + // still succeed if there are no other errors, and will only persist + // the last of any duplicate fields. This is the default in v1.23+ + // - Strict: This will fail the request with a BadRequest error if + // any unknown fields would be dropped from the object, or if any + // duplicate fields are present. The error returned from the server + // will contain all unknown and duplicate fields encountered. + // +optional + fieldValidation?: string @go(FieldValidation) @protobuf(4,bytes) +} + +// ApplyOptions may be provided when applying an API object. +// FieldManager is required for apply requests. +// ApplyOptions is equivalent to PatchOptions. It is provided as a convenience with documentation +// that speaks specifically to how the options fields relate to apply. +#ApplyOptions: { + #TypeMeta + + // When present, indicates that modifications should not be + // persisted. An invalid or unrecognized dryRun directive will + // result in an error response and no further processing of the + // request. Valid values are: + // - All: all dry run stages will be processed + // +optional + dryRun?: [...string] @go(DryRun,[]string) @protobuf(1,bytes,rep) + + // Force is going to "force" Apply requests. It means user will + // re-acquire conflicting fields owned by other people. + force: bool @go(Force) @protobuf(2,varint,opt) + + // fieldManager is a name associated with the actor or entity + // that is making these changes. 
The value must be less than or + // 128 characters long, and only contain printable characters, + // as defined by https://golang.org/pkg/unicode/#IsPrint. This + // field is required. + fieldManager: string @go(FieldManager) @protobuf(3,bytes) +} + +// UpdateOptions may be provided when updating an API object. +// All fields in UpdateOptions should also be present in PatchOptions. +#UpdateOptions: { + #TypeMeta + + // When present, indicates that modifications should not be + // persisted. An invalid or unrecognized dryRun directive will + // result in an error response and no further processing of the + // request. Valid values are: + // - All: all dry run stages will be processed + // +optional + dryRun?: [...string] @go(DryRun,[]string) @protobuf(1,bytes,rep) + + // fieldManager is a name associated with the actor or entity + // that is making these changes. The value must be less than or + // 128 characters long, and only contain printable characters, + // as defined by https://golang.org/pkg/unicode/#IsPrint. + // +optional + fieldManager?: string @go(FieldManager) @protobuf(2,bytes) + + // fieldValidation instructs the server on how to handle + // objects in the request (POST/PUT/PATCH) containing unknown + // or duplicate fields. Valid values are: + // - Ignore: This will ignore any unknown fields that are silently + // dropped from the object, and will ignore all but the last duplicate + // field that the decoder encounters. This is the default behavior + // prior to v1.23. + // - Warn: This will send a warning via the standard warning response + // header for each unknown field that is dropped from the object, and + // for each duplicate field that is encountered. The request will + // still succeed if there are no other errors, and will only persist + // the last of any duplicate fields. 
This is the default in v1.23+ + // - Strict: This will fail the request with a BadRequest error if + // any unknown fields would be dropped from the object, or if any + // duplicate fields are present. The error returned from the server + // will contain all unknown and duplicate fields encountered. + // +optional + fieldValidation?: string @go(FieldValidation) @protobuf(3,bytes) +} + +// Preconditions must be fulfilled before an operation (update, delete, etc.) is carried out. +#Preconditions: { + // Specifies the target UID. + // +optional + uid?: null | types.#UID @go(UID,*types.UID) @protobuf(1,bytes,opt,casttype=k8s.io/apimachinery/pkg/types.UID) + + // Specifies the target ResourceVersion + // +optional + resourceVersion?: null | string @go(ResourceVersion,*string) @protobuf(2,bytes,opt) +} + +// Status is a return value for calls that don't return other objects. +#Status: { + #TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: #ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Status of the operation. + // One of: "Success" or "Failure". + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: string @go(Status) @protobuf(2,bytes,opt) + + // A human-readable description of the status of this operation. + // +optional + message?: string @go(Message) @protobuf(3,bytes,opt) + + // A machine-readable description of why this operation is in the + // "Failure" status. If this value is empty there + // is no information available. A Reason clarifies an HTTP status + // code but does not override it. + // +optional + reason?: #StatusReason @go(Reason) @protobuf(4,bytes,opt,casttype=StatusReason) + + // Extended data associated with the reason. Each reason may define its + // own extended details. 
This field is optional and the data returned + // is not guaranteed to conform to any schema except that defined by + // the reason type. + // +optional + details?: null | #StatusDetails @go(Details,*StatusDetails) @protobuf(5,bytes,opt) + + // Suggested HTTP return code for this status, 0 if not set. + // +optional + code?: int32 @go(Code) @protobuf(6,varint,opt) +} + +// StatusDetails is a set of additional properties that MAY be set by the +// server to provide additional information about a response. The Reason +// field of a Status object defines what attributes will be set. Clients +// must ignore fields that do not match the defined type of each attribute, +// and should assume that any attribute may be empty, invalid, or under +// defined. +#StatusDetails: { + // The name attribute of the resource associated with the status StatusReason + // (when there is a single name which can be described). + // +optional + name?: string @go(Name) @protobuf(1,bytes,opt) + + // The group attribute of the resource associated with the status StatusReason. + // +optional + group?: string @go(Group) @protobuf(2,bytes,opt) + + // The kind attribute of the resource associated with the status StatusReason. + // On some operations may differ from the requested resource Kind. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + kind?: string @go(Kind) @protobuf(3,bytes,opt) + + // UID of the resource. + // (when there is a single resource which can be described). + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids + // +optional + uid?: types.#UID @go(UID) @protobuf(6,bytes,opt,casttype=k8s.io/apimachinery/pkg/types.UID) + + // The Causes array includes more details associated with the StatusReason + // failure. Not all StatusReasons may provide detailed causes. 
+ // +optional + causes?: [...#StatusCause] @go(Causes,[]StatusCause) @protobuf(4,bytes,rep) + + // If specified, the time in seconds before the operation should be retried. Some errors may indicate + // the client must take an alternate action - for those errors this field may indicate how long to wait + // before taking the alternate action. + // +optional + retryAfterSeconds?: int32 @go(RetryAfterSeconds) @protobuf(5,varint,opt) +} + +#StatusSuccess: "Success" +#StatusFailure: "Failure" + +// StatusReason is an enumeration of possible failure causes. Each StatusReason +// must map to a single HTTP status code, but multiple reasons may map +// to the same HTTP status code. +// TODO: move to apiserver +#StatusReason: string // #enumStatusReason + +#enumStatusReason: + #StatusReasonUnknown | + #StatusReasonUnauthorized | + #StatusReasonForbidden | + #StatusReasonNotFound | + #StatusReasonAlreadyExists | + #StatusReasonConflict | + #StatusReasonGone | + #StatusReasonInvalid | + #StatusReasonServerTimeout | + #StatusReasonTimeout | + #StatusReasonTooManyRequests | + #StatusReasonBadRequest | + #StatusReasonMethodNotAllowed | + #StatusReasonNotAcceptable | + #StatusReasonRequestEntityTooLarge | + #StatusReasonUnsupportedMediaType | + #StatusReasonInternalError | + #StatusReasonExpired | + #StatusReasonServiceUnavailable + +// StatusReasonUnknown means the server has declined to indicate a specific reason. +// The details field may contain other information about this error. +// Status code 500. +#StatusReasonUnknown: #StatusReason & "" + +// StatusReasonUnauthorized means the server can be reached and understood the request, but requires +// the user to present appropriate authorization credentials (identified by the WWW-Authenticate header) +// in order for the action to be completed. If the user has specified credentials on the request, the +// server considers them insufficient. 
+// Status code 401 +#StatusReasonUnauthorized: #StatusReason & "Unauthorized" + +// StatusReasonForbidden means the server can be reached and understood the request, but refuses +// to take any further action. It is the result of the server being configured to deny access for some reason +// to the requested resource by the client. +// Details (optional): +// "kind" string - the kind attribute of the forbidden resource +// on some operations may differ from the requested +// resource. +// "id" string - the identifier of the forbidden resource +// Status code 403 +#StatusReasonForbidden: #StatusReason & "Forbidden" + +// StatusReasonNotFound means one or more resources required for this operation +// could not be found. +// Details (optional): +// "kind" string - the kind attribute of the missing resource +// on some operations may differ from the requested +// resource. +// "id" string - the identifier of the missing resource +// Status code 404 +#StatusReasonNotFound: #StatusReason & "NotFound" + +// StatusReasonAlreadyExists means the resource you are creating already exists. +// Details (optional): +// "kind" string - the kind attribute of the conflicting resource +// "id" string - the identifier of the conflicting resource +// Status code 409 +#StatusReasonAlreadyExists: #StatusReason & "AlreadyExists" + +// StatusReasonConflict means the requested operation cannot be completed +// due to a conflict in the operation. The client may need to alter the +// request. Each resource may define custom details that indicate the +// nature of the conflict. +// Status code 409 +#StatusReasonConflict: #StatusReason & "Conflict" + +// StatusReasonGone means the item is no longer available at the server and no +// forwarding address is known. +// Status code 410 +#StatusReasonGone: #StatusReason & "Gone" + +// StatusReasonInvalid means the requested create or update operation cannot be +// completed due to invalid data provided as part of the request. 
The client may +// need to alter the request. When set, the client may use the StatusDetails +// message field as a summary of the issues encountered. +// Details (optional): +// "kind" string - the kind attribute of the invalid resource +// "id" string - the identifier of the invalid resource +// "causes" - one or more StatusCause entries indicating the data in the +// provided resource that was invalid. The code, message, and +// field attributes will be set. +// Status code 422 +#StatusReasonInvalid: #StatusReason & "Invalid" + +// StatusReasonServerTimeout means the server can be reached and understood the request, +// but cannot complete the action in a reasonable time. The client should retry the request. +// This is may be due to temporary server load or a transient communication issue with +// another server. Status code 500 is used because the HTTP spec provides no suitable +// server-requested client retry and the 5xx class represents actionable errors. +// Details (optional): +// "kind" string - the kind attribute of the resource being acted on. +// "id" string - the operation that is being attempted. +// "retryAfterSeconds" int32 - the number of seconds before the operation should be retried +// Status code 500 +#StatusReasonServerTimeout: #StatusReason & "ServerTimeout" + +// StatusReasonTimeout means that the request could not be completed within the given time. +// Clients can get this response only when they specified a timeout param in the request, +// or if the server cannot complete the operation within a reasonable amount of time. +// The request might succeed with an increased value of timeout param. The client *should* +// wait at least the number of seconds specified by the retryAfterSeconds field. 
+// Details (optional): +// "retryAfterSeconds" int32 - the number of seconds before the operation should be retried +// Status code 504 +#StatusReasonTimeout: #StatusReason & "Timeout" + +// StatusReasonTooManyRequests means the server experienced too many requests within a +// given window and that the client must wait to perform the action again. A client may +// always retry the request that led to this error, although the client should wait at least +// the number of seconds specified by the retryAfterSeconds field. +// Details (optional): +// "retryAfterSeconds" int32 - the number of seconds before the operation should be retried +// Status code 429 +#StatusReasonTooManyRequests: #StatusReason & "TooManyRequests" + +// StatusReasonBadRequest means that the request itself was invalid, because the request +// doesn't make any sense, for example deleting a read-only object. This is different than +// StatusReasonInvalid above which indicates that the API call could possibly succeed, but the +// data was invalid. API calls that return BadRequest can never succeed. +// Status code 400 +#StatusReasonBadRequest: #StatusReason & "BadRequest" + +// StatusReasonMethodNotAllowed means that the action the client attempted to perform on the +// resource was not supported by the code - for instance, attempting to delete a resource that +// can only be created. API calls that return MethodNotAllowed can never succeed. +// Status code 405 +#StatusReasonMethodNotAllowed: #StatusReason & "MethodNotAllowed" + +// StatusReasonNotAcceptable means that the accept types indicated by the client were not acceptable +// to the server - for instance, attempting to receive protobuf for a resource that supports only json and yaml. +// API calls that return NotAcceptable can never succeed. +// Status code 406 +#StatusReasonNotAcceptable: #StatusReason & "NotAcceptable" + +// StatusReasonRequestEntityTooLarge means that the request entity is too large. 
+// Status code 413 +#StatusReasonRequestEntityTooLarge: #StatusReason & "RequestEntityTooLarge" + +// StatusReasonUnsupportedMediaType means that the content type sent by the client is not acceptable +// to the server - for instance, attempting to send protobuf for a resource that supports only json and yaml. +// API calls that return UnsupportedMediaType can never succeed. +// Status code 415 +#StatusReasonUnsupportedMediaType: #StatusReason & "UnsupportedMediaType" + +// StatusReasonInternalError indicates that an internal error occurred, it is unexpected +// and the outcome of the call is unknown. +// Details (optional): +// "causes" - The original error +// Status code 500 +#StatusReasonInternalError: #StatusReason & "InternalError" + +// StatusReasonExpired indicates that the request is invalid because the content you are requesting +// has expired and is no longer available. It is typically associated with watches that can't be +// serviced. +// Status code 410 (gone) +#StatusReasonExpired: #StatusReason & "Expired" + +// StatusReasonServiceUnavailable means that the request itself was valid, +// but the requested service is unavailable at this time. +// Retrying the request after some time might succeed. +// Status code 503 +#StatusReasonServiceUnavailable: #StatusReason & "ServiceUnavailable" + +// StatusCause provides more information about an api.Status failure, including +// cases when multiple errors are encountered. +#StatusCause: { + // A machine-readable description of the cause of the error. If this value is + // empty there is no information available. + // +optional + reason?: #CauseType @go(Type) @protobuf(1,bytes,opt,casttype=CauseType) + + // A human-readable description of the cause of the error. This field may be + // presented as-is to a reader. + // +optional + message?: string @go(Message) @protobuf(2,bytes,opt) + + // The field of the resource that has caused this error, as named by its JSON + // serialization. 
May include dot and postfix notation for nested attributes. + // Arrays are zero-indexed. Fields may appear more than once in an array of + // causes due to fields having multiple errors. + // Optional. + // + // Examples: + // "name" - the field "name" on the current resource + // "items[0].name" - the field "name" on the first array entry in "items" + // +optional + field?: string @go(Field) @protobuf(3,bytes,opt) +} + +// CauseType is a machine readable value providing more detail about what +// occurred in a status response. An operation may have multiple causes for a +// status (whether Failure or Success). +#CauseType: string // #enumCauseType + +#enumCauseType: + #CauseTypeFieldValueNotFound | + #CauseTypeFieldValueRequired | + #CauseTypeFieldValueDuplicate | + #CauseTypeFieldValueInvalid | + #CauseTypeFieldValueNotSupported | + #CauseTypeForbidden | + #CauseTypeTooLong | + #CauseTypeTooMany | + #CauseTypeInternal | + #CauseTypeTypeInvalid | + #CauseTypeUnexpectedServerResponse | + #CauseTypeFieldManagerConflict | + #CauseTypeResourceVersionTooLarge + +// CauseTypeFieldValueNotFound is used to report failure to find a requested value +// (e.g. looking up an ID). +#CauseTypeFieldValueNotFound: #CauseType & "FieldValueNotFound" + +// CauseTypeFieldValueRequired is used to report required values that are not +// provided (e.g. empty strings, null values, or empty arrays). +#CauseTypeFieldValueRequired: #CauseType & "FieldValueRequired" + +// CauseTypeFieldValueDuplicate is used to report collisions of values that must be +// unique (e.g. unique IDs). +#CauseTypeFieldValueDuplicate: #CauseType & "FieldValueDuplicate" + +// CauseTypeFieldValueInvalid is used to report malformed values (e.g. failed regex +// match). +#CauseTypeFieldValueInvalid: #CauseType & "FieldValueInvalid" + +// CauseTypeFieldValueNotSupported is used to report valid (as per formatting rules) +// values that can not be handled (e.g. an enumerated string). 
+#CauseTypeFieldValueNotSupported: #CauseType & "FieldValueNotSupported" + +// CauseTypeForbidden is used to report valid (as per formatting rules) +// values which would be accepted under some conditions, but which are not +// permitted by the current conditions (such as security policy). See +// Forbidden(). +#CauseTypeForbidden: #CauseType & "FieldValueForbidden" + +// CauseTypeTooLong is used to report that the given value is too long. +// This is similar to ErrorTypeInvalid, but the error will not include the +// too-long value. See TooLong(). +#CauseTypeTooLong: #CauseType & "FieldValueTooLong" + +// CauseTypeTooMany is used to report "too many". This is used to +// report that a given list has too many items. This is similar to FieldValueTooLong, +// but the error indicates quantity instead of length. +#CauseTypeTooMany: #CauseType & "FieldValueTooMany" + +// CauseTypeInternal is used to report other errors that are not related +// to user input. See InternalError(). +#CauseTypeInternal: #CauseType & "InternalError" + +// CauseTypeTypeInvalid is for the value did not match the schema type for that field +#CauseTypeTypeInvalid: #CauseType & "FieldValueTypeInvalid" + +// CauseTypeUnexpectedServerResponse is used to report when the server responded to the client +// without the expected return type. The presence of this cause indicates the error may be +// due to an intervening proxy or the server software malfunctioning. +#CauseTypeUnexpectedServerResponse: #CauseType & "UnexpectedServerResponse" + +// FieldManagerConflict is used to report when another client claims to manage this field, +// It should only be returned for a request using server-side apply. +#CauseTypeFieldManagerConflict: #CauseType & "FieldManagerConflict" + +// CauseTypeResourceVersionTooLarge is used to report that the requested resource version +// is newer than the data observed by the API server, so the request cannot be served. 
+#CauseTypeResourceVersionTooLarge: #CauseType & "ResourceVersionTooLarge" + +// List holds a list of objects, which may not be known by the server. +#List: { + #TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: #ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of objects + items: [...runtime.#RawExtension] @go(Items,[]runtime.RawExtension) @protobuf(2,bytes,rep) +} + +// APIVersions lists the versions that are available, to allow clients to +// discover the API at /api, which is the root path of the legacy v1 API. +// +// +protobuf.options.(gogoproto.goproto_stringer)=false +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +#APIVersions: { + #TypeMeta + + // versions are the api versions that are available. + versions: [...string] @go(Versions,[]string) @protobuf(1,bytes,rep) + + // a map of client CIDR to server address that is serving this group. + // This is to help clients reach servers in the most network-efficient way possible. + // Clients can use the appropriate server address as per the CIDR that they match. + // In case of multiple matches, clients should use the longest matching CIDR. + // The server returns only those CIDRs that it thinks that the client can match. + // For example: the master will return an internal IP CIDR only, if the client reaches the server using an internal IP. + // Server looks at X-Forwarded-For header or X-Real-Ip header or request.RemoteAddr (in that order) to get the client IP. + serverAddressByClientCIDRs: [...#ServerAddressByClientCIDR] @go(ServerAddressByClientCIDRs,[]ServerAddressByClientCIDR) @protobuf(2,bytes,rep) +} + +// APIGroupList is a list of APIGroup, to allow clients to discover the API at +// /apis. +#APIGroupList: { + #TypeMeta + + // groups is a list of APIGroup. 
+ groups: [...#APIGroup] @go(Groups,[]APIGroup) @protobuf(1,bytes,rep) +} + +// APIGroup contains the name, the supported versions, and the preferred version +// of a group. +#APIGroup: { + #TypeMeta + + // name is the name of the group. + name: string @go(Name) @protobuf(1,bytes,opt) + + // versions are the versions supported in this group. + versions: [...#GroupVersionForDiscovery] @go(Versions,[]GroupVersionForDiscovery) @protobuf(2,bytes,rep) + + // preferredVersion is the version preferred by the API server, which + // probably is the storage version. + // +optional + preferredVersion?: #GroupVersionForDiscovery @go(PreferredVersion) @protobuf(3,bytes,opt) + + // a map of client CIDR to server address that is serving this group. + // This is to help clients reach servers in the most network-efficient way possible. + // Clients can use the appropriate server address as per the CIDR that they match. + // In case of multiple matches, clients should use the longest matching CIDR. + // The server returns only those CIDRs that it thinks that the client can match. + // For example: the master will return an internal IP CIDR only, if the client reaches the server using an internal IP. + // Server looks at X-Forwarded-For header or X-Real-Ip header or request.RemoteAddr (in that order) to get the client IP. + // +optional + serverAddressByClientCIDRs?: [...#ServerAddressByClientCIDR] @go(ServerAddressByClientCIDRs,[]ServerAddressByClientCIDR) @protobuf(4,bytes,rep) +} + +// ServerAddressByClientCIDR helps the client to determine the server address that they should use, depending on the clientCIDR that they match. +#ServerAddressByClientCIDR: { + // The CIDR with which clients can match their IP to figure out the server address that they should use. + clientCIDR: string @go(ClientCIDR) @protobuf(1,bytes,opt) + + // Address of this server, suitable for a client that matches the above CIDR. + // This can be a hostname, hostname:port, IP or IP:port. 
+ serverAddress: string @go(ServerAddress) @protobuf(2,bytes,opt) +} + +// GroupVersion contains the "group/version" and "version" string of a version. +// It is made a struct to keep extensibility. +#GroupVersionForDiscovery: { + // groupVersion specifies the API group and version in the form "group/version" + groupVersion: string @go(GroupVersion) @protobuf(1,bytes,opt) + + // version specifies the version in the form of "version". This is to save + // the clients the trouble of splitting the GroupVersion. + version: string @go(Version) @protobuf(2,bytes,opt) +} + +// APIResource specifies the name of a resource and whether it is namespaced. +#APIResource: { + // name is the plural name of the resource. + name: string @go(Name) @protobuf(1,bytes,opt) + + // singularName is the singular name of the resource. This allows clients to handle plural and singular opaquely. + // The singularName is more correct for reporting status on a single item and both singular and plural are allowed + // from the kubectl CLI interface. + singularName: string @go(SingularName) @protobuf(6,bytes,opt) + + // namespaced indicates if a resource is namespaced or not. + namespaced: bool @go(Namespaced) @protobuf(2,varint,opt) + + // group is the preferred group of the resource. Empty implies the group of the containing resource list. + // For subresources, this may have a different value, for example: Scale". + group?: string @go(Group) @protobuf(8,bytes,opt) + + // version is the preferred version of the resource. Empty implies the version of the containing resource list + // For subresources, this may have a different value, for example: v1 (while inside a v1beta1 version of the core resource's group)". + version?: string @go(Version) @protobuf(9,bytes,opt) + + // kind is the kind for the resource (e.g. 
'Foo' is the kind for a resource 'foo') + kind: string @go(Kind) @protobuf(3,bytes,opt) + + // verbs is a list of supported kube verbs (this includes get, list, watch, create, + // update, patch, delete, deletecollection, and proxy) + verbs: #Verbs @go(Verbs) @protobuf(4,bytes,opt) + + // shortNames is a list of suggested short names of the resource. + shortNames?: [...string] @go(ShortNames,[]string) @protobuf(5,bytes,rep) + + // categories is a list of the grouped resources this resource belongs to (e.g. 'all') + categories?: [...string] @go(Categories,[]string) @protobuf(7,bytes,rep) + + // The hash value of the storage version, the version this resource is + // converted to when written to the data store. Value must be treated + // as opaque by clients. Only equality comparison on the value is valid. + // This is an alpha feature and may change or be removed in the future. + // The field is populated by the apiserver only if the + // StorageVersionHash feature gate is enabled. + // This field will remain optional even if it graduates. + // +optional + storageVersionHash?: string @go(StorageVersionHash) @protobuf(10,bytes,opt) +} + +// Verbs masks the value so protobuf can generate +// +// +protobuf.nullable=true +// +protobuf.options.(gogoproto.goproto_stringer)=false +#Verbs: [...string] + +// APIResourceList is a list of APIResource, it is used to expose the name of the +// resources supported in a specific group and version, and if the resource +// is namespaced. +#APIResourceList: { + #TypeMeta + + // groupVersion is the group and version this APIResourceList is for. + groupVersion: string @go(GroupVersion) @protobuf(1,bytes,opt) + + // resources contains the name of the resources and if they are namespaced. + resources: [...#APIResource] @go(APIResources,[]APIResource) @protobuf(2,bytes,rep) +} + +// RootPaths lists the paths available at root. +// For example: "/healthz", "/apis". +#RootPaths: { + // paths are the paths available at root. 
+ paths: [...string] @go(Paths,[]string) @protobuf(1,bytes,rep) +} + +// Patch is provided to give a concrete name and type to the Kubernetes PATCH request body. +#Patch: { +} + +// A label selector is a label query over a set of resources. The result of matchLabels and +// matchExpressions are ANDed. An empty label selector matches all objects. A null +// label selector matches no objects. +// +structType=atomic +#LabelSelector: { + // matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + // map is equivalent to an element of matchExpressions, whose key field is "key", the + // operator is "In", and the values array contains only "value". The requirements are ANDed. + // +optional + matchLabels?: {[string]: string} @go(MatchLabels,map[string]string) @protobuf(1,bytes,rep) + + // matchExpressions is a list of label selector requirements. The requirements are ANDed. + // +optional + matchExpressions?: [...#LabelSelectorRequirement] @go(MatchExpressions,[]LabelSelectorRequirement) @protobuf(2,bytes,rep) +} + +// A label selector requirement is a selector that contains values, a key, and an operator that +// relates the key and values. +#LabelSelectorRequirement: { + // key is the label key that the selector applies to. + key: string @go(Key) @protobuf(1,bytes,opt) + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator: #LabelSelectorOperator @go(Operator) @protobuf(2,bytes,opt,casttype=LabelSelectorOperator) + + // values is an array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists or DoesNotExist, + // the values array must be empty. This array is replaced during a strategic + // merge patch. + // +optional + values?: [...string] @go(Values,[]string) @protobuf(3,bytes,rep) +} + +// A label selector operator is the set of operators that can be used in a selector requirement. 
+#LabelSelectorOperator: string // #enumLabelSelectorOperator + +#enumLabelSelectorOperator: + #LabelSelectorOpIn | + #LabelSelectorOpNotIn | + #LabelSelectorOpExists | + #LabelSelectorOpDoesNotExist + +#LabelSelectorOpIn: #LabelSelectorOperator & "In" +#LabelSelectorOpNotIn: #LabelSelectorOperator & "NotIn" +#LabelSelectorOpExists: #LabelSelectorOperator & "Exists" +#LabelSelectorOpDoesNotExist: #LabelSelectorOperator & "DoesNotExist" + +// ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource +// that the fieldset applies to. +#ManagedFieldsEntry: { + // Manager is an identifier of the workflow managing these fields. + manager?: string @go(Manager) @protobuf(1,bytes,opt) + + // Operation is the type of operation which lead to this ManagedFieldsEntry being created. + // The only valid values for this field are 'Apply' and 'Update'. + operation?: #ManagedFieldsOperationType @go(Operation) @protobuf(2,bytes,opt,casttype=ManagedFieldsOperationType) + + // APIVersion defines the version of this resource that this field set + // applies to. The format is "group/version" just like the top-level + // APIVersion field. It is necessary to track the version of a field + // set because it cannot be automatically converted. + apiVersion?: string @go(APIVersion) @protobuf(3,bytes,opt) + + // Time is the timestamp of when the ManagedFields entry was added. The + // timestamp will also be updated if a field is added, the manager + // changes any of the owned fields value or removes a field. The + // timestamp does not update when a field is removed from the entry + // because another manager took it over. + // +optional + time?: null | #Time @go(Time,*Time) @protobuf(4,bytes,opt) + + // FieldsType is the discriminator for the different fields format and version. 
+ // There is currently only one possible value: "FieldsV1" + fieldsType?: string @go(FieldsType) @protobuf(6,bytes,opt) + + // FieldsV1 holds the first JSON version format as described in the "FieldsV1" type. + // +optional + fieldsV1?: null | #FieldsV1 @go(FieldsV1,*FieldsV1) @protobuf(7,bytes,opt) + + // Subresource is the name of the subresource used to update that object, or + // empty string if the object was updated through the main resource. The + // value of this field is used to distinguish between managers, even if they + // share the same name. For example, a status update will be distinct from a + // regular update using the same manager name. + // Note that the APIVersion field is not related to the Subresource field and + // it always corresponds to the version of the main resource. + subresource?: string @go(Subresource) @protobuf(8,bytes,opt) +} + +// ManagedFieldsOperationType is the type of operation which lead to a ManagedFieldsEntry being created. +#ManagedFieldsOperationType: string // #enumManagedFieldsOperationType + +#enumManagedFieldsOperationType: + #ManagedFieldsOperationApply | + #ManagedFieldsOperationUpdate + +#ManagedFieldsOperationApply: #ManagedFieldsOperationType & "Apply" +#ManagedFieldsOperationUpdate: #ManagedFieldsOperationType & "Update" + +// FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format. +// +// Each key is either a '.' representing the field itself, and will always map to an empty set, +// or a string representing a sub-field or item. The string will follow one of these four formats: +// 'f:', where is the name of a field in a struct, or key in a map +// 'v:', where is the exact json formatted value of a list item +// 'i:', where is position of a item in a list +// 'k:', where is a map of a list item's key fields to their unique values +// If a key maps to an empty Fields value, the field that key represents is part of the set. 
+// +// The exact format is defined in sigs.k8s.io/structured-merge-diff +// +protobuf.options.(gogoproto.goproto_stringer)=false +#FieldsV1: _ + +// Table is a tabular representation of a set of API resources. The server transforms the +// object into a set of preferred columns for quickly reviewing the objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +protobuf=false +#Table: { + #TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: #ListMeta @go(ListMeta) + + // columnDefinitions describes each column in the returned items array. The number of cells per row + // will always match the number of column definitions. + columnDefinitions: [...#TableColumnDefinition] @go(ColumnDefinitions,[]TableColumnDefinition) + + // rows is the list of items in the table. + rows: [...#TableRow] @go(Rows,[]TableRow) +} + +// TableColumnDefinition contains information about a column returned in the Table. +// +protobuf=false +#TableColumnDefinition: { + // name is a human readable name for the column. + name: string @go(Name) + + // type is an OpenAPI type definition for this column, such as number, integer, string, or + // array. + // See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for more. + type: string @go(Type) + + // format is an optional OpenAPI type modifier for this column. A format modifies the type and + // imposes additional rules, like date or time formatting for a string. The 'name' format is applied + // to the primary identifier column which has type 'string' to assist in clients identifying column + // is the resource name. + // See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for more. + format: string @go(Format) + + // description is a human readable description of this column. 
+ description: string @go(Description) + + // priority is an integer defining the relative importance of this column compared to others. Lower + // numbers are considered higher priority. Columns that may be omitted in limited space scenarios + // should be given a higher priority. + priority: int32 @go(Priority) +} + +// TableRow is an individual row in a table. +// +protobuf=false +#TableRow: { + // cells will be as wide as the column definitions array and may contain strings, numbers (float64 or + // int64), booleans, simple maps, lists, or null. See the type field of the column definition for a + // more detailed description. + cells: [...] @go(Cells,[]interface{}) + + // conditions describe additional status of a row that are relevant for a human user. These conditions + // apply to the row, not to the object, and will be specific to table output. The only defined + // condition type is 'Completed', for a row that indicates a resource that has run to completion and + // can be given less visual priority. + // +optional + conditions?: [...#TableRowCondition] @go(Conditions,[]TableRowCondition) + + // This field contains the requested additional information about each object based on the includeObject + // policy when requesting the Table. If "None", this field is empty, if "Object" this will be the + // default serialization of the object for the current API version, and if "Metadata" (the default) will + // contain the object metadata. Check the returned kind and apiVersion of the object before parsing. + // The media type of the object will always match the enclosing list - if this as a JSON table, these + // will be JSON encoded objects. + // +optional + object?: runtime.#RawExtension @go(Object) +} + +// TableRowCondition allows a row to be marked with additional information. +// +protobuf=false +#TableRowCondition: { + // Type of row condition. 
The only defined value is 'Completed' indicating that the + // object this row represents has reached a completed state and may be given less visual + // priority than other rows. Clients are not required to honor any conditions but should + // be consistent where possible about handling the conditions. + type: #RowConditionType @go(Type) + + // Status of the condition, one of True, False, Unknown. + status: #ConditionStatus @go(Status) + + // (brief) machine readable reason for the condition's last transition. + // +optional + reason?: string @go(Reason) + + // Human readable message indicating details about last transition. + // +optional + message?: string @go(Message) +} + +#RowConditionType: string // #enumRowConditionType + +#enumRowConditionType: + #RowCompleted + +// RowCompleted means the underlying resource has reached completion and may be given less +// visual priority than other resources. +#RowCompleted: #RowConditionType & "Completed" + +#ConditionStatus: string // #enumConditionStatus + +#enumConditionStatus: + #ConditionTrue | + #ConditionFalse | + #ConditionUnknown + +#ConditionTrue: #ConditionStatus & "True" +#ConditionFalse: #ConditionStatus & "False" +#ConditionUnknown: #ConditionStatus & "Unknown" + +// IncludeObjectPolicy controls which portion of the object is returned with a Table. +#IncludeObjectPolicy: string // #enumIncludeObjectPolicy + +#enumIncludeObjectPolicy: + #IncludeNone | + #IncludeMetadata | + #IncludeObject + +// IncludeNone returns no object. +#IncludeNone: #IncludeObjectPolicy & "None" + +// IncludeMetadata serializes the object containing only its metadata field. +#IncludeMetadata: #IncludeObjectPolicy & "Metadata" + +// IncludeObject contains the full object. +#IncludeObject: #IncludeObjectPolicy & "Object" + +// TableOptions are used when a Table is requested by the caller. 
+// +k8s:conversion-gen:explicit-from=net/url.Values +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +#TableOptions: { + #TypeMeta + + // includeObject decides whether to include each object along with its columnar information. + // Specifying "None" will return no object, specifying "Object" will return the full object contents, and + // specifying "Metadata" (the default) will return the object's metadata in the PartialObjectMetadata kind + // in version v1beta1 of the meta.k8s.io API group. + includeObject?: #IncludeObjectPolicy @go(IncludeObject) @protobuf(1,bytes,opt,casttype=IncludeObjectPolicy) +} + +// PartialObjectMetadata is a generic representation of any object with ObjectMeta. It allows clients +// to get access to a particular ObjectMeta schema without knowing the details of the version. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +#PartialObjectMetadata: { + #TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: #ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) +} + +// PartialObjectMetadataList contains a list of objects containing only their metadata +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +#PartialObjectMetadataList: { + #TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: #ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items contains each of the included items. + items: [...#PartialObjectMetadata] @go(Items,[]PartialObjectMetadata) @protobuf(2,bytes,rep) +} + +// Condition contains details for one aspect of the current state of this API Resource. +// --- +// This struct is intended for direct use as an array at the field path .status.conditions. 
For example, +// +// type FooStatus struct{ +// // Represents the observations of a foo's current state. +// // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" +// // +patchMergeKey=type +// // +patchStrategy=merge +// // +listType=map +// // +listMapKey=type +// Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` +// +// // other fields +// } +#Condition: { + // type of condition in CamelCase or in foo.example.com/CamelCase. + // --- + // Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + // useful (see .node.status.conditions), the ability to deconflict is important. + // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` + // +kubebuilder:validation:MaxLength=316 + type: string @go(Type) @protobuf(1,bytes,opt) + + // status of the condition, one of True, False, Unknown. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Enum=True;False;Unknown + status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt) + + // observedGeneration represents the .metadata.generation that the condition was set based upon. + // For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + // with respect to the current state of the instance. + // +optional + // +kubebuilder:validation:Minimum=0 + observedGeneration?: int64 @go(ObservedGeneration) @protobuf(3,varint,opt) + + // lastTransitionTime is the last time the condition transitioned from one status to another. + // This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Type=string + // +kubebuilder:validation:Format=date-time + lastTransitionTime: #Time @go(LastTransitionTime) @protobuf(4,bytes,opt) + + // reason contains a programmatic identifier indicating the reason for the condition's last transition. + // Producers of specific condition types may define expected values and meanings for this field, + // and whether the values are considered a guaranteed API. + // The value should be a CamelCase string. + // This field may not be empty. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=1024 + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$` + reason: string @go(Reason) @protobuf(5,bytes,opt) + + // message is a human readable message indicating details about the transition. + // This may be an empty string. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=32768 + message: string @go(Message) @protobuf(6,bytes,opt) +} diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/watch_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/watch_go_gen.cue new file mode 100644 index 000000000..12f5f1b63 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/watch_go_gen.cue 
@@ -0,0 +1,30 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +package v1 + +import ( + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/watch" +) + +// Event represents a single event to a watched resource. +// +// +protobuf=true +// +k8s:deepcopy-gen=true +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +#WatchEvent: { + type: string @go(Type) @protobuf(1,bytes,opt) + + // Object is: + // * If Type is Added or Modified: the new state of the object. + // * If Type is Deleted: the state of the object immediately before deletion. + // * If Type is Error: *Status is recommended; other types may make sense + // depending on context. + object: runtime.#RawExtension @go(Object) @protobuf(2,bytes,opt) +} + +// InternalEvent makes watch.Event versioned +// +protobuf=false +#InternalEvent: watch.#Event diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/allocator_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/allocator_go_gen.cue new file mode 100644 index 000000000..43474c392 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/allocator_go_gen.cue @@ -0,0 +1,10 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// SimpleAllocator a wrapper around make([]byte) +// conforms to the MemoryAllocator interface +#SimpleAllocator: { +} diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/codec_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/codec_go_gen.cue new file mode 100644 index 000000000..a05de5d58 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/codec_go_gen.cue 
@@ -0,0 +1,37 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// codec binds an encoder and decoder. +_#codec: { + Encoder: #Encoder + Decoder: #Decoder +} + +// NoopEncoder converts an Decoder to a Serializer or Codec for code that expects them but only uses decoding. +#NoopEncoder: { + Decoder: #Decoder +} + +_#noopEncoderIdentifier: #Identifier & "noop" + +// NoopDecoder converts an Encoder to a Serializer or Codec for code that expects them but only uses encoding. +#NoopDecoder: { + Encoder: #Encoder +} + +_#base64Serializer: { + Encoder: #Encoder + Decoder: #Decoder +} + +_#internalGroupVersionerIdentifier: "internal" +_#disabledGroupVersionerIdentifier: "disabled" + +_#internalGroupVersioner: { +} + +_#disabledGroupVersioner: { +} diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/conversion_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/conversion_go_gen.cue new file mode 100644 index 000000000..ce6d644cb --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/conversion_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +// Package runtime defines conversions between generic types and structs to map query strings +// to struct objects. +package runtime diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/converter_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/converter_go_gen.cue new file mode 100644 index 000000000..f49ad1e36 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/converter_go_gen.cue 
@@ -0,0 +1,9 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// UnstructuredConverter is an interface for converting between interface{} +// and map[string]interface representation. +#UnstructuredConverter: _ diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/doc_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/doc_go_gen.cue new file mode 100644 index 000000000..89c5c51b3 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/doc_go_gen.cue 
@@ -0,0 +1,39 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +// Package runtime includes helper functions for working with API objects +// that follow the kubernetes API object conventions, which are: +// +// 0. Your API objects have a common metadata struct member, TypeMeta. +// +// 1. Your code refers to an internal set of API objects. +// +// 2. In a separate package, you have an external set of API objects. +// +// 3. The external set is considered to be versioned, and no breaking +// changes are ever made to it (fields may be added but not changed +// or removed). +// +// 4. As your api evolves, you'll make an additional versioned package +// with every major change. +// +// 5. Versioned packages have conversion functions which convert to +// and from the internal version. +// +// 6. You'll continue to support older versions according to your +// deprecation policy, and you can easily provide a program/library +// to update old versions into new versions because of 5. +// +// 7. All of your serializations and deserializations are handled in a +// centralized place. +// +// Package runtime provides a conversion helper to make 5 easy, and the +// Encode/Decode/DecodeInto trio to accomplish 7. You can also register +// additional "codecs" which use a version of your choice. It's +// recommended that you register your types with runtime in your +// package's init function. +// +// As a bonus, a few common types useful from all api objects and versions +// are provided in types.go. +package runtime diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/embedded_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/embedded_go_gen.cue new file mode 100644 index 000000000..d43f15f25 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/embedded_go_gen.cue 
@@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +_#encodable: _ diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/helper_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/helper_go_gen.cue new file mode 100644 index 000000000..ec8f1f070 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/helper_go_gen.cue @@ -0,0 +1,23 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// MultiObjectTyper returns the types of objects across multiple schemes in order. +#MultiObjectTyper: [...#ObjectTyper] + +_#defaultFramer: { +} + +// WithVersionEncoder serializes an object and ensures the GVK is set. +#WithVersionEncoder: { + Version: #GroupVersioner + Encoder: #Encoder + ObjectTyper: #ObjectTyper +} + +// WithoutVersionDecoder clears the group version kind of a deserialized object. +#WithoutVersionDecoder: { + Decoder: #Decoder +} diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/interfaces_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/interfaces_go_gen.cue new file mode 100644 index 000000000..22abcb620 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/interfaces_go_gen.cue 
@@ -0,0 +1,165 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// APIVersionInternal may be used if you are registering a type that should not +// be considered stable or serialized - it is a convention only and has no +// special behavior in this package. +#APIVersionInternal: "__internal" + +// GroupVersioner refines a set of possible conversion targets into a single option. +#GroupVersioner: _ + +// Identifier represents an identifier. +// Identitier of two different objects should be equal if and only if for every +// input the output they produce is exactly the same. +#Identifier: string // #enumIdentifier + +#enumIdentifier: + _#noopEncoderIdentifier + +// Encoder writes objects to a serialized form +#Encoder: _ + +// MemoryAllocator is responsible for allocating memory. +// By encapsulating memory allocation into its own interface, we can reuse the memory +// across many operations in places we know it can significantly improve the performance. +#MemoryAllocator: _ + +// EncoderWithAllocator serializes objects in a way that allows callers to manage any additional memory allocations. +#EncoderWithAllocator: _ + +// Decoder attempts to load an object from data. +#Decoder: _ + +// Serializer is the core interface for transforming objects into a serialized format and back. +// Implementations may choose to perform conversion of the object, but no assumptions should be made. +#Serializer: _ + +// Codec is a Serializer that deals with the details of versioning objects. It offers the same +// interface as Serializer, so this is a marker to consumers that care about the version of the objects +// they receive. +#Codec: #Serializer + +// ParameterCodec defines methods for serializing and deserializing API objects to url.Values and +// performing any necessary conversion. Unlike the normal Codec, query parameters are not self describing +// and the desired version must be specified. 
+#ParameterCodec: _ + +// Framer is a factory for creating readers and writers that obey a particular framing pattern. +#Framer: _ + +// SerializerInfo contains information about a specific serialization format +#SerializerInfo: { + // MediaType is the value that represents this serializer over the wire. + MediaType: string + + // MediaTypeType is the first part of the MediaType ("application" in "application/json"). + MediaTypeType: string + + // MediaTypeSubType is the second part of the MediaType ("json" in "application/json"). + MediaTypeSubType: string + + // EncodesAsText indicates this serializer can be encoded to UTF-8 safely. + EncodesAsText: bool + + // Serializer is the individual object serializer for this media type. + Serializer: #Serializer + + // PrettySerializer, if set, can serialize this object in a form biased towards + // readability. + PrettySerializer: #Serializer + + // StrictSerializer, if set, deserializes this object strictly, + // erring on unknown fields. + StrictSerializer: #Serializer + + // StreamSerializer, if set, describes the streaming serialization format + // for this media type. + StreamSerializer?: null | #StreamSerializerInfo @go(,*StreamSerializerInfo) +} + +// StreamSerializerInfo contains information about a specific stream serialization format +#StreamSerializerInfo: { + // EncodesAsText indicates this serializer can be encoded to UTF-8 safely. + EncodesAsText: bool + + // Serializer is the top level object serializer for this type when streaming + Serializer: #Serializer + + // Framer is the factory for retrieving streams that separate objects on the wire + Framer: #Framer +} + +// NegotiatedSerializer is an interface used for obtaining encoders, decoders, and serializers +// for multiple supported media types. This would commonly be accepted by a server component +// that performs HTTP content negotiation to accept multiple formats. 
+#NegotiatedSerializer: _ + +// ClientNegotiator handles turning an HTTP content type into the appropriate encoder. +// Use NewClientNegotiator or NewVersionedClientNegotiator to create this interface from +// a NegotiatedSerializer. +#ClientNegotiator: _ + +// StorageSerializer is an interface used for obtaining encoders, decoders, and serializers +// that can read and write data at rest. This would commonly be used by client tools that must +// read files, or server side storage interfaces that persist restful objects. +#StorageSerializer: _ + +// NestedObjectEncoder is an optional interface that objects may implement to be given +// an opportunity to encode any nested Objects / RawExtensions during serialization. +#NestedObjectEncoder: _ + +// NestedObjectDecoder is an optional interface that objects may implement to be given +// an opportunity to decode any nested Objects / RawExtensions during serialization. +// It is possible for DecodeNestedObjects to return a non-nil error but for the decoding +// to have succeeded in the case of strict decoding errors (e.g. unknown/duplicate fields). +// As such it is important for callers of DecodeNestedObjects to check to confirm whether +// an error is a runtime.StrictDecodingError before short circuiting. +// Similarly, implementations of DecodeNestedObjects should ensure that a runtime.StrictDecodingError +// is only returned when the rest of decoding has succeeded. +#NestedObjectDecoder: _ + +#ObjectDefaulter: _ + +#ObjectVersioner: _ + +// ObjectConvertor converts an object to a different version. +#ObjectConvertor: _ + +// ObjectTyper contains methods for extracting the APIVersion and Kind +// of objects. +#ObjectTyper: _ + +// ObjectCreater contains methods for instantiating an object by kind and version. 
+#ObjectCreater: _ + +// EquivalentResourceMapper provides information about resources that address the same underlying data as a specified resource +#EquivalentResourceMapper: _ + +// EquivalentResourceRegistry provides an EquivalentResourceMapper interface, +// and allows registering known resource[/subresource] -> kind +#EquivalentResourceRegistry: _ + +// ResourceVersioner provides methods for setting and retrieving +// the resource version from an API object. +#ResourceVersioner: _ + +// Namer provides methods for retrieving name and namespace of an API object. +#Namer: _ + +// Object interface must be supported by all API types registered with Scheme. Since objects in a scheme are +// expected to be serialized to the wire, the interface an Object must provide to the Scheme allows +// serializers to set the kind, version, and group the object is represented as. An Object may choose +// to return a no-op ObjectKindAccessor in cases where it is not expected to be serialized. +#Object: _ + +// CacheableObject allows an object to cache its different serializations +// to avoid performing the same serialization multiple times. +#CacheableObject: _ + +// Unstructured objects store values as map[string]interface{}, with only values that can be serialized +// to JSON allowed. +#Unstructured: _ diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/negotiate_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/negotiate_go_gen.cue new file mode 100644 index 000000000..7580f4676 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/negotiate_go_gen.cue @@ -0,0 +1,12 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// NegotiateError is returned when a ClientNegotiator is unable to locate +// a serializer for the requested operation. +#NegotiateError: { + ContentType: string + Stream: bool +} 
diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/splice_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/splice_go_gen.cue new file mode 100644 index 000000000..bd9c409a7 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/splice_go_gen.cue @@ -0,0 +1,12 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// Splice is the interface that wraps the Splice method. +// +// Splice moves data from given slice without copying the underlying data for +// efficiency purpose. Therefore, the caller should make sure the underlying +// data is not changed later. +#Splice: _ diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/swagger_doc_generator_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/swagger_doc_generator_go_gen.cue new file mode 100644 index 000000000..9dfc078b4 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/swagger_doc_generator_go_gen.cue @@ -0,0 +1,14 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// Pair of strings. We keed the name of fields and the doc +#Pair: { + Name: string + Doc: string +} + +// KubeTypes is an array to represent all available types in a parsed file. [0] is for the type itself +#KubeTypes: [...#Pair] diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/types_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/types_go_gen.cue new file mode 100644 index 000000000..d1ee609a2 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/types_go_gen.cue 
@@ -0,0 +1,97 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// TypeMeta is shared by all top level objects. The proper way to use it is to inline it in your type, +// like this: +// +// type MyAwesomeAPIObject struct { +// runtime.TypeMeta `json:",inline"` +// ... // other fields +// } +// +// func (obj *MyAwesomeAPIObject) SetGroupVersionKind(gvk *metav1.GroupVersionKind) { metav1.UpdateTypeMeta(obj,gvk) }; GroupVersionKind() *GroupVersionKind +// +// TypeMeta is provided here for convenience. You may use it directly from this package or define +// your own with the same fields. +// +// +k8s:deepcopy-gen=false +// +protobuf=true +// +k8s:openapi-gen=true +#TypeMeta: { + // +optional + apiVersion?: string @go(APIVersion) @protobuf(1,bytes,opt) + + // +optional + kind?: string @go(Kind) @protobuf(2,bytes,opt) +} + +#ContentTypeJSON: "application/json" +#ContentTypeYAML: "application/yaml" +#ContentTypeProtobuf: "application/vnd.kubernetes.protobuf" + +// RawExtension is used to hold extensions in external versions. +// +// To use this, make a field which has RawExtension as its type in your external, versioned +// struct, and Object in your internal struct. You also need to register your +// various plugin types. +// +// // Internal package: +// +// type MyAPIObject struct { +// runtime.TypeMeta `json:",inline"` +// MyPlugin runtime.Object `json:"myPlugin"` +// } +// +// type PluginA struct { +// AOption string `json:"aOption"` +// } +// +// // External package: +// +// type MyAPIObject struct { +// runtime.TypeMeta `json:",inline"` +// MyPlugin runtime.RawExtension `json:"myPlugin"` +// } +// +// type PluginA struct { +// AOption string `json:"aOption"` +// } +// +// // On the wire, the JSON will look something like this: +// +// { +// "kind":"MyAPIObject", +// "apiVersion":"v1", +// "myPlugin": { +// "kind":"PluginA", +// "aOption":"foo", +// }, +// } +// +// So what happens? 
Decode first uses json or yaml to unmarshal the serialized data into +// your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. +// The next step is to copy (using pkg/conversion) into the internal struct. The runtime +// package's DefaultScheme has conversion functions installed which will unpack the +// JSON stored in RawExtension, turning it into the correct object type, and storing it +// in the Object. (TODO: In the case where the object is of an unknown type, a +// runtime.Unknown object will be created and stored.) +// +// +k8s:deepcopy-gen=true +// +protobuf=true +// +k8s:openapi-gen=true +#RawExtension: _ + +// Unknown allows api objects with unknown types to be passed-through. This can be used +// to deal with the API objects from a plug-in. Unknown objects still have functioning +// TypeMeta features-- kind, version, etc. +// TODO: Make this object have easy access to field based accessors and settors for +// metadata and field mutatation. +// +// +k8s:deepcopy-gen=true +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +protobuf=true +// +k8s:openapi-gen=true +#Unknown: _ diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/types_proto_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/types_proto_go_gen.cue new file mode 100644 index 000000000..8b8ddf891 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/types_proto_go_gen.cue @@ -0,0 +1,9 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +#ProtobufMarshaller: _ + +#ProtobufReverseMarshaller: _ diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/types/doc_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/types/doc_go_gen.cue new file mode 100644 index 000000000..bfb4bcda3 --- /dev/null 
+++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/types/doc_go_gen.cue @@ -0,0 +1,6 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/types + +// Package types implements various generic types used throughout kubernetes. +package types diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/types/namespacedname_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/types/namespacedname_go_gen.cue new file mode 100644 index 000000000..7cb2745aa --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/types/namespacedname_go_gen.cue @@ -0,0 +1,12 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/types + +package types + +#NamespacedName: { + Namespace: string + Name: string +} + +#Separator: 47 // '/' diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/types/nodename_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/types/nodename_go_gen.cue new file mode 100644 index 000000000..8b264b80c --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/types/nodename_go_gen.cue 
@@ -0,0 +1,31 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/types + +package types + +// NodeName is a type that holds a api.Node's Name identifier. +// Being a type captures intent and helps make sure that the node name +// is not confused with similar concepts (the hostname, the cloud provider id, +// the cloud provider name etc) +// +// To clarify the various types: +// +// - Node.Name is the Name field of the Node in the API. This should be stored in a NodeName. +// Unfortunately, because Name is part of ObjectMeta, we can't store it as a NodeName at the API level. +// +// - Hostname is the hostname of the local machine (from uname -n). +// However, some components allow the user to pass in a --hostname-override flag, +// which will override this in most places. In the absence of anything more meaningful, +// kubelet will use Hostname as the Node.Name when it creates the Node. +// +// * The cloudproviders have the own names: GCE has InstanceName, AWS has InstanceId. +// +// For GCE, InstanceName is the Name of an Instance object in the GCE API. On GCE, Instance.Name becomes the +// Hostname, and thus it makes sense also to use it as the Node.Name. But that is GCE specific, and it is up +// to the cloudprovider how to do this mapping. +// +// For AWS, the InstanceID is not yet suitable for use as a Node.Name, so we actually use the +// PrivateDnsName for the Node.Name. And this is _not_ always the same as the hostname: if +// we are using a custom DHCP domain it won't be. +#NodeName: string diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/types/patch_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/types/patch_go_gen.cue new file mode 100644 index 000000000..3de5d80f9 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/types/patch_go_gen.cue 
@@ -0,0 +1,21 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/types + +package types + +// Similarly to above, these are constants to support HTTP PATCH utilized by +// both the client and server that didn't make sense for a whole package to be +// dedicated to. +#PatchType: string // #enumPatchType + +#enumPatchType: + #JSONPatchType | + #MergePatchType | + #StrategicMergePatchType | + #ApplyPatchType + +#JSONPatchType: #PatchType & "application/json-patch+json" +#MergePatchType: #PatchType & "application/merge-patch+json" +#StrategicMergePatchType: #PatchType & "application/strategic-merge-patch+json" +#ApplyPatchType: #PatchType & "application/apply-patch+yaml" diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/types/uid_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/types/uid_go_gen.cue new file mode 100644 index 000000000..40bdd8285 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/types/uid_go_gen.cue @@ -0,0 +1,10 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/types + +package types + +// UID is a type that holds unique ID values, including UUIDs. Because we +// don't ONLY use UUIDs, this is an alias to string. Being a type captures +// intent and helps make sure that UIDs and names do not get conflated. +#UID: string diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/util/intstr/intstr_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/util/intstr/intstr_go_gen.cue new file mode 100644 index 000000000..2c8cc3651 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/util/intstr/intstr_go_gen.cue 
@@ -0,0 +1,31 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/util/intstr + +package intstr + +// IntOrString is a type that can hold an int32 or a string. When used in +// JSON or YAML marshalling and unmarshalling, it produces or consumes the +// inner type. This allows you to have, for example, a JSON field that can +// accept a name or number. +// TODO: Rename to Int32OrString +// +// +protobuf=true +// +protobuf.options.(gogoproto.goproto_stringer)=false +// +k8s:openapi-gen=true +#IntOrString: _ + +// Type represents the stored type of IntOrString. +#Type: int64 // #enumType + +#enumType: + #Int | + #String + +#values_Type: { + Int: #Int + String: #String +} + +#Int: #Type & 0 +#String: #Type & 1 diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/watch/doc_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/watch/doc_go_gen.cue new file mode 100644 index 000000000..bc1b91894 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/watch/doc_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/watch + +// Package watch contains a generic watchable interface, and a fake for +// testing code that uses the watch interface. +package watch diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/watch/filter_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/watch/filter_go_gen.cue new file mode 100644 index 000000000..045e8ec85 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/watch/filter_go_gen.cue @@ -0,0 +1,10 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/watch + +package watch + +// Recorder records all events that are sent from the watch until it is closed. +#Recorder: { + Interface: #Interface +} 
diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/watch/mux_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/watch/mux_go_gen.cue new file mode 100644 index 000000000..dcf72d5b0 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/watch/mux_go_gen.cue @@ -0,0 +1,25 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/watch + +package watch + +// FullChannelBehavior controls how the Broadcaster reacts if a watcher's watch +// channel is full. +#FullChannelBehavior: int // #enumFullChannelBehavior + +#enumFullChannelBehavior: + #WaitIfChannelFull | + #DropIfChannelFull + +#values_FullChannelBehavior: { + WaitIfChannelFull: #WaitIfChannelFull + DropIfChannelFull: #DropIfChannelFull +} + +#WaitIfChannelFull: #FullChannelBehavior & 0 +#DropIfChannelFull: #FullChannelBehavior & 1 + +_#incomingQueueLength: 25 + +_#internalRunFunctionMarker: "internal-do-function" diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/watch/streamwatcher_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/watch/streamwatcher_go_gen.cue new file mode 100644 index 000000000..f0805cfb2 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/watch/streamwatcher_go_gen.cue @@ -0,0 +1,12 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/watch + +package watch + +// Decoder allows StreamWatcher to watch any stream for which a Decoder can be written. +#Decoder: _ + +// Reporter hides the details of how an error is turned into a runtime.Object for +// reporting on a watch stream since this package may not import a higher level report. +#Reporter: _ 
diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/watch/watch_go_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/watch/watch_go_gen.cue new file mode 100644 index 000000000..0db2e6be1 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/k8s.io/apimachinery/pkg/watch/watch_go_gen.cue @@ -0,0 +1,48 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/watch + +package watch + +import "k8s.io/apimachinery/pkg/runtime" + +// Interface can be implemented by anything that knows how to watch and report changes. +#Interface: _ + +// EventType defines the possible types of events. +#EventType: string // #enumEventType + +#enumEventType: + #Added | + #Modified | + #Deleted | + #Bookmark | + #Error + +#Added: #EventType & "ADDED" +#Modified: #EventType & "MODIFIED" +#Deleted: #EventType & "DELETED" +#Bookmark: #EventType & "BOOKMARK" +#Error: #EventType & "ERROR" + +// Event represents a single event to a watched resource. +// +k8s:deepcopy-gen=true +#Event: { + Type: #EventType + + // Object is: + // * If Type is Added or Modified: the new state of the object. + // * If Type is Deleted: the state of the object immediately before deletion. + // * If Type is Bookmark: the object (instance of a type being watched) where + // only ResourceVersion field is set. On successful restart of watch from a + // bookmark resourceVersion, client is guaranteed to not get repeat event + // nor miss any events. + // * If Type is Error: *api.Status is recommended; other types may make sense + // depending on context. + Object: runtime.#Object +} + +// RaceFreeFakeWatcher lets you test anything that consumes a watch.Interface; threadsafe. +#RaceFreeFakeWatcher: { + Stopped: bool +} 
diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/kustomize.toolkit.fluxcd.io/kustomization/v1/types_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/kustomize.toolkit.fluxcd.io/kustomization/v1/types_gen.cue new file mode 100644 index 000000000..17c5a791a --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/kustomize.toolkit.fluxcd.io/kustomization/v1/types_gen.cue 
@@ -0,0 +1,326 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/fluxcd/kustomize-controller/releases/download/v1.3.0/kustomize-controller.crds.yaml + +package v1 + +import "strings" + +// Kustomization is the Schema for the kustomizations API. +#Kustomization: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "kustomize.toolkit.fluxcd.io/v1" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "Kustomization" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // KustomizationSpec defines the configuration to calculate the + // desired state + // from a Source using Kustomize. + spec!: #KustomizationSpec +} + +// KustomizationSpec defines the configuration to calculate the +// desired state +// from a Source using Kustomize. +#KustomizationSpec: { + // CommonMetadata specifies the common labels and annotations that + // are + // applied to all resources. Any existing label or annotation will + // be + // overridden if its key matches a common one. + commonMetadata?: { + // Annotations to be added to the object's metadata. + annotations?: { + [string]: string + } + + // Labels to be added to the object's metadata. 
+ labels?: { + [string]: string + } + } + + // Components specifies relative paths to specifications of other + // Components. + components?: [...string] + + // Decrypt Kubernetes secrets before applying them on the cluster. + decryption?: { + // Provider is the name of the decryption engine. + provider: "sops" + secretRef?: { + // Name of the referent. + name: string + } + } + + // DependsOn may contain a meta.NamespacedObjectReference slice + // with references to Kustomization resources that must be ready + // before this + // Kustomization can be reconciled. + dependsOn?: [...{ + // Name of the referent. + name: string + + // Namespace of the referent, when not specified it acts as + // LocalObjectReference. + namespace?: string + }] + + // Force instructs the controller to recreate resources + // when patching fails due to an immutable field change. + force?: bool | *false + + // A list of resources to be included in the health assessment. + healthChecks?: [...{ + // API version of the referent, if not specified the Kubernetes + // preferred version will be used. + apiVersion?: string + + // Kind of the referent. + kind: string + + // Name of the referent. + name: string + + // Namespace of the referent, when not specified it acts as + // LocalObjectReference. + namespace?: string + }] + + // Images is a list of (image name, new name, new tag or digest) + // for changing image names, tags or digests. This can also be + // achieved with a + // patch, but this operator is simpler to specify. + images?: [...{ + // Digest is the value used to replace the original image tag. + // If digest is present NewTag value is ignored. + digest?: string + + // Name is a tag-less image name. + name: string + + // NewName is the value used to replace the original name. + newName?: string + + // NewTag is the value used to replace the original tag. + newTag?: string + }] + + // The interval at which to reconcile the Kustomization. 
+ // This interval is approximate and may be subject to jitter to + // ensure + // efficient use of resources. + interval: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$" + kubeConfig?: { + // SecretRef holds the name of a secret that contains a key with + // the kubeconfig file as the value. If no key is set, the key + // will default + // to 'value'. + // It is recommended that the kubeconfig is self-contained, and + // the secret + // is regularly updated if credentials such as a + // cloud-access-token expire. + // Cloud specific `cmd-path` auth helpers will not function + // without adding + // binaries and credentials to the Pod that is responsible for + // reconciling + // Kubernetes resources. + secretRef: { + // Key in the Secret, when not specified an + // implementation-specific default key is used. + key?: string + + // Name of the Secret. + name: string + } + } + + // NamePrefix will prefix the names of all managed resources. + namePrefix?: strings.MaxRunes(200) & strings.MinRunes(1) + + // NameSuffix will suffix the names of all managed resources. + nameSuffix?: strings.MaxRunes(200) & strings.MinRunes(1) + + // Strategic merge and JSON patches, defined as inline YAML + // objects, + // capable of targeting objects based on kind, label and + // annotation selectors. + patches?: [...{ + // Patch contains an inline StrategicMerge patch or an inline + // JSON6902 patch with + // an array of operation objects. + patch: string + + // Target points to the resources that the patch document should + // be applied to. + target?: { + // AnnotationSelector is a string that follows the label selection + // expression + // https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + // It matches with the resource annotations. + annotationSelector?: string + + // Group is the API group to select resources from. + // Together with Version and Kind it is capable of unambiguously + // identifying and/or selecting resources. 
+ // https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + group?: string + + // Kind of the API Group to select resources from. + // Together with Group and Version it is capable of unambiguously + // identifying and/or selecting resources. + // https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + kind?: string + + // LabelSelector is a string that follows the label selection + // expression + // https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + // It matches with the resource labels. + labelSelector?: string + + // Name to match resources with. + name?: string + + // Namespace to select resources from. + namespace?: string + + // Version of the API Group to select resources from. + // Together with Group and Kind it is capable of unambiguously + // identifying and/or selecting resources. + // https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + version?: string + } + }] + + // Path to the directory containing the kustomization.yaml file, + // or the + // set of plain YAMLs a kustomization.yaml should be generated + // for. + // Defaults to 'None', which translates to the root path of the + // SourceRef. + path?: string + + // PostBuild describes which actions to perform on the YAML + // manifest + // generated by building the kustomize overlay. + postBuild?: { + // Substitute holds a map of key/value pairs. + // The variables defined in your YAML manifests that match any of + // the keys + // defined in the map will be substituted with the set value. + // Includes support for bash string replacement functions + // e.g. ${var:=default}, ${var:position} and + // ${var/substring/replacement}. 
+ substitute?: { + [string]: string + } + + // SubstituteFrom holds references to ConfigMaps and Secrets + // containing + // the variables and their values to be substituted in the YAML + // manifests. + // The ConfigMap and the Secret data keys represent the var names, + // and they + // must match the vars declared in the manifests for the + // substitution to + // happen. + substituteFrom?: [...{ + // Kind of the values referent, valid values are ('Secret', + // 'ConfigMap'). + kind: "Secret" | "ConfigMap" + + // Name of the values referent. Should reside in the same + // namespace as the + // referring resource. + name: strings.MaxRunes(253) & strings.MinRunes(1) + + // Optional indicates whether the referenced resource must exist, + // or whether to + // tolerate its absence. If true and the referenced resource is + // absent, proceed + // as if the resource was present but empty, without any variables + // defined. + optional?: bool | *false + }] + } + + // Prune enables garbage collection. + prune: bool + + // The interval at which to retry a previously failed + // reconciliation. + // When not specified, the controller uses the + // KustomizationSpec.Interval + // value to retry failures. + retryInterval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$" + + // The name of the Kubernetes service account to impersonate + // when reconciling this Kustomization. + serviceAccountName?: string + + // Reference of the source where the kustomization file is. + sourceRef: { + // API version of the referent. + apiVersion?: string + + // Kind of the referent. + kind: "OCIRepository" | "GitRepository" | "Bucket" + + // Name of the referent. + name: string + + // Namespace of the referent, defaults to the namespace of the + // Kubernetes + // resource object that contains the reference. + namespace?: string + } + + // This flag tells the controller to suspend subsequent kustomize + // executions, + // it does not apply to already started executions. Defaults to + // false. 
+ suspend?: bool + + // TargetNamespace sets or overrides the namespace in the + // kustomization.yaml file. + targetNamespace?: strings.MaxRunes(63) & strings.MinRunes(1) + + // Timeout for validation, apply and health checking operations. + // Defaults to 'Interval' duration. + timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$" + + // Wait instructs the controller to check the health of all the + // reconciled + // resources. When enabled, the HealthChecks are ignored. Defaults + // to false. + wait?: bool +} diff --git a/k8s/timoni/kustomize-oci/cue.mod/gen/source.toolkit.fluxcd.io/ocirepository/v1beta2/types_gen.cue b/k8s/timoni/kustomize-oci/cue.mod/gen/source.toolkit.fluxcd.io/ocirepository/v1beta2/types_gen.cue new file mode 100644 index 000000000..28abd59d2 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/gen/source.toolkit.fluxcd.io/ocirepository/v1beta2/types_gen.cue 
@@ -0,0 +1,175 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/fluxcd/source-controller/releases/download/v1.3.0/source-controller.crds.yaml + +package v1beta2 + +import "strings" + +// OCIRepository is the Schema for the ocirepositories API +#OCIRepository: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "source.toolkit.fluxcd.io/v1beta2" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "OCIRepository" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // OCIRepositorySpec defines the desired state of OCIRepository + spec!: #OCIRepositorySpec +} + +// OCIRepositorySpec defines the desired state of OCIRepository +#OCIRepositorySpec: { + certSecretRef?: { + // Name of the referent. + name: string + } + + // Ignore overrides the set of excluded patterns in the + // .sourceignore format + // (which is the same as .gitignore). If not provided, a default + // will be used, + // consult the documentation for your version to find out what + // those are. + ignore?: string + + // Insecure allows connecting to a non-TLS HTTP container + // registry. + insecure?: bool + + // Interval at which the OCIRepository URL is checked for updates. 
+ // This interval is approximate and may be subject to jitter to + // ensure + // efficient use of resources. + interval: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$" + + // LayerSelector specifies which layer should be extracted from + // the OCI artifact. + // When not specified, the first layer found in the artifact is + // selected. + layerSelector?: { + // MediaType specifies the OCI media type of the layer + // which should be extracted from the OCI Artifact. The + // first layer matching this type is selected. + mediaType?: string + + // Operation specifies how the selected layer should be processed. + // By default, the layer compressed content is extracted to + // storage. + // When the operation is set to 'copy', the layer compressed + // content + // is persisted to storage as it is. + operation?: "extract" | "copy" + } + + // The provider used for authentication, can be 'aws', 'azure', + // 'gcp' or 'generic'. + // When not specified, defaults to 'generic'. + provider?: "generic" | "aws" | "azure" | "gcp" | *"generic" + + // The OCI reference to pull and monitor for changes, + // defaults to the latest tag. + ref?: { + // Digest is the image digest to pull, takes precedence over + // SemVer. + // The value should be in the format 'sha256:'. + digest?: string + + // SemVer is the range of tags to pull selecting the latest within + // the range, takes precedence over Tag. + semver?: string + + // SemverFilter is a regex pattern to filter the tags within the + // SemVer range. + semverFilter?: string + + // Tag is the image tag to pull, defaults to latest. + tag?: string + } + secretRef?: { + // Name of the referent. + name: string + } + + // ServiceAccountName is the name of the Kubernetes ServiceAccount + // used to authenticate + // the image pull if the service account has attached pull + // secrets. 
For more information: + // https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account + serviceAccountName?: string + + // This flag tells the controller to suspend the reconciliation of + // this source. + suspend?: bool + + // The timeout for remote OCI Repository operations like pulling, + // defaults to 60s. + timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m))+$" | *"60s" + + // URL is a reference to an OCI artifact repository hosted + // on a remote container registry. + url: =~"^oci://.*$" + + // Verify contains the secret name containing the trusted public + // keys + // used to verify the signature and specifies which provider to + // use to check + // whether OCI image is authentic. + verify?: { + // MatchOIDCIdentity specifies the identity matching criteria to + // use + // while verifying an OCI artifact which was signed using Cosign + // keyless + // signing. The artifact's identity is deemed to be verified if + // any of the + // specified matchers match against the identity. + matchOIDCIdentity?: [...{ + // Issuer specifies the regex pattern to match against to verify + // the OIDC issuer in the Fulcio certificate. The pattern must be + // a + // valid Go regular expression. + issuer: string + + // Subject specifies the regex pattern to match against to verify + // the identity subject in the Fulcio certificate. The pattern + // must + // be a valid Go regular expression. + subject: string + }] + + // Provider specifies the technology used to sign the OCI + // Artifact. + provider: "cosign" | "notation" | *"cosign" + secretRef?: { + // Name of the referent. + name: string + } + } +} diff --git a/k8s/timoni/kustomize-oci/cue.mod/module.cue b/k8s/timoni/kustomize-oci/cue.mod/module.cue new file mode 100644 index 000000000..3b8a6e4ba --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/module.cue @@ -0,0 +1,2 @@ +module: "timoni.sh/kustomize-oci" +language: version: "v0.9.0" 
diff --git a/k8s/timoni/kustomize-oci/cue.mod/pkg/timoni.sh/core/v1alpha1/action.cue b/k8s/timoni/kustomize-oci/cue.mod/pkg/timoni.sh/core/v1alpha1/action.cue new file mode 100644 index 000000000..2c579e99d --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/pkg/timoni.sh/core/v1alpha1/action.cue @@ -0,0 +1,26 @@ +// Copyright 2023 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +// Action holds the list of annotations for controlling +// Timoni's apply behaviour of Kubernetes resources. +Action: { + // Force annotation for recreating immutable resources such as Kubernetes Jobs. + Force: { + "action.timoni.sh/force": ActionStatus.Enabled + } + // One-off annotation for appling resources only if they don't exist on the cluster. + Oneoff: { + "action.timoni.sh/one-off": ActionStatus.Enabled + } + // Keep annotation for preventing Timoni's garbage collector from deleting resources. + Keep: { + "action.timoni.sh/prune": ActionStatus.Disabled + } +} + +ActionStatus: { + Enabled: "enabled" + Disabled: "disabled" +} diff --git a/k8s/timoni/kustomize-oci/cue.mod/pkg/timoni.sh/core/v1alpha1/image.cue b/k8s/timoni/kustomize-oci/cue.mod/pkg/timoni.sh/core/v1alpha1/image.cue new file mode 100644 index 000000000..1535ea43f --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/pkg/timoni.sh/core/v1alpha1/image.cue 
@@ -0,0 +1,50 @@ +// Copyright 2023 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + "strings" +) + +// Image defines the schema for OCI image reference used in Kubernetes PodSpec container image. +#Image: { + + // Repository is the address of a container registry repository. + // An image repository is made up of slash-separated name components, optionally + // prefixed by a registry hostname and port in the format [HOST[:PORT_NUMBER]/]PATH. + repository!: string + + // Tag identifies an image in the repository. + // A tag name may contain lowercase and uppercase characters, digits, underscores, periods and dashes. + // A tag name may not start with a period or a dash and may contain a maximum of 128 characters. + tag!: string & strings.MaxRunes(128) + + // Digest uniquely and immutably identifies an image in the repository. + // Spec: https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests. + digest!: string + + // PullPolicy defines the pull policy for the image. + // By default, it is set to IfNotPresent. + pullPolicy: *"IfNotPresent" | "Always" | "Never" + + // Reference is the image address computed from repository, tag and digest + // in the format [REPOSITORY]:[TAG]@[DIGEST]. + reference: string + + if digest != "" && tag != "" { + reference: "\(repository):\(tag)@\(digest)" + } + + if digest != "" && tag == "" { + reference: "\(repository)@\(digest)" + } + + if digest == "" && tag != "" { + reference: "\(repository):\(tag)" + } + + if digest == "" && tag == "" { + reference: "\(repository):latest" + } +} diff --git a/k8s/timoni/kustomize-oci/cue.mod/pkg/timoni.sh/core/v1alpha1/imagepullsecret.cue b/k8s/timoni/kustomize-oci/cue.mod/pkg/timoni.sh/core/v1alpha1/imagepullsecret.cue new file mode 100644 index 000000000..19f098967 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/pkg/timoni.sh/core/v1alpha1/imagepullsecret.cue 
@@ -0,0 +1,47 @@ +// Copyright 2024 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + "encoding/base64" + "strings" +) + +// ImagePullSecret is a generator for Kubernetes Secrets of type kubernetes.io/dockerconfigjson. +// Spec: https://kubernetes.io/docs/concepts/configuration/secret/#docker-config-secrets. +#ImagePullSecret: { + // Metadata is the Kubernetes object's metadata generated by Timoni. + #Meta!: #Metadata + + // Registry is the hostname of the container registry in the format [HOST[:PORT_NUMBER]]. + #Registry!: string + + // Username is the username used to authenticate to the container registry. + #Username!: string + + // Password is the password used to authenticate to the container registry. + #Password!: string + + // Optional suffix used to generate the Secret name. + #Suffix: *"" | string & strings.MaxRunes(30) + + let auth = base64.Encode(null, #Username+":"+#Password) + + apiVersion: "v1" + kind: "Secret" + type: "kubernetes.io/dockerconfigjson" + metadata: { + name: #Meta.name + #Suffix + namespace: #Meta.namespace + labels: #Meta.labels + if #Meta.annotations != _|_ { + annotations: #Meta.annotations + } + } + stringData: { + ".dockerconfigjson": """ + {"auths": {"\(#Registry)": {"username": "\(#Username)","password": "\(#Password)","auth": "\(auth)"}}} + """ + } +} diff --git a/k8s/timoni/kustomize-oci/cue.mod/pkg/timoni.sh/core/v1alpha1/immutable.cue b/k8s/timoni/kustomize-oci/cue.mod/pkg/timoni.sh/core/v1alpha1/immutable.cue new file mode 100644 index 000000000..7b31c23e4 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/pkg/timoni.sh/core/v1alpha1/immutable.cue 
@@ -0,0 +1,49 @@ +// Copyright 2024 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + "encoding/json" + "strings" + "uuid" +) + +#ConfigMapKind: "ConfigMap" +#SecretKind: "Secret" + +// ImmutableConfig is a generator for immutable Kubernetes ConfigMaps and Secrets. +// The metadata.name of the generated object is suffixed with the hash of the input data. +#ImmutableConfig: { + // Kind of the generated object. + #Kind: *#ConfigMapKind | #SecretKind + + // Metadata of the generated object. + #Meta: #Metadata + + // Optional suffix appended to the generate name. + #Suffix: *"" | string + + // Data of the generated object. + #Data: {[string]: string} + + let hash = strings.Split(uuid.SHA1(uuid.ns.DNS, json.Marshal(#Data)), "-")[0] + + apiVersion: "v1" + kind: #Kind + metadata: { + name: #Meta.name + #Suffix + "-" + hash + namespace: #Meta.namespace + labels: #Meta.labels + if #Meta.annotations != _|_ { + annotations: #Meta.annotations + } + } + immutable: true + if kind == #ConfigMapKind { + data: #Data + } + if kind == #SecretKind { + stringData: #Data + } +} diff --git a/k8s/timoni/kustomize-oci/cue.mod/pkg/timoni.sh/core/v1alpha1/instance.cue b/k8s/timoni/kustomize-oci/cue.mod/pkg/timoni.sh/core/v1alpha1/instance.cue new file mode 100644 index 000000000..ad96b0621 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/pkg/timoni.sh/core/v1alpha1/instance.cue 
@@ -0,0 +1,27 @@ +// Copyright 2023 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import "strings" + +// InstanceName defines the schema for the name of a Timoni instance. +// The instance name is used as a Kubernetes label value and must be 63 characters or less. +#InstanceName: string & =~"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" & strings.MinRunes(1) & strings.MaxRunes(63) + +// InstanceNamespace defines the schema for the namespace of a Timoni instance. +// The instance namespace is used as a Kubernetes label value and must be 63 characters or less. +#InstanceNamespace: string & =~"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" & strings.MinRunes(1) & strings.MaxRunes(63) + +// InstanceOwnerReference defines the schema for Kubernetes labels used to denote ownership. +#InstanceOwnerReference: { + #Name: "instance.timoni.sh/name" + #Namespace: "instance.timoni.sh/namespace" +} + +// InstanceModule defines the schema for the Module of a Timoni instance. +#InstanceModule: { + url: string & =~"^((oci|file)://.*)$" + version: *"latest" | string + digest?: string +} diff --git a/k8s/timoni/kustomize-oci/cue.mod/pkg/timoni.sh/core/v1alpha1/metadata.cue b/k8s/timoni/kustomize-oci/cue.mod/pkg/timoni.sh/core/v1alpha1/metadata.cue new file mode 100644 index 000000000..7be10c909 --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/pkg/timoni.sh/core/v1alpha1/metadata.cue 
@@ -0,0 +1,115 @@ +// Copyright 2023 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import "strings" + +// Annotations defines the schema for Kubernetes object metadata annotations. +#Annotations: {[string & strings.MaxRunes(253)]: string} + +// Labels defines the schema for Kubernetes object metadata labels. +#Labels: {[string & strings.MaxRunes(253)]: string & =~"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" & strings.MaxRunes(63)} + +#StdLabelName: "app.kubernetes.io/name" +#StdLabelVersion: "app.kubernetes.io/version" +#StdLabelPartOf: "app.kubernetes.io/part-of" +#StdLabelManagedBy: "app.kubernetes.io/managed-by" +#StdLabelComponent: "app.kubernetes.io/component" +#StdLabelInstance: "app.kubernetes.io/instance" + +// Metadata defines the schema for Kubernetes object metadata. +#Metadata: { + // Version should be in the strict semver format. Is required when creating resources. + #Version!: string & strings.MaxRunes(63) + + // Name must be unique within a namespace. Is required when creating resources. + // Name is primarily intended for creation idempotence and configuration definition. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names + name!: #InstanceName + + // Namespace defines the space within which each name must be unique. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces + namespace!: #InstanceNamespace + + // Annotations is an unstructured key value map stored with a resource that may be + // set to store and retrieve arbitrary metadata. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations + annotations?: #Annotations + + // Map of string keys and values that can be used to organize and categorize (scope and select) objects. 
+ // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels + labels: #Labels + + // Standard Kubernetes labels: app name, version and managed-by. + labels: { + (#StdLabelName): name + (#StdLabelVersion): #Version + (#StdLabelManagedBy): "timoni" + } + + // LabelSelector selects Pods based on the app.kubernetes.io/name label. + #LabelSelector: #Labels & { + (#StdLabelName): name + } +} + +// MetaComponent generates the Kubernetes object metadata for a module namespaced component. +// The metadata.name is composed of the instance name and the component name. +// The metadata.labels contain the app.kubernetes.io/component label. +#MetaComponent: { + // Meta is the Kubernetes object's metadata generated by Timoni. + #Meta!: #Metadata + + // Component is the name of the component used + // as a suffix for the generate object name. + #Component!: string & strings.MaxRunes(30) + + name: #Meta.name + "-" + #Component + namespace: #Meta.namespace + + labels: #Meta.labels + labels: (#StdLabelComponent): #Component + + annotations?: #Annotations + if #Meta.annotations != _|_ { + annotations: #Meta.annotations + } + + // LabelSelector selects Pods based on the app.kubernetes.io/name + // and app.kubernetes.io/component labels. + #LabelSelector: #Labels & { + (#StdLabelComponent): #Component + (#StdLabelName): #Meta.name + } +} + +// MetaClusterComponent generates the Kubernetes object metadata for a module non-namespaced component. +// The metadata.name is composed of the instance name and the component name. +// The metadata.namespace is unset. +// The metadata.labels contain the app.kubernetes.io/component label. +#MetaClusterComponent: { + // Meta is the Kubernetes object's metadata generated by Timoni. + #Meta!: #Metadata + + // Component is the name of the component used + // as a suffix for the generate object name. 
+ #Component!: string & strings.MaxRunes(30) + + name: #Meta.name + "-" + #Component + + labels: #Meta.labels + labels: (#StdLabelComponent): #Component + + annotations?: #Annotations + if #Meta.annotations != _|_ { + annotations: #Meta.annotations + } + + // LabelSelector selects Pods based on the app.kubernetes.io/name + // and app.kubernetes.io/component labels. + #LabelSelector: #Labels & { + (#StdLabelComponent): #Component + (#StdLabelName): #Meta.name + } +} diff --git a/k8s/timoni/kustomize-oci/cue.mod/pkg/timoni.sh/core/v1alpha1/object.cue b/k8s/timoni/kustomize-oci/cue.mod/pkg/timoni.sh/core/v1alpha1/object.cue new file mode 100644 index 000000000..1dcdb699e --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/pkg/timoni.sh/core/v1alpha1/object.cue @@ -0,0 +1,21 @@ +// Copyright 2023 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import "strings" + +// ObjectReference is a reference to a Kubernetes object. +#ObjectReference: { + // Name of the referent. + name!: string & strings.MaxRunes(256) + + // Namespace of the referent. + namespace?: string & strings.MaxRunes(256) + + // API version of the referent. + apiVersion?: string & strings.MaxRunes(256) + + // Kind of the referent. + kind?: string & strings.MaxRunes(256) +} diff --git a/k8s/timoni/kustomize-oci/cue.mod/pkg/timoni.sh/core/v1alpha1/requirements.cue b/k8s/timoni/kustomize-oci/cue.mod/pkg/timoni.sh/core/v1alpha1/requirements.cue new file mode 100644 index 000000000..d3b5573ae --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/pkg/timoni.sh/core/v1alpha1/requirements.cue 
@@ -0,0 +1,40 @@ +// Copyright 2023 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + "strconv" + "strings" +) + +// CPUQuantity is a string that is validated as a quantity of CPU, such as 100m or 2000m. +#CPUQuantity: string & =~"^[1-9]\\d*m$" + +// MemoryQuantity is a string that is validated as a quantity of memory, such as 128Mi or 2Gi. +#MemoryQuantity: string & =~"^[1-9]\\d*(Mi|Gi)$" + +// ResourceRequirement defines the schema for the CPU and Memory resource requirements. +#ResourceRequirement: { + cpu?: #CPUQuantity + memory?: #MemoryQuantity +} + +// ResourceRequirements defines the schema for the compute resource requirements of a container. +// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/. +#ResourceRequirements: { + // Limits describes the maximum amount of compute resources allowed. + limits?: #ResourceRequirement + + // Requests describes the minimum amount of compute resources required. + // Requests cannot exceed Limits. + requests?: #ResourceRequirement & { + if limits != _|_ { + if limits.cpu != _|_ { + _lc: strconv.Atoi(strings.Split(limits.cpu, "m")[0]) + _rc: strconv.Atoi(strings.Split(requests.cpu, "m")[0]) + #cpu: int & >=_rc & _lc + } + } + } +} diff --git a/k8s/timoni/kustomize-oci/cue.mod/pkg/timoni.sh/core/v1alpha1/selector.cue b/k8s/timoni/kustomize-oci/cue.mod/pkg/timoni.sh/core/v1alpha1/selector.cue new file mode 100644 index 000000000..9c4f2384b --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/pkg/timoni.sh/core/v1alpha1/selector.cue 
@@ -0,0 +1,19 @@ +// Copyright 2023 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +// Selector defines the schema for Kubernetes Pod label selector used in Deployments, Services, Jobs, etc. +#Selector: { + // Name must be unique within a namespace. Is required when creating resources. + // Name is primarily intended for creation idempotence and configuration definition. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names + #Name!: #InstanceName + + // Map of string keys and values that can be used to organize and categorize (scope and select) objects. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels + labels: #Labels + + // Standard Kubernetes label: app name. + labels: (#StdLabelName): #Name +} diff --git a/k8s/timoni/kustomize-oci/cue.mod/pkg/timoni.sh/core/v1alpha1/semver.cue b/k8s/timoni/kustomize-oci/cue.mod/pkg/timoni.sh/core/v1alpha1/semver.cue new file mode 100644 index 000000000..ecd1e397f --- /dev/null +++ b/k8s/timoni/kustomize-oci/cue.mod/pkg/timoni.sh/core/v1alpha1/semver.cue 
@@ -0,0 +1,29 @@ +// Copyright 2023 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + "strconv" + "strings" +) + +// SemVer validates the input version string and extracts the major and minor version numbers. +// When Minimum is set, the major and minor parts must be greater or equal to the minimum +// or a validation error is returned. +#SemVer: { + // Input version string in strict semver format. + #Version!: string & =~"^\\d+\\.\\d+\\.\\d+(-[0-9A-Za-z-]+(\\.[0-9A-Za-z-]+)*)?(\\+[0-9A-Za-z-]+(\\.[0-9A-Za-z-]+)*)?$" + + // Minimum is the minimum allowed MAJOR.MINOR version. + #Minimum: *"0.0.0" | string & =~"^\\d+\\.\\d+\\.\\d+(-[0-9A-Za-z-]+(\\.[0-9A-Za-z-]+)*)?(\\+[0-9A-Za-z-]+(\\.[0-9A-Za-z-]+)*)?$" + + let minMajor = strconv.Atoi(strings.Split(#Minimum, ".")[0]) + let minMinor = strconv.Atoi(strings.Split(#Minimum, ".")[1]) + + major: int & >=minMajor + major: strconv.Atoi(strings.Split(#Version, ".")[0]) + + minor: int & >=minMinor + minor: strconv.Atoi(strings.Split(#Version, ".")[1]) +} diff --git a/k8s/timoni/kustomize-oci/templates/config.cue b/k8s/timoni/kustomize-oci/templates/config.cue new file mode 100644 index 000000000..06e09c7f7 --- /dev/null +++ b/k8s/timoni/kustomize-oci/templates/config.cue 
@@ -0,0 +1,70 @@
+package templates
+
+import (
+ timoniv1 "timoni.sh/core/v1alpha1"
+)
+
+#Config: {
+ moduleVersion!: string
+ kubeVersion!: string
+
+ metadata: timoniv1.#Metadata & {#Version: moduleVersion}
+
+ artifact: {
+ url!: string & =~"^oci://.*$"
+ tag: *"latest" | string
+ semver?: string
+ interval: *1 | int
+ ignore: *"" | string
+ }
+
+ auth: {
+ provider: *"generic" | "aws" | "azure" | "gcp"
+ credentials?: {
+ username!: string
+ password!: string
+ }
+ }
+
+ tls: {
+ insecure: *false | bool
+ ca?: string
+ }
+
+ sync: {
+ path: *"./" | string
+ prune: *true | bool
+ wait: *true | bool
+ timeout: *3 | int
+ retryInterval: *5 | int
+
+ serviceAccountName?: string
+ targetNamespace?: string
+ }
+
+ substitute?: [string]: string
+
+ dependsOn?: [...{
+ name: string
+ namespace?: string
+ }]
+
+ patches: [...{...}]
+}
+
+#Instance: {
+ config: #Config
+
+ objects: {
+ ocirepository: #OCIRepository & {#config: config}
+ kustomization: #Kustomization & {#config: config}
+ }
+
+ if config.auth.credentials != _|_ {
+ objects: imagepullsecret: #PullSecret & {#config: config}
+ }
+
+ if config.tls.ca != _|_ {
+ objects: tlssecret: #TLSSecret & {#config: config}
+ }
+}
diff --git a/k8s/timoni/kustomize-oci/templates/imagepullsecret.cue b/k8s/timoni/kustomize-oci/templates/imagepullsecret.cue
new file mode 100644
index 000000000..bd46086e5
--- /dev/null
+++ b/k8s/timoni/kustomize-oci/templates/imagepullsecret.cue
@@ -0,0 +1,16 @@
+package templates
+
+import (
+ "strings"
+
+ timoniv1 "timoni.sh/core/v1alpha1"
+)
+
+#PullSecret: timoniv1.#ImagePullSecret & {
+ #config: #Config
+ #Meta: #config.metadata
+ #Suffix: "-oci-auth"
+ #Registry: strings.Split(#config.artifact.url, "/")[2]
+ #Username: #config.auth.credentials.username
+ #Password: #config.auth.credentials.password
+}
diff --git a/k8s/timoni/kustomize-oci/templates/kustomization.cue b/k8s/timoni/kustomize-oci/templates/kustomization.cue
new file mode 100644
index 000000000..d3a1badf7
--- /dev/null
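Review bot: `artifact` defaults to `tag: *"latest" | string` and gives no way to pin or verify what is pulled, although the vendored `#OCIRepositorySpec` added in this commit already models `ref.digest` and a `verify` block (`cosign` / `notation`). With `sync.prune` defaulting to true, whatever is published under that mutable tag decides what the Kustomization creates and deletes. I would add `digest?: string` and `verify?: {provider: *"cosign" | "notation", secretRef?: name: string}` to `artifact`, and map them in templates/ocirepository.cue, e.g. `if #config.artifact.digest != _|_ { ref: digest: #config.artifact.digest }`. The same gap shows in the `ref` selection of that file, which only chooses between `semver` and `tag`.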
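Review bot: `#Registry: strings.Split(#config.artifact.url, "/")[2]` assumes the URL carries a host segment, but `#Config.artifact.url` is only constrained by `=~"^oci://.*$"`, so a bare `oci://` evaluates to an empty registry key in the generated dockerconfigjson instead of failing validation. Tightening the constraint in templates/config.cue to something like `url!: string & =~"^oci://[^/]+/.+$"` would reject that at build time. Separately, the vendored `#ImagePullSecret` appears to assemble `.dockerconfigjson` by string interpolation, so a password containing `"` or `\` would likely produce malformed JSON; a comment on `credentials` noting that limitation would help.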
+++ b/k8s/timoni/kustomize-oci/templates/kustomization.cue
@@ -0,0 +1,37 @@
+package templates
+
+import (
+ "encoding/yaml"
+ ksv1 "kustomize.toolkit.fluxcd.io/kustomization/v1"
+ sourcev1 "source.toolkit.fluxcd.io/ocirepository/v1beta2"
+)
+
+#Kustomization: ksv1.#Kustomization & {
+ #config: #Config
+ metadata: #config.metadata
+ spec: ksv1.#KustomizationSpec & {
+ sourceRef: {
+ kind: sourcev1.#OCIRepository.kind
+ name: #config.metadata.name
+ }
+ interval: "60m"
+ retryInterval: "\(#config.sync.retryInterval)m"
+ path: #config.sync.path
+ prune: #config.sync.prune
+ wait: #config.sync.wait
+ timeout: "\(#config.sync.timeout)m"
+ if #config.sync.serviceAccountName != _|_ {
+ serviceAccountName: #config.sync.serviceAccountName
+ }
+ if #config.sync.targetNamespace != _|_ {
+ targetNamespace: #config.sync.targetNamespace
+ }
+ if #config.substitute != _|_ {
+ postBuild: substitute: #config.substitute
+ }
+ if #config.dependsOn != _|_ {
+ dependsOn: #config.dependsOn
+ }
+ patches: [for p in #config.patches {patch: yaml.Marshal(p)}]
+ }
+}
diff --git a/k8s/timoni/kustomize-oci/templates/ocirepository.cue b/k8s/timoni/kustomize-oci/templates/ocirepository.cue
new file mode 100644
index 000000000..ec89939f0
--- /dev/null
+++ b/k8s/timoni/kustomize-oci/templates/ocirepository.cue
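Review bot: `serviceAccountName` is only emitted when `#config.sync.serviceAccountName` is set, and templates/config.cue leaves it optional, so by default the Kustomization is reconciled under the kustomize-controller's own identity. In a stock Flux installation that is presumably a cluster-wide role, which is worth confirming for the target cluster. Since `prune` defaults to true and `patches` accepts arbitrary open structs passed through `yaml.Marshal`, a dedicated account is the main limit on what the artifact can change. Consider requiring it in `#Config` (`serviceAccountName!: string`), or at least adding a comment above the `if` such as `// Unset: reconciles with the controller's service account; set a namespaced account for least privilege.`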
@@ -0,0 +1,33 @@ +package templates + +import ( + sourcev1 "source.toolkit.fluxcd.io/ocirepository/v1beta2" +) + +#OCIRepository: sourcev1.#OCIRepository & { + #config: #Config + metadata: #config.metadata + spec: sourcev1.#OCIRepositorySpec & { + interval: "\(#config.artifact.interval)m" + url: #config.artifact.url + if #config.artifact.semver != _|_ { + ref: semver: #config.artifact.semver + } + if #config.artifact.semver == _|_ { + ref: tag: #config.artifact.tag + } + provider: #config.auth.provider + if #config.auth.credentials != _|_ { + secretRef: name: #config.metadata.name + "-oci-auth" + } + if #config.artifact.ignore != "" { + ignore: #config.artifact.ignore + } + if #config.tls.insecure { + insecure: #config.tls.insecure + } + if #config.tls.ca != _|_ { + certSecretRef: name: #config.metadata.name + "-oci-tls" + } + } +} diff --git a/k8s/timoni/kustomize-oci/templates/tlssecret.cue b/k8s/timoni/kustomize-oci/templates/tlssecret.cue new file mode 100644 index 000000000..76190544c --- /dev/null +++ b/k8s/timoni/kustomize-oci/templates/tlssecret.cue @@ -0,0 +1,21 @@ +package templates + +import ( + corev1 "k8s.io/api/core/v1" + timoniv1 "timoni.sh/core/v1alpha1" +) + +#TLSSecret: corev1.#Secret & { + #config: #Config + apiVersion: "v1" + kind: "Secret" + metadata: timoniv1.#MetaComponent & { + #Meta: #config.metadata + #Component: "oci-tls" + } + stringData: { + if #config.tls.ca != _|_ { + "ca.crt": #config.tls.ca + } + } +} diff --git a/k8s/timoni/kustomize-oci/timoni.cue b/k8s/timoni/kustomize-oci/timoni.cue new file mode 100644 index 000000000..cb02a3349 --- /dev/null +++ b/k8s/timoni/kustomize-oci/timoni.cue 
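Review bot: `insecure` and `secretRef` can both be rendered in this spec, so `tls.insecure: true` together with `auth.credentials` would send the registry credentials over plain HTTP; the vendored schema documents `insecure` as allowing a non-TLS HTTP container registry. Nothing in `#Config` rules that combination out. A guard in templates/config.cue such as `if auth.credentials != _|_ { tls: insecure: false }` would turn it into a validation error at build time. A short comment next to `insecure` stating that it is meant for local, credential-less registries would also make the intent explicit.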
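Review bot: The secret name produced here (`#Meta.name + "-" + #Component`, i.e. `<name>-oci-tls`) has to match the `certSecretRef: name: #config.metadata.name + "-oci-tls"` string in templates/ocirepository.cue, and the same holds for `"-oci-auth"` in templates/imagepullsecret.cue. The two sides are written independently, so a rename on one side leaves the OCIRepository referencing a secret that does not exist. A comment here, e.g. `// Name must stay in sync with certSecretRef in ocirepository.cue.`, or a shared hidden field in `#Config` would keep them aligned. The inner `if #config.tls.ca != _|_` is also redundant, since `#Instance` only adds `tlssecret` when `tls.ca` is set.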
@@ -0,0 +1,25 @@ +package main + +import ( + templates "timoni.sh/kustomize-oci/templates" +) + +values: templates.#Config + +timoni: { + apiVersion: "v1alpha1" + + instance: templates.#Instance & { + config: values + config: { + metadata: { + name: string @tag(name) + namespace: string @tag(namespace) + } + moduleVersion: string @tag(mv, var=moduleVersion) + kubeVersion: string @tag(kv, var=kubeVersion) + } + } + + apply: all: [for obj in instance.objects {obj}] +} diff --git a/k8s/timoni/kustomize-oci/timoni.ignore b/k8s/timoni/kustomize-oci/timoni.ignore new file mode 100644 index 000000000..0722c3486 --- /dev/null +++ b/k8s/timoni/kustomize-oci/timoni.ignore @@ -0,0 +1,14 @@ +# VCS +.git/ +.gitignore +.gitmodules +.gitattributes + +# Go +vendor/ +go.mod +go.sum + +# CUE +*_tool.cue +debug_values.cue diff --git a/k8s/timoni/kustomize-oci/values.cue b/k8s/timoni/kustomize-oci/values.cue new file mode 100644 index 000000000..17bc0aff9 --- /dev/null +++ b/k8s/timoni/kustomize-oci/values.cue @@ -0,0 +1,3 @@ +package main + +values: {} diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/admission/v1/register_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/admission/v1/register_go_gen.cue new file mode 100644 index 000000000..597f5b0e7 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/admission/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/admission/v1 + +package v1 + +#GroupName: "admission.k8s.io" diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/admission/v1/types_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/admission/v1/types_go_gen.cue new file mode 100644 index 000000000..af26bd060 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/admission/v1/types_go_gen.cue 
@@ -0,0 +1,172 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/admission/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + authenticationv1 "k8s.io/api/authentication/v1" + "k8s.io/apimachinery/pkg/runtime" +) + +// AdmissionReview describes an admission review request/response. +#AdmissionReview: { + metav1.#TypeMeta + + // Request describes the attributes for the admission request. + // +optional + request?: null | #AdmissionRequest @go(Request,*AdmissionRequest) @protobuf(1,bytes,opt) + + // Response describes the attributes for the admission response. + // +optional + response?: null | #AdmissionResponse @go(Response,*AdmissionResponse) @protobuf(2,bytes,opt) +} + +// AdmissionRequest describes the admission.Attributes for the admission request. +#AdmissionRequest: { + // UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are + // otherwise identical (parallel requests, requests when earlier requests did not modify etc) + // The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. + // It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging. 
+ uid: types.#UID @go(UID) @protobuf(1,bytes,opt) + + // Kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale) + kind: metav1.#GroupVersionKind @go(Kind) @protobuf(2,bytes,opt) + + // Resource is the fully-qualified resource being requested (for example, v1.pods) + resource: metav1.#GroupVersionResource @go(Resource) @protobuf(3,bytes,opt) + + // SubResource is the subresource being requested, if any (for example, "status" or "scale") + // +optional + subResource?: string @go(SubResource) @protobuf(4,bytes,opt) + + // RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). + // If this is specified and differs from the value in "kind", an equivalent match and conversion was performed. + // + // For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + // `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + // an API request to apps/v1beta1 deployments would be converted and sent to the webhook + // with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for), + // and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request). + // + // See documentation for the "matchPolicy" field in the webhook configuration type for more details. + // +optional + requestKind?: null | metav1.#GroupVersionKind @go(RequestKind,*metav1.GroupVersionKind) @protobuf(13,bytes,opt) + + // RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). + // If this is specified and differs from the value in "resource", an equivalent match and conversion was performed. 
+ // + // For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + // `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + // an API request to apps/v1beta1 deployments would be converted and sent to the webhook + // with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for), + // and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request). + // + // See documentation for the "matchPolicy" field in the webhook configuration type. + // +optional + requestResource?: null | metav1.#GroupVersionResource @go(RequestResource,*metav1.GroupVersionResource) @protobuf(14,bytes,opt) + + // RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale") + // If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed. + // See documentation for the "matchPolicy" field in the webhook configuration type. + // +optional + requestSubResource?: string @go(RequestSubResource) @protobuf(15,bytes,opt) + + // Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and + // rely on the server to generate the name. If that is the case, this field will contain an empty string. + // +optional + name?: string @go(Name) @protobuf(5,bytes,opt) + + // Namespace is the namespace associated with the request (if any). + // +optional + namespace?: string @go(Namespace) @protobuf(6,bytes,opt) + + // Operation is the operation being performed. This may be different than the operation + // requested. e.g. a patch can result in either a CREATE or UPDATE Operation. 
+ operation: #Operation @go(Operation) @protobuf(7,bytes,opt) + + // UserInfo is information about the requesting user + userInfo: authenticationv1.#UserInfo @go(UserInfo) @protobuf(8,bytes,opt) + + // Object is the object from the incoming request. + // +optional + object?: runtime.#RawExtension @go(Object) @protobuf(9,bytes,opt) + + // OldObject is the existing object. Only populated for DELETE and UPDATE requests. + // +optional + oldObject?: runtime.#RawExtension @go(OldObject) @protobuf(10,bytes,opt) + + // DryRun indicates that modifications will definitely not be persisted for this request. + // Defaults to false. + // +optional + dryRun?: null | bool @go(DryRun,*bool) @protobuf(11,varint,opt) + + // Options is the operation option structure of the operation being performed. + // e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be + // different than the options the caller provided. e.g. for a patch request the performed + // Operation might be a CREATE, in which case the Options will a + // `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`. + // +optional + options?: runtime.#RawExtension @go(Options) @protobuf(12,bytes,opt) +} + +// AdmissionResponse describes an admission response. +#AdmissionResponse: { + // UID is an identifier for the individual request/response. + // This must be copied over from the corresponding AdmissionRequest. + uid: types.#UID @go(UID) @protobuf(1,bytes,opt) + + // Allowed indicates whether or not the admission request was permitted. + allowed: bool @go(Allowed) @protobuf(2,varint,opt) + + // Result contains extra details into why an admission request was denied. + // This field IS NOT consulted in any way if "Allowed" is "true". + // +optional + status?: null | metav1.#Status @go(Result,*metav1.Status) @protobuf(3,bytes,opt) + + // The patch body. Currently we only support "JSONPatch" which implements RFC 6902. 
+ // +optional + patch?: bytes @go(Patch,[]byte) @protobuf(4,bytes,opt) + + // The type of Patch. Currently we only allow "JSONPatch". + // +optional + patchType?: null | #PatchType @go(PatchType,*PatchType) @protobuf(5,bytes,opt) + + // AuditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted). + // MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with + // admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by + // the admission webhook to add additional context to the audit log for this request. + // +optional + auditAnnotations?: {[string]: string} @go(AuditAnnotations,map[string]string) @protobuf(6,bytes,opt) + + // warnings is a list of warning messages to return to the requesting API client. + // Warning messages describe a problem the client making the API request should correct or be aware of. + // Limit warnings to 120 characters if possible. + // Warnings over 256 characters and large numbers of warnings may be truncated. + // +optional + warnings?: [...string] @go(Warnings,[]string) @protobuf(7,bytes,rep) +} + +// PatchType is the type of patch being used to represent the mutated object +#PatchType: string // #enumPatchType + +#enumPatchType: + #PatchTypeJSONPatch + +#PatchTypeJSONPatch: #PatchType & "JSONPatch" + +// Operation is the type of resource operation being checked for admission control +#Operation: string // #enumOperation + +#enumOperation: + #Create | + #Update | + #Delete | + #Connect + +#Create: #Operation & "CREATE" +#Update: #Operation & "UPDATE" +#Delete: #Operation & "DELETE" +#Connect: #Operation & "CONNECT" diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/admissionregistration/v1/doc_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/admissionregistration/v1/doc_go_gen.cue new file mode 100644 index 000000000..5d30100e9 --- /dev/null 
+++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/admissionregistration/v1/doc_go_gen.cue @@ -0,0 +1,9 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/admissionregistration/v1 + +// Package v1 is the v1 version of the API. +// AdmissionConfiguration and AdmissionPluginConfiguration are legacy static admission plugin configuration +// MutatingWebhookConfiguration and ValidatingWebhookConfiguration are for the +// new dynamic admission controller configuration. +package v1 diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/admissionregistration/v1/register_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/admissionregistration/v1/register_go_gen.cue new file mode 100644 index 000000000..93348e918 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/admissionregistration/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/admissionregistration/v1 + +package v1 + +#GroupName: "admissionregistration.k8s.io" diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/admissionregistration/v1/types_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/admissionregistration/v1/types_go_gen.cue new file mode 100644 index 000000000..7038db05a --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/admissionregistration/v1/types_go_gen.cue 
@@ -0,0 +1,645 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/admissionregistration/v1 + +package v1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// Rule is a tuple of APIGroups, APIVersion, and Resources.It is recommended +// to make sure that all the tuple expansions are valid. +#Rule: { + // APIGroups is the API groups the resources belong to. '*' is all groups. + // If '*' is present, the length of the slice must be one. + // Required. + // +listType=atomic + apiGroups?: [...string] @go(APIGroups,[]string) @protobuf(1,bytes,rep) + + // APIVersions is the API versions the resources belong to. '*' is all versions. + // If '*' is present, the length of the slice must be one. + // Required. + // +listType=atomic + apiVersions?: [...string] @go(APIVersions,[]string) @protobuf(2,bytes,rep) + + // Resources is a list of resources this rule applies to. + // + // For example: + // 'pods' means pods. + // 'pods/log' means the log subresource of pods. + // '*' means all resources, but not subresources. + // 'pods/*' means all subresources of pods. + // '*/scale' means all scale subresources. + // '*/*' means all resources and their subresources. + // + // If wildcard is present, the validation rule will ensure resources do not + // overlap with each other. + // + // Depending on the enclosing object, subresources might not be allowed. + // Required. + // +listType=atomic + resources?: [...string] @go(Resources,[]string) @protobuf(3,bytes,rep) + + // scope specifies the scope of this rule. + // Valid values are "Cluster", "Namespaced", and "*" + // "Cluster" means that only cluster-scoped resources will match this rule. + // Namespace API objects are cluster-scoped. + // "Namespaced" means that only namespaced resources will match this rule. + // "*" means that there are no scope restrictions. + // Subresources match the scope of their parent resource. + // Default is "*". 
+ // + // +optional + scope?: null | #ScopeType @go(Scope,*ScopeType) @protobuf(4,bytes,rep) +} + +// ScopeType specifies a scope for a Rule. +// +enum +#ScopeType: string // #enumScopeType + +#enumScopeType: + #ClusterScope | + #NamespacedScope | + #AllScopes + +// ClusterScope means that scope is limited to cluster-scoped objects. +// Namespace objects are cluster-scoped. +#ClusterScope: #ScopeType & "Cluster" + +// NamespacedScope means that scope is limited to namespaced objects. +#NamespacedScope: #ScopeType & "Namespaced" + +// AllScopes means that all scopes are included. +#AllScopes: #ScopeType & "*" + +// FailurePolicyType specifies a failure policy that defines how unrecognized errors from the admission endpoint are handled. +// +enum +#FailurePolicyType: string // #enumFailurePolicyType + +#enumFailurePolicyType: + #Ignore | + #Fail + +// Ignore means that an error calling the webhook is ignored. +#Ignore: #FailurePolicyType & "Ignore" + +// Fail means that an error calling the webhook causes the admission to fail. +#Fail: #FailurePolicyType & "Fail" + +// MatchPolicyType specifies the type of match policy. +// +enum +#MatchPolicyType: string // #enumMatchPolicyType + +#enumMatchPolicyType: + #Exact | + #Equivalent + +// Exact means requests should only be sent to the webhook if they exactly match a given rule. +#Exact: #MatchPolicyType & "Exact" + +// Equivalent means requests should be sent to the webhook if they modify a resource listed in rules via another API group or version. +#Equivalent: #MatchPolicyType & "Equivalent" + +// SideEffectClass specifies the types of side effects a webhook may have. +// +enum +#SideEffectClass: string // #enumSideEffectClass + +#enumSideEffectClass: + #SideEffectClassUnknown | + #SideEffectClassNone | + #SideEffectClassSome | + #SideEffectClassNoneOnDryRun + +// SideEffectClassUnknown means that no information is known about the side effects of calling the webhook. 
+// If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail. +#SideEffectClassUnknown: #SideEffectClass & "Unknown" + +// SideEffectClassNone means that calling the webhook will have no side effects. +#SideEffectClassNone: #SideEffectClass & "None" + +// SideEffectClassSome means that calling the webhook will possibly have side effects. +// If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail. +#SideEffectClassSome: #SideEffectClass & "Some" + +// SideEffectClassNoneOnDryRun means that calling the webhook will possibly have side effects, but if the +// request being reviewed has the dry-run attribute, the side effects will be suppressed. +#SideEffectClassNoneOnDryRun: #SideEffectClass & "NoneOnDryRun" + +// ValidatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and object without changing it. +#ValidatingWebhookConfiguration: { + metav1.#TypeMeta + + // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata. + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Webhooks is a list of webhooks and the affected resources and operations. + // +optional + // +patchMergeKey=name + // +patchStrategy=merge + webhooks?: [...#ValidatingWebhook] @go(Webhooks,[]ValidatingWebhook) @protobuf(2,bytes,rep,name=Webhooks) +} + +// ValidatingWebhookConfigurationList is a list of ValidatingWebhookConfiguration. +#ValidatingWebhookConfigurationList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of ValidatingWebhookConfiguration. 
+ items: [...#ValidatingWebhookConfiguration] @go(Items,[]ValidatingWebhookConfiguration) @protobuf(2,bytes,rep) +} + +// MutatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and may change the object. +#MutatingWebhookConfiguration: { + metav1.#TypeMeta + + // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata. + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Webhooks is a list of webhooks and the affected resources and operations. + // +optional + // +patchMergeKey=name + // +patchStrategy=merge + webhooks?: [...#MutatingWebhook] @go(Webhooks,[]MutatingWebhook) @protobuf(2,bytes,rep,name=Webhooks) +} + +// MutatingWebhookConfigurationList is a list of MutatingWebhookConfiguration. +#MutatingWebhookConfigurationList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of MutatingWebhookConfiguration. + items: [...#MutatingWebhookConfiguration] @go(Items,[]MutatingWebhookConfiguration) @protobuf(2,bytes,rep) +} + +// ValidatingWebhook describes an admission webhook and the resources and operations it applies to. +#ValidatingWebhook: { + // The name of the admission webhook. + // Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where + // "imagepolicy" is the name of the webhook, and kubernetes.io is the name + // of the organization. + // Required. + name: string @go(Name) @protobuf(1,bytes,opt) + + // ClientConfig defines how to communicate with the hook. + // Required + clientConfig: #WebhookClientConfig @go(ClientConfig) @protobuf(2,bytes,opt) + + // Rules describes what operations on what resources/subresources the webhook cares about. 
+ // The webhook cares about an operation if it matches _any_ Rule. + // However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks + // from putting the cluster in a state which cannot be recovered from without completely + // disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called + // on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects. + rules?: [...#RuleWithOperations] @go(Rules,[]RuleWithOperations) @protobuf(3,bytes,rep) + + // FailurePolicy defines how unrecognized errors from the admission endpoint are handled - + // allowed values are Ignore or Fail. Defaults to Fail. + // +optional + failurePolicy?: null | #FailurePolicyType @go(FailurePolicy,*FailurePolicyType) @protobuf(4,bytes,opt,casttype=FailurePolicyType) + + // matchPolicy defines how the "rules" list is used to match incoming requests. + // Allowed values are "Exact" or "Equivalent". + // + // - Exact: match a request only if it exactly matches a specified rule. + // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + // but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + // a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. + // + // - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. + // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + // and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + // a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. 
+ // + // Defaults to "Equivalent" + // +optional + matchPolicy?: null | #MatchPolicyType @go(MatchPolicy,*MatchPolicyType) @protobuf(9,bytes,opt,casttype=MatchPolicyType) + + // NamespaceSelector decides whether to run the webhook on an object based + // on whether the namespace for that object matches the selector. If the + // object itself is a namespace, the matching is performed on + // object.metadata.labels. If the object is another cluster scoped resource, + // it never skips the webhook. + // + // For example, to run the webhook on any objects whose namespace is not + // associated with "runlevel" of "0" or "1"; you will set the selector as + // follows: + // "namespaceSelector": { + // "matchExpressions": [ + // { + // "key": "runlevel", + // "operator": "NotIn", + // "values": [ + // "0", + // "1" + // ] + // } + // ] + // } + // + // If instead you want to only run the webhook on any objects whose + // namespace is associated with the "environment" of "prod" or "staging"; + // you will set the selector as follows: + // "namespaceSelector": { + // "matchExpressions": [ + // { + // "key": "environment", + // "operator": "In", + // "values": [ + // "prod", + // "staging" + // ] + // } + // ] + // } + // + // See + // https://kubernetes.io/docs/concepts/overview/working-with-objects/labels + // for more examples of label selectors. + // + // Default to the empty LabelSelector, which matches everything. + // +optional + namespaceSelector?: null | metav1.#LabelSelector @go(NamespaceSelector,*metav1.LabelSelector) @protobuf(5,bytes,opt) + + // ObjectSelector decides whether to run the webhook based on if the + // object has matching labels. objectSelector is evaluated against both + // the oldObject and newObject that would be sent to the webhook, and + // is considered to match if either object matches the selector. 
A null + // object (oldObject in the case of create, or newObject in the case of + // delete) or an object that cannot have labels (like a + // DeploymentRollback or a PodProxyOptions object) is not considered to + // match. + // Use the object selector only if the webhook is opt-in, because end + // users may skip the admission webhook by setting the labels. + // Default to the empty LabelSelector, which matches everything. + // +optional + objectSelector?: null | metav1.#LabelSelector @go(ObjectSelector,*metav1.LabelSelector) @protobuf(10,bytes,opt) + + // SideEffects states whether this webhook has side effects. + // Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). + // Webhooks with side effects MUST implement a reconciliation system, since a request may be + // rejected by a future step in the admission chain and the side effects therefore need to be undone. + // Requests with the dryRun attribute will be auto-rejected if they match a webhook with + // sideEffects == Unknown or Some. + sideEffects?: null | #SideEffectClass @go(SideEffects,*SideEffectClass) @protobuf(6,bytes,opt,casttype=SideEffectClass) + + // TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, + // the webhook call will be ignored or the API call will fail based on the + // failure policy. + // The timeout value must be between 1 and 30 seconds. + // Default to 10 seconds. + // +optional + timeoutSeconds?: null | int32 @go(TimeoutSeconds,*int32) @protobuf(7,varint,opt) + + // AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` + // versions the Webhook expects. API server will try to use first version in + // the list which it supports. If none of the versions specified in this list + // supported by API server, validation will fail for this object. 
+ // If a persisted webhook configuration specifies allowed versions and does not + // include any versions known to the API Server, calls to the webhook will fail + // and be subject to the failure policy. + admissionReviewVersions: [...string] @go(AdmissionReviewVersions,[]string) @protobuf(8,bytes,rep) + + // MatchConditions is a list of conditions that must be met for a request to be sent to this + // webhook. Match conditions filter requests that have already been matched by the rules, + // namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. + // There are a maximum of 64 match conditions allowed. + // + // The exact matching logic is (in order): + // 1. If ANY matchCondition evaluates to FALSE, the webhook is skipped. + // 2. If ALL matchConditions evaluate to TRUE, the webhook is called. + // 3. If any matchCondition evaluates to an error (but none are FALSE): + // - If failurePolicy=Fail, reject the request + // - If failurePolicy=Ignore, the error is ignored and the webhook is skipped + // + // This is a beta feature and managed by the AdmissionWebhookMatchConditions feature gate. + // + // +patchMergeKey=name + // +patchStrategy=merge + // +listType=map + // +listMapKey=name + // +featureGate=AdmissionWebhookMatchConditions + // +optional + matchConditions?: [...#MatchCondition] @go(MatchConditions,[]MatchCondition) @protobuf(11,bytes,opt) +} + +// MutatingWebhook describes an admission webhook and the resources and operations it applies to. +#MutatingWebhook: { + // The name of the admission webhook. + // Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where + // "imagepolicy" is the name of the webhook, and kubernetes.io is the name + // of the organization. + // Required. + name: string @go(Name) @protobuf(1,bytes,opt) + + // ClientConfig defines how to communicate with the hook. 
+ // Required + clientConfig: #WebhookClientConfig @go(ClientConfig) @protobuf(2,bytes,opt) + + // Rules describes what operations on what resources/subresources the webhook cares about. + // The webhook cares about an operation if it matches _any_ Rule. + // However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks + // from putting the cluster in a state which cannot be recovered from without completely + // disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called + // on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects. + rules?: [...#RuleWithOperations] @go(Rules,[]RuleWithOperations) @protobuf(3,bytes,rep) + + // FailurePolicy defines how unrecognized errors from the admission endpoint are handled - + // allowed values are Ignore or Fail. Defaults to Fail. + // +optional + failurePolicy?: null | #FailurePolicyType @go(FailurePolicy,*FailurePolicyType) @protobuf(4,bytes,opt,casttype=FailurePolicyType) + + // matchPolicy defines how the "rules" list is used to match incoming requests. + // Allowed values are "Exact" or "Equivalent". + // + // - Exact: match a request only if it exactly matches a specified rule. + // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + // but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + // a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. + // + // - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. + // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + // and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + // a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. 
+ // + // Defaults to "Equivalent" + // +optional + matchPolicy?: null | #MatchPolicyType @go(MatchPolicy,*MatchPolicyType) @protobuf(9,bytes,opt,casttype=MatchPolicyType) + + // NamespaceSelector decides whether to run the webhook on an object based + // on whether the namespace for that object matches the selector. If the + // object itself is a namespace, the matching is performed on + // object.metadata.labels. If the object is another cluster scoped resource, + // it never skips the webhook. + // + // For example, to run the webhook on any objects whose namespace is not + // associated with "runlevel" of "0" or "1"; you will set the selector as + // follows: + // "namespaceSelector": { + // "matchExpressions": [ + // { + // "key": "runlevel", + // "operator": "NotIn", + // "values": [ + // "0", + // "1" + // ] + // } + // ] + // } + // + // If instead you want to only run the webhook on any objects whose + // namespace is associated with the "environment" of "prod" or "staging"; + // you will set the selector as follows: + // "namespaceSelector": { + // "matchExpressions": [ + // { + // "key": "environment", + // "operator": "In", + // "values": [ + // "prod", + // "staging" + // ] + // } + // ] + // } + // + // See + // https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + // for more examples of label selectors. + // + // Default to the empty LabelSelector, which matches everything. + // +optional + namespaceSelector?: null | metav1.#LabelSelector @go(NamespaceSelector,*metav1.LabelSelector) @protobuf(5,bytes,opt) + + // ObjectSelector decides whether to run the webhook based on if the + // object has matching labels. objectSelector is evaluated against both + // the oldObject and newObject that would be sent to the webhook, and + // is considered to match if either object matches the selector. 
A null + // object (oldObject in the case of create, or newObject in the case of + // delete) or an object that cannot have labels (like a + // DeploymentRollback or a PodProxyOptions object) is not considered to + // match. + // Use the object selector only if the webhook is opt-in, because end + // users may skip the admission webhook by setting the labels. + // Default to the empty LabelSelector, which matches everything. + // +optional + objectSelector?: null | metav1.#LabelSelector @go(ObjectSelector,*metav1.LabelSelector) @protobuf(11,bytes,opt) + + // SideEffects states whether this webhook has side effects. + // Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). + // Webhooks with side effects MUST implement a reconciliation system, since a request may be + // rejected by a future step in the admission chain and the side effects therefore need to be undone. + // Requests with the dryRun attribute will be auto-rejected if they match a webhook with + // sideEffects == Unknown or Some. + sideEffects?: null | #SideEffectClass @go(SideEffects,*SideEffectClass) @protobuf(6,bytes,opt,casttype=SideEffectClass) + + // TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, + // the webhook call will be ignored or the API call will fail based on the + // failure policy. + // The timeout value must be between 1 and 30 seconds. + // Default to 10 seconds. + // +optional + timeoutSeconds?: null | int32 @go(TimeoutSeconds,*int32) @protobuf(7,varint,opt) + + // AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` + // versions the Webhook expects. API server will try to use first version in + // the list which it supports. If none of the versions specified in this list + // supported by API server, validation will fail for this object. 
+ // If a persisted webhook configuration specifies allowed versions and does not + // include any versions known to the API Server, calls to the webhook will fail + // and be subject to the failure policy. + admissionReviewVersions: [...string] @go(AdmissionReviewVersions,[]string) @protobuf(8,bytes,rep) + + // reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. + // Allowed values are "Never" and "IfNeeded". + // + // Never: the webhook will not be called more than once in a single admission evaluation. + // + // IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation + // if the object being admitted is modified by other admission plugins after the initial webhook call. + // Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted. + // Note: + // * the number of additional invocations is not guaranteed to be exactly one. + // * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again. + // * webhooks that use this option may be reordered to minimize the number of additional invocations. + // * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead. + // + // Defaults to "Never". + // +optional + reinvocationPolicy?: null | #ReinvocationPolicyType @go(ReinvocationPolicy,*ReinvocationPolicyType) @protobuf(10,bytes,opt,casttype=ReinvocationPolicyType) + + // MatchConditions is a list of conditions that must be met for a request to be sent to this + // webhook. Match conditions filter requests that have already been matched by the rules, + // namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. + // There are a maximum of 64 match conditions allowed. + // + // The exact matching logic is (in order): + // 1. 
If ANY matchCondition evaluates to FALSE, the webhook is skipped. + // 2. If ALL matchConditions evaluate to TRUE, the webhook is called. + // 3. If any matchCondition evaluates to an error (but none are FALSE): + // - If failurePolicy=Fail, reject the request + // - If failurePolicy=Ignore, the error is ignored and the webhook is skipped + // + // This is a beta feature and managed by the AdmissionWebhookMatchConditions feature gate. + // + // +patchMergeKey=name + // +patchStrategy=merge + // +listType=map + // +listMapKey=name + // +featureGate=AdmissionWebhookMatchConditions + // +optional + matchConditions?: [...#MatchCondition] @go(MatchConditions,[]MatchCondition) @protobuf(12,bytes,opt) +} + +// ReinvocationPolicyType specifies what type of policy the admission hook uses. +// +enum +#ReinvocationPolicyType: string // #enumReinvocationPolicyType + +#enumReinvocationPolicyType: + #NeverReinvocationPolicy | + #IfNeededReinvocationPolicy + +// NeverReinvocationPolicy indicates that the webhook must not be called more than once in a +// single admission evaluation. +#NeverReinvocationPolicy: #ReinvocationPolicyType & "Never" + +// IfNeededReinvocationPolicy indicates that the webhook may be called at least one +// additional time as part of the admission evaluation if the object being admitted is +// modified by other admission plugins after the initial webhook call. +#IfNeededReinvocationPolicy: #ReinvocationPolicyType & "IfNeeded" + +// RuleWithOperations is a tuple of Operations and Resources. It is recommended to make +// sure that all the tuple expansions are valid. +#RuleWithOperations: { + // Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * + // for all of those operations and any future admission operations that are added. + // If '*' is present, the length of the slice must be one. + // Required. 
+ // +listType=atomic + operations?: [...#OperationType] @go(Operations,[]OperationType) @protobuf(1,bytes,rep,casttype=OperationType) + + #Rule +} + +// OperationType specifies an operation for a request. +// +enum +#OperationType: string // #enumOperationType + +#enumOperationType: + #OperationAll | + #Create | + #Update | + #Delete | + #Connect + +#OperationAll: #OperationType & "*" +#Create: #OperationType & "CREATE" +#Update: #OperationType & "UPDATE" +#Delete: #OperationType & "DELETE" +#Connect: #OperationType & "CONNECT" + +// WebhookClientConfig contains the information to make a TLS +// connection with the webhook +#WebhookClientConfig: { + // `url` gives the location of the webhook, in standard URL form + // (`scheme://host:port/path`). Exactly one of `url` or `service` + // must be specified. + // + // The `host` should not refer to a service running in the cluster; use + // the `service` field instead. The host might be resolved via external + // DNS in some apiservers (e.g., `kube-apiserver` cannot resolve + // in-cluster DNS as that would be a layering violation). `host` may + // also be an IP address. + // + // Please note that using `localhost` or `127.0.0.1` as a `host` is + // risky unless you take great care to run this webhook on all hosts + // which run an apiserver which might need to make calls to this + // webhook. Such installs are likely to be non-portable, i.e., not easy + // to turn up in a new cluster. + // + // The scheme must be "https"; the URL must begin with "https://". + // + // A path is optional, and if present may be any string permissible in + // a URL. You may use the path to pass an arbitrary string to the + // webhook, for example, a cluster identifier. + // + // Attempting to use a user or basic auth e.g. "user:password@" is not + // allowed. Fragments ("#...") and query parameters ("?...") are not + // allowed, either. 
+ // + // +optional + url?: null | string @go(URL,*string) @protobuf(3,bytes,opt) + + // `service` is a reference to the service for this webhook. Either + // `service` or `url` must be specified. + // + // If the webhook is running within the cluster, then you should use `service`. + // + // +optional + service?: null | #ServiceReference @go(Service,*ServiceReference) @protobuf(1,bytes,opt) + + // `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. + // If unspecified, system trust roots on the apiserver are used. + // +optional + caBundle?: bytes @go(CABundle,[]byte) @protobuf(2,bytes,opt) +} + +// ServiceReference holds a reference to Service.legacy.k8s.io +#ServiceReference: { + // `namespace` is the namespace of the service. + // Required + namespace: string @go(Namespace) @protobuf(1,bytes,opt) + + // `name` is the name of the service. + // Required + name: string @go(Name) @protobuf(2,bytes,opt) + + // `path` is an optional URL path which will be sent in any request to + // this service. + // +optional + path?: null | string @go(Path,*string) @protobuf(3,bytes,opt) + + // If specified, the port on the service that hosting webhook. + // Default to 443 for backward compatibility. + // `port` should be a valid port number (1-65535, inclusive). + // +optional + port?: null | int32 @go(Port,*int32) @protobuf(4,varint,opt) +} + +// MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. +#MatchCondition: { + // Name is an identifier for this match condition, used for strategic merging of MatchConditions, + // as well as providing an identifier for logging purposes. A good name should be descriptive of + // the associated expression. + // Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + // must start and end with an alphanumeric character (e.g. 
'MyName', or 'my.name', or + // '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + // optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + // + // Required. + name: string @go(Name) @protobuf(1,bytes,opt) + + // Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + // CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + // + // 'object' - The object from the incoming request. The value is null for DELETE requests. + // 'oldObject' - The existing object. The value is null for CREATE requests. + // 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + // 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + // 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + // request resource. + // Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + // + // Required. + expression: string @go(Expression) @protobuf(2,bytes,opt) +} diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/apps/v1/register_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/apps/v1/register_go_gen.cue new file mode 100644 index 000000000..c2497a513 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/apps/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/apps/v1 + +package v1 + +#GroupName: "apps" diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/apps/v1/types_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/apps/v1/types_go_gen.cue new file mode 100644 index 000000000..d3ecc8345 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/apps/v1/types_go_gen.cue 
@@ -0,0 +1,946 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/apps/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/intstr" + "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/runtime" +) + +#ControllerRevisionHashLabelKey: "controller-revision-hash" +#StatefulSetRevisionLabel: "controller-revision-hash" +#DeprecatedRollbackTo: "deprecated.deployment.rollback.to" +#DeprecatedTemplateGeneration: "deprecated.daemonset.template.generation" +#StatefulSetPodNameLabel: "statefulset.kubernetes.io/pod-name" +#PodIndexLabel: "apps.kubernetes.io/pod-index" + +// StatefulSet represents a set of pods with consistent identities. +// Identities are defined as: +// - Network: A single stable DNS and hostname. +// - Storage: As many VolumeClaims as requested. +// +// The StatefulSet guarantees that a given network identity will always +// map to the same storage identity. +#StatefulSet: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec defines the desired identities of pods in this set. + // +optional + spec?: #StatefulSetSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status is the current status of Pods in this StatefulSet. This data + // may be out of date by some window of time. + // +optional + status?: #StatefulSetStatus @go(Status) @protobuf(3,bytes,opt) +} + +// PodManagementPolicyType defines the policy for creating pods under a stateful set. 
+// +enum +#PodManagementPolicyType: string // #enumPodManagementPolicyType + +#enumPodManagementPolicyType: + #OrderedReadyPodManagement | + #ParallelPodManagement + +// OrderedReadyPodManagement will create pods in strictly increasing order on +// scale up and strictly decreasing order on scale down, progressing only when +// the previous pod is ready or terminated. At most one pod will be changed +// at any time. +#OrderedReadyPodManagement: #PodManagementPolicyType & "OrderedReady" + +// ParallelPodManagement will create and delete pods as soon as the stateful set +// replica count is changed, and will not wait for pods to be ready or complete +// termination. +#ParallelPodManagement: #PodManagementPolicyType & "Parallel" + +// StatefulSetUpdateStrategy indicates the strategy that the StatefulSet +// controller will use to perform updates. It includes any additional parameters +// necessary to perform the update for the indicated strategy. +#StatefulSetUpdateStrategy: { + // Type indicates the type of the StatefulSetUpdateStrategy. + // Default is RollingUpdate. + // +optional + type?: #StatefulSetUpdateStrategyType @go(Type) @protobuf(1,bytes,opt,casttype=StatefulSetStrategyType) + + // RollingUpdate is used to communicate parameters when Type is RollingUpdateStatefulSetStrategyType. + // +optional + rollingUpdate?: null | #RollingUpdateStatefulSetStrategy @go(RollingUpdate,*RollingUpdateStatefulSetStrategy) @protobuf(2,bytes,opt) +} + +// StatefulSetUpdateStrategyType is a string enumeration type that enumerates +// all possible update strategies for the StatefulSet controller. +// +enum +#StatefulSetUpdateStrategyType: string // #enumStatefulSetUpdateStrategyType + +#enumStatefulSetUpdateStrategyType: + #RollingUpdateStatefulSetStrategyType | + #OnDeleteStatefulSetStrategyType + +// RollingUpdateStatefulSetStrategyType indicates that update will be +// applied to all Pods in the StatefulSet with respect to the StatefulSet +// ordering constraints. 
When a scale operation is performed with this +// strategy, new Pods will be created from the specification version indicated +// by the StatefulSet's updateRevision. +#RollingUpdateStatefulSetStrategyType: #StatefulSetUpdateStrategyType & "RollingUpdate" + +// OnDeleteStatefulSetStrategyType triggers the legacy behavior. Version +// tracking and ordered rolling restarts are disabled. Pods are recreated +// from the StatefulSetSpec when they are manually deleted. When a scale +// operation is performed with this strategy,specification version indicated +// by the StatefulSet's currentRevision. +#OnDeleteStatefulSetStrategyType: #StatefulSetUpdateStrategyType & "OnDelete" + +// RollingUpdateStatefulSetStrategy is used to communicate parameter for RollingUpdateStatefulSetStrategyType. +#RollingUpdateStatefulSetStrategy: { + // Partition indicates the ordinal at which the StatefulSet should be partitioned + // for updates. During a rolling update, all pods from ordinal Replicas-1 to + // Partition are updated. All pods from ordinal Partition-1 to 0 remain untouched. + // This is helpful in being able to do a canary based deployment. The default value is 0. + // +optional + partition?: null | int32 @go(Partition,*int32) @protobuf(1,varint,opt) + + // The maximum number of pods that can be unavailable during the update. + // Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + // Absolute number is calculated from percentage by rounding up. This can not be 0. + // Defaults to 1. This field is alpha-level and is only honored by servers that enable the + // MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to + // Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it + // will be counted towards MaxUnavailable. 
+ // +optional + maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(2,varint,opt) +} + +// PersistentVolumeClaimRetentionPolicyType is a string enumeration of the policies that will determine +// when volumes from the VolumeClaimTemplates will be deleted when the controlling StatefulSet is +// deleted or scaled down. +#PersistentVolumeClaimRetentionPolicyType: string // #enumPersistentVolumeClaimRetentionPolicyType + +#enumPersistentVolumeClaimRetentionPolicyType: + #RetainPersistentVolumeClaimRetentionPolicyType | + #DeletePersistentVolumeClaimRetentionPolicyType + +// RetainPersistentVolumeClaimRetentionPolicyType is the default +// PersistentVolumeClaimRetentionPolicy and specifies that +// PersistentVolumeClaims associated with StatefulSet VolumeClaimTemplates +// will not be deleted. +#RetainPersistentVolumeClaimRetentionPolicyType: #PersistentVolumeClaimRetentionPolicyType & "Retain" + +// RetentionPersistentVolumeClaimRetentionPolicyType specifies that +// PersistentVolumeClaims associated with StatefulSet VolumeClaimTemplates +// will be deleted in the scenario specified in +// StatefulSetPersistentVolumeClaimRetentionPolicy. +#DeletePersistentVolumeClaimRetentionPolicyType: #PersistentVolumeClaimRetentionPolicyType & "Delete" + +// StatefulSetPersistentVolumeClaimRetentionPolicy describes the policy used for PVCs +// created from the StatefulSet VolumeClaimTemplates. +#StatefulSetPersistentVolumeClaimRetentionPolicy: { + // WhenDeleted specifies what happens to PVCs created from StatefulSet + // VolumeClaimTemplates when the StatefulSet is deleted. The default policy + // of `Retain` causes PVCs to not be affected by StatefulSet deletion. The + // `Delete` policy causes those PVCs to be deleted. 
+ whenDeleted?: #PersistentVolumeClaimRetentionPolicyType @go(WhenDeleted) @protobuf(1,bytes,opt,casttype=PersistentVolumeClaimRetentionPolicyType) + + // WhenScaled specifies what happens to PVCs created from StatefulSet + // VolumeClaimTemplates when the StatefulSet is scaled down. The default + // policy of `Retain` causes PVCs to not be affected by a scaledown. The + // `Delete` policy causes the associated PVCs for any excess pods above + // the replica count to be deleted. + whenScaled?: #PersistentVolumeClaimRetentionPolicyType @go(WhenScaled) @protobuf(2,bytes,opt,casttype=PersistentVolumeClaimRetentionPolicyType) +} + +// StatefulSetOrdinals describes the policy used for replica ordinal assignment +// in this StatefulSet. +#StatefulSetOrdinals: { + // start is the number representing the first replica's index. It may be used + // to number replicas from an alternate index (eg: 1-indexed) over the default + // 0-indexed names, or to orchestrate progressive movement of replicas from + // one StatefulSet to another. + // If set, replica indices will be in the range: + // [.spec.ordinals.start, .spec.ordinals.start + .spec.replicas). + // If unset, defaults to 0. Replica indices will be in the range: + // [0, .spec.replicas). + // +optional + start: int32 @go(Start) @protobuf(1,varint,opt) +} + +// A StatefulSetSpec is the specification of a StatefulSet. +#StatefulSetSpec: { + // replicas is the desired number of replicas of the given Template. + // These are replicas in the sense that they are instantiations of the + // same Template, but individual replicas also have a consistent identity. + // If unspecified, defaults to 1. + // TODO: Consider a rename of this field. + // +optional + replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt) + + // selector is a label query over pods that should match the replica count. + // It must match the pod template's labels. 
+ // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt) + + // template is the object that describes the pod that will be created if + // insufficient replicas are detected. Each pod stamped out by the StatefulSet + // will fulfill this Template, but have a unique identity from the rest + // of the StatefulSet. Each pod will be named with the format + // -. For example, a pod in a StatefulSet named + // "web" with index number "3" would be named "web-3". + // The only allowed template.spec.restartPolicy value is "Always". + template: v1.#PodTemplateSpec @go(Template) @protobuf(3,bytes,opt) + + // volumeClaimTemplates is a list of claims that pods are allowed to reference. + // The StatefulSet controller is responsible for mapping network identities to + // claims in a way that maintains the identity of a pod. Every claim in + // this list must have at least one matching (by name) volumeMount in one + // container in the template. A claim in this list takes precedence over + // any volumes in the template, with the same name. + // TODO: Define the behavior if a claim already exists with the same name. + // +optional + volumeClaimTemplates?: [...v1.#PersistentVolumeClaim] @go(VolumeClaimTemplates,[]v1.PersistentVolumeClaim) @protobuf(4,bytes,rep) + + // serviceName is the name of the service that governs this StatefulSet. + // This service must exist before the StatefulSet, and is responsible for + // the network identity of the set. Pods get DNS/hostnames that follow the + // pattern: pod-specific-string.serviceName.default.svc.cluster.local + // where "pod-specific-string" is managed by the StatefulSet controller. + serviceName: string @go(ServiceName) @protobuf(5,bytes,opt) + + // podManagementPolicy controls how pods are created during initial scale up, + // when replacing pods on nodes, or when scaling down. 
The default policy is + // `OrderedReady`, where pods are created in increasing order (pod-0, then + // pod-1, etc) and the controller will wait until each pod is ready before + // continuing. When scaling down, the pods are removed in the opposite order. + // The alternative policy is `Parallel` which will create pods in parallel + // to match the desired scale without waiting, and on scale down will delete + // all pods at once. + // +optional + podManagementPolicy?: #PodManagementPolicyType @go(PodManagementPolicy) @protobuf(6,bytes,opt,casttype=PodManagementPolicyType) + + // updateStrategy indicates the StatefulSetUpdateStrategy that will be + // employed to update Pods in the StatefulSet when a revision is made to + // Template. + updateStrategy?: #StatefulSetUpdateStrategy @go(UpdateStrategy) @protobuf(7,bytes,opt) + + // revisionHistoryLimit is the maximum number of revisions that will + // be maintained in the StatefulSet's revision history. The revision history + // consists of all revisions not represented by a currently applied + // StatefulSetSpec version. The default value is 10. + revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32) @protobuf(8,varint,opt) + + // Minimum number of seconds for which a newly created pod should be ready + // without any of its container crashing for it to be considered available. + // Defaults to 0 (pod will be considered available as soon as it is ready) + // +optional + minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(9,varint,opt) + + // persistentVolumeClaimRetentionPolicy describes the lifecycle of persistent + // volume claims created from volumeClaimTemplates. By default, all persistent + // volume claims are created as needed and retained until manually deleted. This + // policy allows the lifecycle to be altered, for example by deleting persistent + // volume claims when their stateful set is deleted, or when their pod is scaled + // down. 
This requires the StatefulSetAutoDeletePVC feature gate to be enabled, + // which is alpha. +optional + persistentVolumeClaimRetentionPolicy?: null | #StatefulSetPersistentVolumeClaimRetentionPolicy @go(PersistentVolumeClaimRetentionPolicy,*StatefulSetPersistentVolumeClaimRetentionPolicy) @protobuf(10,bytes,opt) + + // ordinals controls the numbering of replica indices in a StatefulSet. The + // default ordinals behavior assigns a "0" index to the first replica and + // increments the index by one for each additional replica requested. Using + // the ordinals field requires the StatefulSetStartOrdinal feature gate to be + // enabled, which is beta. + // +optional + ordinals?: null | #StatefulSetOrdinals @go(Ordinals,*StatefulSetOrdinals) @protobuf(11,bytes,opt) +} + +// StatefulSetStatus represents the current state of a StatefulSet. +#StatefulSetStatus: { + // observedGeneration is the most recent generation observed for this StatefulSet. It corresponds to the + // StatefulSet's generation, which is updated on mutation by the API Server. + // +optional + observedGeneration?: int64 @go(ObservedGeneration) @protobuf(1,varint,opt) + + // replicas is the number of Pods created by the StatefulSet controller. + replicas: int32 @go(Replicas) @protobuf(2,varint,opt) + + // readyReplicas is the number of pods created for this StatefulSet with a Ready Condition. + readyReplicas?: int32 @go(ReadyReplicas) @protobuf(3,varint,opt) + + // currentReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version + // indicated by currentRevision. + currentReplicas?: int32 @go(CurrentReplicas) @protobuf(4,varint,opt) + + // updatedReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version + // indicated by updateRevision. 
+ updatedReplicas?: int32 @go(UpdatedReplicas) @protobuf(5,varint,opt) + + // currentRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the + // sequence [0,currentReplicas). + currentRevision?: string @go(CurrentRevision) @protobuf(6,bytes,opt) + + // updateRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the sequence + // [replicas-updatedReplicas,replicas) + updateRevision?: string @go(UpdateRevision) @protobuf(7,bytes,opt) + + // collisionCount is the count of hash collisions for the StatefulSet. The StatefulSet controller + // uses this field as a collision avoidance mechanism when it needs to create the name for the + // newest ControllerRevision. + // +optional + collisionCount?: null | int32 @go(CollisionCount,*int32) @protobuf(9,varint,opt) + + // Represents the latest available observations of a statefulset's current state. + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#StatefulSetCondition] @go(Conditions,[]StatefulSetCondition) @protobuf(10,bytes,rep) + + // Total number of available pods (ready for at least minReadySeconds) targeted by this statefulset. + // +optional + availableReplicas: int32 @go(AvailableReplicas) @protobuf(11,varint,opt) +} + +#StatefulSetConditionType: string + +// StatefulSetCondition describes the state of a statefulset at a certain point. +#StatefulSetCondition: { + // Type of statefulset condition. + type: #StatefulSetConditionType @go(Type) @protobuf(1,bytes,opt,casttype=StatefulSetConditionType) + + // Status of the condition, one of True, False, Unknown. + status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus) + + // Last time the condition transitioned from one status to another. + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt) + + // The reason for the condition's last transition. 
+ // +optional + reason?: string @go(Reason) @protobuf(4,bytes,opt) + + // A human readable message indicating details about the transition. + // +optional + message?: string @go(Message) @protobuf(5,bytes,opt) +} + +// StatefulSetList is a collection of StatefulSets. +#StatefulSetList: { + metav1.#TypeMeta + + // Standard list's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is the list of stateful sets. + items: [...#StatefulSet] @go(Items,[]StatefulSet) @protobuf(2,bytes,rep) +} + +// Deployment enables declarative updates for Pods and ReplicaSets. +#Deployment: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Specification of the desired behavior of the Deployment. + // +optional + spec?: #DeploymentSpec @go(Spec) @protobuf(2,bytes,opt) + + // Most recently observed status of the Deployment. + // +optional + status?: #DeploymentStatus @go(Status) @protobuf(3,bytes,opt) +} + +// DeploymentSpec is the specification of the desired behavior of the Deployment. +#DeploymentSpec: { + // Number of desired pods. This is a pointer to distinguish between explicit + // zero and not specified. Defaults to 1. + // +optional + replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt) + + // Label selector for pods. Existing ReplicaSets whose pods are + // selected by this will be the ones affected by this deployment. + // It must match the pod template's labels. + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt) + + // Template describes the pods that will be created. + // The only allowed template.spec.restartPolicy value is "Always". 
+ template: v1.#PodTemplateSpec @go(Template) @protobuf(3,bytes,opt) + + // The deployment strategy to use to replace existing pods with new ones. + // +optional + // +patchStrategy=retainKeys + strategy?: #DeploymentStrategy @go(Strategy) @protobuf(4,bytes,opt) + + // Minimum number of seconds for which a newly created pod should be ready + // without any of its container crashing, for it to be considered available. + // Defaults to 0 (pod will be considered available as soon as it is ready) + // +optional + minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(5,varint,opt) + + // The number of old ReplicaSets to retain to allow rollback. + // This is a pointer to distinguish between explicit zero and not specified. + // Defaults to 10. + // +optional + revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32) @protobuf(6,varint,opt) + + // Indicates that the deployment is paused. + // +optional + paused?: bool @go(Paused) @protobuf(7,varint,opt) + + // The maximum time in seconds for a deployment to make progress before it + // is considered to be failed. The deployment controller will continue to + // process failed deployments and a condition with a ProgressDeadlineExceeded + // reason will be surfaced in the deployment status. Note that progress will + // not be estimated during the time a deployment is paused. Defaults to 600s. + progressDeadlineSeconds?: null | int32 @go(ProgressDeadlineSeconds,*int32) @protobuf(9,varint,opt) +} + +// DefaultDeploymentUniqueLabelKey is the default key of the selector that is added +// to existing ReplicaSets (and label key that is added to its pods) to prevent the existing ReplicaSets +// to select new pods (and old pods being select by new ReplicaSet). +#DefaultDeploymentUniqueLabelKey: "pod-template-hash" + +// DeploymentStrategy describes how to replace existing pods with new ones. +#DeploymentStrategy: { + // Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate. 
+ // +optional + type?: #DeploymentStrategyType @go(Type) @protobuf(1,bytes,opt,casttype=DeploymentStrategyType) + + // Rolling update config params. Present only if DeploymentStrategyType = + // RollingUpdate. + //--- + // TODO: Update this to follow our convention for oneOf, whatever we decide it + // to be. + // +optional + rollingUpdate?: null | #RollingUpdateDeployment @go(RollingUpdate,*RollingUpdateDeployment) @protobuf(2,bytes,opt) +} + +// +enum +#DeploymentStrategyType: string // #enumDeploymentStrategyType + +#enumDeploymentStrategyType: + #RecreateDeploymentStrategyType | + #RollingUpdateDeploymentStrategyType + +// Kill all existing pods before creating new ones. +#RecreateDeploymentStrategyType: #DeploymentStrategyType & "Recreate" + +// Replace the old ReplicaSets by new one using rolling update i.e gradually scale down the old ReplicaSets and scale up the new one. +#RollingUpdateDeploymentStrategyType: #DeploymentStrategyType & "RollingUpdate" + +// Spec to control the desired behavior of rolling update. +#RollingUpdateDeployment: { + // The maximum number of pods that can be unavailable during the update. + // Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + // Absolute number is calculated from percentage by rounding down. + // This can not be 0 if MaxSurge is 0. + // Defaults to 25%. + // Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods + // immediately when the rolling update starts. Once new pods are ready, old ReplicaSet + // can be scaled down further, followed by scaling up the new ReplicaSet, ensuring + // that the total number of pods available at all times during the update is at + // least 70% of desired pods. + // +optional + maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(1,bytes,opt) + + // The maximum number of pods that can be scheduled above the desired number of + // pods. 
+ // Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + // This can not be 0 if MaxUnavailable is 0. + // Absolute number is calculated from percentage by rounding up. + // Defaults to 25%. + // Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when + // the rolling update starts, such that the total number of old and new pods do not exceed + // 130% of desired pods. Once old pods have been killed, + // new ReplicaSet can be scaled up further, ensuring that total number of pods running + // at any time during the update is at most 130% of desired pods. + // +optional + maxSurge?: null | intstr.#IntOrString @go(MaxSurge,*intstr.IntOrString) @protobuf(2,bytes,opt) +} + +// DeploymentStatus is the most recently observed status of the Deployment. +#DeploymentStatus: { + // The generation observed by the deployment controller. + // +optional + observedGeneration?: int64 @go(ObservedGeneration) @protobuf(1,varint,opt) + + // Total number of non-terminated pods targeted by this deployment (their labels match the selector). + // +optional + replicas?: int32 @go(Replicas) @protobuf(2,varint,opt) + + // Total number of non-terminated pods targeted by this deployment that have the desired template spec. + // +optional + updatedReplicas?: int32 @go(UpdatedReplicas) @protobuf(3,varint,opt) + + // readyReplicas is the number of pods targeted by this Deployment with a Ready Condition. + // +optional + readyReplicas?: int32 @go(ReadyReplicas) @protobuf(7,varint,opt) + + // Total number of available pods (ready for at least minReadySeconds) targeted by this deployment. + // +optional + availableReplicas?: int32 @go(AvailableReplicas) @protobuf(4,varint,opt) + + // Total number of unavailable pods targeted by this deployment. This is the total number of + // pods that are still required for the deployment to have 100% available capacity. 
They may + // either be pods that are running but not yet available or pods that still have not been created. + // +optional + unavailableReplicas?: int32 @go(UnavailableReplicas) @protobuf(5,varint,opt) + + // Represents the latest available observations of a deployment's current state. + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#DeploymentCondition] @go(Conditions,[]DeploymentCondition) @protobuf(6,bytes,rep) + + // Count of hash collisions for the Deployment. The Deployment controller uses this + // field as a collision avoidance mechanism when it needs to create the name for the + // newest ReplicaSet. + // +optional + collisionCount?: null | int32 @go(CollisionCount,*int32) @protobuf(8,varint,opt) +} + +#DeploymentConditionType: string // #enumDeploymentConditionType + +#enumDeploymentConditionType: + #DeploymentAvailable | + #DeploymentProgressing | + #DeploymentReplicaFailure + +// Available means the deployment is available, ie. at least the minimum available +// replicas required are up and running for at least minReadySeconds. +#DeploymentAvailable: #DeploymentConditionType & "Available" + +// Progressing means the deployment is progressing. Progress for a deployment is +// considered when a new replica set is created or adopted, and when new pods scale +// up or old pods scale down. Progress is not estimated for paused deployments or +// when progressDeadlineSeconds is not specified. +#DeploymentProgressing: #DeploymentConditionType & "Progressing" + +// ReplicaFailure is added in a deployment when one of its pods fails to be created +// or deleted. +#DeploymentReplicaFailure: #DeploymentConditionType & "ReplicaFailure" + +// DeploymentCondition describes the state of a deployment at a certain point. +#DeploymentCondition: { + // Type of deployment condition. + type: #DeploymentConditionType @go(Type) @protobuf(1,bytes,opt,casttype=DeploymentConditionType) + + // Status of the condition, one of True, False, Unknown. 
+ status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus) + + // The last time this condition was updated. + lastUpdateTime?: metav1.#Time @go(LastUpdateTime) @protobuf(6,bytes,opt) + + // Last time the condition transitioned from one status to another. + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(7,bytes,opt) + + // The reason for the condition's last transition. + reason?: string @go(Reason) @protobuf(4,bytes,opt) + + // A human readable message indicating details about the transition. + message?: string @go(Message) @protobuf(5,bytes,opt) +} + +// DeploymentList is a list of Deployments. +#DeploymentList: { + metav1.#TypeMeta + + // Standard list metadata. + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is the list of Deployments. + items: [...#Deployment] @go(Items,[]Deployment) @protobuf(2,bytes,rep) +} + +// DaemonSetUpdateStrategy is a struct used to control the update strategy for a DaemonSet. +#DaemonSetUpdateStrategy: { + // Type of daemon set update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate. + // +optional + type?: #DaemonSetUpdateStrategyType @go(Type) @protobuf(1,bytes,opt) + + // Rolling update config params. Present only if type = "RollingUpdate". + //--- + // TODO: Update this to follow our convention for oneOf, whatever we decide it + // to be. Same as Deployment `strategy.rollingUpdate`. + // See https://github.com/kubernetes/kubernetes/issues/35345 + // +optional + rollingUpdate?: null | #RollingUpdateDaemonSet @go(RollingUpdate,*RollingUpdateDaemonSet) @protobuf(2,bytes,opt) +} + +// +enum +#DaemonSetUpdateStrategyType: string // #enumDaemonSetUpdateStrategyType + +#enumDaemonSetUpdateStrategyType: + #RollingUpdateDaemonSetStrategyType | + #OnDeleteDaemonSetStrategyType + +// Replace the old daemons by new ones using rolling update i.e replace them on each node one after the other. 
+#RollingUpdateDaemonSetStrategyType: #DaemonSetUpdateStrategyType & "RollingUpdate" + +// Replace the old daemons only when it's killed +#OnDeleteDaemonSetStrategyType: #DaemonSetUpdateStrategyType & "OnDelete" + +// Spec to control the desired behavior of daemon set rolling update. +#RollingUpdateDaemonSet: { + // The maximum number of DaemonSet pods that can be unavailable during the + // update. Value can be an absolute number (ex: 5) or a percentage of total + // number of DaemonSet pods at the start of the update (ex: 10%). Absolute + // number is calculated from percentage by rounding up. + // This cannot be 0 if MaxSurge is 0 + // Default value is 1. + // Example: when this is set to 30%, at most 30% of the total number of nodes + // that should be running the daemon pod (i.e. status.desiredNumberScheduled) + // can have their pods stopped for an update at any given time. The update + // starts by stopping at most 30% of those DaemonSet pods and then brings + // up new DaemonSet pods in their place. Once the new pods are available, + // it then proceeds onto other DaemonSet pods, thus ensuring that at least + // 70% of original number of DaemonSet pods are available at all times during + // the update. + // +optional + maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(1,bytes,opt) + + // The maximum number of nodes with an existing available DaemonSet pod that + // can have an updated DaemonSet pod during during an update. + // Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + // This can not be 0 if MaxUnavailable is 0. + // Absolute number is calculated from percentage by rounding up to a minimum of 1. + // Default value is 0. + // Example: when this is set to 30%, at most 30% of the total number of nodes + // that should be running the daemon pod (i.e. status.desiredNumberScheduled) + // can have their a new pod created before the old pod is marked as deleted. 
+ // The update starts by launching new pods on 30% of nodes. Once an updated + // pod is available (Ready for at least minReadySeconds) the old DaemonSet pod + // on that node is marked deleted. If the old pod becomes unavailable for any + // reason (Ready transitions to false, is evicted, or is drained) an updated + // pod is immediatedly created on that node without considering surge limits. + // Allowing surge implies the possibility that the resources consumed by the + // daemonset on any given node can double if the readiness check fails, and + // so resource intensive daemonsets should take into account that they may + // cause evictions during disruption. + // +optional + maxSurge?: null | intstr.#IntOrString @go(MaxSurge,*intstr.IntOrString) @protobuf(2,bytes,opt) +} + +// DaemonSetSpec is the specification of a daemon set. +#DaemonSetSpec: { + // A label query over pods that are managed by the daemon set. + // Must match in order to be controlled. + // It must match the pod template's labels. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(1,bytes,opt) + + // An object that describes the pod that will be created. + // The DaemonSet will create exactly one copy of this pod on every node + // that matches the template's node selector (or on every node if no node + // selector is specified). + // The only allowed template.spec.restartPolicy value is "Always". + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template + template: v1.#PodTemplateSpec @go(Template) @protobuf(2,bytes,opt) + + // An update strategy to replace existing DaemonSet pods with new pods. 
+ // +optional + updateStrategy?: #DaemonSetUpdateStrategy @go(UpdateStrategy) @protobuf(3,bytes,opt) + + // The minimum number of seconds for which a newly created DaemonSet pod should + // be ready without any of its container crashing, for it to be considered + // available. Defaults to 0 (pod will be considered available as soon as it + // is ready). + // +optional + minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(4,varint,opt) + + // The number of old history to retain to allow rollback. + // This is a pointer to distinguish between explicit zero and not specified. + // Defaults to 10. + // +optional + revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32) @protobuf(6,varint,opt) +} + +// DaemonSetStatus represents the current status of a daemon set. +#DaemonSetStatus: { + // The number of nodes that are running at least 1 + // daemon pod and are supposed to run the daemon pod. + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + currentNumberScheduled: int32 @go(CurrentNumberScheduled) @protobuf(1,varint,opt) + + // The number of nodes that are running the daemon pod, but are + // not supposed to run the daemon pod. + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + numberMisscheduled: int32 @go(NumberMisscheduled) @protobuf(2,varint,opt) + + // The total number of nodes that should be running the daemon + // pod (including nodes correctly running the daemon pod). + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + desiredNumberScheduled: int32 @go(DesiredNumberScheduled) @protobuf(3,varint,opt) + + // numberReady is the number of nodes that should be running the daemon pod and have one + // or more of the daemon pod running with a Ready Condition. + numberReady: int32 @go(NumberReady) @protobuf(4,varint,opt) + + // The most recent generation observed by the daemon set controller. 
+ // +optional + observedGeneration?: int64 @go(ObservedGeneration) @protobuf(5,varint,opt) + + // The total number of nodes that are running updated daemon pod + // +optional + updatedNumberScheduled?: int32 @go(UpdatedNumberScheduled) @protobuf(6,varint,opt) + + // The number of nodes that should be running the + // daemon pod and have one or more of the daemon pod running and + // available (ready for at least spec.minReadySeconds) + // +optional + numberAvailable?: int32 @go(NumberAvailable) @protobuf(7,varint,opt) + + // The number of nodes that should be running the + // daemon pod and have none of the daemon pod running and available + // (ready for at least spec.minReadySeconds) + // +optional + numberUnavailable?: int32 @go(NumberUnavailable) @protobuf(8,varint,opt) + + // Count of hash collisions for the DaemonSet. The DaemonSet controller + // uses this field as a collision avoidance mechanism when it needs to + // create the name for the newest ControllerRevision. + // +optional + collisionCount?: null | int32 @go(CollisionCount,*int32) @protobuf(9,varint,opt) + + // Represents the latest available observations of a DaemonSet's current state. + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#DaemonSetCondition] @go(Conditions,[]DaemonSetCondition) @protobuf(10,bytes,rep) +} + +#DaemonSetConditionType: string + +// DaemonSetCondition describes the state of a DaemonSet at a certain point. +#DaemonSetCondition: { + // Type of DaemonSet condition. + type: #DaemonSetConditionType @go(Type) @protobuf(1,bytes,opt,casttype=DaemonSetConditionType) + + // Status of the condition, one of True, False, Unknown. + status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus) + + // Last time the condition transitioned from one status to another. 
+ // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt) + + // The reason for the condition's last transition. + // +optional + reason?: string @go(Reason) @protobuf(4,bytes,opt) + + // A human readable message indicating details about the transition. + // +optional + message?: string @go(Message) @protobuf(5,bytes,opt) +} + +// DaemonSet represents the configuration of a daemon set. +#DaemonSet: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // The desired behavior of this daemon set. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #DaemonSetSpec @go(Spec) @protobuf(2,bytes,opt) + + // The current status of this daemon set. This data may be + // out of date by some window of time. + // Populated by the system. + // Read-only. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #DaemonSetStatus @go(Status) @protobuf(3,bytes,opt) +} + +// DefaultDaemonSetUniqueLabelKey is the default label key that is added +// to existing DaemonSet pods to distinguish between old and new +// DaemonSet pods during DaemonSet template updates. +#DefaultDaemonSetUniqueLabelKey: "controller-revision-hash" + +// DaemonSetList is a collection of daemon sets. +#DaemonSetList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // A list of daemon sets. 
+ items: [...#DaemonSet] @go(Items,[]DaemonSet) @protobuf(2,bytes,rep) +} + +// ReplicaSet ensures that a specified number of pod replicas are running at any given time. +#ReplicaSet: { + metav1.#TypeMeta + + // If the Labels of a ReplicaSet are empty, they are defaulted to + // be the same as the Pod(s) that the ReplicaSet manages. + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec defines the specification of the desired behavior of the ReplicaSet. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #ReplicaSetSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status is the most recently observed status of the ReplicaSet. + // This data may be out of date by some window of time. + // Populated by the system. + // Read-only. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #ReplicaSetStatus @go(Status) @protobuf(3,bytes,opt) +} + +// ReplicaSetList is a collection of ReplicaSets. +#ReplicaSetList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of ReplicaSets. + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller + items: [...#ReplicaSet] @go(Items,[]ReplicaSet) @protobuf(2,bytes,rep) +} + +// ReplicaSetSpec is the specification of a ReplicaSet. +#ReplicaSetSpec: { + // Replicas is the number of desired replicas. + // This is a pointer to distinguish between explicit zero and unspecified. + // Defaults to 1. 
+ // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller + // +optional + replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt) + + // Minimum number of seconds for which a newly created pod should be ready + // without any of its container crashing, for it to be considered available. + // Defaults to 0 (pod will be considered available as soon as it is ready) + // +optional + minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(4,varint,opt) + + // Selector is a label query over pods that should match the replica count. + // Label keys and values that must match in order to be controlled by this replica set. + // It must match the pod template's labels. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt) + + // Template is the object that describes the pod that will be created if + // insufficient replicas are detected. + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template + // +optional + template?: v1.#PodTemplateSpec @go(Template) @protobuf(3,bytes,opt) +} + +// ReplicaSetStatus represents the current status of a ReplicaSet. +#ReplicaSetStatus: { + // Replicas is the most recently observed number of replicas. + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller + replicas: int32 @go(Replicas) @protobuf(1,varint,opt) + + // The number of pods that have labels matching the labels of the pod template of the replicaset. + // +optional + fullyLabeledReplicas?: int32 @go(FullyLabeledReplicas) @protobuf(2,varint,opt) + + // readyReplicas is the number of pods targeted by this ReplicaSet with a Ready Condition. 
+ // +optional + readyReplicas?: int32 @go(ReadyReplicas) @protobuf(4,varint,opt) + + // The number of available replicas (ready for at least minReadySeconds) for this replica set. + // +optional + availableReplicas?: int32 @go(AvailableReplicas) @protobuf(5,varint,opt) + + // ObservedGeneration reflects the generation of the most recently observed ReplicaSet. + // +optional + observedGeneration?: int64 @go(ObservedGeneration) @protobuf(3,varint,opt) + + // Represents the latest available observations of a replica set's current state. + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#ReplicaSetCondition] @go(Conditions,[]ReplicaSetCondition) @protobuf(6,bytes,rep) +} + +#ReplicaSetConditionType: string // #enumReplicaSetConditionType + +#enumReplicaSetConditionType: + #ReplicaSetReplicaFailure + +// ReplicaSetReplicaFailure is added in a replica set when one of its pods fails to be created +// due to insufficient quota, limit ranges, pod security policy, node selectors, etc. or deleted +// due to kubelet being down or finalizers are failing. +#ReplicaSetReplicaFailure: #ReplicaSetConditionType & "ReplicaFailure" + +// ReplicaSetCondition describes the state of a replica set at a certain point. +#ReplicaSetCondition: { + // Type of replica set condition. + type: #ReplicaSetConditionType @go(Type) @protobuf(1,bytes,opt,casttype=ReplicaSetConditionType) + + // Status of the condition, one of True, False, Unknown. + status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus) + + // The last time the condition transitioned from one status to another. + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt) + + // The reason for the condition's last transition. + // +optional + reason?: string @go(Reason) @protobuf(4,bytes,opt) + + // A human readable message indicating details about the transition. 
+ // +optional + message?: string @go(Message) @protobuf(5,bytes,opt) +} + +// ControllerRevision implements an immutable snapshot of state data. Clients +// are responsible for serializing and deserializing the objects that contain +// their internal state. +// Once a ControllerRevision has been successfully created, it can not be updated. +// The API Server will fail validation of all requests that attempt to mutate +// the Data field. ControllerRevisions may, however, be deleted. Note that, due to its use by both +// the DaemonSet and StatefulSet controllers for update and rollback, this object is beta. However, +// it may be subject to name and representation changes in future releases, and clients should not +// depend on its stability. It is primarily for internal use by controllers. +#ControllerRevision: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Data is the serialized representation of the state. + data?: runtime.#RawExtension @go(Data) @protobuf(2,bytes,opt) + + // Revision indicates the revision of the state represented by Data. + revision: int64 @go(Revision) @protobuf(3,varint,opt) +} + +// ControllerRevisionList is a resource containing a list of ControllerRevision objects. +#ControllerRevisionList: { + metav1.#TypeMeta + + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is the list of ControllerRevisions + items: [...#ControllerRevision] @go(Items,[]ControllerRevision) @protobuf(2,bytes,rep) +} 
diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/authentication/v1/register_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/authentication/v1/register_go_gen.cue new file mode 100644 index 000000000..082560098 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/authentication/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/authentication/v1 + +package v1 + +#GroupName: "authentication.k8s.io" diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/authentication/v1/types_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/authentication/v1/types_go_gen.cue new file mode 100644 index 000000000..5f0127a65 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/authentication/v1/types_go_gen.cue 
@@ -0,0 +1,206 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/authentication/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" +) + +// ImpersonateUserHeader is used to impersonate a particular user during an API server request +#ImpersonateUserHeader: "Impersonate-User" + +// ImpersonateGroupHeader is used to impersonate a particular group during an API server request. +// It can be repeated multiplied times for multiple groups. +#ImpersonateGroupHeader: "Impersonate-Group" + +// ImpersonateUIDHeader is used to impersonate a particular UID during an API server request +#ImpersonateUIDHeader: "Impersonate-Uid" + +// ImpersonateUserExtraHeaderPrefix is a prefix for any header used to impersonate an entry in the +// extra map[string][]string for user.Info. The key will be every after the prefix. +// It can be repeated multiplied times for multiple map keys and the same key can be repeated multiple +// times to have multiple elements in the slice under a single key +#ImpersonateUserExtraHeaderPrefix: "Impersonate-Extra-" + +// TokenReview attempts to authenticate a token to a known user. +// Note: TokenReview requests may be cached by the webhook token authenticator +// plugin in the kube-apiserver. +#TokenReview: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec holds information about the request being evaluated + spec: #TokenReviewSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status is filled in by the server and indicates whether the request can be authenticated. + // +optional + status?: #TokenReviewStatus @go(Status) @protobuf(3,bytes,opt) +} + +// TokenReviewSpec is a description of the token authentication request. 
+#TokenReviewSpec: { + // Token is the opaque bearer token. + // +optional + token?: string @go(Token) @protobuf(1,bytes,opt) + + // Audiences is a list of the identifiers that the resource server presented + // with the token identifies as. Audience-aware token authenticators will + // verify that the token was intended for at least one of the audiences in + // this list. If no audiences are provided, the audience will default to the + // audience of the Kubernetes apiserver. + // +optional + audiences?: [...string] @go(Audiences,[]string) @protobuf(2,bytes,rep) +} + +// TokenReviewStatus is the result of the token authentication request. +#TokenReviewStatus: { + // Authenticated indicates that the token was associated with a known user. + // +optional + authenticated?: bool @go(Authenticated) @protobuf(1,varint,opt) + + // User is the UserInfo associated with the provided token. + // +optional + user?: #UserInfo @go(User) @protobuf(2,bytes,opt) + + // Audiences are audience identifiers chosen by the authenticator that are + // compatible with both the TokenReview and token. An identifier is any + // identifier in the intersection of the TokenReviewSpec audiences and the + // token's audiences. A client of the TokenReview API that sets the + // spec.audiences field should validate that a compatible audience identifier + // is returned in the status.audiences field to ensure that the TokenReview + // server is audience aware. If a TokenReview returns an empty + // status.audience field where status.authenticated is "true", the token is + // valid against the audience of the Kubernetes API server. + // +optional + audiences?: [...string] @go(Audiences,[]string) @protobuf(4,bytes,rep) + + // Error indicates that the token couldn't be checked + // +optional + error?: string @go(Error) @protobuf(3,bytes,opt) +} + +// UserInfo holds the information about the user needed to implement the +// user.Info interface. 
+#UserInfo: { + // The name that uniquely identifies this user among all active users. + // +optional + username?: string @go(Username) @protobuf(1,bytes,opt) + + // A unique value that identifies this user across time. If this user is + // deleted and another user by the same name is added, they will have + // different UIDs. + // +optional + uid?: string @go(UID) @protobuf(2,bytes,opt) + + // The names of groups this user is a part of. + // +optional + groups?: [...string] @go(Groups,[]string) @protobuf(3,bytes,rep) + + // Any additional information provided by the authenticator. + // +optional + extra?: {[string]: #ExtraValue} @go(Extra,map[string]ExtraValue) @protobuf(4,bytes,rep) +} + +// ExtraValue masks the value so protobuf can generate +// +protobuf.nullable=true +// +protobuf.options.(gogoproto.goproto_stringer)=false +#ExtraValue: [...string] + +// TokenRequest requests a token for a given service account. +#TokenRequest: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec holds information about the request being evaluated + spec: #TokenRequestSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status is filled in by the server and indicates whether the token can be authenticated. + // +optional + status?: #TokenRequestStatus @go(Status) @protobuf(3,bytes,opt) +} + +// TokenRequestSpec contains client provided parameters of a token request. +#TokenRequestSpec: { + // Audiences are the intendend audiences of the token. A recipient of a + // token must identify themself with an identifier in the list of + // audiences of the token, and otherwise should reject the token. A + // token issued for multiple audiences may be used to authenticate + // against any of the audiences listed but implies a high degree of + // trust between the target audiences. 
+ audiences: [...string] @go(Audiences,[]string) @protobuf(1,bytes,rep) + + // ExpirationSeconds is the requested duration of validity of the request. The + // token issuer may return a token with a different validity duration so a + // client needs to check the 'expiration' field in a response. + // +optional + expirationSeconds?: null | int64 @go(ExpirationSeconds,*int64) @protobuf(4,varint,opt) + + // BoundObjectRef is a reference to an object that the token will be bound to. + // The token will only be valid for as long as the bound object exists. + // NOTE: The API server's TokenReview endpoint will validate the + // BoundObjectRef, but other audiences may not. Keep ExpirationSeconds + // small if you want prompt revocation. + // +optional + boundObjectRef?: null | #BoundObjectReference @go(BoundObjectRef,*BoundObjectReference) @protobuf(3,bytes,opt) +} + +// TokenRequestStatus is the result of a token request. +#TokenRequestStatus: { + // Token is the opaque bearer token. + token: string @go(Token) @protobuf(1,bytes,opt) + + // ExpirationTimestamp is the time of expiration of the returned token. + expirationTimestamp: metav1.#Time @go(ExpirationTimestamp) @protobuf(2,bytes,opt) +} + +// BoundObjectReference is a reference to an object that a token is bound to. +#BoundObjectReference: { + // Kind of the referent. Valid kinds are 'Pod' and 'Secret'. + // +optional + kind?: string @go(Kind) @protobuf(1,bytes,opt) + + // API version of the referent. + // +optional + apiVersion?: string @go(APIVersion) @protobuf(2,bytes,opt) + + // Name of the referent. + // +optional + name?: string @go(Name) @protobuf(3,bytes,opt) + + // UID of the referent. + // +optional + uid?: types.#UID @go(UID) @protobuf(4,bytes,opt,name=uID,casttype=k8s.io/apimachinery/pkg/types.UID) +} + +// SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. 
+// When using impersonation, users will receive the user info of the user being impersonated. If impersonation or +// request header authentication is used, any extra keys will have their case ignored and returned as lowercase. +#SelfSubjectReview: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Status is filled in by the server with the user attributes. + status?: #SelfSubjectReviewStatus @go(Status) @protobuf(2,bytes,opt) +} + +// SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user. +#SelfSubjectReviewStatus: { + // User attributes of the user making this request. + // +optional + userInfo?: #UserInfo @go(UserInfo) @protobuf(1,bytes,opt) +} diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/authorization/v1/register_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/authorization/v1/register_go_gen.cue new file mode 100644 index 000000000..afd54ec06 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/authorization/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/authorization/v1 + +package v1 + +#GroupName: "authorization.k8s.io" diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/authorization/v1/types_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/authorization/v1/types_go_gen.cue new file mode 100644 index 000000000..6eaf81871 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/authorization/v1/types_go_gen.cue 
@@ -0,0 +1,262 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/authorization/v1 + +package v1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// SubjectAccessReview checks whether or not a user or group can perform an action. +#SubjectAccessReview: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec holds information about the request being evaluated + spec: #SubjectAccessReviewSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status is filled in by the server and indicates whether the request is allowed or not + // +optional + status?: #SubjectAccessReviewStatus @go(Status) @protobuf(3,bytes,opt) +} + +// SelfSubjectAccessReview checks whether or the current user can perform an action. Not filling in a +// spec.namespace means "in all namespaces". Self is a special case, because users should always be able +// to check whether they can perform an action +#SelfSubjectAccessReview: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec holds information about the request being evaluated. user and groups must be empty + spec: #SelfSubjectAccessReviewSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status is filled in by the server and indicates whether the request is allowed or not + // +optional + status?: #SubjectAccessReviewStatus @go(Status) @protobuf(3,bytes,opt) +} + +// LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace. +// Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions +// checking. 
+#LocalSubjectAccessReview: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec holds information about the request being evaluated. spec.namespace must be equal to the namespace + // you made the request against. If empty, it is defaulted. + spec: #SubjectAccessReviewSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status is filled in by the server and indicates whether the request is allowed or not + // +optional + status?: #SubjectAccessReviewStatus @go(Status) @protobuf(3,bytes,opt) +} + +// ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface +#ResourceAttributes: { + // Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces + // "" (empty) is defaulted for LocalSubjectAccessReviews + // "" (empty) is empty for cluster-scoped resources + // "" (empty) means "all" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview + // +optional + namespace?: string @go(Namespace) @protobuf(1,bytes,opt) + + // Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy. "*" means all. + // +optional + verb?: string @go(Verb) @protobuf(2,bytes,opt) + + // Group is the API Group of the Resource. "*" means all. + // +optional + group?: string @go(Group) @protobuf(3,bytes,opt) + + // Version is the API Version of the Resource. "*" means all. + // +optional + version?: string @go(Version) @protobuf(4,bytes,opt) + + // Resource is one of the existing resource types. "*" means all. + // +optional + resource?: string @go(Resource) @protobuf(5,bytes,opt) + + // Subresource is one of the existing resource types. "" means none. 
+ // +optional + subresource?: string @go(Subresource) @protobuf(6,bytes,opt) + + // Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all. + // +optional + name?: string @go(Name) @protobuf(7,bytes,opt) +} + +// NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface +#NonResourceAttributes: { + // Path is the URL path of the request + // +optional + path?: string @go(Path) @protobuf(1,bytes,opt) + + // Verb is the standard HTTP verb + // +optional + verb?: string @go(Verb) @protobuf(2,bytes,opt) +} + +// SubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes +// and NonResourceAuthorizationAttributes must be set +#SubjectAccessReviewSpec: { + // ResourceAuthorizationAttributes describes information for a resource access request + // +optional + resourceAttributes?: null | #ResourceAttributes @go(ResourceAttributes,*ResourceAttributes) @protobuf(1,bytes,opt) + + // NonResourceAttributes describes information for a non-resource access request + // +optional + nonResourceAttributes?: null | #NonResourceAttributes @go(NonResourceAttributes,*NonResourceAttributes) @protobuf(2,bytes,opt) + + // User is the user you're testing for. + // If you specify "User" but not "Groups", then is it interpreted as "What if User were not a member of any groups + // +optional + user?: string @go(User) @protobuf(3,bytes,opt) + + // Groups is the groups you're testing for. + // +optional + groups?: [...string] @go(Groups,[]string) @protobuf(4,bytes,rep) + + // Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer + // it needs a reflection here. + // +optional + extra?: {[string]: #ExtraValue} @go(Extra,map[string]ExtraValue) @protobuf(5,bytes,rep) + + // UID information about the requesting user. 
+ // +optional + uid?: string @go(UID) @protobuf(6,bytes,opt) +} + +// ExtraValue masks the value so protobuf can generate +// +protobuf.nullable=true +// +protobuf.options.(gogoproto.goproto_stringer)=false +#ExtraValue: [...string] + +// SelfSubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes +// and NonResourceAuthorizationAttributes must be set +#SelfSubjectAccessReviewSpec: { + // ResourceAuthorizationAttributes describes information for a resource access request + // +optional + resourceAttributes?: null | #ResourceAttributes @go(ResourceAttributes,*ResourceAttributes) @protobuf(1,bytes,opt) + + // NonResourceAttributes describes information for a non-resource access request + // +optional + nonResourceAttributes?: null | #NonResourceAttributes @go(NonResourceAttributes,*NonResourceAttributes) @protobuf(2,bytes,opt) +} + +// SubjectAccessReviewStatus +#SubjectAccessReviewStatus: { + // Allowed is required. True if the action would be allowed, false otherwise. + allowed: bool @go(Allowed) @protobuf(1,varint,opt) + + // Denied is optional. True if the action would be denied, otherwise + // false. If both allowed is false and denied is false, then the + // authorizer has no opinion on whether to authorize the action. Denied + // may not be true if Allowed is true. + // +optional + denied?: bool @go(Denied) @protobuf(4,varint,opt) + + // Reason is optional. It indicates why a request was allowed or denied. + // +optional + reason?: string @go(Reason) @protobuf(2,bytes,opt) + + // EvaluationError is an indication that some error occurred during the authorization check. + // It is entirely possible to get an error and be able to continue determine authorization status in spite of it. + // For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request. 
+ // +optional + evaluationError?: string @go(EvaluationError) @protobuf(3,bytes,opt) +} + +// SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace. +// The returned list of actions may be incomplete depending on the server's authorization mode, +// and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions, +// or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to +// drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns. +// SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server. +#SelfSubjectRulesReview: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec holds information about the request being evaluated. + spec: #SelfSubjectRulesReviewSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status is filled in by the server and indicates the set of actions a user can perform. + // +optional + status?: #SubjectRulesReviewStatus @go(Status) @protobuf(3,bytes,opt) +} + +// SelfSubjectRulesReviewSpec defines the specification for SelfSubjectRulesReview. +#SelfSubjectRulesReviewSpec: { + // Namespace to evaluate rules for. Required. + namespace?: string @go(Namespace) @protobuf(1,bytes,opt) +} + +// SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on +// the set of authorizers the server is configured with and any errors experienced during evaluation. +// Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission, +// even if that list is incomplete. 
+#SubjectRulesReviewStatus: { + // ResourceRules is the list of actions the subject is allowed to perform on resources. + // The list ordering isn't significant, may contain duplicates, and possibly be incomplete. + resourceRules: [...#ResourceRule] @go(ResourceRules,[]ResourceRule) @protobuf(1,bytes,rep) + + // NonResourceRules is the list of actions the subject is allowed to perform on non-resources. + // The list ordering isn't significant, may contain duplicates, and possibly be incomplete. + nonResourceRules: [...#NonResourceRule] @go(NonResourceRules,[]NonResourceRule) @protobuf(2,bytes,rep) + + // Incomplete is true when the rules returned by this call are incomplete. This is most commonly + // encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation. + incomplete: bool @go(Incomplete) @protobuf(3,bytes,rep) + + // EvaluationError can appear in combination with Rules. It indicates an error occurred during + // rule evaluation, such as an authorizer that doesn't support rule evaluation, and that + // ResourceRules and/or NonResourceRules may be incomplete. + // +optional + evaluationError?: string @go(EvaluationError) @protobuf(4,bytes,opt) +} + +// ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, +// may contain duplicates, and possibly be incomplete. +#ResourceRule: { + // Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. "*" means all. + verbs: [...string] @go(Verbs,[]string) @protobuf(1,bytes,rep) + + // APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of + // the enumerated resources in any API group will be allowed. "*" means all. + // +optional + apiGroups?: [...string] @go(APIGroups,[]string) @protobuf(2,bytes,rep) + + // Resources is a list of resources this rule applies to. 
"*" means all in the specified apiGroups. + // "*/foo" represents the subresource 'foo' for all resources in the specified apiGroups. + // +optional + resources?: [...string] @go(Resources,[]string) @protobuf(3,bytes,rep) + + // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. "*" means all. + // +optional + resourceNames?: [...string] @go(ResourceNames,[]string) @protobuf(4,bytes,rep) +} + +// NonResourceRule holds information that describes a rule for the non-resource +#NonResourceRule: { + // Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. "*" means all. + verbs: [...string] @go(Verbs,[]string) @protobuf(1,bytes,rep) + + // NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, + // final step in the path. "*" means all. + // +optional + nonResourceURLs?: [...string] @go(NonResourceURLs,[]string) @protobuf(2,bytes,rep) +} diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/autoscaling/v1/register_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/autoscaling/v1/register_go_gen.cue new file mode 100644 index 000000000..0a7f3423c --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/autoscaling/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/autoscaling/v1 + +package v1 + +#GroupName: "autoscaling" diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/autoscaling/v1/types_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/autoscaling/v1/types_go_gen.cue new file mode 100644 index 000000000..6e873a358 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/autoscaling/v1/types_go_gen.cue 
@@ -0,0 +1,542 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/autoscaling/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/api/resource" + "k8s.io/api/core/v1" +) + +// CrossVersionObjectReference contains enough information to let you identify the referred resource. +// +structType=atomic +#CrossVersionObjectReference: { + // kind is the kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: string @go(Kind) @protobuf(1,bytes,opt) + + // name is the name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name: string @go(Name) @protobuf(2,bytes,opt) + + // apiVersion is the API version of the referent + // +optional + apiVersion?: string @go(APIVersion) @protobuf(3,bytes,opt) +} + +// specification of a horizontal pod autoscaler. +#HorizontalPodAutoscalerSpec: { + // reference to scaled resource; horizontal pod autoscaler will learn the current resource consumption + // and will set the desired number of pods by using its Scale subresource. + scaleTargetRef: #CrossVersionObjectReference @go(ScaleTargetRef) @protobuf(1,bytes,opt) + + // minReplicas is the lower limit for the number of replicas to which the autoscaler + // can scale down. It defaults to 1 pod. minReplicas is allowed to be 0 if the + // alpha feature gate HPAScaleToZero is enabled and at least one Object or External + // metric is configured. Scaling is active as long as at least one metric value is + // available. + // +optional + minReplicas?: null | int32 @go(MinReplicas,*int32) @protobuf(2,varint,opt) + + // maxReplicas is the upper limit for the number of pods that can be set by the autoscaler; cannot be smaller than MinReplicas. 
+ maxReplicas: int32 @go(MaxReplicas) @protobuf(3,varint,opt) + + // targetCPUUtilizationPercentage is the target average CPU utilization (represented as a percentage of requested CPU) over all the pods; + // if not specified the default autoscaling policy will be used. + // +optional + targetCPUUtilizationPercentage?: null | int32 @go(TargetCPUUtilizationPercentage,*int32) @protobuf(4,varint,opt) +} + +// current status of a horizontal pod autoscaler +#HorizontalPodAutoscalerStatus: { + // observedGeneration is the most recent generation observed by this autoscaler. + // +optional + observedGeneration?: null | int64 @go(ObservedGeneration,*int64) @protobuf(1,varint,opt) + + // lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods; + // used by the autoscaler to control how often the number of pods is changed. + // +optional + lastScaleTime?: null | metav1.#Time @go(LastScaleTime,*metav1.Time) @protobuf(2,bytes,opt) + + // currentReplicas is the current number of replicas of pods managed by this autoscaler. + currentReplicas: int32 @go(CurrentReplicas) @protobuf(3,varint,opt) + + // desiredReplicas is the desired number of replicas of pods managed by this autoscaler. + desiredReplicas: int32 @go(DesiredReplicas) @protobuf(4,varint,opt) + + // currentCPUUtilizationPercentage is the current average CPU utilization over all pods, represented as a percentage of requested CPU, + // e.g. 70 means that an average pod is using now 70% of its requested CPU. + // +optional + currentCPUUtilizationPercentage?: null | int32 @go(CurrentCPUUtilizationPercentage,*int32) @protobuf(5,varint,opt) +} + +// configuration of a horizontal pod autoscaler. +#HorizontalPodAutoscaler: { + metav1.#TypeMeta + + // Standard object metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec defines the behaviour of autoscaler. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. + // +optional + spec?: #HorizontalPodAutoscalerSpec @go(Spec) @protobuf(2,bytes,opt) + + // status is the current information about the autoscaler. + // +optional + status?: #HorizontalPodAutoscalerStatus @go(Status) @protobuf(3,bytes,opt) +} + +// list of horizontal pod autoscaler objects. +#HorizontalPodAutoscalerList: { + metav1.#TypeMeta + + // Standard list metadata. + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of horizontal pod autoscaler objects. + items: [...#HorizontalPodAutoscaler] @go(Items,[]HorizontalPodAutoscaler) @protobuf(2,bytes,rep) +} + +// Scale represents a scaling request for a resource. +#Scale: { + metav1.#TypeMeta + + // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata. + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. + // +optional + spec?: #ScaleSpec @go(Spec) @protobuf(2,bytes,opt) + + // status is the current status of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. Read-only. + // +optional + status?: #ScaleStatus @go(Status) @protobuf(3,bytes,opt) +} + +// ScaleSpec describes the attributes of a scale subresource. +#ScaleSpec: { + // replicas is the desired number of instances for the scaled object. 
+ // +optional + replicas?: int32 @go(Replicas) @protobuf(1,varint,opt) +} + +// ScaleStatus represents the current status of a scale subresource. +#ScaleStatus: { + // replicas is the actual number of observed instances of the scaled object. + replicas: int32 @go(Replicas) @protobuf(1,varint,opt) + + // selector is the label query over pods that should match the replicas count. This is same + // as the label selector but in the string format to avoid introspection + // by clients. The string will be in the same format as the query-param syntax. + // More info about label selectors: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + // +optional + selector?: string @go(Selector) @protobuf(2,bytes,opt) +} + +// MetricSourceType indicates the type of metric. +// +enum +#MetricSourceType: string // #enumMetricSourceType + +#enumMetricSourceType: + #ObjectMetricSourceType | + #PodsMetricSourceType | + #ResourceMetricSourceType | + #ContainerResourceMetricSourceType | + #ExternalMetricSourceType + +// ObjectMetricSourceType is a metric describing a kubernetes object +// (for example, hits-per-second on an Ingress object). +#ObjectMetricSourceType: #MetricSourceType & "Object" + +// PodsMetricSourceType is a metric describing each pod in the current scale +// target (for example, transactions-processed-per-second). The values +// will be averaged together before being compared to the target value. +#PodsMetricSourceType: #MetricSourceType & "Pods" + +// ResourceMetricSourceType is a resource metric known to Kubernetes, as +// specified in requests and limits, describing each pod in the current +// scale target (e.g. CPU or memory). Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available +// to normal per-pod metrics (the "pods" source). 
+#ResourceMetricSourceType: #MetricSourceType & "Resource" + +// ContainerResourceMetricSourceType is a resource metric known to Kubernetes, as +// specified in requests and limits, describing a single container in each pod in the current +// scale target (e.g. CPU or memory). Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available +// to normal per-pod metrics (the "pods" source). +#ContainerResourceMetricSourceType: #MetricSourceType & "ContainerResource" + +// ExternalMetricSourceType is a global metric that is not associated +// with any Kubernetes object. It allows autoscaling based on information +// coming from components running outside of cluster +// (for example length of queue in cloud messaging service, or +// QPS from loadbalancer running outside of cluster). +#ExternalMetricSourceType: #MetricSourceType & "External" + +// MetricSpec specifies how to scale based on a single metric +// (only `type` and one other matching field should be set at once). +#MetricSpec: { + // type is the type of metric source. It should be one of "ContainerResource", + // "External", "Object", "Pods" or "Resource", each mapping to a matching field in the object. + // Note: "ContainerResource" type is available on when the feature-gate + // HPAContainerMetrics is enabled + type: #MetricSourceType @go(Type) @protobuf(1,bytes) + + // object refers to a metric describing a single kubernetes object + // (for example, hits-per-second on an Ingress object). + // +optional + object?: null | #ObjectMetricSource @go(Object,*ObjectMetricSource) @protobuf(2,bytes,opt) + + // pods refers to a metric describing each pod in the current scale target + // (for example, transactions-processed-per-second). The values will be + // averaged together before being compared to the target value. 
+ // +optional + pods?: null | #PodsMetricSource @go(Pods,*PodsMetricSource) @protobuf(3,bytes,opt) + + // resource refers to a resource metric (such as those specified in + // requests and limits) known to Kubernetes describing each pod in the + // current scale target (e.g. CPU or memory). Such metrics are built in to + // Kubernetes, and have special scaling options on top of those available + // to normal per-pod metrics using the "pods" source. + // +optional + resource?: null | #ResourceMetricSource @go(Resource,*ResourceMetricSource) @protobuf(4,bytes,opt) + + // containerResource refers to a resource metric (such as those specified in + // requests and limits) known to Kubernetes describing a single container in each pod of the + // current scale target (e.g. CPU or memory). Such metrics are built in to + // Kubernetes, and have special scaling options on top of those available + // to normal per-pod metrics using the "pods" source. + // This is an alpha feature and can be enabled by the HPAContainerMetrics feature flag. + // +optional + containerResource?: null | #ContainerResourceMetricSource @go(ContainerResource,*ContainerResourceMetricSource) @protobuf(7,bytes,opt) + + // external refers to a global metric that is not associated + // with any Kubernetes object. It allows autoscaling based on information + // coming from components running outside of cluster + // (for example length of queue in cloud messaging service, or + // QPS from loadbalancer running outside of cluster). + // +optional + external?: null | #ExternalMetricSource @go(External,*ExternalMetricSource) @protobuf(5,bytes,opt) +} + +// ObjectMetricSource indicates how to scale on a metric describing a +// kubernetes object (for example, hits-per-second on an Ingress object). +#ObjectMetricSource: { + // target is the described Kubernetes object. + target: #CrossVersionObjectReference @go(Target) @protobuf(1,bytes) + + // metricName is the name of the metric in question. 
+ metricName: string @go(MetricName) @protobuf(2,bytes) + + // targetValue is the target value of the metric (as a quantity). + targetValue: resource.#Quantity @go(TargetValue) @protobuf(3,bytes) + + // selector is the string-encoded form of a standard kubernetes label selector for the given metric. + // When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping + // When unset, just the metricName will be used to gather metrics. + // +optional + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(4,bytes) + + // averageValue is the target value of the average of the + // metric across all relevant pods (as a quantity) + // +optional + averageValue?: null | resource.#Quantity @go(AverageValue,*resource.Quantity) @protobuf(5,bytes) +} + +// PodsMetricSource indicates how to scale on a metric describing each pod in +// the current scale target (for example, transactions-processed-per-second). +// The values will be averaged together before being compared to the target +// value. +#PodsMetricSource: { + // metricName is the name of the metric in question + metricName: string @go(MetricName) @protobuf(1,bytes) + + // targetAverageValue is the target value of the average of the + // metric across all relevant pods (as a quantity) + targetAverageValue: resource.#Quantity @go(TargetAverageValue) @protobuf(2,bytes) + + // selector is the string-encoded form of a standard kubernetes label selector for the given metric + // When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping + // When unset, just the metricName will be used to gather metrics. + // +optional + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(3,bytes) +} + +// ResourceMetricSource indicates how to scale on a resource metric known to +// Kubernetes, as specified in requests and limits, describing each pod in the +// current scale target (e.g. 
CPU or memory). The values will be averaged +// together before being compared to the target. Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available to +// normal per-pod metrics using the "pods" source. Only one "target" type +// should be set. +#ResourceMetricSource: { + // name is the name of the resource in question. + name: v1.#ResourceName @go(Name) @protobuf(1,bytes) + + // targetAverageUtilization is the target value of the average of the + // resource metric across all relevant pods, represented as a percentage of + // the requested value of the resource for the pods. + // +optional + targetAverageUtilization?: null | int32 @go(TargetAverageUtilization,*int32) @protobuf(2,varint,opt) + + // targetAverageValue is the target value of the average of the + // resource metric across all relevant pods, as a raw value (instead of as + // a percentage of the request), similar to the "pods" metric source type. + // +optional + targetAverageValue?: null | resource.#Quantity @go(TargetAverageValue,*resource.Quantity) @protobuf(3,bytes,opt) +} + +// ContainerResourceMetricSource indicates how to scale on a resource metric known to +// Kubernetes, as specified in the requests and limits, describing a single container in +// each of the pods of the current scale target(e.g. CPU or memory). The values will be +// averaged together before being compared to the target. Such metrics are built into +// Kubernetes, and have special scaling options on top of those available to +// normal per-pod metrics using the "pods" source. Only one "target" type +// should be set. +#ContainerResourceMetricSource: { + // name is the name of the resource in question. + name: v1.#ResourceName @go(Name) @protobuf(1,bytes) + + // targetAverageUtilization is the target value of the average of the + // resource metric across all relevant pods, represented as a percentage of + // the requested value of the resource for the pods. 
+ // +optional + targetAverageUtilization?: null | int32 @go(TargetAverageUtilization,*int32) @protobuf(2,varint,opt) + + // targetAverageValue is the target value of the average of the + // resource metric across all relevant pods, as a raw value (instead of as + // a percentage of the request), similar to the "pods" metric source type. + // +optional + targetAverageValue?: null | resource.#Quantity @go(TargetAverageValue,*resource.Quantity) @protobuf(3,bytes,opt) + + // container is the name of the container in the pods of the scaling target. + container: string @go(Container) @protobuf(5,bytes,opt) +} + +// ExternalMetricSource indicates how to scale on a metric not associated with +// any Kubernetes object (for example length of queue in cloud +// messaging service, or QPS from loadbalancer running outside of cluster). +#ExternalMetricSource: { + // metricName is the name of the metric in question. + metricName: string @go(MetricName) @protobuf(1,bytes) + + // metricSelector is used to identify a specific time series + // within a given metric. + // +optional + metricSelector?: null | metav1.#LabelSelector @go(MetricSelector,*metav1.LabelSelector) @protobuf(2,bytes,opt) + + // targetValue is the target value of the metric (as a quantity). + // Mutually exclusive with TargetAverageValue. + // +optional + targetValue?: null | resource.#Quantity @go(TargetValue,*resource.Quantity) @protobuf(3,bytes,opt) + + // targetAverageValue is the target per-pod value of global metric (as a quantity). + // Mutually exclusive with TargetValue. + // +optional + targetAverageValue?: null | resource.#Quantity @go(TargetAverageValue,*resource.Quantity) @protobuf(4,bytes,opt) +} + +// MetricStatus describes the last-read state of a single metric. +#MetricStatus: { + // type is the type of metric source. It will be one of "ContainerResource", + // "External", "Object", "Pods" or "Resource", each corresponds to a matching field in the object. 
+ // Note: "ContainerResource" type is available on when the feature-gate + // HPAContainerMetrics is enabled + type: #MetricSourceType @go(Type) @protobuf(1,bytes) + + // object refers to a metric describing a single kubernetes object + // (for example, hits-per-second on an Ingress object). + // +optional + object?: null | #ObjectMetricStatus @go(Object,*ObjectMetricStatus) @protobuf(2,bytes,opt) + + // pods refers to a metric describing each pod in the current scale target + // (for example, transactions-processed-per-second). The values will be + // averaged together before being compared to the target value. + // +optional + pods?: null | #PodsMetricStatus @go(Pods,*PodsMetricStatus) @protobuf(3,bytes,opt) + + // resource refers to a resource metric (such as those specified in + // requests and limits) known to Kubernetes describing each pod in the + // current scale target (e.g. CPU or memory). Such metrics are built in to + // Kubernetes, and have special scaling options on top of those available + // to normal per-pod metrics using the "pods" source. + // +optional + resource?: null | #ResourceMetricStatus @go(Resource,*ResourceMetricStatus) @protobuf(4,bytes,opt) + + // containerResource refers to a resource metric (such as those specified in + // requests and limits) known to Kubernetes describing a single container in each pod in the + // current scale target (e.g. CPU or memory). Such metrics are built in to + // Kubernetes, and have special scaling options on top of those available + // to normal per-pod metrics using the "pods" source. + // +optional + containerResource?: null | #ContainerResourceMetricStatus @go(ContainerResource,*ContainerResourceMetricStatus) @protobuf(7,bytes,opt) + + // external refers to a global metric that is not associated + // with any Kubernetes object. 
It allows autoscaling based on information + // coming from components running outside of cluster + // (for example length of queue in cloud messaging service, or + // QPS from loadbalancer running outside of cluster). + // +optional + external?: null | #ExternalMetricStatus @go(External,*ExternalMetricStatus) @protobuf(5,bytes,opt) +} + +// HorizontalPodAutoscalerConditionType are the valid conditions of +// a HorizontalPodAutoscaler. +#HorizontalPodAutoscalerConditionType: string // #enumHorizontalPodAutoscalerConditionType + +#enumHorizontalPodAutoscalerConditionType: + #ScalingActive | + #AbleToScale | + #ScalingLimited + +// ScalingActive indicates that the HPA controller is able to scale if necessary: +// it's correctly configured, can fetch the desired metrics, and isn't disabled. +#ScalingActive: #HorizontalPodAutoscalerConditionType & "ScalingActive" + +// AbleToScale indicates a lack of transient issues which prevent scaling from occurring, +// such as being in a backoff window, or being unable to access/update the target scale. +#AbleToScale: #HorizontalPodAutoscalerConditionType & "AbleToScale" + +// ScalingLimited indicates that the calculated scale based on metrics would be above or +// below the range for the HPA, and has thus been capped. +#ScalingLimited: #HorizontalPodAutoscalerConditionType & "ScalingLimited" + +// HorizontalPodAutoscalerCondition describes the state of +// a HorizontalPodAutoscaler at a certain point. 
+#HorizontalPodAutoscalerCondition: { + // type describes the current condition + type: #HorizontalPodAutoscalerConditionType @go(Type) @protobuf(1,bytes) + + // status is the status of the condition (True, False, Unknown) + status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes) + + // lastTransitionTime is the last time the condition transitioned from + // one status to another + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt) + + // reason is the reason for the condition's last transition. + // +optional + reason?: string @go(Reason) @protobuf(4,bytes,opt) + + // message is a human-readable explanation containing details about + // the transition + // +optional + message?: string @go(Message) @protobuf(5,bytes,opt) +} + +// ObjectMetricStatus indicates the current value of a metric describing a +// kubernetes object (for example, hits-per-second on an Ingress object). +#ObjectMetricStatus: { + // target is the described Kubernetes object. + target: #CrossVersionObjectReference @go(Target) @protobuf(1,bytes) + + // metricName is the name of the metric in question. + metricName: string @go(MetricName) @protobuf(2,bytes) + + // currentValue is the current value of the metric (as a quantity). + currentValue: resource.#Quantity @go(CurrentValue) @protobuf(3,bytes) + + // selector is the string-encoded form of a standard kubernetes label selector for the given metric + // When set in the ObjectMetricSource, it is passed as an additional parameter to the metrics server for more specific metrics scoping. + // When unset, just the metricName will be used to gather metrics. 
+ // +optional + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(4,bytes) + + // averageValue is the current value of the average of the + // metric across all relevant pods (as a quantity) + // +optional + averageValue?: null | resource.#Quantity @go(AverageValue,*resource.Quantity) @protobuf(5,bytes) +} + +// PodsMetricStatus indicates the current value of a metric describing each pod in +// the current scale target (for example, transactions-processed-per-second). +#PodsMetricStatus: { + // metricName is the name of the metric in question + metricName: string @go(MetricName) @protobuf(1,bytes) + + // currentAverageValue is the current value of the average of the + // metric across all relevant pods (as a quantity) + currentAverageValue: resource.#Quantity @go(CurrentAverageValue) @protobuf(2,bytes) + + // selector is the string-encoded form of a standard kubernetes label selector for the given metric + // When set in the PodsMetricSource, it is passed as an additional parameter to the metrics server for more specific metrics scoping. + // When unset, just the metricName will be used to gather metrics. + // +optional + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(3,bytes) +} + +// ResourceMetricStatus indicates the current value of a resource metric known to +// Kubernetes, as specified in requests and limits, describing each pod in the +// current scale target (e.g. CPU or memory). Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available to +// normal per-pod metrics using the "pods" source. +#ResourceMetricStatus: { + // name is the name of the resource in question. + name: v1.#ResourceName @go(Name) @protobuf(1,bytes) + + // currentAverageUtilization is the current value of the average of the + // resource metric across all relevant pods, represented as a percentage of + // the requested value of the resource for the pods. 
It will only be + // present if `targetAverageValue` was set in the corresponding metric + // specification. + // +optional + currentAverageUtilization?: null | int32 @go(CurrentAverageUtilization,*int32) @protobuf(2,bytes,opt) + + // currentAverageValue is the current value of the average of the + // resource metric across all relevant pods, as a raw value (instead of as + // a percentage of the request), similar to the "pods" metric source type. + // It will always be set, regardless of the corresponding metric specification. + currentAverageValue: resource.#Quantity @go(CurrentAverageValue) @protobuf(3,bytes) +} + +// ContainerResourceMetricStatus indicates the current value of a resource metric known to +// Kubernetes, as specified in requests and limits, describing a single container in each pod in the +// current scale target (e.g. CPU or memory). Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available to +// normal per-pod metrics using the "pods" source. +#ContainerResourceMetricStatus: { + // name is the name of the resource in question. + name: v1.#ResourceName @go(Name) @protobuf(1,bytes) + + // currentAverageUtilization is the current value of the average of the + // resource metric across all relevant pods, represented as a percentage of + // the requested value of the resource for the pods. It will only be + // present if `targetAverageValue` was set in the corresponding metric + // specification. + // +optional + currentAverageUtilization?: null | int32 @go(CurrentAverageUtilization,*int32) @protobuf(2,bytes,opt) + + // currentAverageValue is the current value of the average of the + // resource metric across all relevant pods, as a raw value (instead of as + // a percentage of the request), similar to the "pods" metric source type. + // It will always be set, regardless of the corresponding metric specification. 
+ currentAverageValue: resource.#Quantity @go(CurrentAverageValue) @protobuf(3,bytes) + + // container is the name of the container in the pods of the scaling taget + container: string @go(Container) @protobuf(4,bytes,opt) +} + +// ExternalMetricStatus indicates the current value of a global metric +// not associated with any Kubernetes object. +#ExternalMetricStatus: { + // metricName is the name of a metric used for autoscaling in + // metric system. + metricName: string @go(MetricName) @protobuf(1,bytes) + + // metricSelector is used to identify a specific time series + // within a given metric. + // +optional + metricSelector?: null | metav1.#LabelSelector @go(MetricSelector,*metav1.LabelSelector) @protobuf(2,bytes,opt) + + // currentValue is the current value of the metric (as a quantity) + currentValue: resource.#Quantity @go(CurrentValue) @protobuf(3,bytes) + + // currentAverageValue is the current value of metric averaged over autoscaled pods. + // +optional + currentAverageValue?: null | resource.#Quantity @go(CurrentAverageValue,*resource.Quantity) @protobuf(4,bytes,opt) +} diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/autoscaling/v2/register_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/autoscaling/v2/register_go_gen.cue new file mode 100644 index 000000000..aea0fb269 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/autoscaling/v2/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/autoscaling/v2 + +package v2 + +#GroupName: "autoscaling" diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/autoscaling/v2/types_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/autoscaling/v2/types_go_gen.cue new file mode 100644 index 000000000..767020856 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/autoscaling/v2/types_go_gen.cue 
@@ -0,0 +1,597 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/autoscaling/v2 + +package v2 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/resource" +) + +// HorizontalPodAutoscaler is the configuration for a horizontal pod +// autoscaler, which automatically manages the replica count of any resource +// implementing the scale subresource based on the metrics specified. +#HorizontalPodAutoscaler: { + metav1.#TypeMeta + + // metadata is the standard object metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec is the specification for the behaviour of the autoscaler. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. + // +optional + spec?: #HorizontalPodAutoscalerSpec @go(Spec) @protobuf(2,bytes,opt) + + // status is the current information about the autoscaler. + // +optional + status?: #HorizontalPodAutoscalerStatus @go(Status) @protobuf(3,bytes,opt) +} + +// HorizontalPodAutoscalerSpec describes the desired functionality of the HorizontalPodAutoscaler. +#HorizontalPodAutoscalerSpec: { + // scaleTargetRef points to the target resource to scale, and is used to the pods for which metrics + // should be collected, as well as to actually change the replica count. + scaleTargetRef: #CrossVersionObjectReference @go(ScaleTargetRef) @protobuf(1,bytes,opt) + + // minReplicas is the lower limit for the number of replicas to which the autoscaler + // can scale down. It defaults to 1 pod. minReplicas is allowed to be 0 if the + // alpha feature gate HPAScaleToZero is enabled and at least one Object or External + // metric is configured. Scaling is active as long as at least one metric value is + // available. 
+ // +optional + minReplicas?: null | int32 @go(MinReplicas,*int32) @protobuf(2,varint,opt) + + // maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up. + // It cannot be less that minReplicas. + maxReplicas: int32 @go(MaxReplicas) @protobuf(3,varint,opt) + + // metrics contains the specifications for which to use to calculate the + // desired replica count (the maximum replica count across all metrics will + // be used). The desired replica count is calculated multiplying the + // ratio between the target value and the current value by the current + // number of pods. Ergo, metrics used must decrease as the pod count is + // increased, and vice-versa. See the individual metric source types for + // more information about how each type of metric must respond. + // If not set, the default metric will be set to 80% average CPU utilization. + // +listType=atomic + // +optional + metrics?: [...#MetricSpec] @go(Metrics,[]MetricSpec) @protobuf(4,bytes,rep) + + // behavior configures the scaling behavior of the target + // in both Up and Down directions (scaleUp and scaleDown fields respectively). + // If not set, the default HPAScalingRules for scale up and scale down are used. + // +optional + behavior?: null | #HorizontalPodAutoscalerBehavior @go(Behavior,*HorizontalPodAutoscalerBehavior) @protobuf(5,bytes,opt) +} + +// CrossVersionObjectReference contains enough information to let you identify the referred resource. 
+#CrossVersionObjectReference: { + // kind is the kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: string @go(Kind) @protobuf(1,bytes,opt) + + // name is the name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name: string @go(Name) @protobuf(2,bytes,opt) + + // apiVersion is the API version of the referent + // +optional + apiVersion?: string @go(APIVersion) @protobuf(3,bytes,opt) +} + +// MetricSpec specifies how to scale based on a single metric +// (only `type` and one other matching field should be set at once). +#MetricSpec: { + // type is the type of metric source. It should be one of "ContainerResource", "External", + // "Object", "Pods" or "Resource", each mapping to a matching field in the object. + // Note: "ContainerResource" type is available on when the feature-gate + // HPAContainerMetrics is enabled + type: #MetricSourceType @go(Type) @protobuf(1,bytes) + + // object refers to a metric describing a single kubernetes object + // (for example, hits-per-second on an Ingress object). + // +optional + object?: null | #ObjectMetricSource @go(Object,*ObjectMetricSource) @protobuf(2,bytes,opt) + + // pods refers to a metric describing each pod in the current scale target + // (for example, transactions-processed-per-second). The values will be + // averaged together before being compared to the target value. + // +optional + pods?: null | #PodsMetricSource @go(Pods,*PodsMetricSource) @protobuf(3,bytes,opt) + + // resource refers to a resource metric (such as those specified in + // requests and limits) known to Kubernetes describing each pod in the + // current scale target (e.g. CPU or memory). Such metrics are built in to + // Kubernetes, and have special scaling options on top of those available + // to normal per-pod metrics using the "pods" source. 
+ // +optional + resource?: null | #ResourceMetricSource @go(Resource,*ResourceMetricSource) @protobuf(4,bytes,opt) + + // containerResource refers to a resource metric (such as those specified in + // requests and limits) known to Kubernetes describing a single container in + // each pod of the current scale target (e.g. CPU or memory). Such metrics are + // built in to Kubernetes, and have special scaling options on top of those + // available to normal per-pod metrics using the "pods" source. + // This is an alpha feature and can be enabled by the HPAContainerMetrics feature flag. + // +optional + containerResource?: null | #ContainerResourceMetricSource @go(ContainerResource,*ContainerResourceMetricSource) @protobuf(7,bytes,opt) + + // external refers to a global metric that is not associated + // with any Kubernetes object. It allows autoscaling based on information + // coming from components running outside of cluster + // (for example length of queue in cloud messaging service, or + // QPS from loadbalancer running outside of cluster). + // +optional + external?: null | #ExternalMetricSource @go(External,*ExternalMetricSource) @protobuf(5,bytes,opt) +} + +// HorizontalPodAutoscalerBehavior configures the scaling behavior of the target +// in both Up and Down directions (scaleUp and scaleDown fields respectively). +#HorizontalPodAutoscalerBehavior: { + // scaleUp is scaling policy for scaling Up. + // If not set, the default value is the higher of: + // * increase no more than 4 pods per 60 seconds + // * double the number of pods per 60 seconds + // No stabilization is used. + // +optional + scaleUp?: null | #HPAScalingRules @go(ScaleUp,*HPAScalingRules) @protobuf(1,bytes,opt) + + // scaleDown is scaling policy for scaling Down. + // If not set, the default value is to allow to scale down to minReplicas pods, with a + // 300 second stabilization window (i.e., the highest recommendation for + // the last 300sec is used). 
+ // +optional + scaleDown?: null | #HPAScalingRules @go(ScaleDown,*HPAScalingRules) @protobuf(2,bytes,opt) +} + +// ScalingPolicySelect is used to specify which policy should be used while scaling in a certain direction +#ScalingPolicySelect: string // #enumScalingPolicySelect + +#enumScalingPolicySelect: + #MaxChangePolicySelect | + #MinChangePolicySelect | + #DisabledPolicySelect + +// MaxChangePolicySelect selects the policy with the highest possible change. +#MaxChangePolicySelect: #ScalingPolicySelect & "Max" + +// MinChangePolicySelect selects the policy with the lowest possible change. +#MinChangePolicySelect: #ScalingPolicySelect & "Min" + +// DisabledPolicySelect disables the scaling in this direction. +#DisabledPolicySelect: #ScalingPolicySelect & "Disabled" + +// HPAScalingRules configures the scaling behavior for one direction. +// These Rules are applied after calculating DesiredReplicas from metrics for the HPA. +// They can limit the scaling velocity by specifying scaling policies. +// They can prevent flapping by specifying the stabilization window, so that the +// number of replicas is not set instantly, instead, the safest value from the stabilization +// window is chosen. +#HPAScalingRules: { + // stabilizationWindowSeconds is the number of seconds for which past recommendations should be + // considered while scaling up or scaling down. + // StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour). + // If not set, use the default values: + // - For scale up: 0 (i.e. no stabilization is done). + // - For scale down: 300 (i.e. the stabilization window is 300 seconds long). + // +optional + stabilizationWindowSeconds?: null | int32 @go(StabilizationWindowSeconds,*int32) @protobuf(3,varint,opt) + + // selectPolicy is used to specify which policy should be used. + // If not set, the default value Max is used. 
+ // +optional + selectPolicy?: null | #ScalingPolicySelect @go(SelectPolicy,*ScalingPolicySelect) @protobuf(1,bytes,opt) + + // policies is a list of potential scaling polices which can be used during scaling. + // At least one policy must be specified, otherwise the HPAScalingRules will be discarded as invalid + // +listType=atomic + // +optional + policies?: [...#HPAScalingPolicy] @go(Policies,[]HPAScalingPolicy) @protobuf(2,bytes,rep) +} + +// HPAScalingPolicyType is the type of the policy which could be used while making scaling decisions. +#HPAScalingPolicyType: string // #enumHPAScalingPolicyType + +#enumHPAScalingPolicyType: + #PodsScalingPolicy | + #PercentScalingPolicy + +// PodsScalingPolicy is a policy used to specify a change in absolute number of pods. +#PodsScalingPolicy: #HPAScalingPolicyType & "Pods" + +// PercentScalingPolicy is a policy used to specify a relative amount of change with respect to +// the current number of pods. +#PercentScalingPolicy: #HPAScalingPolicyType & "Percent" + +// HPAScalingPolicy is a single policy which must hold true for a specified past interval. +#HPAScalingPolicy: { + // type is used to specify the scaling policy. + type: #HPAScalingPolicyType @go(Type) @protobuf(1,bytes,opt,casttype=HPAScalingPolicyType) + + // value contains the amount of change which is permitted by the policy. + // It must be greater than zero + value: int32 @go(Value) @protobuf(2,varint,opt) + + // periodSeconds specifies the window of time for which the policy should hold true. + // PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). + periodSeconds: int32 @go(PeriodSeconds) @protobuf(3,varint,opt) +} + +// MetricSourceType indicates the type of metric. 
+#MetricSourceType: string // #enumMetricSourceType + +#enumMetricSourceType: + #ObjectMetricSourceType | + #PodsMetricSourceType | + #ResourceMetricSourceType | + #ContainerResourceMetricSourceType | + #ExternalMetricSourceType + +// ObjectMetricSourceType is a metric describing a kubernetes object +// (for example, hits-per-second on an Ingress object). +#ObjectMetricSourceType: #MetricSourceType & "Object" + +// PodsMetricSourceType is a metric describing each pod in the current scale +// target (for example, transactions-processed-per-second). The values +// will be averaged together before being compared to the target value. +#PodsMetricSourceType: #MetricSourceType & "Pods" + +// ResourceMetricSourceType is a resource metric known to Kubernetes, as +// specified in requests and limits, describing each pod in the current +// scale target (e.g. CPU or memory). Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available +// to normal per-pod metrics (the "pods" source). +#ResourceMetricSourceType: #MetricSourceType & "Resource" + +// ContainerResourceMetricSourceType is a resource metric known to Kubernetes, as +// specified in requests and limits, describing a single container in each pod in the current +// scale target (e.g. CPU or memory). Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available +// to normal per-pod metrics (the "pods" source). +#ContainerResourceMetricSourceType: #MetricSourceType & "ContainerResource" + +// ExternalMetricSourceType is a global metric that is not associated +// with any Kubernetes object. It allows autoscaling based on information +// coming from components running outside of cluster +// (for example length of queue in cloud messaging service, or +// QPS from loadbalancer running outside of cluster). 
+#ExternalMetricSourceType: #MetricSourceType & "External" + +// ObjectMetricSource indicates how to scale on a metric describing a +// kubernetes object (for example, hits-per-second on an Ingress object). +#ObjectMetricSource: { + // describedObject specifies the descriptions of a object,such as kind,name apiVersion + describedObject: #CrossVersionObjectReference @go(DescribedObject) @protobuf(1,bytes) + + // target specifies the target value for the given metric + target: #MetricTarget @go(Target) @protobuf(2,bytes) + + // metric identifies the target metric by name and selector + metric: #MetricIdentifier @go(Metric) @protobuf(3,bytes) +} + +// PodsMetricSource indicates how to scale on a metric describing each pod in +// the current scale target (for example, transactions-processed-per-second). +// The values will be averaged together before being compared to the target +// value. +#PodsMetricSource: { + // metric identifies the target metric by name and selector + metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes) + + // target specifies the target value for the given metric + target: #MetricTarget @go(Target) @protobuf(2,bytes) +} + +// ResourceMetricSource indicates how to scale on a resource metric known to +// Kubernetes, as specified in requests and limits, describing each pod in the +// current scale target (e.g. CPU or memory). The values will be averaged +// together before being compared to the target. Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available to +// normal per-pod metrics using the "pods" source. Only one "target" type +// should be set. +#ResourceMetricSource: { + // name is the name of the resource in question. 
+ name: v1.#ResourceName @go(Name) @protobuf(1,bytes) + + // target specifies the target value for the given metric + target: #MetricTarget @go(Target) @protobuf(2,bytes) +} + +// ContainerResourceMetricSource indicates how to scale on a resource metric known to +// Kubernetes, as specified in requests and limits, describing each pod in the +// current scale target (e.g. CPU or memory). The values will be averaged +// together before being compared to the target. Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available to +// normal per-pod metrics using the "pods" source. Only one "target" type +// should be set. +#ContainerResourceMetricSource: { + // name is the name of the resource in question. + name: v1.#ResourceName @go(Name) @protobuf(1,bytes) + + // target specifies the target value for the given metric + target: #MetricTarget @go(Target) @protobuf(2,bytes) + + // container is the name of the container in the pods of the scaling target + container: string @go(Container) @protobuf(3,bytes,opt) +} + +// ExternalMetricSource indicates how to scale on a metric not associated with +// any Kubernetes object (for example length of queue in cloud +// messaging service, or QPS from loadbalancer running outside of cluster). +#ExternalMetricSource: { + // metric identifies the target metric by name and selector + metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes) + + // target specifies the target value for the given metric + target: #MetricTarget @go(Target) @protobuf(2,bytes) +} + +// MetricIdentifier defines the name and optionally selector for a metric +#MetricIdentifier: { + // name is the name of the given metric + name: string @go(Name) @protobuf(1,bytes) + + // selector is the string-encoded form of a standard kubernetes label selector for the given metric + // When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping. 
+ // When unset, just the metricName will be used to gather metrics. + // +optional + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes) +} + +// MetricTarget defines the target value, average value, or average utilization of a specific metric +#MetricTarget: { + // type represents whether the metric type is Utilization, Value, or AverageValue + type: #MetricTargetType @go(Type) @protobuf(1,bytes) + + // value is the target value of the metric (as a quantity). + // +optional + value?: null | resource.#Quantity @go(Value,*resource.Quantity) @protobuf(2,bytes,opt) + + // averageValue is the target value of the average of the + // metric across all relevant pods (as a quantity) + // +optional + averageValue?: null | resource.#Quantity @go(AverageValue,*resource.Quantity) @protobuf(3,bytes,opt) + + // averageUtilization is the target value of the average of the + // resource metric across all relevant pods, represented as a percentage of + // the requested value of the resource for the pods. + // Currently only valid for Resource metric source type + // +optional + averageUtilization?: null | int32 @go(AverageUtilization,*int32) @protobuf(4,bytes,opt) +} + +// MetricTargetType specifies the type of metric being targeted, and should be either +// "Value", "AverageValue", or "Utilization" +#MetricTargetType: string // #enumMetricTargetType + +#enumMetricTargetType: + #UtilizationMetricType | + #ValueMetricType | + #AverageValueMetricType + +// UtilizationMetricType declares a MetricTarget is an AverageUtilization value +#UtilizationMetricType: #MetricTargetType & "Utilization" + +// ValueMetricType declares a MetricTarget is a raw value +#ValueMetricType: #MetricTargetType & "Value" + +// AverageValueMetricType declares a MetricTarget is an +#AverageValueMetricType: #MetricTargetType & "AverageValue" + +// HorizontalPodAutoscalerStatus describes the current status of a horizontal pod autoscaler. 
+#HorizontalPodAutoscalerStatus: { + // observedGeneration is the most recent generation observed by this autoscaler. + // +optional + observedGeneration?: null | int64 @go(ObservedGeneration,*int64) @protobuf(1,varint,opt) + + // lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods, + // used by the autoscaler to control how often the number of pods is changed. + // +optional + lastScaleTime?: null | metav1.#Time @go(LastScaleTime,*metav1.Time) @protobuf(2,bytes,opt) + + // currentReplicas is current number of replicas of pods managed by this autoscaler, + // as last seen by the autoscaler. + // +optional + currentReplicas?: int32 @go(CurrentReplicas) @protobuf(3,varint,opt) + + // desiredReplicas is the desired number of replicas of pods managed by this autoscaler, + // as last calculated by the autoscaler. + desiredReplicas: int32 @go(DesiredReplicas) @protobuf(4,varint,opt) + + // currentMetrics is the last read state of the metrics used by this autoscaler. + // +listType=atomic + // +optional + currentMetrics: [...#MetricStatus] @go(CurrentMetrics,[]MetricStatus) @protobuf(5,bytes,rep) + + // conditions is the set of conditions required for this autoscaler to scale its target, + // and indicates whether or not those conditions are met. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + // +optional + conditions?: [...#HorizontalPodAutoscalerCondition] @go(Conditions,[]HorizontalPodAutoscalerCondition) @protobuf(6,bytes,rep) +} + +// HorizontalPodAutoscalerConditionType are the valid conditions of +// a HorizontalPodAutoscaler. +#HorizontalPodAutoscalerConditionType: string // #enumHorizontalPodAutoscalerConditionType + +#enumHorizontalPodAutoscalerConditionType: + #ScalingActive | + #AbleToScale | + #ScalingLimited + +// ScalingActive indicates that the HPA controller is able to scale if necessary: +// it's correctly configured, can fetch the desired metrics, and isn't disabled. 
+#ScalingActive: #HorizontalPodAutoscalerConditionType & "ScalingActive" + +// AbleToScale indicates a lack of transient issues which prevent scaling from occurring, +// such as being in a backoff window, or being unable to access/update the target scale. +#AbleToScale: #HorizontalPodAutoscalerConditionType & "AbleToScale" + +// ScalingLimited indicates that the calculated scale based on metrics would be above or +// below the range for the HPA, and has thus been capped. +#ScalingLimited: #HorizontalPodAutoscalerConditionType & "ScalingLimited" + +// HorizontalPodAutoscalerCondition describes the state of +// a HorizontalPodAutoscaler at a certain point. +#HorizontalPodAutoscalerCondition: { + // type describes the current condition + type: #HorizontalPodAutoscalerConditionType @go(Type) @protobuf(1,bytes) + + // status is the status of the condition (True, False, Unknown) + status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes) + + // lastTransitionTime is the last time the condition transitioned from + // one status to another + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt) + + // reason is the reason for the condition's last transition. + // +optional + reason?: string @go(Reason) @protobuf(4,bytes,opt) + + // message is a human-readable explanation containing details about + // the transition + // +optional + message?: string @go(Message) @protobuf(5,bytes,opt) +} + +// MetricStatus describes the last-read state of a single metric. +#MetricStatus: { + // type is the type of metric source. It will be one of "ContainerResource", "External", + // "Object", "Pods" or "Resource", each corresponds to a matching field in the object. 
+ // Note: "ContainerResource" type is available on when the feature-gate + // HPAContainerMetrics is enabled + type: #MetricSourceType @go(Type) @protobuf(1,bytes) + + // object refers to a metric describing a single kubernetes object + // (for example, hits-per-second on an Ingress object). + // +optional + object?: null | #ObjectMetricStatus @go(Object,*ObjectMetricStatus) @protobuf(2,bytes,opt) + + // pods refers to a metric describing each pod in the current scale target + // (for example, transactions-processed-per-second). The values will be + // averaged together before being compared to the target value. + // +optional + pods?: null | #PodsMetricStatus @go(Pods,*PodsMetricStatus) @protobuf(3,bytes,opt) + + // resource refers to a resource metric (such as those specified in + // requests and limits) known to Kubernetes describing each pod in the + // current scale target (e.g. CPU or memory). Such metrics are built in to + // Kubernetes, and have special scaling options on top of those available + // to normal per-pod metrics using the "pods" source. + // +optional + resource?: null | #ResourceMetricStatus @go(Resource,*ResourceMetricStatus) @protobuf(4,bytes,opt) + + // container resource refers to a resource metric (such as those specified in + // requests and limits) known to Kubernetes describing a single container in each pod in the + // current scale target (e.g. CPU or memory). Such metrics are built in to + // Kubernetes, and have special scaling options on top of those available + // to normal per-pod metrics using the "pods" source. + // +optional + containerResource?: null | #ContainerResourceMetricStatus @go(ContainerResource,*ContainerResourceMetricStatus) @protobuf(7,bytes,opt) + + // external refers to a global metric that is not associated + // with any Kubernetes object. 
It allows autoscaling based on information + // coming from components running outside of cluster + // (for example length of queue in cloud messaging service, or + // QPS from loadbalancer running outside of cluster). + // +optional + external?: null | #ExternalMetricStatus @go(External,*ExternalMetricStatus) @protobuf(5,bytes,opt) +} + +// ObjectMetricStatus indicates the current value of a metric describing a +// kubernetes object (for example, hits-per-second on an Ingress object). +#ObjectMetricStatus: { + // metric identifies the target metric by name and selector + metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes) + + // current contains the current value for the given metric + current: #MetricValueStatus @go(Current) @protobuf(2,bytes) + + // DescribedObject specifies the descriptions of a object,such as kind,name apiVersion + describedObject: #CrossVersionObjectReference @go(DescribedObject) @protobuf(3,bytes) +} + +// PodsMetricStatus indicates the current value of a metric describing each pod in +// the current scale target (for example, transactions-processed-per-second). +#PodsMetricStatus: { + // metric identifies the target metric by name and selector + metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes) + + // current contains the current value for the given metric + current: #MetricValueStatus @go(Current) @protobuf(2,bytes) +} + +// ResourceMetricStatus indicates the current value of a resource metric known to +// Kubernetes, as specified in requests and limits, describing each pod in the +// current scale target (e.g. CPU or memory). Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available to +// normal per-pod metrics using the "pods" source. +#ResourceMetricStatus: { + // name is the name of the resource in question. 
+ name: v1.#ResourceName @go(Name) @protobuf(1,bytes) + + // current contains the current value for the given metric + current: #MetricValueStatus @go(Current) @protobuf(2,bytes) +} + +// ContainerResourceMetricStatus indicates the current value of a resource metric known to +// Kubernetes, as specified in requests and limits, describing a single container in each pod in the +// current scale target (e.g. CPU or memory). Such metrics are built in to +// Kubernetes, and have special scaling options on top of those available to +// normal per-pod metrics using the "pods" source. +#ContainerResourceMetricStatus: { + // name is the name of the resource in question. + name: v1.#ResourceName @go(Name) @protobuf(1,bytes) + + // current contains the current value for the given metric + current: #MetricValueStatus @go(Current) @protobuf(2,bytes) + + // container is the name of the container in the pods of the scaling target + container: string @go(Container) @protobuf(3,bytes,opt) +} + +// ExternalMetricStatus indicates the current value of a global metric +// not associated with any Kubernetes object. +#ExternalMetricStatus: { + // metric identifies the target metric by name and selector + metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes) + + // current contains the current value for the given metric + current: #MetricValueStatus @go(Current) @protobuf(2,bytes) +} + +// MetricValueStatus holds the current value for a metric +#MetricValueStatus: { + // value is the current value of the metric (as a quantity). 
+ // +optional + value?: null | resource.#Quantity @go(Value,*resource.Quantity) @protobuf(1,bytes,opt) + + // averageValue is the current value of the average of the + // metric across all relevant pods (as a quantity) + // +optional + averageValue?: null | resource.#Quantity @go(AverageValue,*resource.Quantity) @protobuf(2,bytes,opt) + + // currentAverageUtilization is the current value of the average of the + // resource metric across all relevant pods, represented as a percentage of + // the requested value of the resource for the pods. + // +optional + averageUtilization?: null | int32 @go(AverageUtilization,*int32) @protobuf(3,bytes,opt) +} + +// HorizontalPodAutoscalerList is a list of horizontal pod autoscaler objects. +#HorizontalPodAutoscalerList: { + metav1.#TypeMeta + + // metadata is the standard list metadata. + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of horizontal pod autoscaler objects. + items: [...#HorizontalPodAutoscaler] @go(Items,[]HorizontalPodAutoscaler) @protobuf(2,bytes,rep) +} diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/batch/v1/register_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/batch/v1/register_go_gen.cue new file mode 100644 index 000000000..5c4890873 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/batch/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/batch/v1 + +package v1 + +#GroupName: "batch" diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/batch/v1/types_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/batch/v1/types_go_gen.cue new file mode 100644 index 000000000..3cbdc66ff --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/batch/v1/types_go_gen.cue 
@@ -0,0 +1,693 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/batch/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/types" +) + +// All Kubernetes labels need to be prefixed with Kubernetes to distinguish them from end-user labels +// More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#label-selector-and-annotation-conventions +_#labelPrefix: "batch.kubernetes.io/" + +// CronJobScheduledTimestampAnnotation is the scheduled timestamp annotation for the Job. +// It records the original/expected scheduled timestamp for the running job, represented in RFC3339. +// The CronJob controller adds this annotation if the CronJobsScheduledAnnotation feature gate (beta in 1.28) is enabled. +#CronJobScheduledTimestampAnnotation: "batch.kubernetes.io/cronjob-scheduled-timestamp" +#JobCompletionIndexAnnotation: "batch.kubernetes.io/job-completion-index" + +// JobTrackingFinalizer is a finalizer for Job's pods. It prevents them from +// being deleted before being accounted in the Job status. +// +// Additionally, the apiserver and job controller use this string as a Job +// annotation, to mark Jobs that are being tracked using pod finalizers. +// However, this behavior is deprecated in kubernetes 1.26. This means that, in +// 1.27+, one release after JobTrackingWithFinalizers graduates to GA, the +// apiserver and job controller will ignore this annotation and they will +// always track jobs using finalizers. +#JobTrackingFinalizer: "batch.kubernetes.io/job-tracking" + +// The Job labels will use batch.kubernetes.io as a prefix for all labels +// Historically the job controller uses unprefixed labels for job-name and controller-uid and +// Kubernetes continutes to recognize those unprefixed labels for consistency. 
+#JobNameLabel: "batch.kubernetes.io/job-name" + +// ControllerUid is used to programatically get pods corresponding to a Job. +// There is a corresponding label without the batch.kubernetes.io that we support for legacy reasons. +#ControllerUidLabel: "batch.kubernetes.io/controller-uid" + +// Annotation indicating the number of failures for the index corresponding +// to the pod, which are counted towards the backoff limit. +#JobIndexFailureCountAnnotation: "batch.kubernetes.io/job-index-failure-count" + +// Annotation indicating the number of failures for the index corresponding +// to the pod, which don't count towards the backoff limit, according to the +// pod failure policy. When the annotation is absent zero is implied. +#JobIndexIgnoredFailureCountAnnotation: "batch.kubernetes.io/job-index-ignored-failure-count" + +// Job represents the configuration of a single job. +#Job: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Specification of the desired behavior of a job. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #JobSpec @go(Spec) @protobuf(2,bytes,opt) + + // Current status of a job. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #JobStatus @go(Status) @protobuf(3,bytes,opt) +} + +// JobList is a collection of jobs. +#JobList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of Jobs. 
+ items: [...#Job] @go(Items,[]Job) @protobuf(2,bytes,rep) +} + +// CompletionMode specifies how Pod completions of a Job are tracked. +// +enum +#CompletionMode: string // #enumCompletionMode + +#enumCompletionMode: + #NonIndexedCompletion | + #IndexedCompletion + +// NonIndexedCompletion is a Job completion mode. In this mode, the Job is +// considered complete when there have been .spec.completions +// successfully completed Pods. Pod completions are homologous to each other. +#NonIndexedCompletion: #CompletionMode & "NonIndexed" + +// IndexedCompletion is a Job completion mode. In this mode, the Pods of a +// Job get an associated completion index from 0 to (.spec.completions - 1). +// The Job is considered complete when a Pod completes for each completion +// index. +#IndexedCompletion: #CompletionMode & "Indexed" + +// PodFailurePolicyAction specifies how a Pod failure is handled. +// +enum +#PodFailurePolicyAction: string // #enumPodFailurePolicyAction + +#enumPodFailurePolicyAction: + #PodFailurePolicyActionFailJob | + #PodFailurePolicyActionFailIndex | + #PodFailurePolicyActionIgnore | + #PodFailurePolicyActionCount + +// This is an action which might be taken on a pod failure - mark the +// pod's job as Failed and terminate all running pods. +#PodFailurePolicyActionFailJob: #PodFailurePolicyAction & "FailJob" + +// This is an action which might be taken on a pod failure - mark the +// Job's index as failed to avoid restarts within this index. This action +// can only be used when backoffLimitPerIndex is set. +#PodFailurePolicyActionFailIndex: #PodFailurePolicyAction & "FailIndex" + +// This is an action which might be taken on a pod failure - the counter towards +// .backoffLimit, represented by the job's .status.failed field, is not +// incremented and a replacement pod is created. 
+#PodFailurePolicyActionIgnore: #PodFailurePolicyAction & "Ignore" + +// This is an action which might be taken on a pod failure - the pod failure +// is handled in the default way - the counter towards .backoffLimit, +// represented by the job's .status.failed field, is incremented. +#PodFailurePolicyActionCount: #PodFailurePolicyAction & "Count" + +// +enum +#PodFailurePolicyOnExitCodesOperator: string // #enumPodFailurePolicyOnExitCodesOperator + +#enumPodFailurePolicyOnExitCodesOperator: + #PodFailurePolicyOnExitCodesOpIn | + #PodFailurePolicyOnExitCodesOpNotIn + +#PodFailurePolicyOnExitCodesOpIn: #PodFailurePolicyOnExitCodesOperator & "In" +#PodFailurePolicyOnExitCodesOpNotIn: #PodFailurePolicyOnExitCodesOperator & "NotIn" + +// PodReplacementPolicy specifies the policy for creating pod replacements. +// +enum +#PodReplacementPolicy: string // #enumPodReplacementPolicy + +#enumPodReplacementPolicy: + #TerminatingOrFailed | + #Failed + +// TerminatingOrFailed means that we recreate pods +// when they are terminating (has a metadata.deletionTimestamp) or failed. +#TerminatingOrFailed: #PodReplacementPolicy & "TerminatingOrFailed" + +// Failed means to wait until a previously created Pod is fully terminated (has phase +// Failed or Succeeded) before creating a replacement Pod. +#Failed: #PodReplacementPolicy & "Failed" + +// PodFailurePolicyOnExitCodesRequirement describes the requirement for handling +// a failed pod based on its container exit codes. In particular, it lookups the +// .state.terminated.exitCode for each app container and init container status, +// represented by the .status.containerStatuses and .status.initContainerStatuses +// fields in the Pod status, respectively. Containers completed with success +// (exit code 0) are excluded from the requirement check. +#PodFailurePolicyOnExitCodesRequirement: { + // Restricts the check for exit codes to the container with the + // specified name. When null, the rule applies to all containers. 
+ // When specified, it should match one the container or initContainer + // names in the pod template. + // +optional + containerName?: null | string @go(ContainerName,*string) @protobuf(1,bytes,opt) + + // Represents the relationship between the container exit code(s) and the + // specified values. Containers completed with success (exit code 0) are + // excluded from the requirement check. Possible values are: + // + // - In: the requirement is satisfied if at least one container exit code + // (might be multiple if there are multiple containers not restricted + // by the 'containerName' field) is in the set of specified values. + // - NotIn: the requirement is satisfied if at least one container exit code + // (might be multiple if there are multiple containers not restricted + // by the 'containerName' field) is not in the set of specified values. + // Additional values are considered to be added in the future. Clients should + // react to an unknown operator by assuming the requirement is not satisfied. + operator: #PodFailurePolicyOnExitCodesOperator @go(Operator) @protobuf(2,bytes,req) + + // Specifies the set of values. Each returned container exit code (might be + // multiple in case of multiple containers) is checked against this set of + // values with respect to the operator. The list of values must be ordered + // and must not contain duplicates. Value '0' cannot be used for the In operator. + // At least one element is required. At most 255 elements are allowed. + // +listType=set + values: [...int32] @go(Values,[]int32) @protobuf(3,varint,rep) +} + +// PodFailurePolicyOnPodConditionsPattern describes a pattern for matching +// an actual pod condition type. +#PodFailurePolicyOnPodConditionsPattern: { + // Specifies the required Pod condition type. To match a pod condition + // it is required that specified type equals the pod condition type. 
+ type: corev1.#PodConditionType @go(Type) @protobuf(1,bytes,req) + + // Specifies the required Pod condition status. To match a pod condition + // it is required that the specified status equals the pod condition status. + // Defaults to True. + status: corev1.#ConditionStatus @go(Status) @protobuf(2,bytes,req) +} + +// PodFailurePolicyRule describes how a pod failure is handled when the requirements are met. +// One of onExitCodes and onPodConditions, but not both, can be used in each rule. +#PodFailurePolicyRule: { + // Specifies the action taken on a pod failure when the requirements are satisfied. + // Possible values are: + // + // - FailJob: indicates that the pod's job is marked as Failed and all + // running pods are terminated. + // - FailIndex: indicates that the pod's index is marked as Failed and will + // not be restarted. + // This value is alpha-level. It can be used when the + // `JobBackoffLimitPerIndex` feature gate is enabled (disabled by default). + // - Ignore: indicates that the counter towards the .backoffLimit is not + // incremented and a replacement pod is created. + // - Count: indicates that the pod is handled in the default way - the + // counter towards the .backoffLimit is incremented. + // Additional values are considered to be added in the future. Clients should + // react to an unknown action by skipping the rule. + action: #PodFailurePolicyAction @go(Action) @protobuf(1,bytes,req) + + // Represents the requirement on the container exit codes. + // +optional + onExitCodes?: null | #PodFailurePolicyOnExitCodesRequirement @go(OnExitCodes,*PodFailurePolicyOnExitCodesRequirement) @protobuf(2,bytes,opt) + + // Represents the requirement on the pod conditions. The requirement is represented + // as a list of pod condition patterns. The requirement is satisfied if at + // least one pattern matches an actual pod condition. At most 20 elements are allowed. 
+ // +listType=atomic + // +optional + onPodConditions: [...#PodFailurePolicyOnPodConditionsPattern] @go(OnPodConditions,[]PodFailurePolicyOnPodConditionsPattern) @protobuf(3,bytes,opt) +} + +// PodFailurePolicy describes how failed pods influence the backoffLimit. +#PodFailurePolicy: { + // A list of pod failure policy rules. The rules are evaluated in order. + // Once a rule matches a Pod failure, the remaining of the rules are ignored. + // When no rule matches the Pod failure, the default handling applies - the + // counter of pod failures is incremented and it is checked against + // the backoffLimit. At most 20 elements are allowed. + // +listType=atomic + rules: [...#PodFailurePolicyRule] @go(Rules,[]PodFailurePolicyRule) @protobuf(1,bytes,opt) +} + +// JobSpec describes how the job execution will look like. +#JobSpec: { + // Specifies the maximum desired number of pods the job should + // run at any given time. The actual number of pods running in steady state will + // be less than this number when ((.spec.completions - .status.successful) < .spec.parallelism), + // i.e. when the work left to do is less than max parallelism. + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/ + // +optional + parallelism?: null | int32 @go(Parallelism,*int32) @protobuf(1,varint,opt) + + // Specifies the desired number of successfully finished pods the + // job should be run with. Setting to null means that the success of any + // pod signals the success of all pods, and allows parallelism to have any positive + // value. Setting to 1 means that parallelism is limited to 1 and the success of that + // pod signals the success of the job. 
+ // More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/ + // +optional + completions?: null | int32 @go(Completions,*int32) @protobuf(2,varint,opt) + + // Specifies the duration in seconds relative to the startTime that the job + // may be continuously active before the system tries to terminate it; value + // must be positive integer. If a Job is suspended (at creation or through an + // update), this timer will effectively be stopped and reset when the Job is + // resumed again. + // +optional + activeDeadlineSeconds?: null | int64 @go(ActiveDeadlineSeconds,*int64) @protobuf(3,varint,opt) + + // Specifies the policy of handling failed pods. In particular, it allows to + // specify the set of actions and conditions which need to be + // satisfied to take the associated action. + // If empty, the default behaviour applies - the counter of failed pods, + // represented by the jobs's .status.failed field, is incremented and it is + // checked against the backoffLimit. This field cannot be used in combination + // with restartPolicy=OnFailure. + // + // This field is beta-level. It can be used when the `JobPodFailurePolicy` + // feature gate is enabled (enabled by default). + // +optional + podFailurePolicy?: null | #PodFailurePolicy @go(PodFailurePolicy,*PodFailurePolicy) @protobuf(11,bytes,opt) + + // Specifies the number of retries before marking this job failed. + // Defaults to 6 + // +optional + backoffLimit?: null | int32 @go(BackoffLimit,*int32) @protobuf(7,varint,opt) + + // Specifies the limit for the number of retries within an + // index before marking this index as failed. When enabled the number of + // failures per index is kept in the pod's + // batch.kubernetes.io/job-index-failure-count annotation. It can only + // be set when Job's completionMode=Indexed, and the Pod's restart + // policy is Never. The field is immutable. + // This field is alpha-level. 
It can be used when the `JobBackoffLimitPerIndex` + // feature gate is enabled (disabled by default). + // +optional + backoffLimitPerIndex?: null | int32 @go(BackoffLimitPerIndex,*int32) @protobuf(12,varint,opt) + + // Specifies the maximal number of failed indexes before marking the Job as + // failed, when backoffLimitPerIndex is set. Once the number of failed + // indexes exceeds this number the entire Job is marked as Failed and its + // execution is terminated. When left as null the job continues execution of + // all of its indexes and is marked with the `Complete` Job condition. + // It can only be specified when backoffLimitPerIndex is set. + // It can be null or up to completions. It is required and must be + // less than or equal to 10^4 when is completions greater than 10^5. + // This field is alpha-level. It can be used when the `JobBackoffLimitPerIndex` + // feature gate is enabled (disabled by default). + // +optional + maxFailedIndexes?: null | int32 @go(MaxFailedIndexes,*int32) @protobuf(13,varint,opt) + + // A label query over pods that should match the pod count. + // Normally, the system sets this field for you. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors + // +optional + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(4,bytes,opt) + + // manualSelector controls generation of pod labels and pod selectors. + // Leave `manualSelector` unset unless you are certain what you are doing. + // When false or unset, the system pick labels unique to this job + // and appends those labels to the pod template. When true, + // the user is responsible for picking unique labels and specifying + // the selector. Failure to pick a unique label may cause this + // and other jobs to not function correctly. However, You may see + // `manualSelector=true` in jobs that were created with the old `extensions/v1beta1` + // API. 
+ // More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/#specifying-your-own-pod-selector + // +optional + manualSelector?: null | bool @go(ManualSelector,*bool) @protobuf(5,varint,opt) + + // Describes the pod that will be created when executing a job. + // The only allowed template.spec.restartPolicy values are "Never" or "OnFailure". + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/ + template: corev1.#PodTemplateSpec @go(Template) @protobuf(6,bytes,opt) + + // ttlSecondsAfterFinished limits the lifetime of a Job that has finished + // execution (either Complete or Failed). If this field is set, + // ttlSecondsAfterFinished after the Job finishes, it is eligible to be + // automatically deleted. When the Job is being deleted, its lifecycle + // guarantees (e.g. finalizers) will be honored. If this field is unset, + // the Job won't be automatically deleted. If this field is set to zero, + // the Job becomes eligible to be deleted immediately after it finishes. + // +optional + ttlSecondsAfterFinished?: null | int32 @go(TTLSecondsAfterFinished,*int32) @protobuf(8,varint,opt) + + // completionMode specifies how Pod completions are tracked. It can be + // `NonIndexed` (default) or `Indexed`. + // + // `NonIndexed` means that the Job is considered complete when there have + // been .spec.completions successfully completed Pods. Each Pod completion is + // homologous to each other. + // + // `Indexed` means that the Pods of a + // Job get an associated completion index from 0 to (.spec.completions - 1), + // available in the annotation batch.kubernetes.io/job-completion-index. + // The Job is considered complete when there is one successfully completed Pod + // for each index. + // When value is `Indexed`, .spec.completions must be specified and + // `.spec.parallelism` must be less than or equal to 10^5. 
+ // In addition, The Pod name takes the form + // `$(job-name)-$(index)-$(random-string)`, + // the Pod hostname takes the form `$(job-name)-$(index)`. + // + // More completion modes can be added in the future. + // If the Job controller observes a mode that it doesn't recognize, which + // is possible during upgrades due to version skew, the controller + // skips updates for the Job. + // +optional + completionMode?: null | #CompletionMode @go(CompletionMode,*CompletionMode) @protobuf(9,bytes,opt,casttype=CompletionMode) + + // suspend specifies whether the Job controller should create Pods or not. If + // a Job is created with suspend set to true, no Pods are created by the Job + // controller. If a Job is suspended after creation (i.e. the flag goes from + // false to true), the Job controller will delete all active Pods associated + // with this Job. Users must design their workload to gracefully handle this. + // Suspending a Job will reset the StartTime field of the Job, effectively + // resetting the ActiveDeadlineSeconds timer too. Defaults to false. + // + // +optional + suspend?: null | bool @go(Suspend,*bool) @protobuf(10,varint,opt) + + // podReplacementPolicy specifies when to create replacement Pods. + // Possible values are: + // - TerminatingOrFailed means that we recreate pods + // when they are terminating (has a metadata.deletionTimestamp) or failed. + // - Failed means to wait until a previously created Pod is fully terminated (has phase + // Failed or Succeeded) before creating a replacement Pod. + // + // When using podFailurePolicy, Failed is the the only allowed value. + // TerminatingOrFailed and Failed are allowed values when podFailurePolicy is not in use. + // This is an alpha field. Enable JobPodReplacementPolicy to be able to use this field. 
+ // +optional + podReplacementPolicy?: null | #PodReplacementPolicy @go(PodReplacementPolicy,*PodReplacementPolicy) @protobuf(14,bytes,opt,casttype=podReplacementPolicy) +} + +// JobStatus represents the current state of a Job. +#JobStatus: { + // The latest available observations of an object's current state. When a Job + // fails, one of the conditions will have type "Failed" and status true. When + // a Job is suspended, one of the conditions will have type "Suspended" and + // status true; when the Job is resumed, the status of this condition will + // become false. When a Job is completed, one of the conditions will have + // type "Complete" and status true. + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/ + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=atomic + conditions?: [...#JobCondition] @go(Conditions,[]JobCondition) @protobuf(1,bytes,rep) + + // Represents time when the job controller started processing a job. When a + // Job is created in the suspended state, this field is not set until the + // first time it is resumed. This field is reset every time a Job is resumed + // from suspension. It is represented in RFC3339 form and is in UTC. + // +optional + startTime?: null | metav1.#Time @go(StartTime,*metav1.Time) @protobuf(2,bytes,opt) + + // Represents time when the job was completed. It is not guaranteed to + // be set in happens-before order across separate operations. + // It is represented in RFC3339 form and is in UTC. + // The completion time is only set when the job finishes successfully. + // +optional + completionTime?: null | metav1.#Time @go(CompletionTime,*metav1.Time) @protobuf(3,bytes,opt) + + // The number of pending and running pods. + // +optional + active?: int32 @go(Active) @protobuf(4,varint,opt) + + // The number of pods which reached phase Succeeded. 
+ // +optional + succeeded?: int32 @go(Succeeded) @protobuf(5,varint,opt) + + // The number of pods which reached phase Failed. + // +optional + failed?: int32 @go(Failed) @protobuf(6,varint,opt) + + // The number of pods which are terminating (in phase Pending or Running + // and have a deletionTimestamp). + // + // This field is alpha-level. The job controller populates the field when + // the feature gate JobPodReplacementPolicy is enabled (disabled by default). + // +optional + terminating?: null | int32 @go(Terminating,*int32) @protobuf(11,varint,opt) + + // completedIndexes holds the completed indexes when .spec.completionMode = + // "Indexed" in a text format. The indexes are represented as decimal integers + // separated by commas. The numbers are listed in increasing order. Three or + // more consecutive numbers are compressed and represented by the first and + // last element of the series, separated by a hyphen. + // For example, if the completed indexes are 1, 3, 4, 5 and 7, they are + // represented as "1,3-5,7". + // +optional + completedIndexes?: string @go(CompletedIndexes) @protobuf(7,bytes,opt) + + // FailedIndexes holds the failed indexes when backoffLimitPerIndex=true. + // The indexes are represented in the text format analogous as for the + // `completedIndexes` field, ie. they are kept as decimal integers + // separated by commas. The numbers are listed in increasing order. Three or + // more consecutive numbers are compressed and represented by the first and + // last element of the series, separated by a hyphen. + // For example, if the failed indexes are 1, 3, 4, 5 and 7, they are + // represented as "1,3-5,7". + // This field is alpha-level. It can be used when the `JobBackoffLimitPerIndex` + // feature gate is enabled (disabled by default). 
+ // +optional + failedIndexes?: null | string @go(FailedIndexes,*string) @protobuf(10,bytes,opt) + + // uncountedTerminatedPods holds the UIDs of Pods that have terminated but + // the job controller hasn't yet accounted for in the status counters. + // + // The job controller creates pods with a finalizer. When a pod terminates + // (succeeded or failed), the controller does three steps to account for it + // in the job status: + // + // 1. Add the pod UID to the arrays in this field. + // 2. Remove the pod finalizer. + // 3. Remove the pod UID from the arrays while increasing the corresponding + // counter. + // + // Old jobs might not be tracked using this field, in which case the field + // remains null. + // +optional + uncountedTerminatedPods?: null | #UncountedTerminatedPods @go(UncountedTerminatedPods,*UncountedTerminatedPods) @protobuf(8,bytes,opt) + + // The number of pods which have a Ready condition. + // + // This field is beta-level. The job controller populates the field when + // the feature gate JobReadyPods is enabled (enabled by default). + // +optional + ready?: null | int32 @go(Ready,*int32) @protobuf(9,varint,opt) +} + +// UncountedTerminatedPods holds UIDs of Pods that have terminated but haven't +// been accounted in Job status counters. +#UncountedTerminatedPods: { + // succeeded holds UIDs of succeeded Pods. + // +listType=set + // +optional + succeeded?: [...types.#UID] @go(Succeeded,[]types.UID) @protobuf(1,bytes,rep,casttype=k8s.io/apimachinery/pkg/types.UID) + + // failed holds UIDs of failed Pods. + // +listType=set + // +optional + failed?: [...types.#UID] @go(Failed,[]types.UID) @protobuf(2,bytes,rep,casttype=k8s.io/apimachinery/pkg/types.UID) +} + +#JobConditionType: string // #enumJobConditionType + +#enumJobConditionType: + #JobSuspended | + #JobComplete | + #JobFailed | + #JobFailureTarget + +// JobSuspended means the job has been suspended. 
+#JobSuspended: #JobConditionType & "Suspended" + +// JobComplete means the job has completed its execution. +#JobComplete: #JobConditionType & "Complete" + +// JobFailed means the job has failed its execution. +#JobFailed: #JobConditionType & "Failed" + +// FailureTarget means the job is about to fail its execution. +#JobFailureTarget: #JobConditionType & "FailureTarget" + +// JobCondition describes current state of a job. +#JobCondition: { + // Type of job condition, Complete or Failed. + type: #JobConditionType @go(Type) @protobuf(1,bytes,opt,casttype=JobConditionType) + + // Status of the condition, one of True, False, Unknown. + status: corev1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus) + + // Last time the condition was checked. + // +optional + lastProbeTime?: metav1.#Time @go(LastProbeTime) @protobuf(3,bytes,opt) + + // Last time the condition transit from one status to another. + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(4,bytes,opt) + + // (brief) reason for the condition's last transition. + // +optional + reason?: string @go(Reason) @protobuf(5,bytes,opt) + + // Human readable message indicating details about last transition. + // +optional + message?: string @go(Message) @protobuf(6,bytes,opt) +} + +// JobTemplateSpec describes the data a Job should have when created from a template +#JobTemplateSpec: { + // Standard object's metadata of the jobs created from this template. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Specification of the desired behavior of the job. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #JobSpec @go(Spec) @protobuf(2,bytes,opt) +} + +// CronJob represents the configuration of a single cron job. +#CronJob: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Specification of the desired behavior of a cron job, including the schedule. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #CronJobSpec @go(Spec) @protobuf(2,bytes,opt) + + // Current status of a cron job. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #CronJobStatus @go(Status) @protobuf(3,bytes,opt) +} + +// CronJobList is a collection of cron jobs. +#CronJobList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of CronJobs. + items: [...#CronJob] @go(Items,[]CronJob) @protobuf(2,bytes,rep) +} + +// CronJobSpec describes how the job execution will look like and when it will actually run. +#CronJobSpec: { + // The schedule in Cron format, see https://en.wikipedia.org/wiki/Cron. + schedule: string @go(Schedule) @protobuf(1,bytes,opt) + + // The time zone name for the given schedule, see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones. + // If not specified, this will default to the time zone of the kube-controller-manager process. 
+ // The set of valid time zone names and the time zone offset is loaded from the system-wide time zone + // database by the API server during CronJob validation and the controller manager during execution. + // If no system-wide time zone database can be found a bundled version of the database is used instead. + // If the time zone name becomes invalid during the lifetime of a CronJob or due to a change in host + // configuration, the controller will stop creating new new Jobs and will create a system event with the + // reason UnknownTimeZone. + // More information can be found in https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#time-zones + // +optional + timeZone?: null | string @go(TimeZone,*string) @protobuf(8,bytes,opt) + + // Optional deadline in seconds for starting the job if it misses scheduled + // time for any reason. Missed jobs executions will be counted as failed ones. + // +optional + startingDeadlineSeconds?: null | int64 @go(StartingDeadlineSeconds,*int64) @protobuf(2,varint,opt) + + // Specifies how to treat concurrent executions of a Job. + // Valid values are: + // + // - "Allow" (default): allows CronJobs to run concurrently; + // - "Forbid": forbids concurrent runs, skipping next run if previous run hasn't finished yet; + // - "Replace": cancels currently running job and replaces it with a new one + // +optional + concurrencyPolicy?: #ConcurrencyPolicy @go(ConcurrencyPolicy) @protobuf(3,bytes,opt,casttype=ConcurrencyPolicy) + + // This flag tells the controller to suspend subsequent executions, it does + // not apply to already started executions. Defaults to false. + // +optional + suspend?: null | bool @go(Suspend,*bool) @protobuf(4,varint,opt) + + // Specifies the job that will be created when executing a CronJob. + jobTemplate: #JobTemplateSpec @go(JobTemplate) @protobuf(5,bytes,opt) + + // The number of successful finished jobs to retain. Value must be non-negative integer. + // Defaults to 3. 
+ // +optional + successfulJobsHistoryLimit?: null | int32 @go(SuccessfulJobsHistoryLimit,*int32) @protobuf(6,varint,opt) + + // The number of failed finished jobs to retain. Value must be non-negative integer. + // Defaults to 1. + // +optional + failedJobsHistoryLimit?: null | int32 @go(FailedJobsHistoryLimit,*int32) @protobuf(7,varint,opt) +} + +// ConcurrencyPolicy describes how the job will be handled. +// Only one of the following concurrent policies may be specified. +// If none of the following policies is specified, the default one +// is AllowConcurrent. +// +enum +#ConcurrencyPolicy: string // #enumConcurrencyPolicy + +#enumConcurrencyPolicy: + #AllowConcurrent | + #ForbidConcurrent | + #ReplaceConcurrent + +// AllowConcurrent allows CronJobs to run concurrently. +#AllowConcurrent: #ConcurrencyPolicy & "Allow" + +// ForbidConcurrent forbids concurrent runs, skipping next run if previous +// hasn't finished yet. +#ForbidConcurrent: #ConcurrencyPolicy & "Forbid" + +// ReplaceConcurrent cancels currently running job and replaces it with a new one. +#ReplaceConcurrent: #ConcurrencyPolicy & "Replace" + +// CronJobStatus represents the current state of a cron job. +#CronJobStatus: { + // A list of pointers to currently running jobs. + // +optional + // +listType=atomic + active?: [...corev1.#ObjectReference] @go(Active,[]corev1.ObjectReference) @protobuf(1,bytes,rep) + + // Information when was the last time the job was successfully scheduled. + // +optional + lastScheduleTime?: null | metav1.#Time @go(LastScheduleTime,*metav1.Time) @protobuf(4,bytes,opt) + + // Information when was the last time the job successfully completed. + // +optional + lastSuccessfulTime?: null | metav1.#Time @go(LastSuccessfulTime,*metav1.Time) @protobuf(5,bytes,opt) +} diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/certificates/v1/register_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/certificates/v1/register_go_gen.cue new file mode 100644 index 000000000..f2ce34369 
--- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/certificates/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/certificates/v1 + +package v1 + +#GroupName: "certificates.k8s.io" diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/certificates/v1/types_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/certificates/v1/types_go_gen.cue new file mode 100644 index 000000000..401ca5c97 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/certificates/v1/types_go_gen.cue 
@@ -0,0 +1,318 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/certificates/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/api/core/v1" +) + +// CertificateSigningRequest objects provide a mechanism to obtain x509 certificates +// by submitting a certificate signing request, and having it asynchronously approved and issued. +// +// Kubelets use this API to obtain: +// 1. client certificates to authenticate to kube-apiserver (with the "kubernetes.io/kube-apiserver-client-kubelet" signerName). +// 2. serving certificates for TLS endpoints kube-apiserver can connect to securely (with the "kubernetes.io/kubelet-serving" signerName). +// +// This API can be used to request client certificates to authenticate to kube-apiserver +// (with the "kubernetes.io/kube-apiserver-client" signerName), +// or to obtain certificates from custom non-Kubernetes signers. +#CertificateSigningRequest: { + metav1.#TypeMeta + + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec contains the certificate request, and is immutable after creation. + // Only the request, signerName, expirationSeconds, and usages fields can be set on creation. + // Other fields are derived by Kubernetes and cannot be modified by users. + spec: #CertificateSigningRequestSpec @go(Spec) @protobuf(2,bytes,opt) + + // status contains information about whether the request is approved or denied, + // and the certificate issued by the signer, or the failure condition indicating signer failure. + // +optional + status?: #CertificateSigningRequestStatus @go(Status) @protobuf(3,bytes,opt) +} + +// CertificateSigningRequestSpec contains the certificate request. +#CertificateSigningRequestSpec: { + // request contains an x509 certificate signing request encoded in a "CERTIFICATE REQUEST" PEM block. + // When serialized as JSON or YAML, the data is additionally base64-encoded. 
+ // +listType=atomic + request: bytes @go(Request,[]byte) @protobuf(1,bytes,opt) + + // signerName indicates the requested signer, and is a qualified name. + // + // List/watch requests for CertificateSigningRequests can filter on this field using a "spec.signerName=NAME" fieldSelector. + // + // Well-known Kubernetes signers are: + // 1. "kubernetes.io/kube-apiserver-client": issues client certificates that can be used to authenticate to kube-apiserver. + // Requests for this signer are never auto-approved by kube-controller-manager, can be issued by the "csrsigning" controller in kube-controller-manager. + // 2. "kubernetes.io/kube-apiserver-client-kubelet": issues client certificates that kubelets use to authenticate to kube-apiserver. + // Requests for this signer can be auto-approved by the "csrapproving" controller in kube-controller-manager, and can be issued by the "csrsigning" controller in kube-controller-manager. + // 3. "kubernetes.io/kubelet-serving" issues serving certificates that kubelets use to serve TLS endpoints, which kube-apiserver can connect to securely. + // Requests for this signer are never auto-approved by kube-controller-manager, and can be issued by the "csrsigning" controller in kube-controller-manager. + // + // More details are available at https://k8s.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers + // + // Custom signerNames can also be specified. The signer defines: + // 1. Trust distribution: how trust (CA bundles) are distributed. + // 2. Permitted subjects: and behavior when a disallowed subject is requested. + // 3. Required, permitted, or forbidden x509 extensions in the request (including whether subjectAltNames are allowed, which types, restrictions on allowed values) and behavior when a disallowed extension is requested. + // 4. Required, permitted, or forbidden key usages / extended key usages. + // 5. 
Expiration/certificate lifetime: whether it is fixed by the signer, configurable by the admin. + // 6. Whether or not requests for CA certificates are allowed. + signerName: string @go(SignerName) @protobuf(7,bytes,opt) + + // expirationSeconds is the requested duration of validity of the issued + // certificate. The certificate signer may issue a certificate with a different + // validity duration so a client must check the delta between the notBefore and + // and notAfter fields in the issued certificate to determine the actual duration. + // + // The v1.22+ in-tree implementations of the well-known Kubernetes signers will + // honor this field as long as the requested duration is not greater than the + // maximum duration they will honor per the --cluster-signing-duration CLI + // flag to the Kubernetes controller manager. + // + // Certificate signers may not honor this field for various reasons: + // + // 1. Old signer that is unaware of the field (such as the in-tree + // implementations prior to v1.22) + // 2. Signer whose configured maximum is shorter than the requested duration + // 3. Signer whose configured minimum is longer than the requested duration + // + // The minimum valid value for expirationSeconds is 600, i.e. 10 minutes. + // + // +optional + expirationSeconds?: null | int32 @go(ExpirationSeconds,*int32) @protobuf(8,varint,opt) + + // usages specifies a set of key usages requested in the issued certificate. + // + // Requests for TLS client certificates typically request: "digital signature", "key encipherment", "client auth". + // + // Requests for TLS serving certificates typically request: "key encipherment", "digital signature", "server auth". 
+ // + // Valid values are: + // "signing", "digital signature", "content commitment", + // "key encipherment", "key agreement", "data encipherment", + // "cert sign", "crl sign", "encipher only", "decipher only", "any", + // "server auth", "client auth", + // "code signing", "email protection", "s/mime", + // "ipsec end system", "ipsec tunnel", "ipsec user", + // "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc" + // +listType=atomic + usages?: [...#KeyUsage] @go(Usages,[]KeyUsage) @protobuf(5,bytes,opt) + + // username contains the name of the user that created the CertificateSigningRequest. + // Populated by the API server on creation and immutable. + // +optional + username?: string @go(Username) @protobuf(2,bytes,opt) + + // uid contains the uid of the user that created the CertificateSigningRequest. + // Populated by the API server on creation and immutable. + // +optional + uid?: string @go(UID) @protobuf(3,bytes,opt) + + // groups contains group membership of the user that created the CertificateSigningRequest. + // Populated by the API server on creation and immutable. + // +listType=atomic + // +optional + groups?: [...string] @go(Groups,[]string) @protobuf(4,bytes,rep) + + // extra contains extra attributes of the user that created the CertificateSigningRequest. + // Populated by the API server on creation and immutable. + // +optional + extra?: {[string]: #ExtraValue} @go(Extra,map[string]ExtraValue) @protobuf(6,bytes,rep) +} + +// "kubernetes.io/kube-apiserver-client" signer issues client certificates that can be used to authenticate to kube-apiserver. +// Never auto-approved by kube-controller-manager. +// Can be issued by the "csrsigning" controller in kube-controller-manager. +#KubeAPIServerClientSignerName: "kubernetes.io/kube-apiserver-client" + +// "kubernetes.io/kube-apiserver-client-kubelet" issues client certificates that kubelets use to authenticate to kube-apiserver. 
+// Can be auto-approved by the "csrapproving" controller in kube-controller-manager. +// Can be issued by the "csrsigning" controller in kube-controller-manager. +#KubeAPIServerClientKubeletSignerName: "kubernetes.io/kube-apiserver-client-kubelet" + +// "kubernetes.io/kubelet-serving" issues serving certificates that kubelets use to serve TLS endpoints, +// which kube-apiserver can connect to securely. +// Never auto-approved by kube-controller-manager. +// Can be issued by the "csrsigning" controller in kube-controller-manager. +#KubeletServingSignerName: "kubernetes.io/kubelet-serving" + +// ExtraValue masks the value so protobuf can generate +// +protobuf.nullable=true +// +protobuf.options.(gogoproto.goproto_stringer)=false +#ExtraValue: [...string] + +// CertificateSigningRequestStatus contains conditions used to indicate +// approved/denied/failed status of the request, and the issued certificate. +#CertificateSigningRequestStatus: { + // conditions applied to the request. Known conditions are "Approved", "Denied", and "Failed". + // +listType=map + // +listMapKey=type + // +optional + conditions?: [...#CertificateSigningRequestCondition] @go(Conditions,[]CertificateSigningRequestCondition) @protobuf(1,bytes,rep) + + // certificate is populated with an issued certificate by the signer after an Approved condition is present. + // This field is set via the /status subresource. Once populated, this field is immutable. + // + // If the certificate signing request is denied, a condition of type "Denied" is added and this field remains empty. + // If the signer cannot issue the certificate, a condition of type "Failed" is added and this field remains empty. + // + // Validation requirements: + // 1. certificate must contain one or more PEM blocks. + // 2. All PEM blocks must have the "CERTIFICATE" label, contain no headers, and the encoded data + // must be a BER-encoded ASN.1 Certificate structure as described in section 4 of RFC5280. + // 3. 
Non-PEM content may appear before or after the "CERTIFICATE" PEM blocks and is unvalidated, + // to allow for explanatory text as described in section 5.2 of RFC7468. + // + // If more than one PEM block is present, and the definition of the requested spec.signerName + // does not indicate otherwise, the first block is the issued certificate, + // and subsequent blocks should be treated as intermediate certificates and presented in TLS handshakes. + // + // The certificate is encoded in PEM format. + // + // When serialized as JSON or YAML, the data is additionally base64-encoded, so it consists of: + // + // base64( + // -----BEGIN CERTIFICATE----- + // ... + // -----END CERTIFICATE----- + // ) + // + // +listType=atomic + // +optional + certificate?: bytes @go(Certificate,[]byte) @protobuf(2,bytes,opt) +} + +// RequestConditionType is the type of a CertificateSigningRequestCondition +#RequestConditionType: string // #enumRequestConditionType + +#enumRequestConditionType: + #CertificateApproved | + #CertificateDenied | + #CertificateFailed + +// Approved indicates the request was approved and should be issued by the signer. +#CertificateApproved: #RequestConditionType & "Approved" + +// Denied indicates the request was denied and should not be issued by the signer. +#CertificateDenied: #RequestConditionType & "Denied" + +// Failed indicates the signer failed to issue the certificate. +#CertificateFailed: #RequestConditionType & "Failed" + +// CertificateSigningRequestCondition describes a condition of a CertificateSigningRequest object +#CertificateSigningRequestCondition: { + // type of the condition. Known conditions are "Approved", "Denied", and "Failed". + // + // An "Approved" condition is added via the /approval subresource, + // indicating the request was approved and should be issued by the signer. + // + // A "Denied" condition is added via the /approval subresource, + // indicating the request was denied and should not be issued by the signer. 
+ // + // A "Failed" condition is added via the /status subresource, + // indicating the signer failed to issue the certificate. + // + // Approved and Denied conditions are mutually exclusive. + // Approved, Denied, and Failed conditions cannot be removed once added. + // + // Only one condition of a given type is allowed. + type: #RequestConditionType @go(Type) @protobuf(1,bytes,opt,casttype=RequestConditionType) + + // status of the condition, one of True, False, Unknown. + // Approved, Denied, and Failed conditions may not be "False" or "Unknown". + status: v1.#ConditionStatus @go(Status) @protobuf(6,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus) + + // reason indicates a brief reason for the request state + // +optional + reason?: string @go(Reason) @protobuf(2,bytes,opt) + + // message contains a human readable message with details about the request state + // +optional + message?: string @go(Message) @protobuf(3,bytes,opt) + + // lastUpdateTime is the time of the last update to this condition + // +optional + lastUpdateTime?: metav1.#Time @go(LastUpdateTime) @protobuf(4,bytes,opt) + + // lastTransitionTime is the time the condition last transitioned from one status to another. + // If unset, when a new condition type is added or an existing condition's status is changed, + // the server defaults this to the current time. + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(5,bytes,opt) +} + +// CertificateSigningRequestList is a collection of CertificateSigningRequest objects +#CertificateSigningRequestList: { + metav1.#TypeMeta + + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is a collection of CertificateSigningRequest objects + items: [...#CertificateSigningRequest] @go(Items,[]CertificateSigningRequest) @protobuf(2,bytes,rep) +} + +// KeyUsage specifies valid usage contexts for keys. 
+// See: +// +// https://tools.ietf.org/html/rfc5280#section-4.2.1.3 +// https://tools.ietf.org/html/rfc5280#section-4.2.1.12 +// +// +enum +#KeyUsage: string // #enumKeyUsage + +#enumKeyUsage: + #UsageSigning | + #UsageDigitalSignature | + #UsageContentCommitment | + #UsageKeyEncipherment | + #UsageKeyAgreement | + #UsageDataEncipherment | + #UsageCertSign | + #UsageCRLSign | + #UsageEncipherOnly | + #UsageDecipherOnly | + #UsageAny | + #UsageServerAuth | + #UsageClientAuth | + #UsageCodeSigning | + #UsageEmailProtection | + #UsageSMIME | + #UsageIPsecEndSystem | + #UsageIPsecTunnel | + #UsageIPsecUser | + #UsageTimestamping | + #UsageOCSPSigning | + #UsageMicrosoftSGC | + #UsageNetscapeSGC + +#UsageSigning: #KeyUsage & "signing" +#UsageDigitalSignature: #KeyUsage & "digital signature" +#UsageContentCommitment: #KeyUsage & "content commitment" +#UsageKeyEncipherment: #KeyUsage & "key encipherment" +#UsageKeyAgreement: #KeyUsage & "key agreement" +#UsageDataEncipherment: #KeyUsage & "data encipherment" +#UsageCertSign: #KeyUsage & "cert sign" +#UsageCRLSign: #KeyUsage & "crl sign" +#UsageEncipherOnly: #KeyUsage & "encipher only" +#UsageDecipherOnly: #KeyUsage & "decipher only" +#UsageAny: #KeyUsage & "any" +#UsageServerAuth: #KeyUsage & "server auth" +#UsageClientAuth: #KeyUsage & "client auth" +#UsageCodeSigning: #KeyUsage & "code signing" +#UsageEmailProtection: #KeyUsage & "email protection" +#UsageSMIME: #KeyUsage & "s/mime" +#UsageIPsecEndSystem: #KeyUsage & "ipsec end system" +#UsageIPsecTunnel: #KeyUsage & "ipsec tunnel" +#UsageIPsecUser: #KeyUsage & "ipsec user" +#UsageTimestamping: #KeyUsage & "timestamping" +#UsageOCSPSigning: #KeyUsage & "ocsp signing" +#UsageMicrosoftSGC: #KeyUsage & "microsoft sgc" +#UsageNetscapeSGC: #KeyUsage & "netscape sgc" 
diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/coordination/v1/register_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/coordination/v1/register_go_gen.cue new file mode 100644 index 000000000..d0a257d5e --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/coordination/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/coordination/v1 + +package v1 + +#GroupName: "coordination.k8s.io" diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/coordination/v1/types_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/coordination/v1/types_go_gen.cue new file mode 100644 index 000000000..de2c74126 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/coordination/v1/types_go_gen.cue 
@@ -0,0 +1,61 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/coordination/v1 + +package v1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// Lease defines a lease concept. +#Lease: { + metav1.#TypeMeta + + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec contains the specification of the Lease. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #LeaseSpec @go(Spec) @protobuf(2,bytes,opt) +} + +// LeaseSpec is a specification of a Lease. +#LeaseSpec: { + // holderIdentity contains the identity of the holder of a current lease. + // +optional + holderIdentity?: null | string @go(HolderIdentity,*string) @protobuf(1,bytes,opt) + + // leaseDurationSeconds is a duration that candidates for a lease need + // to wait to force acquire it. This is measure against time of last + // observed renewTime. + // +optional + leaseDurationSeconds?: null | int32 @go(LeaseDurationSeconds,*int32) @protobuf(2,varint,opt) + + // acquireTime is a time when the current lease was acquired. + // +optional + acquireTime?: null | metav1.#MicroTime @go(AcquireTime,*metav1.MicroTime) @protobuf(3,bytes,opt) + + // renewTime is a time when the current holder of a lease has last + // updated the lease. + // +optional + renewTime?: null | metav1.#MicroTime @go(RenewTime,*metav1.MicroTime) @protobuf(4,bytes,opt) + + // leaseTransitions is the number of transitions of a lease between + // holders. + // +optional + leaseTransitions?: null | int32 @go(LeaseTransitions,*int32) @protobuf(5,varint,opt) +} + +// LeaseList is a list of Lease objects. +#LeaseList: { + metav1.#TypeMeta + + // Standard list metadata. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is a list of schema objects. + items: [...#Lease] @go(Items,[]Lease) @protobuf(2,bytes,rep) +} diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/core/v1/annotation_key_constants_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/core/v1/annotation_key_constants_go_gen.cue new file mode 100644 index 000000000..3a3027906 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/core/v1/annotation_key_constants_go_gen.cue 
@@ -0,0 +1,147 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/core/v1 + +package v1 + +// ImagePolicyFailedOpenKey is added to pods created by failing open when the image policy +// webhook backend fails. +#ImagePolicyFailedOpenKey: "alpha.image-policy.k8s.io/failed-open" + +// MirrorAnnotationKey represents the annotation key set by kubelets when creating mirror pods +#MirrorPodAnnotationKey: "kubernetes.io/config.mirror" + +// TolerationsAnnotationKey represents the key of tolerations data (json serialized) +// in the Annotations of a Pod. +#TolerationsAnnotationKey: "scheduler.alpha.kubernetes.io/tolerations" + +// TaintsAnnotationKey represents the key of taints data (json serialized) +// in the Annotations of a Node. +#TaintsAnnotationKey: "scheduler.alpha.kubernetes.io/taints" + +// SeccompPodAnnotationKey represents the key of a seccomp profile applied +// to all containers of a pod. +// Deprecated: set a pod security context `seccompProfile` field. +#SeccompPodAnnotationKey: "seccomp.security.alpha.kubernetes.io/pod" + +// SeccompContainerAnnotationKeyPrefix represents the key of a seccomp profile applied +// to one container of a pod. +// Deprecated: set a container security context `seccompProfile` field. +#SeccompContainerAnnotationKeyPrefix: "container.seccomp.security.alpha.kubernetes.io/" + +// SeccompProfileRuntimeDefault represents the default seccomp profile used by container runtime. +// Deprecated: set a pod or container security context `seccompProfile` of type "RuntimeDefault" instead. +#SeccompProfileRuntimeDefault: "runtime/default" + +// SeccompProfileNameUnconfined is the unconfined seccomp profile. +#SeccompProfileNameUnconfined: "unconfined" + +// SeccompLocalhostProfileNamePrefix is the prefix for specifying profiles loaded from the node's disk. 
+#SeccompLocalhostProfileNamePrefix: "localhost/" + +// AppArmorBetaContainerAnnotationKeyPrefix is the prefix to an annotation key specifying a container's apparmor profile. +#AppArmorBetaContainerAnnotationKeyPrefix: "container.apparmor.security.beta.kubernetes.io/" + +// AppArmorBetaDefaultProfileAnnotationKey is the annotation key specifying the default AppArmor profile. +#AppArmorBetaDefaultProfileAnnotationKey: "apparmor.security.beta.kubernetes.io/defaultProfileName" + +// AppArmorBetaAllowedProfilesAnnotationKey is the annotation key specifying the allowed AppArmor profiles. +#AppArmorBetaAllowedProfilesAnnotationKey: "apparmor.security.beta.kubernetes.io/allowedProfileNames" + +// AppArmorBetaProfileRuntimeDefault is the profile specifying the runtime default. +#AppArmorBetaProfileRuntimeDefault: "runtime/default" + +// AppArmorBetaProfileNamePrefix is the prefix for specifying profiles loaded on the node. +#AppArmorBetaProfileNamePrefix: "localhost/" + +// AppArmorBetaProfileNameUnconfined is the Unconfined AppArmor profile +#AppArmorBetaProfileNameUnconfined: "unconfined" + +// DeprecatedSeccompProfileDockerDefault represents the default seccomp profile used by docker. +// Deprecated: set a pod or container security context `seccompProfile` of type "RuntimeDefault" instead. +#DeprecatedSeccompProfileDockerDefault: "docker/default" + +// PreferAvoidPodsAnnotationKey represents the key of preferAvoidPods data (json serialized) +// in the Annotations of a Node. +#PreferAvoidPodsAnnotationKey: "scheduler.alpha.kubernetes.io/preferAvoidPods" + +// ObjectTTLAnnotationKey represents a suggestion for kubelet for how long it can cache +// an object (e.g. secret, config map) before fetching it again from apiserver. +// This annotation can be attached to node. +#ObjectTTLAnnotationKey: "node.alpha.kubernetes.io/ttl" + +// annotation key prefix used to identify non-convertible json paths. 
+#NonConvertibleAnnotationPrefix: "non-convertible.kubernetes.io" +_#kubectlPrefix: "kubectl.kubernetes.io/" + +// LastAppliedConfigAnnotation is the annotation used to store the previous +// configuration of a resource for use in a three way diff by UpdateApplyAnnotation. +#LastAppliedConfigAnnotation: "kubectl.kubernetes.io/last-applied-configuration" + +// AnnotationLoadBalancerSourceRangesKey is the key of the annotation on a service to set allowed ingress ranges on their LoadBalancers +// +// It should be a comma-separated list of CIDRs, e.g. `0.0.0.0/0` to +// allow full access (the default) or `18.0.0.0/8,56.0.0.0/8` to allow +// access only from the CIDRs currently allocated to MIT & the USPS. +// +// Not all cloud providers support this annotation, though AWS & GCE do. +#AnnotationLoadBalancerSourceRangesKey: "service.beta.kubernetes.io/load-balancer-source-ranges" + +// EndpointsLastChangeTriggerTime is the annotation key, set for endpoints objects, that +// represents the timestamp (stored as RFC 3339 date-time string, e.g. '2018-10-22T19:32:52.1Z') +// of the last change, of some Pod or Service object, that triggered the endpoints object change. +// In other words, if a Pod / Service changed at time T0, that change was observed by endpoints +// controller at T1, and the Endpoints object was changed at T2, the +// EndpointsLastChangeTriggerTime would be set to T0. +// +// The "endpoints change trigger" here means any Pod or Service change that resulted in the +// Endpoints object change. +// +// Given the definition of the "endpoints change trigger", please note that this annotation will +// be set ONLY for endpoints object changes triggered by either Pod or Service change. If the +// Endpoints object changes due to other reasons, this annotation won't be set (or updated if it's +// already set). 
+// +// This annotation will be used to compute the in-cluster network programming latency SLI, see +// https://github.com/kubernetes/community/blob/master/sig-scalability/slos/network_programming_latency.md +#EndpointsLastChangeTriggerTime: "endpoints.kubernetes.io/last-change-trigger-time" + +// EndpointsOverCapacity will be set on an Endpoints resource when it +// exceeds the maximum capacity of 1000 addresses. Initially the Endpoints +// controller will set this annotation with a value of "warning". In a +// future release, the controller may set this annotation with a value of +// "truncated" to indicate that any addresses exceeding the limit of 1000 +// have been truncated from the Endpoints resource. +#EndpointsOverCapacity: "endpoints.kubernetes.io/over-capacity" + +// MigratedPluginsAnnotationKey is the annotation key, set for CSINode objects, that is a comma-separated +// list of in-tree plugins that will be serviced by the CSI backend on the Node represented by CSINode. +// This annotation is used by the Attach Detach Controller to determine whether to use the in-tree or +// CSI Backend for a volume plugin on a specific node. +#MigratedPluginsAnnotationKey: "storage.alpha.kubernetes.io/migrated-plugins" + +// PodDeletionCost can be used to set to an int32 that represent the cost of deleting +// a pod compared to other pods belonging to the same ReplicaSet. Pods with lower +// deletion cost are preferred to be deleted before pods with higher deletion cost. +// Note that this is honored on a best-effort basis, and so it does not offer guarantees on +// pod deletion order. +// The implicit deletion cost for pods that don't set the annotation is 0, negative values are permitted. +// +// This annotation is beta-level and is only honored when PodDeletionCost feature is enabled. +#PodDeletionCost: "controller.kubernetes.io/pod-deletion-cost" + +// DeprecatedAnnotationTopologyAwareHints can be used to enable or disable +// Topology Aware Hints for a Service. 
This may be set to "Auto" or +// "Disabled". Any other value is treated as "Disabled". This annotation has +// been deprecated in favor of the "service.kubernetes.io/topology-mode" +// annotation. +#DeprecatedAnnotationTopologyAwareHints: "service.kubernetes.io/topology-aware-hints" + +// AnnotationTopologyMode can be used to enable or disable Topology Aware +// Routing for a Service. Well known values are "Auto" and "Disabled". +// Implementations may choose to develop new topology approaches, exposing +// them with domain-prefixed values. For example, "example.com/lowest-rtt" +// could be a valid implementation-specific value for this annotation. These +// heuristics will often populate topology hints on EndpointSlices, but that +// is not a requirement. +#AnnotationTopologyMode: "service.kubernetes.io/topology-mode" diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/core/v1/doc_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/core/v1/doc_go_gen.cue new file mode 100644 index 000000000..2bf1afce0 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/core/v1/doc_go_gen.cue @@ -0,0 +1,6 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/core/v1 + +// Package v1 is the v1 version of the core API. +package v1 diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/core/v1/register_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/core/v1/register_go_gen.cue new file mode 100644 index 000000000..29c24abce --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/core/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/core/v1 + +package v1 + +#GroupName: "" diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/core/v1/types_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/core/v1/types_go_gen.cue new file mode 100644 index 000000000..d87edcff5 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/core/v1/types_go_gen.cue 
@@ -0,0 +1,7617 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/core/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/api/resource" + "k8s.io/apimachinery/pkg/util/intstr" + "k8s.io/apimachinery/pkg/types" +) + +// NamespaceDefault means the object is in the default namespace which is applied when not specified by clients +#NamespaceDefault: "default" + +// NamespaceAll is the default argument to specify on a context when you want to list or filter resources across all namespaces +#NamespaceAll: "" + +// NamespaceNodeLease is the namespace where we place node lease objects (used for node heartbeats) +#NamespaceNodeLease: "kube-node-lease" + +// Volume represents a named volume in a pod that may be accessed by any container in the pod. +#Volume: { + // name of the volume. + // Must be a DNS_LABEL and unique within the pod. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name: string @go(Name) @protobuf(1,bytes,opt) + + #VolumeSource +} + +// Represents the source of a volume to mount. +// Only one of its members may be specified. +#VolumeSource: { + // hostPath represents a pre-existing file or directory on the host + // machine that is directly exposed to the container. This is generally + // used for system agents or other privileged things that are allowed + // to see the host machine. Most containers will NOT need this. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + // --- + // TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not + // mount host directories as read/write. + // +optional + hostPath?: null | #HostPathVolumeSource @go(HostPath,*HostPathVolumeSource) @protobuf(1,bytes,opt) + + // emptyDir represents a temporary directory that shares a pod's lifetime. 
+ // More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + // +optional + emptyDir?: null | #EmptyDirVolumeSource @go(EmptyDir,*EmptyDirVolumeSource) @protobuf(2,bytes,opt) + + // gcePersistentDisk represents a GCE Disk resource that is attached to a + // kubelet's host machine and then exposed to the pod. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + // +optional + gcePersistentDisk?: null | #GCEPersistentDiskVolumeSource @go(GCEPersistentDisk,*GCEPersistentDiskVolumeSource) @protobuf(3,bytes,opt) + + // awsElasticBlockStore represents an AWS Disk resource that is attached to a + // kubelet's host machine and then exposed to the pod. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + // +optional + awsElasticBlockStore?: null | #AWSElasticBlockStoreVolumeSource @go(AWSElasticBlockStore,*AWSElasticBlockStoreVolumeSource) @protobuf(4,bytes,opt) + + // gitRepo represents a git repository at a particular revision. + // DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an + // EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir + // into the Pod's container. + // +optional + gitRepo?: null | #GitRepoVolumeSource @go(GitRepo,*GitRepoVolumeSource) @protobuf(5,bytes,opt) + + // secret represents a secret that should populate this volume. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + // +optional + secret?: null | #SecretVolumeSource @go(Secret,*SecretVolumeSource) @protobuf(6,bytes,opt) + + // nfs represents an NFS mount on the host that shares a pod's lifetime + // More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + // +optional + nfs?: null | #NFSVolumeSource @go(NFS,*NFSVolumeSource) @protobuf(7,bytes,opt) + + // iscsi represents an ISCSI Disk resource that is attached to a + // kubelet's host machine and then exposed to the pod. 
+ // More info: https://examples.k8s.io/volumes/iscsi/README.md + // +optional + iscsi?: null | #ISCSIVolumeSource @go(ISCSI,*ISCSIVolumeSource) @protobuf(8,bytes,opt) + + // glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md + // +optional + glusterfs?: null | #GlusterfsVolumeSource @go(Glusterfs,*GlusterfsVolumeSource) @protobuf(9,bytes,opt) + + // persistentVolumeClaimVolumeSource represents a reference to a + // PersistentVolumeClaim in the same namespace. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + // +optional + persistentVolumeClaim?: null | #PersistentVolumeClaimVolumeSource @go(PersistentVolumeClaim,*PersistentVolumeClaimVolumeSource) @protobuf(10,bytes,opt) + + // rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. + // More info: https://examples.k8s.io/volumes/rbd/README.md + // +optional + rbd?: null | #RBDVolumeSource @go(RBD,*RBDVolumeSource) @protobuf(11,bytes,opt) + + // flexVolume represents a generic volume resource that is + // provisioned/attached using an exec based plugin. + // +optional + flexVolume?: null | #FlexVolumeSource @go(FlexVolume,*FlexVolumeSource) @protobuf(12,bytes,opt) + + // cinder represents a cinder volume attached and mounted on kubelets host machine. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + // +optional + cinder?: null | #CinderVolumeSource @go(Cinder,*CinderVolumeSource) @protobuf(13,bytes,opt) + + // cephFS represents a Ceph FS mount on the host that shares a pod's lifetime + // +optional + cephfs?: null | #CephFSVolumeSource @go(CephFS,*CephFSVolumeSource) @protobuf(14,bytes,opt) + + // flocker represents a Flocker volume attached to a kubelet's host machine. 
This depends on the Flocker control service being running + // +optional + flocker?: null | #FlockerVolumeSource @go(Flocker,*FlockerVolumeSource) @protobuf(15,bytes,opt) + + // downwardAPI represents downward API about the pod that should populate this volume + // +optional + downwardAPI?: null | #DownwardAPIVolumeSource @go(DownwardAPI,*DownwardAPIVolumeSource) @protobuf(16,bytes,opt) + + // fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod. + // +optional + fc?: null | #FCVolumeSource @go(FC,*FCVolumeSource) @protobuf(17,bytes,opt) + + // azureFile represents an Azure File Service mount on the host and bind mount to the pod. + // +optional + azureFile?: null | #AzureFileVolumeSource @go(AzureFile,*AzureFileVolumeSource) @protobuf(18,bytes,opt) + + // configMap represents a configMap that should populate this volume + // +optional + configMap?: null | #ConfigMapVolumeSource @go(ConfigMap,*ConfigMapVolumeSource) @protobuf(19,bytes,opt) + + // vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine + // +optional + vsphereVolume?: null | #VsphereVirtualDiskVolumeSource @go(VsphereVolume,*VsphereVirtualDiskVolumeSource) @protobuf(20,bytes,opt) + + // quobyte represents a Quobyte mount on the host that shares a pod's lifetime + // +optional + quobyte?: null | #QuobyteVolumeSource @go(Quobyte,*QuobyteVolumeSource) @protobuf(21,bytes,opt) + + // azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. 
+ // +optional + azureDisk?: null | #AzureDiskVolumeSource @go(AzureDisk,*AzureDiskVolumeSource) @protobuf(22,bytes,opt) + + // photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine + photonPersistentDisk?: null | #PhotonPersistentDiskVolumeSource @go(PhotonPersistentDisk,*PhotonPersistentDiskVolumeSource) @protobuf(23,bytes,opt) + + // projected items for all in one resources secrets, configmaps, and downward API + projected?: null | #ProjectedVolumeSource @go(Projected,*ProjectedVolumeSource) @protobuf(26,bytes,opt) + + // portworxVolume represents a portworx volume attached and mounted on kubelets host machine + // +optional + portworxVolume?: null | #PortworxVolumeSource @go(PortworxVolume,*PortworxVolumeSource) @protobuf(24,bytes,opt) + + // scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. + // +optional + scaleIO?: null | #ScaleIOVolumeSource @go(ScaleIO,*ScaleIOVolumeSource) @protobuf(25,bytes,opt) + + // storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. + // +optional + storageos?: null | #StorageOSVolumeSource @go(StorageOS,*StorageOSVolumeSource) @protobuf(27,bytes,opt) + + // csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature). + // +optional + csi?: null | #CSIVolumeSource @go(CSI,*CSIVolumeSource) @protobuf(28,bytes,opt) + + // ephemeral represents a volume that is handled by a cluster storage driver. + // The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, + // and deleted when the pod is removed. 
+ // + // Use this if: + // a) the volume is only needed while the pod runs, + // b) features of normal volumes like restoring from snapshot or capacity + // tracking are needed, + // c) the storage driver is specified through a storage class, and + // d) the storage driver supports dynamic volume provisioning through + // a PersistentVolumeClaim (see EphemeralVolumeSource for more + // information on the connection between this volume type + // and PersistentVolumeClaim). + // + // Use PersistentVolumeClaim or one of the vendor-specific + // APIs for volumes that persist for longer than the lifecycle + // of an individual pod. + // + // Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to + // be used that way - see the documentation of the driver for + // more information. + // + // A pod can use both types of ephemeral volumes and + // persistent volumes at the same time. + // + // +optional + ephemeral?: null | #EphemeralVolumeSource @go(Ephemeral,*EphemeralVolumeSource) @protobuf(29,bytes,opt) +} + +// PersistentVolumeClaimVolumeSource references the user's PVC in the same namespace. +// This volume finds the bound PV and mounts that volume for the pod. A +// PersistentVolumeClaimVolumeSource is, essentially, a wrapper around another +// type of volume that is owned by someone else (the system). +#PersistentVolumeClaimVolumeSource: { + // claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + claimName: string @go(ClaimName) @protobuf(1,bytes,opt) + + // readOnly Will force the ReadOnly setting in VolumeMounts. + // Default false. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(2,varint,opt) +} + +// PersistentVolumeSource is similar to VolumeSource but meant for the +// administrator who creates PVs. Exactly one of its members must be set. 
+#PersistentVolumeSource: { + // gcePersistentDisk represents a GCE Disk resource that is attached to a + // kubelet's host machine and then exposed to the pod. Provisioned by an admin. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + // +optional + gcePersistentDisk?: null | #GCEPersistentDiskVolumeSource @go(GCEPersistentDisk,*GCEPersistentDiskVolumeSource) @protobuf(1,bytes,opt) + + // awsElasticBlockStore represents an AWS Disk resource that is attached to a + // kubelet's host machine and then exposed to the pod. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + // +optional + awsElasticBlockStore?: null | #AWSElasticBlockStoreVolumeSource @go(AWSElasticBlockStore,*AWSElasticBlockStoreVolumeSource) @protobuf(2,bytes,opt) + + // hostPath represents a directory on the host. + // Provisioned by a developer or tester. + // This is useful for single-node development and testing only! + // On-host storage is not supported in any way and WILL NOT WORK in a multi-node cluster. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + // +optional + hostPath?: null | #HostPathVolumeSource @go(HostPath,*HostPathVolumeSource) @protobuf(3,bytes,opt) + + // glusterfs represents a Glusterfs volume that is attached to a host and + // exposed to the pod. Provisioned by an admin. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md + // +optional + glusterfs?: null | #GlusterfsPersistentVolumeSource @go(Glusterfs,*GlusterfsPersistentVolumeSource) @protobuf(4,bytes,opt) + + // nfs represents an NFS mount on the host. Provisioned by an admin. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + // +optional + nfs?: null | #NFSVolumeSource @go(NFS,*NFSVolumeSource) @protobuf(5,bytes,opt) + + // rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. 
+ // More info: https://examples.k8s.io/volumes/rbd/README.md + // +optional + rbd?: null | #RBDPersistentVolumeSource @go(RBD,*RBDPersistentVolumeSource) @protobuf(6,bytes,opt) + + // iscsi represents an ISCSI Disk resource that is attached to a + // kubelet's host machine and then exposed to the pod. Provisioned by an admin. + // +optional + iscsi?: null | #ISCSIPersistentVolumeSource @go(ISCSI,*ISCSIPersistentVolumeSource) @protobuf(7,bytes,opt) + + // cinder represents a cinder volume attached and mounted on kubelets host machine. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + // +optional + cinder?: null | #CinderPersistentVolumeSource @go(Cinder,*CinderPersistentVolumeSource) @protobuf(8,bytes,opt) + + // cephFS represents a Ceph FS mount on the host that shares a pod's lifetime + // +optional + cephfs?: null | #CephFSPersistentVolumeSource @go(CephFS,*CephFSPersistentVolumeSource) @protobuf(9,bytes,opt) + + // fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod. + // +optional + fc?: null | #FCVolumeSource @go(FC,*FCVolumeSource) @protobuf(10,bytes,opt) + + // flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running + // +optional + flocker?: null | #FlockerVolumeSource @go(Flocker,*FlockerVolumeSource) @protobuf(11,bytes,opt) + + // flexVolume represents a generic volume resource that is + // provisioned/attached using an exec based plugin. + // +optional + flexVolume?: null | #FlexPersistentVolumeSource @go(FlexVolume,*FlexPersistentVolumeSource) @protobuf(12,bytes,opt) + + // azureFile represents an Azure File Service mount on the host and bind mount to the pod. 
+ // +optional + azureFile?: null | #AzureFilePersistentVolumeSource @go(AzureFile,*AzureFilePersistentVolumeSource) @protobuf(13,bytes,opt) + + // vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine + // +optional + vsphereVolume?: null | #VsphereVirtualDiskVolumeSource @go(VsphereVolume,*VsphereVirtualDiskVolumeSource) @protobuf(14,bytes,opt) + + // quobyte represents a Quobyte mount on the host that shares a pod's lifetime + // +optional + quobyte?: null | #QuobyteVolumeSource @go(Quobyte,*QuobyteVolumeSource) @protobuf(15,bytes,opt) + + // azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. + // +optional + azureDisk?: null | #AzureDiskVolumeSource @go(AzureDisk,*AzureDiskVolumeSource) @protobuf(16,bytes,opt) + + // photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine + photonPersistentDisk?: null | #PhotonPersistentDiskVolumeSource @go(PhotonPersistentDisk,*PhotonPersistentDiskVolumeSource) @protobuf(17,bytes,opt) + + // portworxVolume represents a portworx volume attached and mounted on kubelets host machine + // +optional + portworxVolume?: null | #PortworxVolumeSource @go(PortworxVolume,*PortworxVolumeSource) @protobuf(18,bytes,opt) + + // scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. 
+ // +optional + scaleIO?: null | #ScaleIOPersistentVolumeSource @go(ScaleIO,*ScaleIOPersistentVolumeSource) @protobuf(19,bytes,opt) + + // local represents directly-attached storage with node affinity + // +optional + local?: null | #LocalVolumeSource @go(Local,*LocalVolumeSource) @protobuf(20,bytes,opt) + + // storageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod + // More info: https://examples.k8s.io/volumes/storageos/README.md + // +optional + storageos?: null | #StorageOSPersistentVolumeSource @go(StorageOS,*StorageOSPersistentVolumeSource) @protobuf(21,bytes,opt) + + // csi represents storage that is handled by an external CSI driver (Beta feature). + // +optional + csi?: null | #CSIPersistentVolumeSource @go(CSI,*CSIPersistentVolumeSource) @protobuf(22,bytes,opt) +} + +// BetaStorageClassAnnotation represents the beta/previous StorageClass annotation. +// It's currently still used and will be held for backwards compatibility +#BetaStorageClassAnnotation: "volume.beta.kubernetes.io/storage-class" + +// MountOptionAnnotation defines mount option annotation used in PVs +#MountOptionAnnotation: "volume.beta.kubernetes.io/mount-options" + +// PersistentVolume (PV) is a storage resource provisioned by an administrator. +// It is analogous to a node. +// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes +#PersistentVolume: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec defines a specification of a persistent volume owned by the cluster. + // Provisioned by an administrator. 
+ // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumes + // +optional + spec?: #PersistentVolumeSpec @go(Spec) @protobuf(2,bytes,opt) + + // status represents the current information/status for the persistent volume. + // Populated by the system. + // Read-only. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumes + // +optional + status?: #PersistentVolumeStatus @go(Status) @protobuf(3,bytes,opt) +} + +// PersistentVolumeSpec is the specification of a persistent volume. +#PersistentVolumeSpec: { + // capacity is the description of the persistent volume's resources and capacity. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacity + // +optional + capacity?: #ResourceList @go(Capacity) @protobuf(1,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + #PersistentVolumeSource + + // accessModes contains all ways the volume can be mounted. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes + // +optional + accessModes?: [...#PersistentVolumeAccessMode] @go(AccessModes,[]PersistentVolumeAccessMode) @protobuf(3,bytes,rep,casttype=PersistentVolumeAccessMode) + + // claimRef is part of a bi-directional binding between PersistentVolume and PersistentVolumeClaim. + // Expected to be non-nil when bound. + // claim.VolumeName is the authoritative bind between PV and PVC. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#binding + // +optional + // +structType=granular + claimRef?: null | #ObjectReference @go(ClaimRef,*ObjectReference) @protobuf(4,bytes,opt) + + // persistentVolumeReclaimPolicy defines what happens to a persistent volume when released from its claim. + // Valid options are Retain (default for manually created PersistentVolumes), Delete (default + // for dynamically provisioned PersistentVolumes), and Recycle (deprecated). 
+ // Recycle must be supported by the volume plugin underlying this PersistentVolume. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#reclaiming + // +optional + persistentVolumeReclaimPolicy?: #PersistentVolumeReclaimPolicy @go(PersistentVolumeReclaimPolicy) @protobuf(5,bytes,opt,casttype=PersistentVolumeReclaimPolicy) + + // storageClassName is the name of StorageClass to which this persistent volume belongs. Empty value + // means that this volume does not belong to any StorageClass. + // +optional + storageClassName?: string @go(StorageClassName) @protobuf(6,bytes,opt) + + // mountOptions is the list of mount options, e.g. ["ro", "soft"]. Not validated - mount will + // simply fail if one is invalid. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#mount-options + // +optional + mountOptions?: [...string] @go(MountOptions,[]string) @protobuf(7,bytes,opt) + + // volumeMode defines if a volume is intended to be used with a formatted filesystem + // or to remain in raw block state. Value of Filesystem is implied when not included in spec. + // +optional + volumeMode?: null | #PersistentVolumeMode @go(VolumeMode,*PersistentVolumeMode) @protobuf(8,bytes,opt,casttype=PersistentVolumeMode) + + // nodeAffinity defines constraints that limit what nodes this volume can be accessed from. + // This field influences the scheduling of pods that use this volume. + // +optional + nodeAffinity?: null | #VolumeNodeAffinity @go(NodeAffinity,*VolumeNodeAffinity) @protobuf(9,bytes,opt) +} + +// VolumeNodeAffinity defines constraints that limit what nodes this volume can be accessed from. +#VolumeNodeAffinity: { + // required specifies hard node constraints that must be met. + required?: null | #NodeSelector @go(Required,*NodeSelector) @protobuf(1,bytes,opt) +} + +// PersistentVolumeReclaimPolicy describes a policy for end-of-life maintenance of persistent volumes. 
+// +enum +#PersistentVolumeReclaimPolicy: string // #enumPersistentVolumeReclaimPolicy + +#enumPersistentVolumeReclaimPolicy: + #PersistentVolumeReclaimRecycle | + #PersistentVolumeReclaimDelete | + #PersistentVolumeReclaimRetain + +// PersistentVolumeReclaimRecycle means the volume will be recycled back into the pool of unbound persistent volumes on release from its claim. +// The volume plugin must support Recycling. +#PersistentVolumeReclaimRecycle: #PersistentVolumeReclaimPolicy & "Recycle" + +// PersistentVolumeReclaimDelete means the volume will be deleted from Kubernetes on release from its claim. +// The volume plugin must support Deletion. +#PersistentVolumeReclaimDelete: #PersistentVolumeReclaimPolicy & "Delete" + +// PersistentVolumeReclaimRetain means the volume will be left in its current phase (Released) for manual reclamation by the administrator. +// The default policy is Retain. +#PersistentVolumeReclaimRetain: #PersistentVolumeReclaimPolicy & "Retain" + +// PersistentVolumeMode describes how a volume is intended to be consumed, either Block or Filesystem. +// +enum +#PersistentVolumeMode: string // #enumPersistentVolumeMode + +#enumPersistentVolumeMode: + #PersistentVolumeBlock | + #PersistentVolumeFilesystem + +// PersistentVolumeBlock means the volume will not be formatted with a filesystem and will remain a raw block device. +#PersistentVolumeBlock: #PersistentVolumeMode & "Block" + +// PersistentVolumeFilesystem means the volume will be or is formatted with a filesystem. +#PersistentVolumeFilesystem: #PersistentVolumeMode & "Filesystem" + +// PersistentVolumeStatus is the current status of a persistent volume. +#PersistentVolumeStatus: { + // phase indicates if a volume is available, bound to a claim, or released by a claim. 
+ // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#phase + // +optional + phase?: #PersistentVolumePhase @go(Phase) @protobuf(1,bytes,opt,casttype=PersistentVolumePhase) + + // message is a human-readable message indicating details about why the volume is in this state. + // +optional + message?: string @go(Message) @protobuf(2,bytes,opt) + + // reason is a brief CamelCase string that describes any failure and is meant + // for machine parsing and tidy display in the CLI. + // +optional + reason?: string @go(Reason) @protobuf(3,bytes,opt) + + // lastPhaseTransitionTime is the time the phase transitioned from one to another + // and automatically resets to current time everytime a volume phase transitions. + // This is an alpha field and requires enabling PersistentVolumeLastPhaseTransitionTime feature. + // +featureGate=PersistentVolumeLastPhaseTransitionTime + // +optional + lastPhaseTransitionTime?: null | metav1.#Time @go(LastPhaseTransitionTime,*metav1.Time) @protobuf(4,bytes,opt) +} + +// PersistentVolumeList is a list of PersistentVolume items. +#PersistentVolumeList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is a list of persistent volumes. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes + items: [...#PersistentVolume] @go(Items,[]PersistentVolume) @protobuf(2,bytes,rep) +} + +// PersistentVolumeClaim is a user's request for and claim to a persistent volume +#PersistentVolumeClaim: { + metav1.#TypeMeta + + // Standard object's metadata. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec defines the desired characteristics of a volume requested by a pod author. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + // +optional + spec?: #PersistentVolumeClaimSpec @go(Spec) @protobuf(2,bytes,opt) + + // status represents the current information/status of a persistent volume claim. + // Read-only. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + // +optional + status?: #PersistentVolumeClaimStatus @go(Status) @protobuf(3,bytes,opt) +} + +// PersistentVolumeClaimList is a list of PersistentVolumeClaim items. +#PersistentVolumeClaimList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is a list of persistent volume claims. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + items: [...#PersistentVolumeClaim] @go(Items,[]PersistentVolumeClaim) @protobuf(2,bytes,rep) +} + +// PersistentVolumeClaimSpec describes the common attributes of storage devices +// and allows a Source for provider-specific attributes +#PersistentVolumeClaimSpec: { + // accessModes contains the desired access modes the volume should have. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + // +optional + accessModes?: [...#PersistentVolumeAccessMode] @go(AccessModes,[]PersistentVolumeAccessMode) @protobuf(1,bytes,rep,casttype=PersistentVolumeAccessMode) + + // selector is a label query over volumes to consider for binding. 
+ // +optional + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(4,bytes,opt) + + // resources represents the minimum resources the volume should have. + // If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + // that are lower than previous value but must still be higher than capacity recorded in the + // status field of the claim. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + // +optional + resources?: #ResourceRequirements @go(Resources) @protobuf(2,bytes,opt) + + // volumeName is the binding reference to the PersistentVolume backing this claim. + // +optional + volumeName?: string @go(VolumeName) @protobuf(3,bytes,opt) + + // storageClassName is the name of the StorageClass required by the claim. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + // +optional + storageClassName?: null | string @go(StorageClassName,*string) @protobuf(5,bytes,opt) + + // volumeMode defines what type of volume is required by the claim. + // Value of Filesystem is implied when not included in claim spec. + // +optional + volumeMode?: null | #PersistentVolumeMode @go(VolumeMode,*PersistentVolumeMode) @protobuf(6,bytes,opt,casttype=PersistentVolumeMode) + + // dataSource field can be used to specify either: + // * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + // * An existing PVC (PersistentVolumeClaim) + // If the provisioner or an external controller can support the specified data source, + // it will create a new volume based on the contents of the specified data source. + // When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + // and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + // If the namespace is specified, then dataSourceRef will not be copied to dataSource. 
+ // +optional + dataSource?: null | #TypedLocalObjectReference @go(DataSource,*TypedLocalObjectReference) @protobuf(7,bytes,opt) + + // dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + // volume is desired. This may be any object from a non-empty API group (non + // core object) or a PersistentVolumeClaim object. + // When this field is specified, volume binding will only succeed if the type of + // the specified object matches some installed volume populator or dynamic + // provisioner. + // This field will replace the functionality of the dataSource field and as such + // if both fields are non-empty, they must have the same value. For backwards + // compatibility, when namespace isn't specified in dataSourceRef, + // both fields (dataSource and dataSourceRef) will be set to the same + // value automatically if one of them is empty and the other is non-empty. + // When namespace is specified in dataSourceRef, + // dataSource isn't set to the same value and must be empty. + // There are three important differences between dataSource and dataSourceRef: + // * While dataSource only allows two specific types of objects, dataSourceRef + // allows any non-core object, as well as PersistentVolumeClaim objects. + // * While dataSource ignores disallowed values (dropping them), dataSourceRef + // preserves all values, and generates an error if a disallowed value is + // specified. + // * While dataSource only allows local objects, dataSourceRef allows objects + // in any namespaces. + // (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + // (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + // +optional + dataSourceRef?: null | #TypedObjectReference @go(DataSourceRef,*TypedObjectReference) @protobuf(8,bytes,opt) +} + +#TypedObjectReference: { + // APIGroup is the group for the resource being referenced. 
+ // If APIGroup is not specified, the specified Kind must be in the core API group. + // For any other third-party types, APIGroup is required. + // +optional + apiGroup?: null | string @go(APIGroup,*string) @protobuf(1,bytes,opt) + + // Kind is the type of resource being referenced + kind: string @go(Kind) @protobuf(2,bytes,opt) + + // Name is the name of resource being referenced + name: string @go(Name) @protobuf(3,bytes,opt) + + // Namespace is the namespace of resource being referenced + // Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + // (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + // +featureGate=CrossNamespaceVolumeDataSource + // +optional + namespace?: null | string @go(Namespace,*string) @protobuf(4,bytes,opt) +} + +// PersistentVolumeClaimConditionType is a valid value of PersistentVolumeClaimCondition.Type +#PersistentVolumeClaimConditionType: string // #enumPersistentVolumeClaimConditionType + +#enumPersistentVolumeClaimConditionType: + #PersistentVolumeClaimResizing | + #PersistentVolumeClaimFileSystemResizePending + +// PersistentVolumeClaimResizing - a user trigger resize of pvc has been started +#PersistentVolumeClaimResizing: #PersistentVolumeClaimConditionType & "Resizing" + +// PersistentVolumeClaimFileSystemResizePending - controller resize is finished and a file system resize is pending on node +#PersistentVolumeClaimFileSystemResizePending: #PersistentVolumeClaimConditionType & "FileSystemResizePending" + +// +enum +// When a controller receives persistentvolume claim update with ClaimResourceStatus for a resource +// that it does not recognizes, then it should ignore that update and let other controllers +// handle it. 
+#ClaimResourceStatus: string // #enumClaimResourceStatus + +#enumClaimResourceStatus: + #PersistentVolumeClaimControllerResizeInProgress | + #PersistentVolumeClaimControllerResizeFailed | + #PersistentVolumeClaimNodeResizePending | + #PersistentVolumeClaimNodeResizeInProgress | + #PersistentVolumeClaimNodeResizeFailed + +// State set when resize controller starts resizing the volume in control-plane. +#PersistentVolumeClaimControllerResizeInProgress: #ClaimResourceStatus & "ControllerResizeInProgress" + +// State set when resize has failed in resize controller with a terminal error. +// Transient errors such as timeout should not set this status and should leave allocatedResourceStatus +// unmodified, so as resize controller can resume the volume expansion. +#PersistentVolumeClaimControllerResizeFailed: #ClaimResourceStatus & "ControllerResizeFailed" + +// State set when resize controller has finished resizing the volume but further resizing of volume +// is needed on the node. +#PersistentVolumeClaimNodeResizePending: #ClaimResourceStatus & "NodeResizePending" + +// State set when kubelet starts resizing the volume. +#PersistentVolumeClaimNodeResizeInProgress: #ClaimResourceStatus & "NodeResizeInProgress" + +// State set when resizing has failed in kubelet with a terminal error. Transient errors don't set NodeResizeFailed +#PersistentVolumeClaimNodeResizeFailed: #ClaimResourceStatus & "NodeResizeFailed" + +// PersistentVolumeClaimCondition contains details about state of pvc +#PersistentVolumeClaimCondition: { + type: #PersistentVolumeClaimConditionType @go(Type) @protobuf(1,bytes,opt,casttype=PersistentVolumeClaimConditionType) + status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus) + + // lastProbeTime is the time we probed the condition. + // +optional + lastProbeTime?: metav1.#Time @go(LastProbeTime) @protobuf(3,bytes,opt) + + // lastTransitionTime is the time the condition transitioned from one status to another. 
+ // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(4,bytes,opt) + + // reason is a unique, this should be a short, machine understandable string that gives the reason + // for condition's last transition. If it reports "ResizeStarted" that means the underlying + // persistent volume is being resized. + // +optional + reason?: string @go(Reason) @protobuf(5,bytes,opt) + + // message is the human-readable message indicating details about last transition. + // +optional + message?: string @go(Message) @protobuf(6,bytes,opt) +} + +// PersistentVolumeClaimStatus is the current status of a persistent volume claim. +#PersistentVolumeClaimStatus: { + // phase represents the current phase of PersistentVolumeClaim. + // +optional + phase?: #PersistentVolumeClaimPhase @go(Phase) @protobuf(1,bytes,opt,casttype=PersistentVolumeClaimPhase) + + // accessModes contains the actual access modes the volume backing the PVC has. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + // +optional + accessModes?: [...#PersistentVolumeAccessMode] @go(AccessModes,[]PersistentVolumeAccessMode) @protobuf(2,bytes,rep,casttype=PersistentVolumeAccessMode) + + // capacity represents the actual resources of the underlying volume. + // +optional + capacity?: #ResourceList @go(Capacity) @protobuf(3,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // conditions is the current Condition of persistent volume claim. If underlying persistent volume is being + // resized then the Condition will be set to 'ResizeStarted'. + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#PersistentVolumeClaimCondition] @go(Conditions,[]PersistentVolumeClaimCondition) @protobuf(4,bytes,rep) + + // allocatedResources tracks the resources allocated to a PVC including its capacity. + // Key names follow standard Kubernetes label syntax. 
Valid values are either: + // * Un-prefixed keys: + // - storage - the capacity of the volume. + // * Custom resources must use implementation-defined prefixed names such as "example.com/my-custom-resource" + // Apart from above values - keys that are unprefixed or have kubernetes.io prefix are considered + // reserved and hence may not be used. + // + // Capacity reported here may be larger than the actual capacity when a volume expansion operation + // is requested. + // For storage quota, the larger value from allocatedResources and PVC.spec.resources is used. + // If allocatedResources is not set, PVC.spec.resources alone is used for quota calculation. + // If a volume expansion capacity request is lowered, allocatedResources is only + // lowered if there are no expansion operations in progress and if the actual volume capacity + // is equal or lower than the requested capacity. + // + // A controller that receives PVC update with previously unknown resourceName + // should ignore the update for the purpose it was designed. For example - a controller that + // only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid + // resources associated with PVC. + // + // This is an alpha field and requires enabling RecoverVolumeExpansionFailure feature. + // +featureGate=RecoverVolumeExpansionFailure + // +optional + allocatedResources?: #ResourceList @go(AllocatedResources) @protobuf(5,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // allocatedResourceStatuses stores status of resource being resized for the given PVC. + // Key names follow standard Kubernetes label syntax. Valid values are either: + // * Un-prefixed keys: + // - storage - the capacity of the volume. 
+ // * Custom resources must use implementation-defined prefixed names such as "example.com/my-custom-resource" + // Apart from above values - keys that are unprefixed or have kubernetes.io prefix are considered + // reserved and hence may not be used. + // + // ClaimResourceStatus can be in any of following states: + // - ControllerResizeInProgress: + // State set when resize controller starts resizing the volume in control-plane. + // - ControllerResizeFailed: + // State set when resize has failed in resize controller with a terminal error. + // - NodeResizePending: + // State set when resize controller has finished resizing the volume but further resizing of + // volume is needed on the node. + // - NodeResizeInProgress: + // State set when kubelet starts resizing the volume. + // - NodeResizeFailed: + // State set when resizing has failed in kubelet with a terminal error. Transient errors don't set + // NodeResizeFailed. + // For example: if expanding a PVC for more capacity - this field can be one of the following states: + // - pvc.status.allocatedResourceStatus['storage'] = "ControllerResizeInProgress" + // - pvc.status.allocatedResourceStatus['storage'] = "ControllerResizeFailed" + // - pvc.status.allocatedResourceStatus['storage'] = "NodeResizePending" + // - pvc.status.allocatedResourceStatus['storage'] = "NodeResizeInProgress" + // - pvc.status.allocatedResourceStatus['storage'] = "NodeResizeFailed" + // When this field is not set, it means that no resize operation is in progress for the given PVC. + // + // A controller that receives PVC update with previously unknown resourceName or ClaimResourceStatus + // should ignore the update for the purpose it was designed. For example - a controller that + // only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid + // resources associated with PVC. + // + // This is an alpha field and requires enabling RecoverVolumeExpansionFailure feature. 
+ // +featureGate=RecoverVolumeExpansionFailure + // +mapType=granular + // +optional + allocatedResourceStatuses?: {[string]: #ClaimResourceStatus} @go(AllocatedResourceStatuses,map[ResourceName]ClaimResourceStatus) @protobuf(7,bytes,rep) +} + +// +enum +#PersistentVolumeAccessMode: string // #enumPersistentVolumeAccessMode + +#enumPersistentVolumeAccessMode: + #ReadWriteOnce | + #ReadOnlyMany | + #ReadWriteMany | + #ReadWriteOncePod + +// can be mounted in read/write mode to exactly 1 host +#ReadWriteOnce: #PersistentVolumeAccessMode & "ReadWriteOnce" + +// can be mounted in read-only mode to many hosts +#ReadOnlyMany: #PersistentVolumeAccessMode & "ReadOnlyMany" + +// can be mounted in read/write mode to many hosts +#ReadWriteMany: #PersistentVolumeAccessMode & "ReadWriteMany" + +// can be mounted in read/write mode to exactly 1 pod +// cannot be used in combination with other access modes +#ReadWriteOncePod: #PersistentVolumeAccessMode & "ReadWriteOncePod" + +// +enum +#PersistentVolumePhase: string // #enumPersistentVolumePhase + +#enumPersistentVolumePhase: + #VolumePending | + #VolumeAvailable | + #VolumeBound | + #VolumeReleased | + #VolumeFailed + +// used for PersistentVolumes that are not available +#VolumePending: #PersistentVolumePhase & "Pending" + +// used for PersistentVolumes that are not yet bound +// Available volumes are held by the binder and matched to PersistentVolumeClaims +#VolumeAvailable: #PersistentVolumePhase & "Available" + +// used for PersistentVolumes that are bound +#VolumeBound: #PersistentVolumePhase & "Bound" + +// used for PersistentVolumes where the bound PersistentVolumeClaim was deleted +// released volumes must be recycled before becoming available again +// this phase is used by the persistent volume claim binder to signal to another process to reclaim the resource +#VolumeReleased: #PersistentVolumePhase & "Released" + +// used for PersistentVolumes that failed to be correctly recycled or deleted after being released from 
a claim +#VolumeFailed: #PersistentVolumePhase & "Failed" + +// +enum +#PersistentVolumeClaimPhase: string // #enumPersistentVolumeClaimPhase + +#enumPersistentVolumeClaimPhase: + #ClaimPending | + #ClaimBound | + #ClaimLost + +// used for PersistentVolumeClaims that are not yet bound +#ClaimPending: #PersistentVolumeClaimPhase & "Pending" + +// used for PersistentVolumeClaims that are bound +#ClaimBound: #PersistentVolumeClaimPhase & "Bound" + +// used for PersistentVolumeClaims that lost their underlying +// PersistentVolume. The claim was bound to a PersistentVolume and this +// volume does not exist any longer and all data on it was lost. +#ClaimLost: #PersistentVolumeClaimPhase & "Lost" + +// +enum +#HostPathType: string // #enumHostPathType + +#enumHostPathType: + #HostPathUnset | + #HostPathDirectoryOrCreate | + #HostPathDirectory | + #HostPathFileOrCreate | + #HostPathFile | + #HostPathSocket | + #HostPathCharDev | + #HostPathBlockDev + +// For backwards compatible, leave it empty if unset +#HostPathUnset: #HostPathType & "" + +// If nothing exists at the given path, an empty directory will be created there +// as needed with file mode 0755, having the same group and ownership with Kubelet. +#HostPathDirectoryOrCreate: #HostPathType & "DirectoryOrCreate" + +// A directory must exist at the given path +#HostPathDirectory: #HostPathType & "Directory" + +// If nothing exists at the given path, an empty file will be created there +// as needed with file mode 0644, having the same group and ownership with Kubelet. 
+#HostPathFileOrCreate: #HostPathType & "FileOrCreate" + +// A file must exist at the given path +#HostPathFile: #HostPathType & "File" + +// A UNIX socket must exist at the given path +#HostPathSocket: #HostPathType & "Socket" + +// A character device must exist at the given path +#HostPathCharDev: #HostPathType & "CharDevice" + +// A block device must exist at the given path +#HostPathBlockDev: #HostPathType & "BlockDevice" + +// Represents a host path mapped into a pod. +// Host path volumes do not support ownership management or SELinux relabeling. +#HostPathVolumeSource: { + // path of the directory on the host. + // If the path is a symlink, it will follow the link to the real path. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + path: string @go(Path) @protobuf(1,bytes,opt) + + // type for HostPath Volume + // Defaults to "" + // More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + // +optional + type?: null | #HostPathType @go(Type,*HostPathType) @protobuf(2,bytes,opt) +} + +// Represents an empty directory for a pod. +// Empty directory volumes support ownership management and SELinux relabeling. +#EmptyDirVolumeSource: { + // medium represents what type of storage medium should back this directory. + // The default is "" which means to use the node's default medium. + // Must be an empty string (default) or Memory. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + // +optional + medium?: #StorageMedium @go(Medium) @protobuf(1,bytes,opt,casttype=StorageMedium) + + // sizeLimit is the total amount of local storage required for this EmptyDir volume. + // The size limit is also applicable for memory medium. + // The maximum usage on memory medium EmptyDir would be the minimum value between + // the SizeLimit specified here and the sum of memory limits of all containers in a pod. + // The default is nil which means that the limit is undefined. 
+ // More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + // +optional + sizeLimit?: null | resource.#Quantity @go(SizeLimit,*resource.Quantity) @protobuf(2,bytes,opt) +} + +// Represents a Glusterfs mount that lasts the lifetime of a pod. +// Glusterfs volumes do not support ownership management or SELinux relabeling. +#GlusterfsVolumeSource: { + // endpoints is the endpoint name that details Glusterfs topology. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + endpoints: string @go(EndpointsName) @protobuf(1,bytes,opt) + + // path is the Glusterfs volume path. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + path: string @go(Path) @protobuf(2,bytes,opt) + + // readOnly here will force the Glusterfs volume to be mounted with read-only permissions. + // Defaults to false. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) +} + +// Represents a Glusterfs mount that lasts the lifetime of a pod. +// Glusterfs volumes do not support ownership management or SELinux relabeling. +#GlusterfsPersistentVolumeSource: { + // endpoints is the endpoint name that details Glusterfs topology. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + endpoints: string @go(EndpointsName) @protobuf(1,bytes,opt) + + // path is the Glusterfs volume path. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + path: string @go(Path) @protobuf(2,bytes,opt) + + // readOnly here will force the Glusterfs volume to be mounted with read-only permissions. + // Defaults to false. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) + + // endpointsNamespace is the namespace that contains Glusterfs endpoint. 
+ // If this field is empty, the EndpointNamespace defaults to the same namespace as the bound PVC. + // More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + // +optional + endpointsNamespace?: null | string @go(EndpointsNamespace,*string) @protobuf(4,bytes,opt) +} + +// Represents a Rados Block Device mount that lasts the lifetime of a pod. +// RBD volumes support ownership management and SELinux relabeling. +#RBDVolumeSource: { + // monitors is a collection of Ceph monitors. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + monitors: [...string] @go(CephMonitors,[]string) @protobuf(1,bytes,rep) + + // image is the rados image name. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + image: string @go(RBDImage) @protobuf(2,bytes,opt) + + // fsType is the filesystem type of the volume that you want to mount. + // Tip: Ensure that the filesystem type is supported by the host operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + // TODO: how do we prevent errors in the filesystem from compromising the machine + // +optional + fsType?: string @go(FSType) @protobuf(3,bytes,opt) + + // pool is the rados pool name. + // Default is rbd. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + pool?: string @go(RBDPool) @protobuf(4,bytes,opt) + + // user is the rados user name. + // Default is admin. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + user?: string @go(RadosUser) @protobuf(5,bytes,opt) + + // keyring is the path to key ring for RBDUser. + // Default is /etc/ceph/keyring. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + keyring?: string @go(Keyring) @protobuf(6,bytes,opt) + + // secretRef is name of the authentication secret for RBDUser. 
If provided + // overrides keyring. + // Default is nil. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + secretRef?: null | #LocalObjectReference @go(SecretRef,*LocalObjectReference) @protobuf(7,bytes,opt) + + // readOnly here will force the ReadOnly setting in VolumeMounts. + // Defaults to false. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(8,varint,opt) +} + +// Represents a Rados Block Device mount that lasts the lifetime of a pod. +// RBD volumes support ownership management and SELinux relabeling. +#RBDPersistentVolumeSource: { + // monitors is a collection of Ceph monitors. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + monitors: [...string] @go(CephMonitors,[]string) @protobuf(1,bytes,rep) + + // image is the rados image name. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + image: string @go(RBDImage) @protobuf(2,bytes,opt) + + // fsType is the filesystem type of the volume that you want to mount. + // Tip: Ensure that the filesystem type is supported by the host operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + // TODO: how do we prevent errors in the filesystem from compromising the machine + // +optional + fsType?: string @go(FSType) @protobuf(3,bytes,opt) + + // pool is the rados pool name. + // Default is rbd. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + pool?: string @go(RBDPool) @protobuf(4,bytes,opt) + + // user is the rados user name. + // Default is admin. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + user?: string @go(RadosUser) @protobuf(5,bytes,opt) + + // keyring is the path to key ring for RBDUser. + // Default is /etc/ceph/keyring. 
+ // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + keyring?: string @go(Keyring) @protobuf(6,bytes,opt) + + // secretRef is name of the authentication secret for RBDUser. If provided + // overrides keyring. + // Default is nil. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + secretRef?: null | #SecretReference @go(SecretRef,*SecretReference) @protobuf(7,bytes,opt) + + // readOnly here will force the ReadOnly setting in VolumeMounts. + // Defaults to false. + // More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(8,varint,opt) +} + +// Represents a cinder volume resource in Openstack. +// A Cinder volume must exist before mounting to a container. +// The volume must also be in the same region as the kubelet. +// Cinder volumes support ownership management and SELinux relabeling. +#CinderVolumeSource: { + // volumeID used to identify the volume in cinder. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + volumeID: string @go(VolumeID) @protobuf(1,bytes,opt) + + // fsType is the filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + // +optional + fsType?: string @go(FSType) @protobuf(2,bytes,opt) + + // readOnly defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) + + // secretRef is optional: points to a secret object containing parameters used to connect + // to OpenStack. 
+ // +optional + secretRef?: null | #LocalObjectReference @go(SecretRef,*LocalObjectReference) @protobuf(4,bytes,opt) +} + +// Represents a cinder volume resource in Openstack. +// A Cinder volume must exist before mounting to a container. +// The volume must also be in the same region as the kubelet. +// Cinder volumes support ownership management and SELinux relabeling. +#CinderPersistentVolumeSource: { + // volumeID used to identify the volume in cinder. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + volumeID: string @go(VolumeID) @protobuf(1,bytes,opt) + + // fsType Filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + // +optional + fsType?: string @go(FSType) @protobuf(2,bytes,opt) + + // readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // More info: https://examples.k8s.io/mysql-cinder-pd/README.md + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) + + // secretRef is Optional: points to a secret object containing parameters used to connect + // to OpenStack. + // +optional + secretRef?: null | #SecretReference @go(SecretRef,*SecretReference) @protobuf(4,bytes,opt) +} + +// Represents a Ceph Filesystem mount that lasts the lifetime of a pod +// Cephfs volumes do not support ownership management or SELinux relabeling. 
+#CephFSVolumeSource: { + // monitors is Required: Monitors is a collection of Ceph monitors + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + monitors: [...string] @go(Monitors,[]string) @protobuf(1,bytes,rep) + + // path is Optional: Used as the mounted root, rather than the full Ceph tree, default is / + // +optional + path?: string @go(Path) @protobuf(2,bytes,opt) + + // user is optional: User is the rados user name, default is admin + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + // +optional + user?: string @go(User) @protobuf(3,bytes,opt) + + // secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + // +optional + secretFile?: string @go(SecretFile) @protobuf(4,bytes,opt) + + // secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + // +optional + secretRef?: null | #LocalObjectReference @go(SecretRef,*LocalObjectReference) @protobuf(5,bytes,opt) + + // readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(6,varint,opt) +} + +// SecretReference represents a Secret Reference. It has enough information to retrieve secret +// in any namespace +// +structType=atomic +#SecretReference: { + // name is unique within a namespace to reference a secret resource. + // +optional + name?: string @go(Name) @protobuf(1,bytes,opt) + + // namespace defines the space within which the secret name must be unique. 
+ // +optional + namespace?: string @go(Namespace) @protobuf(2,bytes,opt) +} + +// Represents a Ceph Filesystem mount that lasts the lifetime of a pod +// Cephfs volumes do not support ownership management or SELinux relabeling. +#CephFSPersistentVolumeSource: { + // monitors is Required: Monitors is a collection of Ceph monitors + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + monitors: [...string] @go(Monitors,[]string) @protobuf(1,bytes,rep) + + // path is Optional: Used as the mounted root, rather than the full Ceph tree, default is / + // +optional + path?: string @go(Path) @protobuf(2,bytes,opt) + + // user is Optional: User is the rados user name, default is admin + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + // +optional + user?: string @go(User) @protobuf(3,bytes,opt) + + // secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + // +optional + secretFile?: string @go(SecretFile) @protobuf(4,bytes,opt) + + // secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + // +optional + secretRef?: null | #SecretReference @go(SecretRef,*SecretReference) @protobuf(5,bytes,opt) + + // readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(6,varint,opt) +} + +// Represents a Flocker volume mounted by the Flocker agent. +// One and only one of datasetName and datasetUUID should be set. +// Flocker volumes do not support ownership management or SELinux relabeling. 
+#FlockerVolumeSource: { + // datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker + // should be considered as deprecated + // +optional + datasetName?: string @go(DatasetName) @protobuf(1,bytes,opt) + + // datasetUUID is the UUID of the dataset. This is unique identifier of a Flocker dataset + // +optional + datasetUUID?: string @go(DatasetUUID) @protobuf(2,bytes,opt) +} + +// StorageMedium defines ways that storage can be allocated to a volume. +#StorageMedium: string // #enumStorageMedium + +#enumStorageMedium: + #StorageMediumDefault | + #StorageMediumMemory | + #StorageMediumHugePages | + #StorageMediumHugePagesPrefix + +#StorageMediumDefault: #StorageMedium & "" +#StorageMediumMemory: #StorageMedium & "Memory" +#StorageMediumHugePages: #StorageMedium & "HugePages" +#StorageMediumHugePagesPrefix: #StorageMedium & "HugePages-" + +// Protocol defines network protocols supported for things like container ports. +// +enum +#Protocol: string // #enumProtocol + +#enumProtocol: + #ProtocolTCP | + #ProtocolUDP | + #ProtocolSCTP + +// ProtocolTCP is the TCP protocol. +#ProtocolTCP: #Protocol & "TCP" + +// ProtocolUDP is the UDP protocol. +#ProtocolUDP: #Protocol & "UDP" + +// ProtocolSCTP is the SCTP protocol. +#ProtocolSCTP: #Protocol & "SCTP" + +// Represents a Persistent Disk resource in Google Compute Engine. +// +// A GCE PD must exist before mounting to a container. The disk must +// also be in the same GCE project and zone as the kubelet. A GCE PD +// can only be mounted as read/write once or read-only many times. GCE +// PDs support ownership management and SELinux relabeling. +#GCEPersistentDiskVolumeSource: { + // pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + pdName: string @go(PDName) @protobuf(1,bytes,opt) + + // fsType is filesystem type of the volume that you want to mount. 
+ // Tip: Ensure that the filesystem type is supported by the host operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + // TODO: how do we prevent errors in the filesystem from compromising the machine + // +optional + fsType?: string @go(FSType) @protobuf(2,bytes,opt) + + // partition is the partition in the volume that you want to mount. + // If omitted, the default is to mount by volume name. + // Examples: For volume /dev/sda1, you specify the partition as "1". + // Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + // More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + // +optional + partition?: int32 @go(Partition) @protobuf(3,varint,opt) + + // readOnly here will force the ReadOnly setting in VolumeMounts. + // Defaults to false. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(4,varint,opt) +} + +// Represents a Quobyte mount that lasts the lifetime of a pod. +// Quobyte volumes do not support ownership management or SELinux relabeling. +#QuobyteVolumeSource: { + // registry represents a single or multiple Quobyte Registry services + // specified as a string as host:port pair (multiple entries are separated with commas) + // which acts as the central registry for volumes + registry: string @go(Registry) @protobuf(1,bytes,opt) + + // volume is a string that references an already created Quobyte volume by name. + volume: string @go(Volume) @protobuf(2,bytes,opt) + + // readOnly here will force the Quobyte volume to be mounted with read-only permissions. + // Defaults to false. 
+ // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) + + // user to map volume access to + // Defaults to serivceaccount user + // +optional + user?: string @go(User) @protobuf(4,bytes,opt) + + // group to map volume access to + // Default is no group + // +optional + group?: string @go(Group) @protobuf(5,bytes,opt) + + // tenant owning the given Quobyte volume in the Backend + // Used with dynamically provisioned Quobyte volumes, value is set by the plugin + // +optional + tenant?: string @go(Tenant) @protobuf(6,bytes,opt) +} + +// FlexPersistentVolumeSource represents a generic persistent volume resource that is +// provisioned/attached using an exec based plugin. +#FlexPersistentVolumeSource: { + // driver is the name of the driver to use for this volume. + driver: string @go(Driver) @protobuf(1,bytes,opt) + + // fsType is the Filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. + // +optional + fsType?: string @go(FSType) @protobuf(2,bytes,opt) + + // secretRef is Optional: SecretRef is reference to the secret object containing + // sensitive information to pass to the plugin scripts. This may be + // empty if no secret object is specified. If the secret object + // contains more than one secret, all secrets are passed to the plugin + // scripts. + // +optional + secretRef?: null | #SecretReference @go(SecretRef,*SecretReference) @protobuf(3,bytes,opt) + + // readOnly is Optional: defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(4,varint,opt) + + // options is Optional: this field holds extra command options if any. 
+ // +optional + options?: {[string]: string} @go(Options,map[string]string) @protobuf(5,bytes,rep) +} + +// FlexVolume represents a generic volume resource that is +// provisioned/attached using an exec based plugin. +#FlexVolumeSource: { + // driver is the name of the driver to use for this volume. + driver: string @go(Driver) @protobuf(1,bytes,opt) + + // fsType is the filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. + // +optional + fsType?: string @go(FSType) @protobuf(2,bytes,opt) + + // secretRef is Optional: secretRef is reference to the secret object containing + // sensitive information to pass to the plugin scripts. This may be + // empty if no secret object is specified. If the secret object + // contains more than one secret, all secrets are passed to the plugin + // scripts. + // +optional + secretRef?: null | #LocalObjectReference @go(SecretRef,*LocalObjectReference) @protobuf(3,bytes,opt) + + // readOnly is Optional: defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(4,varint,opt) + + // options is Optional: this field holds extra command options if any. + // +optional + options?: {[string]: string} @go(Options,map[string]string) @protobuf(5,bytes,rep) +} + +// Represents a Persistent Disk resource in AWS. +// +// An AWS EBS disk must exist before mounting to a container. The disk +// must also be in the same AWS zone as the kubelet. An AWS EBS disk +// can only be mounted as read/write once. AWS EBS volumes support +// ownership management and SELinux relabeling. +#AWSElasticBlockStoreVolumeSource: { + // volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). 
+ // More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + volumeID: string @go(VolumeID) @protobuf(1,bytes,opt) + + // fsType is the filesystem type of the volume that you want to mount. + // Tip: Ensure that the filesystem type is supported by the host operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + // TODO: how do we prevent errors in the filesystem from compromising the machine + // +optional + fsType?: string @go(FSType) @protobuf(2,bytes,opt) + + // partition is the partition in the volume that you want to mount. + // If omitted, the default is to mount by volume name. + // Examples: For volume /dev/sda1, you specify the partition as "1". + // Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + // +optional + partition?: int32 @go(Partition) @protobuf(3,varint,opt) + + // readOnly value true will force the readOnly setting in VolumeMounts. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(4,varint,opt) +} + +// Represents a volume that is populated with the contents of a git repository. +// Git repo volumes do not support ownership management. +// Git repo volumes support SELinux relabeling. +// +// DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an +// EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir +// into the Pod's container. +#GitRepoVolumeSource: { + // repository is the URL + repository: string @go(Repository) @protobuf(1,bytes,opt) + + // revision is the commit hash for the specified revision. + // +optional + revision?: string @go(Revision) @protobuf(2,bytes,opt) + + // directory is the target directory name. + // Must not contain or start with '..'. If '.' 
is supplied, the volume directory will be the + // git repository. Otherwise, if specified, the volume will contain the git repository in + // the subdirectory with the given name. + // +optional + directory?: string @go(Directory) @protobuf(3,bytes,opt) +} + +// Adapts a Secret into a volume. +// +// The contents of the target Secret's Data field will be presented in a volume +// as files using the keys in the Data field as the file names. +// Secret volumes support ownership management and SELinux relabeling. +#SecretVolumeSource: { + // secretName is the name of the secret in the pod's namespace to use. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + // +optional + secretName?: string @go(SecretName) @protobuf(1,bytes,opt) + + // items If unspecified, each key-value pair in the Data field of the referenced + // Secret will be projected into the volume as a file whose name is the + // key and content is the value. If specified, the listed keys will be + // projected into the specified paths, and unlisted keys will not be + // present. If a key is specified which is not present in the Secret, + // the volume setup will error unless it is marked optional. Paths must be + // relative and may not contain the '..' path or start with '..'. + // +optional + items?: [...#KeyToPath] @go(Items,[]KeyToPath) @protobuf(2,bytes,rep) + + // defaultMode is Optional: mode bits used to set permissions on created files by default. + // Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires decimal values + // for mode bits. Defaults to 0644. + // Directories within the path are not affected by this setting. + // This might be in conflict with other options that affect the file + // mode, like fsGroup, and the result can be other mode bits set. 
+ // +optional + defaultMode?: null | int32 @go(DefaultMode,*int32) @protobuf(3,bytes,opt) + + // optional field specify whether the Secret or its keys must be defined + // +optional + optional?: null | bool @go(Optional,*bool) @protobuf(4,varint,opt) +} + +#SecretVolumeSourceDefaultMode: int32 & 0o644 + +// Adapts a secret into a projected volume. +// +// The contents of the target Secret's Data field will be presented in a +// projected volume as files using the keys in the Data field as the file names. +// Note that this is identical to a secret volume source without the default +// mode. +#SecretProjection: { + #LocalObjectReference + + // items if unspecified, each key-value pair in the Data field of the referenced + // Secret will be projected into the volume as a file whose name is the + // key and content is the value. If specified, the listed keys will be + // projected into the specified paths, and unlisted keys will not be + // present. If a key is specified which is not present in the Secret, + // the volume setup will error unless it is marked optional. Paths must be + // relative and may not contain the '..' path or start with '..'. + // +optional + items?: [...#KeyToPath] @go(Items,[]KeyToPath) @protobuf(2,bytes,rep) + + // optional field specify whether the Secret or its key must be defined + // +optional + optional?: null | bool @go(Optional,*bool) @protobuf(4,varint,opt) +} + +// Represents an NFS mount that lasts the lifetime of a pod. +// NFS volumes do not support ownership management or SELinux relabeling. +#NFSVolumeSource: { + // server is the hostname or IP address of the NFS server. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + server: string @go(Server) @protobuf(1,bytes,opt) + + // path that is exported by the NFS server. 
+ // More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + path: string @go(Path) @protobuf(2,bytes,opt) + + // readOnly here will force the NFS export to be mounted with read-only permissions. + // Defaults to false. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) +} + +// Represents an ISCSI disk. +// ISCSI volumes can only be mounted as read/write once. +// ISCSI volumes support ownership management and SELinux relabeling. +#ISCSIVolumeSource: { + // targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port + // is other than default (typically TCP ports 860 and 3260). + targetPortal: string @go(TargetPortal) @protobuf(1,bytes,opt) + + // iqn is the target iSCSI Qualified Name. + iqn: string @go(IQN) @protobuf(2,bytes,opt) + + // lun represents iSCSI Target Lun number. + lun: int32 @go(Lun) @protobuf(3,varint,opt) + + // iscsiInterface is the interface Name that uses an iSCSI transport. + // Defaults to 'default' (tcp). + // +optional + iscsiInterface?: string @go(ISCSIInterface) @protobuf(4,bytes,opt) + + // fsType is the filesystem type of the volume that you want to mount. + // Tip: Ensure that the filesystem type is supported by the host operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + // TODO: how do we prevent errors in the filesystem from compromising the machine + // +optional + fsType?: string @go(FSType) @protobuf(5,bytes,opt) + + // readOnly here will force the ReadOnly setting in VolumeMounts. + // Defaults to false. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(6,varint,opt) + + // portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port + // is other than default (typically TCP ports 860 and 3260). 
+ // +optional + portals?: [...string] @go(Portals,[]string) @protobuf(7,bytes,opt) + + // chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication + // +optional + chapAuthDiscovery?: bool @go(DiscoveryCHAPAuth) @protobuf(8,varint,opt) + + // chapAuthSession defines whether support iSCSI Session CHAP authentication + // +optional + chapAuthSession?: bool @go(SessionCHAPAuth) @protobuf(11,varint,opt) + + // secretRef is the CHAP Secret for iSCSI target and initiator authentication + // +optional + secretRef?: null | #LocalObjectReference @go(SecretRef,*LocalObjectReference) @protobuf(10,bytes,opt) + + // initiatorName is the custom iSCSI Initiator Name. + // If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface + // : will be created for the connection. + // +optional + initiatorName?: null | string @go(InitiatorName,*string) @protobuf(12,bytes,opt) +} + +// ISCSIPersistentVolumeSource represents an ISCSI disk. +// ISCSI volumes can only be mounted as read/write once. +// ISCSI volumes support ownership management and SELinux relabeling. +#ISCSIPersistentVolumeSource: { + // targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port + // is other than default (typically TCP ports 860 and 3260). + targetPortal: string @go(TargetPortal) @protobuf(1,bytes,opt) + + // iqn is Target iSCSI Qualified Name. + iqn: string @go(IQN) @protobuf(2,bytes,opt) + + // lun is iSCSI Target Lun number. + lun: int32 @go(Lun) @protobuf(3,varint,opt) + + // iscsiInterface is the interface Name that uses an iSCSI transport. + // Defaults to 'default' (tcp). + // +optional + iscsiInterface?: string @go(ISCSIInterface) @protobuf(4,bytes,opt) + + // fsType is the filesystem type of the volume that you want to mount. + // Tip: Ensure that the filesystem type is supported by the host operating system. + // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
+ // More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + // TODO: how do we prevent errors in the filesystem from compromising the machine + // +optional + fsType?: string @go(FSType) @protobuf(5,bytes,opt) + + // readOnly here will force the ReadOnly setting in VolumeMounts. + // Defaults to false. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(6,varint,opt) + + // portals is the iSCSI Target Portal List. The Portal is either an IP or ip_addr:port if the port + // is other than default (typically TCP ports 860 and 3260). + // +optional + portals?: [...string] @go(Portals,[]string) @protobuf(7,bytes,opt) + + // chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication + // +optional + chapAuthDiscovery?: bool @go(DiscoveryCHAPAuth) @protobuf(8,varint,opt) + + // chapAuthSession defines whether support iSCSI Session CHAP authentication + // +optional + chapAuthSession?: bool @go(SessionCHAPAuth) @protobuf(11,varint,opt) + + // secretRef is the CHAP Secret for iSCSI target and initiator authentication + // +optional + secretRef?: null | #SecretReference @go(SecretRef,*SecretReference) @protobuf(10,bytes,opt) + + // initiatorName is the custom iSCSI Initiator Name. + // If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface + // : will be created for the connection. + // +optional + initiatorName?: null | string @go(InitiatorName,*string) @protobuf(12,bytes,opt) +} + +// Represents a Fibre Channel volume. +// Fibre Channel volumes can only be mounted as read/write once. +// Fibre Channel volumes support ownership management and SELinux relabeling. +#FCVolumeSource: { + // targetWWNs is Optional: FC target worldwide names (WWNs) + // +optional + targetWWNs?: [...string] @go(TargetWWNs,[]string) @protobuf(1,bytes,rep) + + // lun is Optional: FC target lun number + // +optional + lun?: null | int32 @go(Lun,*int32) @protobuf(2,varint,opt) + + // fsType is the filesystem type to mount. 
+ // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // TODO: how do we prevent errors in the filesystem from compromising the machine + // +optional + fsType?: string @go(FSType) @protobuf(3,bytes,opt) + + // readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(4,varint,opt) + + // wwids Optional: FC volume world wide identifiers (wwids) + // Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. + // +optional + wwids?: [...string] @go(WWIDs,[]string) @protobuf(5,bytes,rep) +} + +// AzureFile represents an Azure File Service mount on the host and bind mount to the pod. +#AzureFileVolumeSource: { + // secretName is the name of secret that contains Azure Storage Account Name and Key + secretName: string @go(SecretName) @protobuf(1,bytes,opt) + + // shareName is the azure share Name + shareName: string @go(ShareName) @protobuf(2,bytes,opt) + + // readOnly defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) +} + +// AzureFile represents an Azure File Service mount on the host and bind mount to the pod. +#AzureFilePersistentVolumeSource: { + // secretName is the name of secret that contains Azure Storage Account Name and Key + secretName: string @go(SecretName) @protobuf(1,bytes,opt) + + // shareName is the azure Share Name + shareName: string @go(ShareName) @protobuf(2,bytes,opt) + + // readOnly defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. 
+ // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) + + // secretNamespace is the namespace of the secret that contains Azure Storage Account Name and Key + // default is the same as the Pod + // +optional + secretNamespace?: null | string @go(SecretNamespace,*string) @protobuf(4,bytes,opt) +} + +// Represents a vSphere volume resource. +#VsphereVirtualDiskVolumeSource: { + // volumePath is the path that identifies vSphere volume vmdk + volumePath: string @go(VolumePath) @protobuf(1,bytes,opt) + + // fsType is filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // +optional + fsType?: string @go(FSType) @protobuf(2,bytes,opt) + + // storagePolicyName is the storage Policy Based Management (SPBM) profile name. + // +optional + storagePolicyName?: string @go(StoragePolicyName) @protobuf(3,bytes,opt) + + // storagePolicyID is the storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName. + // +optional + storagePolicyID?: string @go(StoragePolicyID) @protobuf(4,bytes,opt) +} + +// Represents a Photon Controller persistent disk resource. +#PhotonPersistentDiskVolumeSource: { + // pdID is the ID that identifies Photon Controller persistent disk + pdID: string @go(PdID) @protobuf(1,bytes,opt) + + // fsType is the filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
+ fsType?: string @go(FSType) @protobuf(2,bytes,opt) +} + +// +enum +#AzureDataDiskCachingMode: string // #enumAzureDataDiskCachingMode + +#enumAzureDataDiskCachingMode: + #AzureDataDiskCachingNone | + #AzureDataDiskCachingReadOnly | + #AzureDataDiskCachingReadWrite + +// +enum +#AzureDataDiskKind: string // #enumAzureDataDiskKind + +#enumAzureDataDiskKind: + #AzureSharedBlobDisk | + #AzureDedicatedBlobDisk | + #AzureManagedDisk + +#AzureDataDiskCachingNone: #AzureDataDiskCachingMode & "None" +#AzureDataDiskCachingReadOnly: #AzureDataDiskCachingMode & "ReadOnly" +#AzureDataDiskCachingReadWrite: #AzureDataDiskCachingMode & "ReadWrite" +#AzureSharedBlobDisk: #AzureDataDiskKind & "Shared" +#AzureDedicatedBlobDisk: #AzureDataDiskKind & "Dedicated" +#AzureManagedDisk: #AzureDataDiskKind & "Managed" + +// AzureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. +#AzureDiskVolumeSource: { + // diskName is the Name of the data disk in the blob storage + diskName: string @go(DiskName) @protobuf(1,bytes,opt) + + // diskURI is the URI of data disk in the blob storage + diskURI: string @go(DataDiskURI) @protobuf(2,bytes,opt) + + // cachingMode is the Host Caching mode: None, Read Only, Read Write. + // +optional + cachingMode?: null | #AzureDataDiskCachingMode @go(CachingMode,*AzureDataDiskCachingMode) @protobuf(3,bytes,opt,casttype=AzureDataDiskCachingMode) + + // fsType is Filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // +optional + fsType?: null | string @go(FSType,*string) @protobuf(4,bytes,opt) + + // readOnly Defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. 
+ // +optional + readOnly?: null | bool @go(ReadOnly,*bool) @protobuf(5,varint,opt) + + // kind expected values are Shared: multiple blob disks per storage account Dedicated: single blob disk per storage account Managed: azure managed data disk (only in managed availability set). defaults to shared + kind?: null | #AzureDataDiskKind @go(Kind,*AzureDataDiskKind) @protobuf(6,bytes,opt,casttype=AzureDataDiskKind) +} + +// PortworxVolumeSource represents a Portworx volume resource. +#PortworxVolumeSource: { + // volumeID uniquely identifies a Portworx volume + volumeID: string @go(VolumeID) @protobuf(1,bytes,opt) + + // fSType represents the filesystem type to mount + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. + fsType?: string @go(FSType) @protobuf(2,bytes,opt) + + // readOnly defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) +} + +// ScaleIOVolumeSource represents a persistent ScaleIO volume +#ScaleIOVolumeSource: { + // gateway is the host address of the ScaleIO API Gateway. + gateway: string @go(Gateway) @protobuf(1,bytes,opt) + + // system is the name of the storage system as configured in ScaleIO. + system: string @go(System) @protobuf(2,bytes,opt) + + // secretRef references to the secret for ScaleIO user and other + // sensitive information. If this is not provided, Login operation will fail. + secretRef?: null | #LocalObjectReference @go(SecretRef,*LocalObjectReference) @protobuf(3,bytes,opt) + + // sslEnabled Flag enable/disable SSL communication with Gateway, default false + // +optional + sslEnabled?: bool @go(SSLEnabled) @protobuf(4,varint,opt) + + // protectionDomain is the name of the ScaleIO Protection Domain for the configured storage. 
+ // +optional + protectionDomain?: string @go(ProtectionDomain) @protobuf(5,bytes,opt) + + // storagePool is the ScaleIO Storage Pool associated with the protection domain. + // +optional + storagePool?: string @go(StoragePool) @protobuf(6,bytes,opt) + + // storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. + // Default is ThinProvisioned. + // +optional + storageMode?: string @go(StorageMode) @protobuf(7,bytes,opt) + + // volumeName is the name of a volume already created in the ScaleIO system + // that is associated with this volume source. + volumeName?: string @go(VolumeName) @protobuf(8,bytes,opt) + + // fsType is the filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". + // Default is "xfs". + // +optional + fsType?: string @go(FSType) @protobuf(9,bytes,opt) + + // readOnly Defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(10,varint,opt) +} + +// ScaleIOPersistentVolumeSource represents a persistent ScaleIO volume +#ScaleIOPersistentVolumeSource: { + // gateway is the host address of the ScaleIO API Gateway. + gateway: string @go(Gateway) @protobuf(1,bytes,opt) + + // system is the name of the storage system as configured in ScaleIO. + system: string @go(System) @protobuf(2,bytes,opt) + + // secretRef references to the secret for ScaleIO user and other + // sensitive information. If this is not provided, Login operation will fail. + secretRef?: null | #SecretReference @go(SecretRef,*SecretReference) @protobuf(3,bytes,opt) + + // sslEnabled is the flag to enable/disable SSL communication with Gateway, default false + // +optional + sslEnabled?: bool @go(SSLEnabled) @protobuf(4,varint,opt) + + // protectionDomain is the name of the ScaleIO Protection Domain for the configured storage. 
+ // +optional + protectionDomain?: string @go(ProtectionDomain) @protobuf(5,bytes,opt) + + // storagePool is the ScaleIO Storage Pool associated with the protection domain. + // +optional + storagePool?: string @go(StoragePool) @protobuf(6,bytes,opt) + + // storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. + // Default is ThinProvisioned. + // +optional + storageMode?: string @go(StorageMode) @protobuf(7,bytes,opt) + + // volumeName is the name of a volume already created in the ScaleIO system + // that is associated with this volume source. + volumeName?: string @go(VolumeName) @protobuf(8,bytes,opt) + + // fsType is the filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". + // Default is "xfs" + // +optional + fsType?: string @go(FSType) @protobuf(9,bytes,opt) + + // readOnly defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(10,varint,opt) +} + +// Represents a StorageOS persistent volume resource. +#StorageOSVolumeSource: { + // volumeName is the human-readable name of the StorageOS volume. Volume + // names are only unique within a namespace. + volumeName?: string @go(VolumeName) @protobuf(1,bytes,opt) + + // volumeNamespace specifies the scope of the volume within StorageOS. If no + // namespace is specified then the Pod's namespace will be used. This allows the + // Kubernetes name scoping to be mirrored within StorageOS for tighter integration. + // Set VolumeName to any name to override the default behaviour. + // Set to "default" if you are not using namespaces within StorageOS. + // Namespaces that do not pre-exist within StorageOS will be created. + // +optional + volumeNamespace?: string @go(VolumeNamespace) @protobuf(2,bytes,opt) + + // fsType is the filesystem type to mount. 
+ // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // +optional + fsType?: string @go(FSType) @protobuf(3,bytes,opt) + + // readOnly defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(4,varint,opt) + + // secretRef specifies the secret to use for obtaining the StorageOS API + // credentials. If not specified, default values will be attempted. + // +optional + secretRef?: null | #LocalObjectReference @go(SecretRef,*LocalObjectReference) @protobuf(5,bytes,opt) +} + +// Represents a StorageOS persistent volume resource. +#StorageOSPersistentVolumeSource: { + // volumeName is the human-readable name of the StorageOS volume. Volume + // names are only unique within a namespace. + volumeName?: string @go(VolumeName) @protobuf(1,bytes,opt) + + // volumeNamespace specifies the scope of the volume within StorageOS. If no + // namespace is specified then the Pod's namespace will be used. This allows the + // Kubernetes name scoping to be mirrored within StorageOS for tighter integration. + // Set VolumeName to any name to override the default behaviour. + // Set to "default" if you are not using namespaces within StorageOS. + // Namespaces that do not pre-exist within StorageOS will be created. + // +optional + volumeNamespace?: string @go(VolumeNamespace) @protobuf(2,bytes,opt) + + // fsType is the filesystem type to mount. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + // +optional + fsType?: string @go(FSType) @protobuf(3,bytes,opt) + + // readOnly defaults to false (read/write). ReadOnly here will force + // the ReadOnly setting in VolumeMounts. 
+ // +optional + readOnly?: bool @go(ReadOnly) @protobuf(4,varint,opt) + + // secretRef specifies the secret to use for obtaining the StorageOS API + // credentials. If not specified, default values will be attempted. + // +optional + secretRef?: null | #ObjectReference @go(SecretRef,*ObjectReference) @protobuf(5,bytes,opt) +} + +// Adapts a ConfigMap into a volume. +// +// The contents of the target ConfigMap's Data field will be presented in a +// volume as files using the keys in the Data field as the file names, unless +// the items element is populated with specific mappings of keys to paths. +// ConfigMap volumes support ownership management and SELinux relabeling. +#ConfigMapVolumeSource: { + #LocalObjectReference + + // items if unspecified, each key-value pair in the Data field of the referenced + // ConfigMap will be projected into the volume as a file whose name is the + // key and content is the value. If specified, the listed keys will be + // projected into the specified paths, and unlisted keys will not be + // present. If a key is specified which is not present in the ConfigMap, + // the volume setup will error unless it is marked optional. Paths must be + // relative and may not contain the '..' path or start with '..'. + // +optional + items?: [...#KeyToPath] @go(Items,[]KeyToPath) @protobuf(2,bytes,rep) + + // defaultMode is optional: mode bits used to set permissions on created files by default. + // Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + // Defaults to 0644. + // Directories within the path are not affected by this setting. + // This might be in conflict with other options that affect the file + // mode, like fsGroup, and the result can be other mode bits set. 
+ // +optional + defaultMode?: null | int32 @go(DefaultMode,*int32) @protobuf(3,varint,opt) + + // optional specify whether the ConfigMap or its keys must be defined + // +optional + optional?: null | bool @go(Optional,*bool) @protobuf(4,varint,opt) +} + +#ConfigMapVolumeSourceDefaultMode: int32 & 0o644 + +// Adapts a ConfigMap into a projected volume. +// +// The contents of the target ConfigMap's Data field will be presented in a +// projected volume as files using the keys in the Data field as the file names, +// unless the items element is populated with specific mappings of keys to paths. +// Note that this is identical to a configmap volume source without the default +// mode. +#ConfigMapProjection: { + #LocalObjectReference + + // items if unspecified, each key-value pair in the Data field of the referenced + // ConfigMap will be projected into the volume as a file whose name is the + // key and content is the value. If specified, the listed keys will be + // projected into the specified paths, and unlisted keys will not be + // present. If a key is specified which is not present in the ConfigMap, + // the volume setup will error unless it is marked optional. Paths must be + // relative and may not contain the '..' path or start with '..'. + // +optional + items?: [...#KeyToPath] @go(Items,[]KeyToPath) @protobuf(2,bytes,rep) + + // optional specify whether the ConfigMap or its keys must be defined + // +optional + optional?: null | bool @go(Optional,*bool) @protobuf(4,varint,opt) +} + +// ServiceAccountTokenProjection represents a projected service account token +// volume. This projection can be used to insert a service account token into +// the pods runtime filesystem for use against APIs (Kubernetes API Server or +// otherwise). +#ServiceAccountTokenProjection: { + // audience is the intended audience of the token. 
A recipient of a token + // must identify itself with an identifier specified in the audience of the + // token, and otherwise should reject the token. The audience defaults to the + // identifier of the apiserver. + // +optional + audience?: string @go(Audience) @protobuf(1,bytes,rep) + + // expirationSeconds is the requested duration of validity of the service + // account token. As the token approaches expiration, the kubelet volume + // plugin will proactively rotate the service account token. The kubelet will + // start trying to rotate the token if the token is older than 80 percent of + // its time to live or if the token is older than 24 hours.Defaults to 1 hour + // and must be at least 10 minutes. + // +optional + expirationSeconds?: null | int64 @go(ExpirationSeconds,*int64) @protobuf(2,varint,opt) + + // path is the path relative to the mount point of the file to project the + // token into. + path: string @go(Path) @protobuf(3,bytes,opt) +} + +// Represents a projected volume source +#ProjectedVolumeSource: { + // sources is the list of volume projections + // +optional + sources: [...#VolumeProjection] @go(Sources,[]VolumeProjection) @protobuf(1,bytes,rep) + + // defaultMode are the mode bits used to set permissions on created files by default. + // Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + // Directories within the path are not affected by this setting. + // This might be in conflict with other options that affect the file + // mode, like fsGroup, and the result can be other mode bits set. 
+ // +optional + defaultMode?: null | int32 @go(DefaultMode,*int32) @protobuf(2,varint,opt) +} + +// Projection that may be projected along with other supported volume types +#VolumeProjection: { + // secret information about the secret data to project + // +optional + secret?: null | #SecretProjection @go(Secret,*SecretProjection) @protobuf(1,bytes,opt) + + // downwardAPI information about the downwardAPI data to project + // +optional + downwardAPI?: null | #DownwardAPIProjection @go(DownwardAPI,*DownwardAPIProjection) @protobuf(2,bytes,opt) + + // configMap information about the configMap data to project + // +optional + configMap?: null | #ConfigMapProjection @go(ConfigMap,*ConfigMapProjection) @protobuf(3,bytes,opt) + + // serviceAccountToken is information about the serviceAccountToken data to project + // +optional + serviceAccountToken?: null | #ServiceAccountTokenProjection @go(ServiceAccountToken,*ServiceAccountTokenProjection) @protobuf(4,bytes,opt) +} + +#ProjectedVolumeSourceDefaultMode: int32 & 0o644 + +// Maps a string key to a path within a volume. +#KeyToPath: { + // key is the key to project. + key: string @go(Key) @protobuf(1,bytes,opt) + + // path is the relative path of the file to map the key to. + // May not be an absolute path. + // May not contain the path element '..'. + // May not start with the string '..'. + path: string @go(Path) @protobuf(2,bytes,opt) + + // mode is Optional: mode bits used to set permissions on this file. + // Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + // If not specified, the volume defaultMode will be used. + // This might be in conflict with other options that affect the file + // mode, like fsGroup, and the result can be other mode bits set. 
+ // +optional + mode?: null | int32 @go(Mode,*int32) @protobuf(3,varint,opt) +} + +// Local represents directly-attached storage with node affinity (Beta feature) +#LocalVolumeSource: { + // path of the full path to the volume on the node. + // It can be either a directory or block device (disk, partition, ...). + path: string @go(Path) @protobuf(1,bytes,opt) + + // fsType is the filesystem type to mount. + // It applies only when the Path is a block device. + // Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". The default value is to auto-select a filesystem if unspecified. + // +optional + fsType?: null | string @go(FSType,*string) @protobuf(2,bytes,opt) +} + +// Represents storage that is managed by an external CSI volume driver (Beta feature) +#CSIPersistentVolumeSource: { + // driver is the name of the driver to use for this volume. + // Required. + driver: string @go(Driver) @protobuf(1,bytes,opt) + + // volumeHandle is the unique volume name returned by the CSI volume + // plugin’s CreateVolume to refer to the volume on all subsequent calls. + // Required. + volumeHandle: string @go(VolumeHandle) @protobuf(2,bytes,opt) + + // readOnly value to pass to ControllerPublishVolumeRequest. + // Defaults to false (read/write). + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(3,varint,opt) + + // fsType to mount. Must be a filesystem type supported by the host operating system. + // Ex. "ext4", "xfs", "ntfs". + // +optional + fsType?: string @go(FSType) @protobuf(4,bytes,opt) + + // volumeAttributes of the volume to publish. + // +optional + volumeAttributes?: {[string]: string} @go(VolumeAttributes,map[string]string) @protobuf(5,bytes,rep) + + // controllerPublishSecretRef is a reference to the secret object containing + // sensitive information to pass to the CSI driver to complete the CSI + // ControllerPublishVolume and ControllerUnpublishVolume calls. 
+ // This field is optional, and may be empty if no secret is required. If the + // secret object contains more than one secret, all secrets are passed. + // +optional + controllerPublishSecretRef?: null | #SecretReference @go(ControllerPublishSecretRef,*SecretReference) @protobuf(6,bytes,opt) + + // nodeStageSecretRef is a reference to the secret object containing sensitive + // information to pass to the CSI driver to complete the CSI NodeStageVolume + // and NodeStageVolume and NodeUnstageVolume calls. + // This field is optional, and may be empty if no secret is required. If the + // secret object contains more than one secret, all secrets are passed. + // +optional + nodeStageSecretRef?: null | #SecretReference @go(NodeStageSecretRef,*SecretReference) @protobuf(7,bytes,opt) + + // nodePublishSecretRef is a reference to the secret object containing + // sensitive information to pass to the CSI driver to complete the CSI + // NodePublishVolume and NodeUnpublishVolume calls. + // This field is optional, and may be empty if no secret is required. If the + // secret object contains more than one secret, all secrets are passed. + // +optional + nodePublishSecretRef?: null | #SecretReference @go(NodePublishSecretRef,*SecretReference) @protobuf(8,bytes,opt) + + // controllerExpandSecretRef is a reference to the secret object containing + // sensitive information to pass to the CSI driver to complete the CSI + // ControllerExpandVolume call. + // This field is optional, and may be empty if no secret is required. If the + // secret object contains more than one secret, all secrets are passed. + // +optional + controllerExpandSecretRef?: null | #SecretReference @go(ControllerExpandSecretRef,*SecretReference) @protobuf(9,bytes,opt) + + // nodeExpandSecretRef is a reference to the secret object containing + // sensitive information to pass to the CSI driver to complete the CSI + // NodeExpandVolume call. 
+ // This is a beta field which is enabled default by CSINodeExpandSecret feature gate. + // This field is optional, may be omitted if no secret is required. If the + // secret object contains more than one secret, all secrets are passed. + // +featureGate=CSINodeExpandSecret + // +optional + nodeExpandSecretRef?: null | #SecretReference @go(NodeExpandSecretRef,*SecretReference) @protobuf(10,bytes,opt) +} + +// Represents a source location of a volume to mount, managed by an external CSI driver +#CSIVolumeSource: { + // driver is the name of the CSI driver that handles this volume. + // Consult with your admin for the correct name as registered in the cluster. + driver: string @go(Driver) @protobuf(1,bytes,opt) + + // readOnly specifies a read-only configuration for the volume. + // Defaults to false (read/write). + // +optional + readOnly?: null | bool @go(ReadOnly,*bool) @protobuf(2,varint,opt) + + // fsType to mount. Ex. "ext4", "xfs", "ntfs". + // If not provided, the empty value is passed to the associated CSI driver + // which will determine the default filesystem to apply. + // +optional + fsType?: null | string @go(FSType,*string) @protobuf(3,bytes,opt) + + // volumeAttributes stores driver-specific properties that are passed to the CSI + // driver. Consult your driver's documentation for supported values. + // +optional + volumeAttributes?: {[string]: string} @go(VolumeAttributes,map[string]string) @protobuf(4,bytes,rep) + + // nodePublishSecretRef is a reference to the secret object containing + // sensitive information to pass to the CSI driver to complete the CSI + // NodePublishVolume and NodeUnpublishVolume calls. + // This field is optional, and may be empty if no secret is required. If the + // secret object contains more than one secret, all secret references are passed. 
+ // +optional + nodePublishSecretRef?: null | #LocalObjectReference @go(NodePublishSecretRef,*LocalObjectReference) @protobuf(5,bytes,opt) +} + +// Represents an ephemeral volume that is handled by a normal storage driver. +#EphemeralVolumeSource: { + // Will be used to create a stand-alone PVC to provision the volume. + // The pod in which this EphemeralVolumeSource is embedded will be the + // owner of the PVC, i.e. the PVC will be deleted together with the + // pod. The name of the PVC will be `-` where + // `` is the name from the `PodSpec.Volumes` array + // entry. Pod validation will reject the pod if the concatenated name + // is not valid for a PVC (for example, too long). + // + // An existing PVC with that name that is not owned by the pod + // will *not* be used for the pod to avoid using an unrelated + // volume by mistake. Starting the pod is then blocked until + // the unrelated PVC is removed. If such a pre-created PVC is + // meant to be used by the pod, the PVC has to updated with an + // owner reference to the pod once the pod exists. Normally + // this should not be necessary, but it may be useful when + // manually reconstructing a broken cluster. + // + // This field is read-only and no changes will be made by Kubernetes + // to the PVC after it has been created. + // + // Required, must not be nil. + volumeClaimTemplate?: null | #PersistentVolumeClaimTemplate @go(VolumeClaimTemplate,*PersistentVolumeClaimTemplate) @protobuf(1,bytes,opt) +} + +// PersistentVolumeClaimTemplate is used to produce +// PersistentVolumeClaim objects as part of an EphemeralVolumeSource. +#PersistentVolumeClaimTemplate: { + // May contain labels and annotations that will be copied into the PVC + // when creating it. No other fields are allowed and will be rejected during + // validation. + // + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // The specification for the PersistentVolumeClaim. 
The entire content is + // copied unchanged into the PVC that gets created from this + // template. The same fields as in a PersistentVolumeClaim + // are also valid here. + spec: #PersistentVolumeClaimSpec @go(Spec) @protobuf(2,bytes) +} + +// ContainerPort represents a network port in a single container. +#ContainerPort: { + // If specified, this must be an IANA_SVC_NAME and unique within the pod. Each + // named port in a pod must have a unique name. Name for the port that can be + // referred to by services. + // +optional + name?: string @go(Name) @protobuf(1,bytes,opt) + + // Number of port to expose on the host. + // If specified, this must be a valid port number, 0 < x < 65536. + // If HostNetwork is specified, this must match ContainerPort. + // Most containers do not need this. + // +optional + hostPort?: int32 @go(HostPort) @protobuf(2,varint,opt) + + // Number of port to expose on the pod's IP address. + // This must be a valid port number, 0 < x < 65536. + containerPort: int32 @go(ContainerPort) @protobuf(3,varint,opt) + + // Protocol for port. Must be UDP, TCP, or SCTP. + // Defaults to "TCP". + // +optional + // +default="TCP" + protocol?: #Protocol @go(Protocol) @protobuf(4,bytes,opt,casttype=Protocol) + + // What host IP to bind the external port to. + // +optional + hostIP?: string @go(HostIP) @protobuf(5,bytes,opt) +} + +// VolumeMount describes a mounting of a Volume within a container. +#VolumeMount: { + // This must match the Name of a Volume. + name: string @go(Name) @protobuf(1,bytes,opt) + + // Mounted read-only if true, read-write otherwise (false or unspecified). + // Defaults to false. + // +optional + readOnly?: bool @go(ReadOnly) @protobuf(2,varint,opt) + + // Path within the container at which the volume should be mounted. Must + // not contain ':'. + mountPath: string @go(MountPath) @protobuf(3,bytes,opt) + + // Path within the volume from which the container's volume should be mounted. + // Defaults to "" (volume's root). 
+ // +optional + subPath?: string @go(SubPath) @protobuf(4,bytes,opt) + + // mountPropagation determines how mounts are propagated from the host + // to container and the other way around. + // When not set, MountPropagationNone is used. + // This field is beta in 1.10. + // +optional + mountPropagation?: null | #MountPropagationMode @go(MountPropagation,*MountPropagationMode) @protobuf(5,bytes,opt,casttype=MountPropagationMode) + + // Expanded path within the volume from which the container's volume should be mounted. + // Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + // Defaults to "" (volume's root). + // SubPathExpr and SubPath are mutually exclusive. + // +optional + subPathExpr?: string @go(SubPathExpr) @protobuf(6,bytes,opt) +} + +// MountPropagationMode describes mount propagation. +// +enum +#MountPropagationMode: string // #enumMountPropagationMode + +#enumMountPropagationMode: + #MountPropagationNone | + #MountPropagationHostToContainer | + #MountPropagationBidirectional + +// MountPropagationNone means that the volume in a container will +// not receive new mounts from the host or other containers, and filesystems +// mounted inside the container won't be propagated to the host or other +// containers. +// Note that this mode corresponds to "private" in Linux terminology. +#MountPropagationNone: #MountPropagationMode & "None" + +// MountPropagationHostToContainer means that the volume in a container will +// receive new mounts from the host or other containers, but filesystems +// mounted inside the container won't be propagated to the host or other +// containers. +// Note that this mode is recursively applied to all mounts in the volume +// ("rslave" in Linux terminology). 
+#MountPropagationHostToContainer: #MountPropagationMode & "HostToContainer" + +// MountPropagationBidirectional means that the volume in a container will +// receive new mounts from the host or other containers, and its own mounts +// will be propagated from the container to the host or other containers. +// Note that this mode is recursively applied to all mounts in the volume +// ("rshared" in Linux terminology). +#MountPropagationBidirectional: #MountPropagationMode & "Bidirectional" + +// volumeDevice describes a mapping of a raw block device within a container. +#VolumeDevice: { + // name must match the name of a persistentVolumeClaim in the pod + name: string @go(Name) @protobuf(1,bytes,opt) + + // devicePath is the path inside of the container that the device will be mapped to. + devicePath: string @go(DevicePath) @protobuf(2,bytes,opt) +} + +// EnvVar represents an environment variable present in a Container. +#EnvVar: { + // Name of the environment variable. Must be a C_IDENTIFIER. + name: string @go(Name) @protobuf(1,bytes,opt) + + // Variable references $(VAR_NAME) are expanded + // using the previously defined environment variables in the container and + // any service environment variables. If a variable cannot be resolved, + // the reference in the input string will be unchanged. Double $$ are reduced + // to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + // "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + // Escaped references will never be expanded, regardless of whether the variable + // exists or not. + // Defaults to "". + // +optional + value?: string @go(Value) @protobuf(2,bytes,opt) + + // Source for the environment variable's value. Cannot be used if value is not empty. + // +optional + valueFrom?: null | #EnvVarSource @go(ValueFrom,*EnvVarSource) @protobuf(3,bytes,opt) +} + +// EnvVarSource represents a source for the value of an EnvVar. 
+#EnvVarSource: { + // Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + // spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + // +optional + fieldRef?: null | #ObjectFieldSelector @go(FieldRef,*ObjectFieldSelector) @protobuf(1,bytes,opt) + + // Selects a resource of the container: only resources limits and requests + // (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + // +optional + resourceFieldRef?: null | #ResourceFieldSelector @go(ResourceFieldRef,*ResourceFieldSelector) @protobuf(2,bytes,opt) + + // Selects a key of a ConfigMap. + // +optional + configMapKeyRef?: null | #ConfigMapKeySelector @go(ConfigMapKeyRef,*ConfigMapKeySelector) @protobuf(3,bytes,opt) + + // Selects a key of a secret in the pod's namespace + // +optional + secretKeyRef?: null | #SecretKeySelector @go(SecretKeyRef,*SecretKeySelector) @protobuf(4,bytes,opt) +} + +// ObjectFieldSelector selects an APIVersioned field of an object. +// +structType=atomic +#ObjectFieldSelector: { + // Version of the schema the FieldPath is written in terms of, defaults to "v1". + // +optional + apiVersion?: string @go(APIVersion) @protobuf(1,bytes,opt) + + // Path of the field to select in the specified API version. 
+ fieldPath: string @go(FieldPath) @protobuf(2,bytes,opt) +} + +// ResourceFieldSelector represents container resources (cpu, memory) and their output format +// +structType=atomic +#ResourceFieldSelector: { + // Container name: required for volumes, optional for env vars + // +optional + containerName?: string @go(ContainerName) @protobuf(1,bytes,opt) + + // Required: resource to select + "resource": string @go(Resource) @protobuf(2,bytes,opt) + + // Specifies the output format of the exposed resources, defaults to "1" + // +optional + divisor?: resource.#Quantity @go(Divisor) @protobuf(3,bytes,opt) +} + +// Selects a key from a ConfigMap. +// +structType=atomic +#ConfigMapKeySelector: { + #LocalObjectReference + + // The key to select. + key: string @go(Key) @protobuf(2,bytes,opt) + + // Specify whether the ConfigMap or its key must be defined + // +optional + optional?: null | bool @go(Optional,*bool) @protobuf(3,varint,opt) +} + +// SecretKeySelector selects a key of a Secret. +// +structType=atomic +#SecretKeySelector: { + #LocalObjectReference + + // The key of the secret to select from. Must be a valid secret key. + key: string @go(Key) @protobuf(2,bytes,opt) + + // Specify whether the Secret or its key must be defined + // +optional + optional?: null | bool @go(Optional,*bool) @protobuf(3,varint,opt) +} + +// EnvFromSource represents the source of a set of ConfigMaps +#EnvFromSource: { + // An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + // +optional + prefix?: string @go(Prefix) @protobuf(1,bytes,opt) + + // The ConfigMap to select from + // +optional + configMapRef?: null | #ConfigMapEnvSource @go(ConfigMapRef,*ConfigMapEnvSource) @protobuf(2,bytes,opt) + + // The Secret to select from + // +optional + secretRef?: null | #SecretEnvSource @go(SecretRef,*SecretEnvSource) @protobuf(3,bytes,opt) +} + +// ConfigMapEnvSource selects a ConfigMap to populate the environment +// variables with. 
+// +// The contents of the target ConfigMap's Data field will represent the +// key-value pairs as environment variables. +#ConfigMapEnvSource: { + #LocalObjectReference + + // Specify whether the ConfigMap must be defined + // +optional + optional?: null | bool @go(Optional,*bool) @protobuf(2,varint,opt) +} + +// SecretEnvSource selects a Secret to populate the environment +// variables with. +// +// The contents of the target Secret's Data field will represent the +// key-value pairs as environment variables. +#SecretEnvSource: { + #LocalObjectReference + + // Specify whether the Secret must be defined + // +optional + optional?: null | bool @go(Optional,*bool) @protobuf(2,varint,opt) +} + +// HTTPHeader describes a custom header to be used in HTTP probes +#HTTPHeader: { + // The header field name. + // This will be canonicalized upon output, so case-variant names will be understood as the same header. + name: string @go(Name) @protobuf(1,bytes,opt) + + // The header field value + value: string @go(Value) @protobuf(2,bytes,opt) +} + +// HTTPGetAction describes an action based on HTTP Get requests. +#HTTPGetAction: { + // Path to access on the HTTP server. + // +optional + path?: string @go(Path) @protobuf(1,bytes,opt) + + // Name or number of the port to access on the container. + // Number must be in the range 1 to 65535. + // Name must be an IANA_SVC_NAME. + port: intstr.#IntOrString @go(Port) @protobuf(2,bytes,opt) + + // Host name to connect to, defaults to the pod IP. You probably want to set + // "Host" in httpHeaders instead. + // +optional + host?: string @go(Host) @protobuf(3,bytes,opt) + + // Scheme to use for connecting to the host. + // Defaults to HTTP. + // +optional + scheme?: #URIScheme @go(Scheme) @protobuf(4,bytes,opt,casttype=URIScheme) + + // Custom headers to set in the request. HTTP allows repeated headers. 
+ // +optional + httpHeaders?: [...#HTTPHeader] @go(HTTPHeaders,[]HTTPHeader) @protobuf(5,bytes,rep) +} + +// URIScheme identifies the scheme used for connection to a host for Get actions +// +enum +#URIScheme: string // #enumURIScheme + +#enumURIScheme: + #URISchemeHTTP | + #URISchemeHTTPS + +// URISchemeHTTP means that the scheme used will be http:// +#URISchemeHTTP: #URIScheme & "HTTP" + +// URISchemeHTTPS means that the scheme used will be https:// +#URISchemeHTTPS: #URIScheme & "HTTPS" + +// TCPSocketAction describes an action based on opening a socket +#TCPSocketAction: { + // Number or name of the port to access on the container. + // Number must be in the range 1 to 65535. + // Name must be an IANA_SVC_NAME. + port: intstr.#IntOrString @go(Port) @protobuf(1,bytes,opt) + + // Optional: Host name to connect to, defaults to the pod IP. + // +optional + host?: string @go(Host) @protobuf(2,bytes,opt) +} + +#GRPCAction: { + // Port number of the gRPC service. Number must be in the range 1 to 65535. + port: int32 @go(Port) @protobuf(1,bytes,opt) + + // Service is the name of the service to place in the gRPC HealthCheckRequest + // (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + // + // If this is not specified, the default behavior is defined by gRPC. + // +optional + // +default="" + service?: null | string @go(Service,*string) @protobuf(2,bytes,opt) +} + +// ExecAction describes a "run in container" action. +#ExecAction: { + // Command is the command line to execute inside the container, the working directory for the + // command is root ('/') in the container's filesystem. The command is simply exec'd, it is + // not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + // a shell, you need to explicitly call out to that shell. + // Exit status of 0 is treated as live/healthy and non-zero is unhealthy. 
+ // +optional + command?: [...string] @go(Command,[]string) @protobuf(1,bytes,rep) +} + +// Probe describes a health check to be performed against a container to determine whether it is +// alive or ready to receive traffic. +#Probe: { + #ProbeHandler + + // Number of seconds after the container has started before liveness probes are initiated. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + // +optional + initialDelaySeconds?: int32 @go(InitialDelaySeconds) @protobuf(2,varint,opt) + + // Number of seconds after which the probe times out. + // Defaults to 1 second. Minimum value is 1. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + // +optional + timeoutSeconds?: int32 @go(TimeoutSeconds) @protobuf(3,varint,opt) + + // How often (in seconds) to perform the probe. + // Default to 10 seconds. Minimum value is 1. + // +optional + periodSeconds?: int32 @go(PeriodSeconds) @protobuf(4,varint,opt) + + // Minimum consecutive successes for the probe to be considered successful after having failed. + // Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + // +optional + successThreshold?: int32 @go(SuccessThreshold) @protobuf(5,varint,opt) + + // Minimum consecutive failures for the probe to be considered failed after having succeeded. + // Defaults to 3. Minimum value is 1. + // +optional + failureThreshold?: int32 @go(FailureThreshold) @protobuf(6,varint,opt) + + // Optional duration in seconds the pod needs to terminate gracefully upon probe failure. + // The grace period is the duration in seconds after the processes running in the pod are sent + // a termination signal and the time when the processes are forcibly halted with a kill signal. + // Set this value longer than the expected cleanup time for your process. + // If this value is nil, the pod's terminationGracePeriodSeconds will be used. 
Otherwise, this + // value overrides the value provided by the pod spec. + // Value must be non-negative integer. The value zero indicates stop immediately via + // the kill signal (no opportunity to shut down). + // This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. + // Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. + // +optional + terminationGracePeriodSeconds?: null | int64 @go(TerminationGracePeriodSeconds,*int64) @protobuf(7,varint,opt) +} + +// PullPolicy describes a policy for if/when to pull a container image +// +enum +#PullPolicy: string // #enumPullPolicy + +#enumPullPolicy: + #PullAlways | + #PullNever | + #PullIfNotPresent + +// PullAlways means that kubelet always attempts to pull the latest image. Container will fail If the pull fails. +#PullAlways: #PullPolicy & "Always" + +// PullNever means that kubelet never pulls an image, but only uses a local image. Container will fail if the image isn't present +#PullNever: #PullPolicy & "Never" + +// PullIfNotPresent means that kubelet pulls if the image isn't present on disk. Container will fail if the image isn't present and the pull fails. +#PullIfNotPresent: #PullPolicy & "IfNotPresent" + +// ResourceResizeRestartPolicy specifies how to handle container resource resize. +#ResourceResizeRestartPolicy: string // #enumResourceResizeRestartPolicy + +#enumResourceResizeRestartPolicy: + #NotRequired | + #RestartContainer + +// 'NotRequired' means Kubernetes will try to resize the container +// without restarting it, if possible. Kubernetes may however choose to +// restart the container if it is unable to actuate resize without a +// restart. For e.g. the runtime doesn't support restart-free resizing. +#NotRequired: #ResourceResizeRestartPolicy & "NotRequired" + +// 'RestartContainer' means Kubernetes will resize the container in-place +// by stopping and starting the container when new resources are applied. 
+// This is needed for legacy applications. For e.g. java apps using the +// -xmxN flag which are unable to use resized memory without restarting. +#RestartContainer: #ResourceResizeRestartPolicy & "RestartContainer" + +// ContainerResizePolicy represents resource resize policy for the container. +#ContainerResizePolicy: { + // Name of the resource to which this resource resize policy applies. + // Supported values: cpu, memory. + resourceName: #ResourceName @go(ResourceName) @protobuf(1,bytes,opt,casttype=ResourceName) + + // Restart policy to apply when specified resource is resized. + // If not specified, it defaults to NotRequired. + restartPolicy: #ResourceResizeRestartPolicy @go(RestartPolicy) @protobuf(2,bytes,opt,casttype=ResourceResizeRestartPolicy) +} + +// PreemptionPolicy describes a policy for if/when to preempt a pod. +// +enum +#PreemptionPolicy: string // #enumPreemptionPolicy + +#enumPreemptionPolicy: + #PreemptLowerPriority | + #PreemptNever + +// PreemptLowerPriority means that pod can preempt other pods with lower priority. +#PreemptLowerPriority: #PreemptionPolicy & "PreemptLowerPriority" + +// PreemptNever means that pod never preempts other pods with lower priority. +#PreemptNever: #PreemptionPolicy & "Never" + +// TerminationMessagePolicy describes how termination messages are retrieved from a container. +// +enum +#TerminationMessagePolicy: string // #enumTerminationMessagePolicy + +#enumTerminationMessagePolicy: + #TerminationMessageReadFile | + #TerminationMessageFallbackToLogsOnError + +// TerminationMessageReadFile is the default behavior and will set the container status message to +// the contents of the container's terminationMessagePath when the container exits. 
+#TerminationMessageReadFile: #TerminationMessagePolicy & "File" + +// TerminationMessageFallbackToLogsOnError will read the most recent contents of the container logs +// for the container status message when the container exits with an error and the +// terminationMessagePath has no contents. +#TerminationMessageFallbackToLogsOnError: #TerminationMessagePolicy & "FallbackToLogsOnError" + +// Capability represent POSIX capabilities type +#Capability: string + +// Adds and removes POSIX capabilities from running containers. +#Capabilities: { + // Added capabilities + // +optional + add?: [...#Capability] @go(Add,[]Capability) @protobuf(1,bytes,rep,casttype=Capability) + + // Removed capabilities + // +optional + drop?: [...#Capability] @go(Drop,[]Capability) @protobuf(2,bytes,rep,casttype=Capability) +} + +// ResourceRequirements describes the compute resource requirements. +#ResourceRequirements: { + // Limits describes the maximum amount of compute resources allowed. + // More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + // +optional + limits?: #ResourceList @go(Limits) @protobuf(1,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // Requests describes the minimum amount of compute resources required. + // If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + // otherwise to an implementation-defined value. Requests cannot exceed Limits. + // More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + // +optional + requests?: #ResourceList @go(Requests) @protobuf(2,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // Claims lists the names of resources, defined in spec.resourceClaims, + // that are used by this container. + // + // This is an alpha field and requires enabling the + // DynamicResourceAllocation feature gate. + // + // This field is immutable. It can only be set for containers. 
+ // + // +listType=map + // +listMapKey=name + // +featureGate=DynamicResourceAllocation + // +optional + claims?: [...#ResourceClaim] @go(Claims,[]ResourceClaim) @protobuf(3,bytes,opt) +} + +// ResourceClaim references one entry in PodSpec.ResourceClaims. +#ResourceClaim: { + // Name must match the name of one entry in pod.spec.resourceClaims of + // the Pod where this field is used. It makes that resource available + // inside a container. + name: string @go(Name) @protobuf(1,bytes,opt) +} + +// TerminationMessagePathDefault means the default path to capture the application termination message running in a container +#TerminationMessagePathDefault: "/dev/termination-log" + +// A single application container that you want to run within a pod. +#Container: { + // Name of the container specified as a DNS_LABEL. + // Each container in a pod must have a unique name (DNS_LABEL). + // Cannot be updated. + name: string @go(Name) @protobuf(1,bytes,opt) + + // Container image name. + // More info: https://kubernetes.io/docs/concepts/containers/images + // This field is optional to allow higher level config management to default or override + // container images in workload controllers like Deployments and StatefulSets. + // +optional + image?: string @go(Image) @protobuf(2,bytes,opt) + + // Entrypoint array. Not executed within a shell. + // The container image's ENTRYPOINT is used if this is not provided. + // Variable references $(VAR_NAME) are expanded using the container's environment. If a variable + // cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + // to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + // produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + // of whether the variable exists or not. Cannot be updated. 
+ // More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + // +optional + command?: [...string] @go(Command,[]string) @protobuf(3,bytes,rep) + + // Arguments to the entrypoint. + // The container image's CMD is used if this is not provided. + // Variable references $(VAR_NAME) are expanded using the container's environment. If a variable + // cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + // to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + // produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + // of whether the variable exists or not. Cannot be updated. + // More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + // +optional + args?: [...string] @go(Args,[]string) @protobuf(4,bytes,rep) + + // Container's working directory. + // If not specified, the container runtime's default will be used, which + // might be configured in the container image. + // Cannot be updated. + // +optional + workingDir?: string @go(WorkingDir) @protobuf(5,bytes,opt) + + // List of ports to expose from the container. Not specifying a port here + // DOES NOT prevent that port from being exposed. Any port which is + // listening on the default "0.0.0.0" address inside a container will be + // accessible from the network. + // Modifying this array with strategic merge patch may corrupt the data. + // For more information See https://github.com/kubernetes/kubernetes/issues/108255. + // Cannot be updated. 
+ // +optional + // +patchMergeKey=containerPort + // +patchStrategy=merge + // +listType=map + // +listMapKey=containerPort + // +listMapKey=protocol + ports?: [...#ContainerPort] @go(Ports,[]ContainerPort) @protobuf(6,bytes,rep) + + // List of sources to populate environment variables in the container. + // The keys defined within a source must be a C_IDENTIFIER. All invalid keys + // will be reported as an event when the container is starting. When a key exists in multiple + // sources, the value associated with the last source will take precedence. + // Values defined by an Env with a duplicate key will take precedence. + // Cannot be updated. + // +optional + envFrom?: [...#EnvFromSource] @go(EnvFrom,[]EnvFromSource) @protobuf(19,bytes,rep) + + // List of environment variables to set in the container. + // Cannot be updated. + // +optional + // +patchMergeKey=name + // +patchStrategy=merge + env?: [...#EnvVar] @go(Env,[]EnvVar) @protobuf(7,bytes,rep) + + // Compute Resources required by this container. + // Cannot be updated. + // More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + // +optional + resources?: #ResourceRequirements @go(Resources) @protobuf(8,bytes,opt) + + // Resources resize policy for the container. + // +featureGate=InPlacePodVerticalScaling + // +optional + // +listType=atomic + resizePolicy?: [...#ContainerResizePolicy] @go(ResizePolicy,[]ContainerResizePolicy) @protobuf(23,bytes,rep) + + // RestartPolicy defines the restart behavior of individual containers in a pod. + // This field may only be set for init containers, and the only allowed value is "Always". + // For non-init containers or when this field is not specified, + // the restart behavior is defined by the Pod's restart policy and the container type. 
+ // Setting the RestartPolicy as "Always" for the init container will have the following effect: + // this init container will be continually restarted on + // exit until all regular containers have terminated. Once all regular + // containers have completed, all init containers with restartPolicy "Always" + // will be shut down. This lifecycle differs from normal init containers and + // is often referred to as a "sidecar" container. Although this init + // container still starts in the init container sequence, it does not wait + // for the container to complete before proceeding to the next init + // container. Instead, the next init container starts immediately after this + // init container is started, or after any startupProbe has successfully + // completed. + // +featureGate=SidecarContainers + // +optional + restartPolicy?: null | #ContainerRestartPolicy @go(RestartPolicy,*ContainerRestartPolicy) @protobuf(24,bytes,opt,casttype=ContainerRestartPolicy) + + // Pod volumes to mount into the container's filesystem. + // Cannot be updated. + // +optional + // +patchMergeKey=mountPath + // +patchStrategy=merge + volumeMounts?: [...#VolumeMount] @go(VolumeMounts,[]VolumeMount) @protobuf(9,bytes,rep) + + // volumeDevices is the list of block devices to be used by the container. + // +patchMergeKey=devicePath + // +patchStrategy=merge + // +optional + volumeDevices?: [...#VolumeDevice] @go(VolumeDevices,[]VolumeDevice) @protobuf(21,bytes,rep) + + // Periodic probe of container liveness. + // Container will be restarted if the probe fails. + // Cannot be updated. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + // +optional + livenessProbe?: null | #Probe @go(LivenessProbe,*Probe) @protobuf(10,bytes,opt) + + // Periodic probe of container service readiness. + // Container will be removed from service endpoints if the probe fails. + // Cannot be updated. 
+ // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + // +optional + readinessProbe?: null | #Probe @go(ReadinessProbe,*Probe) @protobuf(11,bytes,opt) + + // StartupProbe indicates that the Pod has successfully initialized. + // If specified, no other probes are executed until this completes successfully. + // If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. + // This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, + // when it might take a long time to load data or warm a cache, than during steady-state operation. + // This cannot be updated. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + // +optional + startupProbe?: null | #Probe @go(StartupProbe,*Probe) @protobuf(22,bytes,opt) + + // Actions that the management system should take in response to container lifecycle events. + // Cannot be updated. + // +optional + lifecycle?: null | #Lifecycle @go(Lifecycle,*Lifecycle) @protobuf(12,bytes,opt) + + // Optional: Path at which the file to which the container's termination message + // will be written is mounted into the container's filesystem. + // Message written is intended to be brief final status, such as an assertion failure message. + // Will be truncated by the node if greater than 4096 bytes. The total message length across + // all containers will be limited to 12kb. + // Defaults to /dev/termination-log. + // Cannot be updated. + // +optional + terminationMessagePath?: string @go(TerminationMessagePath) @protobuf(13,bytes,opt) + + // Indicate how the termination message should be populated. File will use the contents of + // terminationMessagePath to populate the container status message on both success and failure. + // FallbackToLogsOnError will use the last chunk of container log output if the termination + // message file is empty and the container exited with an error. 
+ // The log output is limited to 2048 bytes or 80 lines, whichever is smaller. + // Defaults to File. + // Cannot be updated. + // +optional + terminationMessagePolicy?: #TerminationMessagePolicy @go(TerminationMessagePolicy) @protobuf(20,bytes,opt,casttype=TerminationMessagePolicy) + + // Image pull policy. + // One of Always, Never, IfNotPresent. + // Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + // Cannot be updated. + // More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + // +optional + imagePullPolicy?: #PullPolicy @go(ImagePullPolicy) @protobuf(14,bytes,opt,casttype=PullPolicy) + + // SecurityContext defines the security options the container should be run with. + // If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. + // More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + // +optional + securityContext?: null | #SecurityContext @go(SecurityContext,*SecurityContext) @protobuf(15,bytes,opt) + + // Whether this container should allocate a buffer for stdin in the container runtime. If this + // is not set, reads from stdin in the container will always result in EOF. + // Default is false. + // +optional + stdin?: bool @go(Stdin) @protobuf(16,varint,opt) + + // Whether the container runtime should close the stdin channel after it has been opened by + // a single attach. When stdin is true the stdin stream will remain open across multiple attach + // sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the + // first client attaches to stdin, and then remains open and accepts data until the client disconnects, + // at which time stdin is closed and remains closed until the container is restarted. If this + // flag is false, a container processes that reads from stdin will never receive an EOF. 
+ // Default is false + // +optional + stdinOnce?: bool @go(StdinOnce) @protobuf(17,varint,opt) + + // Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. + // Default is false. + // +optional + tty?: bool @go(TTY) @protobuf(18,varint,opt) +} + +// ProbeHandler defines a specific action that should be taken in a probe. +// One and only one of the fields must be specified. +#ProbeHandler: { + // Exec specifies the action to take. + // +optional + exec?: null | #ExecAction @go(Exec,*ExecAction) @protobuf(1,bytes,opt) + + // HTTPGet specifies the http request to perform. + // +optional + httpGet?: null | #HTTPGetAction @go(HTTPGet,*HTTPGetAction) @protobuf(2,bytes,opt) + + // TCPSocket specifies an action involving a TCP port. + // +optional + tcpSocket?: null | #TCPSocketAction @go(TCPSocket,*TCPSocketAction) @protobuf(3,bytes,opt) + + // GRPC specifies an action involving a GRPC port. + // +optional + grpc?: null | #GRPCAction @go(GRPC,*GRPCAction) @protobuf(4,bytes,opt) +} + +// LifecycleHandler defines a specific action that should be taken in a lifecycle +// hook. One and only one of the fields, except TCPSocket must be specified. +#LifecycleHandler: { + // Exec specifies the action to take. + // +optional + exec?: null | #ExecAction @go(Exec,*ExecAction) @protobuf(1,bytes,opt) + + // HTTPGet specifies the http request to perform. + // +optional + httpGet?: null | #HTTPGetAction @go(HTTPGet,*HTTPGetAction) @protobuf(2,bytes,opt) + + // Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept + // for the backward compatibility. There are no validation of this field and + // lifecycle hooks will fail in runtime when tcp handler is specified. + // +optional + tcpSocket?: null | #TCPSocketAction @go(TCPSocket,*TCPSocketAction) @protobuf(3,bytes,opt) +} + +// Lifecycle describes actions that the management system should take in response to container lifecycle +// events. 
For the PostStart and PreStop lifecycle handlers, management of the container blocks +// until the action is complete, unless the container process fails, in which case the handler is aborted. +#Lifecycle: { + // PostStart is called immediately after a container is created. If the handler fails, + // the container is terminated and restarted according to its restart policy. + // Other management of the container blocks until the hook completes. + // More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + // +optional + postStart?: null | #LifecycleHandler @go(PostStart,*LifecycleHandler) @protobuf(1,bytes,opt) + + // PreStop is called immediately before a container is terminated due to an + // API request or management event such as liveness/startup probe failure, + // preemption, resource contention, etc. The handler is not called if the + // container crashes or exits. The Pod's termination grace period countdown begins before the + // PreStop hook is executed. Regardless of the outcome of the handler, the + // container will eventually terminate within the Pod's termination grace + // period (unless delayed by finalizers). Other management of the container blocks until the hook completes + // or until the termination grace period is reached. + // More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + // +optional + preStop?: null | #LifecycleHandler @go(PreStop,*LifecycleHandler) @protobuf(2,bytes,opt) +} + +#ConditionStatus: string // #enumConditionStatus + +#enumConditionStatus: + #ConditionTrue | + #ConditionFalse | + #ConditionUnknown + +#ConditionTrue: #ConditionStatus & "True" +#ConditionFalse: #ConditionStatus & "False" +#ConditionUnknown: #ConditionStatus & "Unknown" + +// ContainerStateWaiting is a waiting state of a container. +#ContainerStateWaiting: { + // (brief) reason the container is not yet running. 
+ // +optional + reason?: string @go(Reason) @protobuf(1,bytes,opt) + + // Message regarding why the container is not yet running. + // +optional + message?: string @go(Message) @protobuf(2,bytes,opt) +} + +// ContainerStateRunning is a running state of a container. +#ContainerStateRunning: { + // Time at which the container was last (re-)started + // +optional + startedAt?: metav1.#Time @go(StartedAt) @protobuf(1,bytes,opt) +} + +// ContainerStateTerminated is a terminated state of a container. +#ContainerStateTerminated: { + // Exit status from the last termination of the container + exitCode: int32 @go(ExitCode) @protobuf(1,varint,opt) + + // Signal from the last termination of the container + // +optional + signal?: int32 @go(Signal) @protobuf(2,varint,opt) + + // (brief) reason from the last termination of the container + // +optional + reason?: string @go(Reason) @protobuf(3,bytes,opt) + + // Message regarding the last termination of the container + // +optional + message?: string @go(Message) @protobuf(4,bytes,opt) + + // Time at which previous execution of the container started + // +optional + startedAt?: metav1.#Time @go(StartedAt) @protobuf(5,bytes,opt) + + // Time at which the container last terminated + // +optional + finishedAt?: metav1.#Time @go(FinishedAt) @protobuf(6,bytes,opt) + + // Container's ID in the format '://' + // +optional + containerID?: string @go(ContainerID) @protobuf(7,bytes,opt) +} + +// ContainerState holds a possible state of container. +// Only one of its members may be specified. +// If none of them is specified, the default one is ContainerStateWaiting. 
+#ContainerState: { + // Details about a waiting container + // +optional + waiting?: null | #ContainerStateWaiting @go(Waiting,*ContainerStateWaiting) @protobuf(1,bytes,opt) + + // Details about a running container + // +optional + running?: null | #ContainerStateRunning @go(Running,*ContainerStateRunning) @protobuf(2,bytes,opt) + + // Details about a terminated container + // +optional + terminated?: null | #ContainerStateTerminated @go(Terminated,*ContainerStateTerminated) @protobuf(3,bytes,opt) +} + +// ContainerStatus contains details for the current status of this container. +#ContainerStatus: { + // Name is a DNS_LABEL representing the unique name of the container. + // Each container in a pod must have a unique name across all container types. + // Cannot be updated. + name: string @go(Name) @protobuf(1,bytes,opt) + + // State holds details about the container's current condition. + // +optional + state?: #ContainerState @go(State) @protobuf(2,bytes,opt) + + // LastTerminationState holds the last termination state of the container to + // help debug container crashes and restarts. This field is not + // populated if the container is still running and RestartCount is 0. + // +optional + lastState?: #ContainerState @go(LastTerminationState) @protobuf(3,bytes,opt) + + // Ready specifies whether the container is currently passing its readiness check. + // The value will change as readiness probes keep executing. If no readiness + // probes are specified, this field defaults to true once the container is + // fully started (see Started field). + // + // The value is typically used to determine whether a container is ready to + // accept traffic. + ready: bool @go(Ready) @protobuf(4,varint,opt) + + // RestartCount holds the number of times the container has been restarted. + // Kubelet makes an effort to always increment the value, but there + // are cases when the state may be lost due to node restarts and then the value + // may be reset to 0. 
The value is never negative. + restartCount: int32 @go(RestartCount) @protobuf(5,varint,opt) + + // Image is the name of container image that the container is running. + // The container image may not match the image used in the PodSpec, + // as it may have been resolved by the runtime. + // More info: https://kubernetes.io/docs/concepts/containers/images. + image: string @go(Image) @protobuf(6,bytes,opt) + + // ImageID is the image ID of the container's image. The image ID may not + // match the image ID of the image used in the PodSpec, as it may have been + // resolved by the runtime. + imageID: string @go(ImageID) @protobuf(7,bytes,opt) + + // ContainerID is the ID of the container in the format '://'. + // Where type is a container runtime identifier, returned from Version call of CRI API + // (for example "containerd"). + // +optional + containerID?: string @go(ContainerID) @protobuf(8,bytes,opt) + + // Started indicates whether the container has finished its postStart lifecycle hook + // and passed its startup probe. + // Initialized as false, becomes true after startupProbe is considered + // successful. Resets to false when the container is restarted, or if kubelet + // loses state temporarily. In both cases, startup probes will run again. + // Is always true when no startupProbe is defined and container is running and + // has passed the postStart lifecycle hook. The null value must be treated the + // same as false. + // +optional + started?: null | bool @go(Started,*bool) @protobuf(9,varint,opt) + + // AllocatedResources represents the compute resources allocated for this container by the + // node. Kubelet sets this value to Container.Resources.Requests upon successful pod admission + // and after successfully admitting desired pod resize. 
+ // +featureGate=InPlacePodVerticalScaling + // +optional + allocatedResources?: #ResourceList @go(AllocatedResources) @protobuf(10,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // Resources represents the compute resource requests and limits that have been successfully + // enacted on the running container after it has been started or has been successfully resized. + // +featureGate=InPlacePodVerticalScaling + // +optional + resources?: null | #ResourceRequirements @go(Resources,*ResourceRequirements) @protobuf(11,bytes,opt) +} + +// PodPhase is a label for the condition of a pod at the current time. +// +enum +#PodPhase: string // #enumPodPhase + +#enumPodPhase: + #PodPending | + #PodRunning | + #PodSucceeded | + #PodFailed | + #PodUnknown + +// PodPending means the pod has been accepted by the system, but one or more of the containers +// has not been started. This includes time before being bound to a node, as well as time spent +// pulling images onto the host. +#PodPending: #PodPhase & "Pending" + +// PodRunning means the pod has been bound to a node and all of the containers have been started. +// At least one container is still running or is in the process of being restarted. +#PodRunning: #PodPhase & "Running" + +// PodSucceeded means that all containers in the pod have voluntarily terminated +// with a container exit code of 0, and the system is not going to restart any of these containers. +#PodSucceeded: #PodPhase & "Succeeded" + +// PodFailed means that all containers in the pod have terminated, and at least one container has +// terminated in a failure (exited with a non-zero exit code or was stopped by the system). +#PodFailed: #PodPhase & "Failed" + +// PodUnknown means that for some reason the state of the pod could not be obtained, typically due +// to an error in communicating with the host of the pod. 
+// Deprecated: It isn't being set since 2015 (74da3b14b0c0f658b3bb8d2def5094686d0e9095) +#PodUnknown: #PodPhase & "Unknown" + +// PodConditionType is a valid value for PodCondition.Type +#PodConditionType: string // #enumPodConditionType + +#enumPodConditionType: + #ContainersReady | + #PodInitialized | + #PodReady | + #PodScheduled | + #DisruptionTarget + +// ContainersReady indicates whether all containers in the pod are ready. +#ContainersReady: #PodConditionType & "ContainersReady" + +// PodInitialized means that all init containers in the pod have started successfully. +#PodInitialized: #PodConditionType & "Initialized" + +// PodReady means the pod is able to service requests and should be added to the +// load balancing pools of all matching services. +#PodReady: #PodConditionType & "Ready" + +// PodScheduled represents status of the scheduling process for this pod. +#PodScheduled: #PodConditionType & "PodScheduled" + +// DisruptionTarget indicates the pod is about to be terminated due to a +// disruption (such as preemption, eviction API or garbage-collection). +#DisruptionTarget: #PodConditionType & "DisruptionTarget" + +// PodReasonUnschedulable reason in PodScheduled PodCondition means that the scheduler +// can't schedule the pod right now, for example due to insufficient resources in the cluster. +#PodReasonUnschedulable: "Unschedulable" + +// PodReasonSchedulingGated reason in PodScheduled PodCondition means that the scheduler +// skips scheduling the pod because one or more scheduling gates are still present. +#PodReasonSchedulingGated: "SchedulingGated" + +// PodReasonSchedulerError reason in PodScheduled PodCondition means that some internal error happens +// during scheduling, for example due to nodeAffinity parsing errors. 
+#PodReasonSchedulerError: "SchedulerError" + +// TerminationByKubelet reason in DisruptionTarget pod condition indicates that the termination +// is initiated by kubelet +#PodReasonTerminationByKubelet: "TerminationByKubelet" + +// PodReasonPreemptionByScheduler reason in DisruptionTarget pod condition indicates that the +// disruption was initiated by scheduler's preemption. +#PodReasonPreemptionByScheduler: "PreemptionByScheduler" + +// PodCondition contains details for the current condition of this pod. +#PodCondition: { + // Type is the type of the condition. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions + type: #PodConditionType @go(Type) @protobuf(1,bytes,opt,casttype=PodConditionType) + + // Status is the status of the condition. + // Can be True, False, Unknown. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions + status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus) + + // Last time we probed the condition. + // +optional + lastProbeTime?: metav1.#Time @go(LastProbeTime) @protobuf(3,bytes,opt) + + // Last time the condition transitioned from one status to another. + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(4,bytes,opt) + + // Unique, one-word, CamelCase reason for the condition's last transition. + // +optional + reason?: string @go(Reason) @protobuf(5,bytes,opt) + + // Human-readable message indicating details about last transition. + // +optional + message?: string @go(Message) @protobuf(6,bytes,opt) +} + +// PodResizeStatus shows status of desired resize of a pod's containers. +#PodResizeStatus: string // #enumPodResizeStatus + +#enumPodResizeStatus: + #PodResizeStatusProposed | + #PodResizeStatusInProgress | + #PodResizeStatusDeferred | + #PodResizeStatusInfeasible + +// Pod resources resize has been requested and will be evaluated by node. 
+#PodResizeStatusProposed: #PodResizeStatus & "Proposed" + +// Pod resources resize has been accepted by node and is being actuated. +#PodResizeStatusInProgress: #PodResizeStatus & "InProgress" + +// Node cannot resize the pod at this time and will keep retrying. +#PodResizeStatusDeferred: #PodResizeStatus & "Deferred" + +// Requested pod resize is not feasible and will not be re-evaluated. +#PodResizeStatusInfeasible: #PodResizeStatus & "Infeasible" + +// RestartPolicy describes how the container should be restarted. +// Only one of the following restart policies may be specified. +// If none of the following policies is specified, the default one +// is RestartPolicyAlways. +// +enum +#RestartPolicy: string // #enumRestartPolicy + +#enumRestartPolicy: + #RestartPolicyAlways | + #RestartPolicyOnFailure | + #RestartPolicyNever + +#RestartPolicyAlways: #RestartPolicy & "Always" +#RestartPolicyOnFailure: #RestartPolicy & "OnFailure" +#RestartPolicyNever: #RestartPolicy & "Never" + +// ContainerRestartPolicy is the restart policy for a single container. +// This may only be set for init containers and only allowed value is "Always". +#ContainerRestartPolicy: string // #enumContainerRestartPolicy + +#enumContainerRestartPolicy: + #ContainerRestartPolicyAlways + +#ContainerRestartPolicyAlways: #ContainerRestartPolicy & "Always" + +// DNSPolicy defines how a pod's DNS will be configured. +// +enum +#DNSPolicy: string // #enumDNSPolicy + +#enumDNSPolicy: + #DNSClusterFirstWithHostNet | + #DNSClusterFirst | + #DNSDefault | + #DNSNone + +// DNSClusterFirstWithHostNet indicates that the pod should use cluster DNS +// first, if it is available, then fall back on the default +// (as determined by kubelet) DNS settings. 
+#DNSClusterFirstWithHostNet: #DNSPolicy & "ClusterFirstWithHostNet" + +// DNSClusterFirst indicates that the pod should use cluster DNS +// first unless hostNetwork is true, if it is available, then +// fall back on the default (as determined by kubelet) DNS settings. +#DNSClusterFirst: #DNSPolicy & "ClusterFirst" + +// DNSDefault indicates that the pod should use the default (as +// determined by kubelet) DNS settings. +#DNSDefault: #DNSPolicy & "Default" + +// DNSNone indicates that the pod should use empty DNS settings. DNS +// parameters such as nameservers and search paths should be defined via +// DNSConfig. +#DNSNone: #DNSPolicy & "None" + +// DefaultTerminationGracePeriodSeconds indicates the default duration in +// seconds a pod needs to terminate gracefully. +#DefaultTerminationGracePeriodSeconds: 30 + +// A node selector represents the union of the results of one or more label queries +// over a set of nodes; that is, it represents the OR of the selectors represented +// by the node selector terms. +// +structType=atomic +#NodeSelector: { + // Required. A list of node selector terms. The terms are ORed. + nodeSelectorTerms: [...#NodeSelectorTerm] @go(NodeSelectorTerms,[]NodeSelectorTerm) @protobuf(1,bytes,rep) +} + +// A null or empty node selector term matches no objects. The requirements of +// them are ANDed. +// The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. +// +structType=atomic +#NodeSelectorTerm: { + // A list of node selector requirements by node's labels. + // +optional + matchExpressions?: [...#NodeSelectorRequirement] @go(MatchExpressions,[]NodeSelectorRequirement) @protobuf(1,bytes,rep) + + // A list of node selector requirements by node's fields. + // +optional + matchFields?: [...#NodeSelectorRequirement] @go(MatchFields,[]NodeSelectorRequirement) @protobuf(2,bytes,rep) +} + +// A node selector requirement is a selector that contains values, a key, and an operator +// that relates the key and values. 
+#NodeSelectorRequirement: { + // The label key that the selector applies to. + key: string @go(Key) @protobuf(1,bytes,opt) + + // Represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + operator: #NodeSelectorOperator @go(Operator) @protobuf(2,bytes,opt,casttype=NodeSelectorOperator) + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists or DoesNotExist, + // the values array must be empty. If the operator is Gt or Lt, the values + // array must have a single element, which will be interpreted as an integer. + // This array is replaced during a strategic merge patch. + // +optional + values?: [...string] @go(Values,[]string) @protobuf(3,bytes,rep) +} + +// A node selector operator is the set of operators that can be used in +// a node selector requirement. +// +enum +#NodeSelectorOperator: string // #enumNodeSelectorOperator + +#enumNodeSelectorOperator: + #NodeSelectorOpIn | + #NodeSelectorOpNotIn | + #NodeSelectorOpExists | + #NodeSelectorOpDoesNotExist | + #NodeSelectorOpGt | + #NodeSelectorOpLt + +#NodeSelectorOpIn: #NodeSelectorOperator & "In" +#NodeSelectorOpNotIn: #NodeSelectorOperator & "NotIn" +#NodeSelectorOpExists: #NodeSelectorOperator & "Exists" +#NodeSelectorOpDoesNotExist: #NodeSelectorOperator & "DoesNotExist" +#NodeSelectorOpGt: #NodeSelectorOperator & "Gt" +#NodeSelectorOpLt: #NodeSelectorOperator & "Lt" + +// A topology selector term represents the result of label queries. +// A null or empty topology selector term matches no objects. +// The requirements of them are ANDed. +// It provides a subset of functionality as NodeSelectorTerm. +// This is an alpha feature and may change in the future. +// +structType=atomic +#TopologySelectorTerm: { + // A list of topology selector requirements by labels. 
+ // +optional + matchLabelExpressions?: [...#TopologySelectorLabelRequirement] @go(MatchLabelExpressions,[]TopologySelectorLabelRequirement) @protobuf(1,bytes,rep) +} + +// A topology selector requirement is a selector that matches given label. +// This is an alpha feature and may change in the future. +#TopologySelectorLabelRequirement: { + // The label key that the selector applies to. + key: string @go(Key) @protobuf(1,bytes,opt) + + // An array of string values. One value must match the label to be selected. + // Each entry in Values is ORed. + values: [...string] @go(Values,[]string) @protobuf(2,bytes,rep) +} + +// Affinity is a group of affinity scheduling rules. +#Affinity: { + // Describes node affinity scheduling rules for the pod. + // +optional + nodeAffinity?: null | #NodeAffinity @go(NodeAffinity,*NodeAffinity) @protobuf(1,bytes,opt) + + // Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). + // +optional + podAffinity?: null | #PodAffinity @go(PodAffinity,*PodAffinity) @protobuf(2,bytes,opt) + + // Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). + // +optional + podAntiAffinity?: null | #PodAntiAffinity @go(PodAntiAffinity,*PodAntiAffinity) @protobuf(3,bytes,opt) +} + +// Pod affinity is a group of inter pod affinity scheduling rules. +#PodAffinity: { + // If the affinity requirements specified by this field are not met at + // scheduling time, the pod will not be scheduled onto the node. + // If the affinity requirements specified by this field cease to be met + // at some point during pod execution (e.g. due to a pod label update), the + // system may or may not try to eventually evict the pod from its node. + // When there are multiple elements, the lists of nodes corresponding to each + // podAffinityTerm are intersected, i.e. all terms must be satisfied. 
+ // +optional + requiredDuringSchedulingIgnoredDuringExecution?: [...#PodAffinityTerm] @go(RequiredDuringSchedulingIgnoredDuringExecution,[]PodAffinityTerm) @protobuf(1,bytes,rep) + + // The scheduler will prefer to schedule pods to nodes that satisfy + // the affinity expressions specified by this field, but it may choose + // a node that violates one or more of the expressions. The node that is + // most preferred is the one with the greatest sum of weights, i.e. + // for each node that meets all of the scheduling requirements (resource + // request, requiredDuringScheduling affinity expressions, etc.), + // compute a sum by iterating through the elements of this field and adding + // "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + // node(s) with the highest sum are the most preferred. + // +optional + preferredDuringSchedulingIgnoredDuringExecution?: [...#WeightedPodAffinityTerm] @go(PreferredDuringSchedulingIgnoredDuringExecution,[]WeightedPodAffinityTerm) @protobuf(2,bytes,rep) +} + +// Pod anti affinity is a group of inter pod anti affinity scheduling rules. +#PodAntiAffinity: { + // If the anti-affinity requirements specified by this field are not met at + // scheduling time, the pod will not be scheduled onto the node. + // If the anti-affinity requirements specified by this field cease to be met + // at some point during pod execution (e.g. due to a pod label update), the + // system may or may not try to eventually evict the pod from its node. + // When there are multiple elements, the lists of nodes corresponding to each + // podAffinityTerm are intersected, i.e. all terms must be satisfied. 
+ // +optional + requiredDuringSchedulingIgnoredDuringExecution?: [...#PodAffinityTerm] @go(RequiredDuringSchedulingIgnoredDuringExecution,[]PodAffinityTerm) @protobuf(1,bytes,rep) + + // The scheduler will prefer to schedule pods to nodes that satisfy + // the anti-affinity expressions specified by this field, but it may choose + // a node that violates one or more of the expressions. The node that is + // most preferred is the one with the greatest sum of weights, i.e. + // for each node that meets all of the scheduling requirements (resource + // request, requiredDuringScheduling anti-affinity expressions, etc.), + // compute a sum by iterating through the elements of this field and adding + // "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + // node(s) with the highest sum are the most preferred. + // +optional + preferredDuringSchedulingIgnoredDuringExecution?: [...#WeightedPodAffinityTerm] @go(PreferredDuringSchedulingIgnoredDuringExecution,[]WeightedPodAffinityTerm) @protobuf(2,bytes,rep) +} + +// The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) +#WeightedPodAffinityTerm: { + // weight associated with matching the corresponding podAffinityTerm, + // in the range 1-100. + weight: int32 @go(Weight) @protobuf(1,varint,opt) + + // Required. A pod affinity term, associated with the corresponding weight. + podAffinityTerm: #PodAffinityTerm @go(PodAffinityTerm) @protobuf(2,bytes,opt) +} + +// Defines a set of pods (namely those matching the labelSelector +// relative to the given namespace(s)) that this pod should be +// co-located (affinity) or not co-located (anti-affinity) with, +// where co-located is defined as running on a node whose value of +// the label with key matches that of any node on which +// a pod of the set of pods is running +#PodAffinityTerm: { + // A label query over a set of resources, in this case pods. 
+ // +optional + labelSelector?: null | metav1.#LabelSelector @go(LabelSelector,*metav1.LabelSelector) @protobuf(1,bytes,opt) + + // namespaces specifies a static list of namespace names that the term applies to. + // The term is applied to the union of the namespaces listed in this field + // and the ones selected by namespaceSelector. + // null or empty namespaces list and null namespaceSelector means "this pod's namespace". + // +optional + namespaces?: [...string] @go(Namespaces,[]string) @protobuf(2,bytes,rep) + + // This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located is defined as running on a node + // whose value of the label with key topologyKey matches that of any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. + topologyKey: string @go(TopologyKey) @protobuf(3,bytes,opt) + + // A label query over the set of namespaces that the term applies to. + // The term is applied to the union of the namespaces selected by this field + // and the ones listed in the namespaces field. + // null selector and null or empty namespaces list means "this pod's namespace". + // An empty selector ({}) matches all namespaces. + // +optional + namespaceSelector?: null | metav1.#LabelSelector @go(NamespaceSelector,*metav1.LabelSelector) @protobuf(4,bytes,opt) +} + +// Node affinity is a group of node affinity scheduling rules. +#NodeAffinity: { + // If the affinity requirements specified by this field are not met at + // scheduling time, the pod will not be scheduled onto the node. + // If the affinity requirements specified by this field cease to be met + // at some point during pod execution (e.g. due to an update), the system + // may or may not try to eventually evict the pod from its node. 
+ // +optional + requiredDuringSchedulingIgnoredDuringExecution?: null | #NodeSelector @go(RequiredDuringSchedulingIgnoredDuringExecution,*NodeSelector) @protobuf(1,bytes,opt) + + // The scheduler will prefer to schedule pods to nodes that satisfy + // the affinity expressions specified by this field, but it may choose + // a node that violates one or more of the expressions. The node that is + // most preferred is the one with the greatest sum of weights, i.e. + // for each node that meets all of the scheduling requirements (resource + // request, requiredDuringScheduling affinity expressions, etc.), + // compute a sum by iterating through the elements of this field and adding + // "weight" to the sum if the node matches the corresponding matchExpressions; the + // node(s) with the highest sum are the most preferred. + // +optional + preferredDuringSchedulingIgnoredDuringExecution?: [...#PreferredSchedulingTerm] @go(PreferredDuringSchedulingIgnoredDuringExecution,[]PreferredSchedulingTerm) @protobuf(2,bytes,rep) +} + +// An empty preferred scheduling term matches all objects with implicit weight 0 +// (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). +#PreferredSchedulingTerm: { + // Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. + weight: int32 @go(Weight) @protobuf(1,varint,opt) + + // A node selector term, associated with the corresponding weight. + preference: #NodeSelectorTerm @go(Preference) @protobuf(2,bytes,opt) +} + +// The node this Taint is attached to has the "effect" on +// any pod that does not tolerate the Taint. +#Taint: { + // Required. The taint key to be applied to a node. + key: string @go(Key) @protobuf(1,bytes,opt) + + // The taint value corresponding to the taint key. + // +optional + value?: string @go(Value) @protobuf(2,bytes,opt) + + // Required. The effect of the taint on pods + // that do not tolerate the taint. 
+ // Valid effects are NoSchedule, PreferNoSchedule and NoExecute. + effect: #TaintEffect @go(Effect) @protobuf(3,bytes,opt,casttype=TaintEffect) + + // TimeAdded represents the time at which the taint was added. + // It is only written for NoExecute taints. + // +optional + timeAdded?: null | metav1.#Time @go(TimeAdded,*metav1.Time) @protobuf(4,bytes,opt) +} + +// +enum +#TaintEffect: string // #enumTaintEffect + +#enumTaintEffect: + #TaintEffectNoSchedule | + #TaintEffectPreferNoSchedule | + #TaintEffectNoExecute + +// Do not allow new pods to schedule onto the node unless they tolerate the taint, +// but allow all pods submitted to Kubelet without going through the scheduler +// to start, and allow all already-running pods to continue running. +// Enforced by the scheduler. +#TaintEffectNoSchedule: #TaintEffect & "NoSchedule" + +// Like TaintEffectNoSchedule, but the scheduler tries not to schedule +// new pods onto the node, rather than prohibiting new pods from scheduling +// onto the node entirely. Enforced by the scheduler. +#TaintEffectPreferNoSchedule: #TaintEffect & "PreferNoSchedule" + +// Evict any already-running pods that do not tolerate the taint. +// Currently enforced by NodeController. +#TaintEffectNoExecute: #TaintEffect & "NoExecute" + +// The pod this Toleration is attached to tolerates any taint that matches +// the triple using the matching operator . +#Toleration: { + // Key is the taint key that the toleration applies to. Empty means match all taint keys. + // If the key is empty, operator must be Exists; this combination means to match all values and all keys. + // +optional + key?: string @go(Key) @protobuf(1,bytes,opt) + + // Operator represents a key's relationship to the value. + // Valid operators are Exists and Equal. Defaults to Equal. + // Exists is equivalent to wildcard for value, so that a pod can + // tolerate all taints of a particular category. 
+ // +optional + operator?: #TolerationOperator @go(Operator) @protobuf(2,bytes,opt,casttype=TolerationOperator) + + // Value is the taint value the toleration matches to. + // If the operator is Exists, the value should be empty, otherwise just a regular string. + // +optional + value?: string @go(Value) @protobuf(3,bytes,opt) + + // Effect indicates the taint effect to match. Empty means match all taint effects. + // When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + // +optional + effect?: #TaintEffect @go(Effect) @protobuf(4,bytes,opt,casttype=TaintEffect) + + // TolerationSeconds represents the period of time the toleration (which must be + // of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + // it is not set, which means tolerate the taint forever (do not evict). Zero and + // negative values will be treated as 0 (evict immediately) by the system. + // +optional + tolerationSeconds?: null | int64 @go(TolerationSeconds,*int64) @protobuf(5,varint,opt) +} + +// A toleration operator is the set of operators that can be used in a toleration. +// +enum +#TolerationOperator: string // #enumTolerationOperator + +#enumTolerationOperator: + #TolerationOpExists | + #TolerationOpEqual + +#TolerationOpExists: #TolerationOperator & "Exists" +#TolerationOpEqual: #TolerationOperator & "Equal" + +// PodReadinessGate contains the reference to a pod condition +#PodReadinessGate: { + // ConditionType refers to a condition in the pod's condition list with matching type. + conditionType: #PodConditionType @go(ConditionType) @protobuf(1,bytes,opt,casttype=PodConditionType) +} + +// PodSpec is a description of a pod. +#PodSpec: { + // List of volumes that can be mounted by containers belonging to the pod. 
+ // More info: https://kubernetes.io/docs/concepts/storage/volumes + // +optional + // +patchMergeKey=name + // +patchStrategy=merge,retainKeys + volumes?: [...#Volume] @go(Volumes,[]Volume) @protobuf(1,bytes,rep) + + // List of initialization containers belonging to the pod. + // Init containers are executed in order prior to containers being started. If any + // init container fails, the pod is considered to have failed and is handled according + // to its restartPolicy. The name for an init container or normal container must be + // unique among all containers. + // Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. + // The resourceRequirements of an init container are taken into account during scheduling + // by finding the highest request/limit for each resource type, and then using the max of + // of that value or the sum of the normal containers. Limits are applied to init containers + // in a similar fashion. + // Init containers cannot currently be added or removed. + // Cannot be updated. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + // +patchMergeKey=name + // +patchStrategy=merge + initContainers?: [...#Container] @go(InitContainers,[]Container) @protobuf(20,bytes,rep) + + // List of containers belonging to the pod. + // Containers cannot currently be added or removed. + // There must be at least one container in a Pod. + // Cannot be updated. + // +patchMergeKey=name + // +patchStrategy=merge + containers: [...#Container] @go(Containers,[]Container) @protobuf(2,bytes,rep) + + // List of ephemeral containers run in this pod. Ephemeral containers may be run in an existing + // pod to perform user-initiated actions such as debugging. This list cannot be specified when + // creating a pod, and it cannot be modified by updating the pod spec. In order to add an + // ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource. 
+ // +optional + // +patchMergeKey=name + // +patchStrategy=merge + ephemeralContainers?: [...#EphemeralContainer] @go(EphemeralContainers,[]EphemeralContainer) @protobuf(34,bytes,rep) + + // Restart policy for all containers within the pod. + // One of Always, OnFailure, Never. In some contexts, only a subset of those values may be permitted. + // Default to Always. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy + // +optional + restartPolicy?: #RestartPolicy @go(RestartPolicy) @protobuf(3,bytes,opt,casttype=RestartPolicy) + + // Optional duration in seconds the pod needs to terminate gracefully. May be decreased in delete request. + // Value must be non-negative integer. The value zero indicates stop immediately via + // the kill signal (no opportunity to shut down). + // If this value is nil, the default grace period will be used instead. + // The grace period is the duration in seconds after the processes running in the pod are sent + // a termination signal and the time when the processes are forcibly halted with a kill signal. + // Set this value longer than the expected cleanup time for your process. + // Defaults to 30 seconds. + // +optional + terminationGracePeriodSeconds?: null | int64 @go(TerminationGracePeriodSeconds,*int64) @protobuf(4,varint,opt) + + // Optional duration in seconds the pod may be active on the node relative to + // StartTime before the system will actively try to mark it failed and kill associated containers. + // Value must be a positive integer. + // +optional + activeDeadlineSeconds?: null | int64 @go(ActiveDeadlineSeconds,*int64) @protobuf(5,varint,opt) + + // Set DNS policy for the pod. + // Defaults to "ClusterFirst". + // Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' or 'None'. + // DNS parameters given in DNSConfig will be merged with the policy selected with DNSPolicy. 
+ // To have DNS options set along with hostNetwork, you have to specify DNS policy + // explicitly to 'ClusterFirstWithHostNet'. + // +optional + dnsPolicy?: #DNSPolicy @go(DNSPolicy) @protobuf(6,bytes,opt,casttype=DNSPolicy) + + // NodeSelector is a selector which must be true for the pod to fit on a node. + // Selector which must match a node's labels for the pod to be scheduled on that node. + // More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + // +optional + // +mapType=atomic + nodeSelector?: {[string]: string} @go(NodeSelector,map[string]string) @protobuf(7,bytes,rep) + + // ServiceAccountName is the name of the ServiceAccount to use to run this pod. + // More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ + // +optional + serviceAccountName?: string @go(ServiceAccountName) @protobuf(8,bytes,opt) + + // DeprecatedServiceAccount is a depreciated alias for ServiceAccountName. + // Deprecated: Use serviceAccountName instead. + // +k8s:conversion-gen=false + // +optional + serviceAccount?: string @go(DeprecatedServiceAccount) @protobuf(9,bytes,opt) + + // AutomountServiceAccountToken indicates whether a service account token should be automatically mounted. + // +optional + automountServiceAccountToken?: null | bool @go(AutomountServiceAccountToken,*bool) @protobuf(21,varint,opt) + + // NodeName is a request to schedule this pod onto a specific node. If it is non-empty, + // the scheduler simply schedules this pod onto that node, assuming that it fits resource + // requirements. + // +optional + nodeName?: string @go(NodeName) @protobuf(10,bytes,opt) + + // Host networking requested for this pod. Use the host's network namespace. + // If this option is set, the ports that will be used must be specified. + // Default to false. + // +k8s:conversion-gen=false + // +optional + hostNetwork?: bool @go(HostNetwork) @protobuf(11,varint,opt) + + // Use the host's pid namespace. 
+ // Optional: Default to false. + // +k8s:conversion-gen=false + // +optional + hostPID?: bool @go(HostPID) @protobuf(12,varint,opt) + + // Use the host's ipc namespace. + // Optional: Default to false. + // +k8s:conversion-gen=false + // +optional + hostIPC?: bool @go(HostIPC) @protobuf(13,varint,opt) + + // Share a single process namespace between all of the containers in a pod. + // When this is set containers will be able to view and signal processes from other containers + // in the same pod, and the first process in each container will not be assigned PID 1. + // HostPID and ShareProcessNamespace cannot both be set. + // Optional: Default to false. + // +k8s:conversion-gen=false + // +optional + shareProcessNamespace?: null | bool @go(ShareProcessNamespace,*bool) @protobuf(27,varint,opt) + + // SecurityContext holds pod-level security attributes and common container settings. + // Optional: Defaults to empty. See type description for default values of each field. + // +optional + securityContext?: null | #PodSecurityContext @go(SecurityContext,*PodSecurityContext) @protobuf(14,bytes,opt) + + // ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. + // If specified, these secrets will be passed to individual puller implementations for them to use. + // More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod + // +optional + // +patchMergeKey=name + // +patchStrategy=merge + imagePullSecrets?: [...#LocalObjectReference] @go(ImagePullSecrets,[]LocalObjectReference) @protobuf(15,bytes,rep) + + // Specifies the hostname of the Pod + // If not specified, the pod's hostname will be set to a system-defined value. + // +optional + hostname?: string @go(Hostname) @protobuf(16,bytes,opt) + + // If specified, the fully qualified Pod hostname will be "...svc.". + // If not specified, the pod will not have a domainname at all. 
+ // +optional + subdomain?: string @go(Subdomain) @protobuf(17,bytes,opt) + + // If specified, the pod's scheduling constraints + // +optional + affinity?: null | #Affinity @go(Affinity,*Affinity) @protobuf(18,bytes,opt) + + // If specified, the pod will be dispatched by specified scheduler. + // If not specified, the pod will be dispatched by default scheduler. + // +optional + schedulerName?: string @go(SchedulerName) @protobuf(19,bytes,opt) + + // If specified, the pod's tolerations. + // +optional + tolerations?: [...#Toleration] @go(Tolerations,[]Toleration) @protobuf(22,bytes,opt) + + // HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts + // file if specified. This is only valid for non-hostNetwork pods. + // +optional + // +patchMergeKey=ip + // +patchStrategy=merge + hostAliases?: [...#HostAlias] @go(HostAliases,[]HostAlias) @protobuf(23,bytes,rep) + + // If specified, indicates the pod's priority. "system-node-critical" and + // "system-cluster-critical" are two special keywords which indicate the + // highest priorities with the former being the highest priority. Any other + // name must be defined by creating a PriorityClass object with that name. + // If not specified, the pod priority will be default or zero if there is no + // default. + // +optional + priorityClassName?: string @go(PriorityClassName) @protobuf(24,bytes,opt) + + // The priority value. Various system components use this field to find the + // priority of the pod. When Priority Admission Controller is enabled, it + // prevents users from setting this field. The admission controller populates + // this field from PriorityClassName. + // The higher the value, the higher the priority. + // +optional + priority?: null | int32 @go(Priority,*int32) @protobuf(25,bytes,opt) + + // Specifies the DNS parameters of a pod. + // Parameters specified here will be merged to the generated DNS + // configuration based on DNSPolicy. 
+ // +optional + dnsConfig?: null | #PodDNSConfig @go(DNSConfig,*PodDNSConfig) @protobuf(26,bytes,opt) + + // If specified, all readiness gates will be evaluated for pod readiness. + // A pod is ready when all its containers are ready AND + // all conditions specified in the readiness gates have status equal to "True" + // More info: https://git.k8s.io/enhancements/keps/sig-network/580-pod-readiness-gates + // +optional + readinessGates?: [...#PodReadinessGate] @go(ReadinessGates,[]PodReadinessGate) @protobuf(28,bytes,opt) + + // RuntimeClassName refers to a RuntimeClass object in the node.k8s.io group, which should be used + // to run this pod. If no RuntimeClass resource matches the named class, the pod will not be run. + // If unset or empty, the "legacy" RuntimeClass will be used, which is an implicit class with an + // empty definition that uses the default runtime handler. + // More info: https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class + // +optional + runtimeClassName?: null | string @go(RuntimeClassName,*string) @protobuf(29,bytes,opt) + + // EnableServiceLinks indicates whether information about services should be injected into pod's + // environment variables, matching the syntax of Docker links. + // Optional: Defaults to true. + // +optional + enableServiceLinks?: null | bool @go(EnableServiceLinks,*bool) @protobuf(30,varint,opt) + + // PreemptionPolicy is the Policy for preempting pods with lower priority. + // One of Never, PreemptLowerPriority. + // Defaults to PreemptLowerPriority if unset. + // +optional + preemptionPolicy?: null | #PreemptionPolicy @go(PreemptionPolicy,*PreemptionPolicy) @protobuf(31,bytes,opt) + + // Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. + // This field will be autopopulated at admission time by the RuntimeClass admission controller. If + // the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests. 
+ // The RuntimeClass admission controller will reject Pod create requests which have the overhead already + // set. If RuntimeClass is configured and selected in the PodSpec, Overhead will be set to the value + // defined in the corresponding RuntimeClass, otherwise it will remain unset and treated as zero. + // More info: https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md + // +optional + overhead?: #ResourceList @go(Overhead) @protobuf(32,bytes,opt) + + // TopologySpreadConstraints describes how a group of pods ought to spread across topology + // domains. Scheduler will schedule pods in a way which abides by the constraints. + // All topologySpreadConstraints are ANDed. + // +optional + // +patchMergeKey=topologyKey + // +patchStrategy=merge + // +listType=map + // +listMapKey=topologyKey + // +listMapKey=whenUnsatisfiable + topologySpreadConstraints?: [...#TopologySpreadConstraint] @go(TopologySpreadConstraints,[]TopologySpreadConstraint) @protobuf(33,bytes,opt) + + // If true the pod's hostname will be configured as the pod's FQDN, rather than the leaf name (the default). + // In Linux containers, this means setting the FQDN in the hostname field of the kernel (the nodename field of struct utsname). + // In Windows containers, this means setting the registry value of hostname for the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters to FQDN. + // If a pod does not have FQDN, this has no effect. + // Default to false. + // +optional + setHostnameAsFQDN?: null | bool @go(SetHostnameAsFQDN,*bool) @protobuf(35,varint,opt) + + // Specifies the OS of the containers in the pod. + // Some pod and container fields are restricted if this is set. 
+ // + // If the OS field is set to linux, the following fields must be unset: + // -securityContext.windowsOptions + // + // If the OS field is set to windows, following fields must be unset: + // - spec.hostPID + // - spec.hostIPC + // - spec.hostUsers + // - spec.securityContext.seLinuxOptions + // - spec.securityContext.seccompProfile + // - spec.securityContext.fsGroup + // - spec.securityContext.fsGroupChangePolicy + // - spec.securityContext.sysctls + // - spec.shareProcessNamespace + // - spec.securityContext.runAsUser + // - spec.securityContext.runAsGroup + // - spec.securityContext.supplementalGroups + // - spec.containers[*].securityContext.seLinuxOptions + // - spec.containers[*].securityContext.seccompProfile + // - spec.containers[*].securityContext.capabilities + // - spec.containers[*].securityContext.readOnlyRootFilesystem + // - spec.containers[*].securityContext.privileged + // - spec.containers[*].securityContext.allowPrivilegeEscalation + // - spec.containers[*].securityContext.procMount + // - spec.containers[*].securityContext.runAsUser + // - spec.containers[*].securityContext.runAsGroup + // +optional + os?: null | #PodOS @go(OS,*PodOS) @protobuf(36,bytes,opt) + + // Use the host's user namespace. + // Optional: Default to true. + // If set to true or not present, the pod will be run in the host user namespace, useful + // for when the pod needs a feature only available to the host user namespace, such as + // loading a kernel module with CAP_SYS_MODULE. + // When set to false, a new userns is created for the pod. Setting false is useful for + // mitigating container breakout vulnerabilities even allowing users to run their + // containers as root without actually having root privileges on the host. + // This field is alpha-level and is only honored by servers that enable the UserNamespacesSupport feature. 
+ // +k8s:conversion-gen=false + // +optional + hostUsers?: null | bool @go(HostUsers,*bool) @protobuf(37,bytes,opt) + + // SchedulingGates is an opaque list of values that if specified will block scheduling the pod. + // If schedulingGates is not empty, the pod will stay in the SchedulingGated state and the + // scheduler will not attempt to schedule the pod. + // + // SchedulingGates can only be set at pod creation time, and be removed only afterwards. + // + // This is a beta feature enabled by the PodSchedulingReadiness feature gate. + // + // +patchMergeKey=name + // +patchStrategy=merge + // +listType=map + // +listMapKey=name + // +featureGate=PodSchedulingReadiness + // +optional + schedulingGates?: [...#PodSchedulingGate] @go(SchedulingGates,[]PodSchedulingGate) @protobuf(38,bytes,opt) + + // ResourceClaims defines which ResourceClaims must be allocated + // and reserved before the Pod is allowed to start. The resources + // will be made available to those containers which consume them + // by name. + // + // This is an alpha field and requires enabling the + // DynamicResourceAllocation feature gate. + // + // This field is immutable. + // + // +patchMergeKey=name + // +patchStrategy=merge,retainKeys + // +listType=map + // +listMapKey=name + // +featureGate=DynamicResourceAllocation + // +optional + resourceClaims?: [...#PodResourceClaim] @go(ResourceClaims,[]PodResourceClaim) @protobuf(39,bytes,rep) +} + +// PodResourceClaim references exactly one ResourceClaim through a ClaimSource. +// It adds a name to it that uniquely identifies the ResourceClaim inside the Pod. +// Containers that need access to the ResourceClaim reference it with this name. +#PodResourceClaim: { + // Name uniquely identifies this resource claim inside the pod. + // This must be a DNS_LABEL. + name: string @go(Name) @protobuf(1,bytes) + + // Source describes where to find the ResourceClaim. 
+ source?: #ClaimSource @go(Source) @protobuf(2,bytes) +} + +// ClaimSource describes a reference to a ResourceClaim. +// +// Exactly one of these fields should be set. Consumers of this type must +// treat an empty object as if it has an unknown value. +#ClaimSource: { + // ResourceClaimName is the name of a ResourceClaim object in the same + // namespace as this pod. + resourceClaimName?: null | string @go(ResourceClaimName,*string) @protobuf(1,bytes,opt) + + // ResourceClaimTemplateName is the name of a ResourceClaimTemplate + // object in the same namespace as this pod. + // + // The template will be used to create a new ResourceClaim, which will + // be bound to this pod. When this pod is deleted, the ResourceClaim + // will also be deleted. The pod name and resource name, along with a + // generated component, will be used to form a unique name for the + // ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses. + // + // This field is immutable and no changes will be made to the + // corresponding ResourceClaim by the control plane after creating the + // ResourceClaim. + resourceClaimTemplateName?: null | string @go(ResourceClaimTemplateName,*string) @protobuf(2,bytes,opt) +} + +// PodResourceClaimStatus is stored in the PodStatus for each PodResourceClaim +// which references a ResourceClaimTemplate. It stores the generated name for +// the corresponding ResourceClaim. +#PodResourceClaimStatus: { + // Name uniquely identifies this resource claim inside the pod. + // This must match the name of an entry in pod.spec.resourceClaims, + // which implies that the string must be a DNS_LABEL. + name: string @go(Name) @protobuf(1,bytes) + + // ResourceClaimName is the name of the ResourceClaim that was + // generated for the Pod in the namespace of the Pod. It this is + // unset, then generating a ResourceClaim was not necessary. The + // pod.spec.resourceClaims entry can be ignored in this case. 
+ // + // +optional + resourceClaimName?: null | string @go(ResourceClaimName,*string) @protobuf(2,bytes,opt) +} + +// OSName is the set of OS'es that can be used in OS. +#OSName: string // #enumOSName + +#enumOSName: + #Linux | + #Windows + +#Linux: #OSName & "linux" +#Windows: #OSName & "windows" + +// PodOS defines the OS parameters of a pod. +#PodOS: { + // Name is the name of the operating system. The currently supported values are linux and windows. + // Additional value may be defined in future and can be one of: + // https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration + // Clients should expect to handle additional values and treat unrecognized values in this field as os: null + name: #OSName @go(Name) @protobuf(1,bytes,opt) +} + +// PodSchedulingGate is associated to a Pod to guard its scheduling. +#PodSchedulingGate: { + // Name of the scheduling gate. + // Each scheduling gate must have a unique name field. + name: string @go(Name) @protobuf(1,bytes,opt) +} + +// +enum +#UnsatisfiableConstraintAction: string // #enumUnsatisfiableConstraintAction + +#enumUnsatisfiableConstraintAction: + #DoNotSchedule | + #ScheduleAnyway + +// DoNotSchedule instructs the scheduler not to schedule the pod +// when constraints are not satisfied. +#DoNotSchedule: #UnsatisfiableConstraintAction & "DoNotSchedule" + +// ScheduleAnyway instructs the scheduler to schedule the pod +// even if constraints are not satisfied. +#ScheduleAnyway: #UnsatisfiableConstraintAction & "ScheduleAnyway" + +// NodeInclusionPolicy defines the type of node inclusion policy +// +enum +#NodeInclusionPolicy: string // #enumNodeInclusionPolicy + +#enumNodeInclusionPolicy: + #NodeInclusionPolicyIgnore | + #NodeInclusionPolicyHonor + +// NodeInclusionPolicyIgnore means ignore this scheduling directive when calculating pod topology spread skew. 
+#NodeInclusionPolicyIgnore: #NodeInclusionPolicy & "Ignore" + +// NodeInclusionPolicyHonor means use this scheduling directive when calculating pod topology spread skew. +#NodeInclusionPolicyHonor: #NodeInclusionPolicy & "Honor" + +// TopologySpreadConstraint specifies how to spread matching pods among the given topology. +#TopologySpreadConstraint: { + // MaxSkew describes the degree to which pods may be unevenly distributed. + // When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + // between the number of matching pods in the target topology and the global minimum. + // The global minimum is the minimum number of matching pods in an eligible domain + // or zero if the number of eligible domains is less than MinDomains. + // For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + // labelSelector spread as 2/2/1: + // In this case, the global minimum is 1. + // +-------+-------+-------+ + // | zone1 | zone2 | zone3 | + // +-------+-------+-------+ + // | P P | P P | P | + // +-------+-------+-------+ + // - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + // scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + // violate MaxSkew(1). + // - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + // When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + // to topologies that satisfy it. + // It's a required field. Default value is 1 and 0 is not allowed. + maxSkew: int32 @go(MaxSkew) @protobuf(1,varint,opt) + + // TopologyKey is the key of node labels. Nodes that have a label with this key + // and identical values are considered to be in the same topology. + // We consider each as a "bucket", and try to put balanced number + // of pods into each bucket. + // We define a domain as a particular instance of a topology. 
+ // Also, we define an eligible domain as a domain whose nodes meet the requirements of + // nodeAffinityPolicy and nodeTaintsPolicy. + // e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + // And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + // It's a required field. + topologyKey: string @go(TopologyKey) @protobuf(2,bytes,opt) + + // WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + // the spread constraint. + // - DoNotSchedule (default) tells the scheduler not to schedule it. + // - ScheduleAnyway tells the scheduler to schedule the pod in any location, + // but giving higher precedence to topologies that would help reduce the + // skew. + // A constraint is considered "Unsatisfiable" for an incoming pod + // if and only if every possible node assignment for that pod would violate + // "MaxSkew" on some topology. + // For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + // labelSelector spread as 3/1/1: + // +-------+-------+-------+ + // | zone1 | zone2 | zone3 | + // +-------+-------+-------+ + // | P P P | P | P | + // +-------+-------+-------+ + // If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + // to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + // MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler + // won't make it *more* imbalanced. + // It's a required field. + whenUnsatisfiable: #UnsatisfiableConstraintAction @go(WhenUnsatisfiable) @protobuf(3,bytes,opt,casttype=UnsatisfiableConstraintAction) + + // LabelSelector is used to find matching pods. + // Pods that match this label selector are counted to determine the number of pods + // in their corresponding topology domain. 
+ // +optional + labelSelector?: null | metav1.#LabelSelector @go(LabelSelector,*metav1.LabelSelector) @protobuf(4,bytes,opt) + + // MinDomains indicates a minimum number of eligible domains. + // When the number of eligible domains with matching topology keys is less than minDomains, + // Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + // And when the number of eligible domains with matching topology keys equals or greater than minDomains, + // this value has no effect on scheduling. + // As a result, when the number of eligible domains is less than minDomains, + // scheduler won't schedule more than maxSkew Pods to those domains. + // If value is nil, the constraint behaves as if MinDomains is equal to 1. + // Valid values are integers greater than 0. + // When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + // + // For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + // labelSelector spread as 2/2/2: + // +-------+-------+-------+ + // | zone1 | zone2 | zone3 | + // +-------+-------+-------+ + // | P P | P P | P P | + // +-------+-------+-------+ + // The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + // In this situation, new pod with the same labelSelector cannot be scheduled, + // because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + // it will violate MaxSkew. + // + // This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default). + // +optional + minDomains?: null | int32 @go(MinDomains,*int32) @protobuf(5,varint,opt) + + // NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + // when calculating pod topology spread skew. Options are: + // - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + // - Ignore: nodeAffinity/nodeSelector are ignored. 
All nodes are included in the calculations. + // + // If this value is nil, the behavior is equivalent to the Honor policy. + // This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + // +optional + nodeAffinityPolicy?: null | #NodeInclusionPolicy @go(NodeAffinityPolicy,*NodeInclusionPolicy) @protobuf(6,bytes,opt) + + // NodeTaintsPolicy indicates how we will treat node taints when calculating + // pod topology spread skew. Options are: + // - Honor: nodes without taints, along with tainted nodes for which the incoming pod + // has a toleration, are included. + // - Ignore: node taints are ignored. All nodes are included. + // + // If this value is nil, the behavior is equivalent to the Ignore policy. + // This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + // +optional + nodeTaintsPolicy?: null | #NodeInclusionPolicy @go(NodeTaintsPolicy,*NodeInclusionPolicy) @protobuf(7,bytes,opt) + + // MatchLabelKeys is a set of pod label keys to select the pods over which + // spreading will be calculated. The keys are used to lookup values from the + // incoming pod labels, those key-value labels are ANDed with labelSelector + // to select the group of existing pods over which spreading will be calculated + // for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + // MatchLabelKeys cannot be set when LabelSelector isn't set. + // Keys that don't exist in the incoming pod labels will + // be ignored. A null or empty list means only match against labelSelector. + // + // This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + // +listType=atomic + // +optional + matchLabelKeys?: [...string] @go(MatchLabelKeys,[]string) @protobuf(8,bytes,opt) +} + +// The default value for enableServiceLinks attribute. 
+#DefaultEnableServiceLinks: true + +// HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the +// pod's hosts file. +#HostAlias: { + // IP address of the host file entry. + ip?: string @go(IP) @protobuf(1,bytes,opt) + + // Hostnames for the above IP address. + hostnames?: [...string] @go(Hostnames,[]string) @protobuf(2,bytes,rep) +} + +// PodFSGroupChangePolicy holds policies that will be used for applying fsGroup to a volume +// when volume is mounted. +// +enum +#PodFSGroupChangePolicy: string // #enumPodFSGroupChangePolicy + +#enumPodFSGroupChangePolicy: + #FSGroupChangeOnRootMismatch | + #FSGroupChangeAlways + +// FSGroupChangeOnRootMismatch indicates that volume's ownership and permissions will be changed +// only when permission and ownership of root directory does not match with expected +// permissions on the volume. This can help shorten the time it takes to change +// ownership and permissions of a volume. +#FSGroupChangeOnRootMismatch: #PodFSGroupChangePolicy & "OnRootMismatch" + +// FSGroupChangeAlways indicates that volume's ownership and permissions +// should always be changed whenever volume is mounted inside a Pod. This the default +// behavior. +#FSGroupChangeAlways: #PodFSGroupChangePolicy & "Always" + +// PodSecurityContext holds pod-level security attributes and common container settings. +// Some fields are also present in container.securityContext. Field values of +// container.securityContext take precedence over field values of PodSecurityContext. +#PodSecurityContext: { + // The SELinux context to be applied to all containers. + // If unspecified, the container runtime will allocate a random SELinux context for each + // container. May also be set in SecurityContext. If set in + // both SecurityContext and PodSecurityContext, the value specified in SecurityContext + // takes precedence for that container. + // Note that this field cannot be set when spec.os.name is windows. 
+ // +optional + seLinuxOptions?: null | #SELinuxOptions @go(SELinuxOptions,*SELinuxOptions) @protobuf(1,bytes,opt) + + // The Windows specific settings applied to all containers. + // If unspecified, the options within a container's SecurityContext will be used. + // If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + // Note that this field cannot be set when spec.os.name is linux. + // +optional + windowsOptions?: null | #WindowsSecurityContextOptions @go(WindowsOptions,*WindowsSecurityContextOptions) @protobuf(8,bytes,opt) + + // The UID to run the entrypoint of the container process. + // Defaults to user specified in image metadata if unspecified. + // May also be set in SecurityContext. If set in both SecurityContext and + // PodSecurityContext, the value specified in SecurityContext takes precedence + // for that container. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + runAsUser?: null | int64 @go(RunAsUser,*int64) @protobuf(2,varint,opt) + + // The GID to run the entrypoint of the container process. + // Uses runtime default if unset. + // May also be set in SecurityContext. If set in both SecurityContext and + // PodSecurityContext, the value specified in SecurityContext takes precedence + // for that container. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + runAsGroup?: null | int64 @go(RunAsGroup,*int64) @protobuf(6,varint,opt) + + // Indicates that the container must run as a non-root user. + // If true, the Kubelet will validate the image at runtime to ensure that it + // does not run as UID 0 (root) and fail to start the container if it does. + // If unset or false, no such validation will be performed. + // May also be set in SecurityContext. If set in both SecurityContext and + // PodSecurityContext, the value specified in SecurityContext takes precedence. 
+ // +optional + runAsNonRoot?: null | bool @go(RunAsNonRoot,*bool) @protobuf(3,varint,opt) + + // A list of groups applied to the first process run in each container, in addition + // to the container's primary GID, the fsGroup (if specified), and group memberships + // defined in the container image for the uid of the container process. If unspecified, + // no additional groups are added to any container. Note that group memberships + // defined in the container image for the uid of the container process are still effective, + // even if they are not included in this list. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + supplementalGroups?: [...int64] @go(SupplementalGroups,[]int64) @protobuf(4,varint,rep) + + // A special supplemental group that applies to all containers in a pod. + // Some volume types allow the Kubelet to change the ownership of that volume + // to be owned by the pod: + // + // 1. The owning GID will be the FSGroup + // 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) + // 3. The permission bits are OR'd with rw-rw---- + // + // If unset, the Kubelet will not modify the ownership and permissions of any volume. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + fsGroup?: null | int64 @go(FSGroup,*int64) @protobuf(5,varint,opt) + + // Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported + // sysctls (by the container runtime) might fail to launch. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + sysctls?: [...#Sysctl] @go(Sysctls,[]Sysctl) @protobuf(7,bytes,rep) + + // fsGroupChangePolicy defines behavior of changing ownership and permission of the volume + // before being exposed inside Pod. This field will only apply to + // volume types which support fsGroup based ownership(and permissions). 
+ // It will have no effect on ephemeral volume types such as: secret, configmaps + // and emptydir. + // Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + fsGroupChangePolicy?: null | #PodFSGroupChangePolicy @go(FSGroupChangePolicy,*PodFSGroupChangePolicy) @protobuf(9,bytes,opt) + + // The seccomp options to use by the containers in this pod. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + seccompProfile?: null | #SeccompProfile @go(SeccompProfile,*SeccompProfile) @protobuf(10,bytes,opt) +} + +// SeccompProfile defines a pod/container's seccomp profile settings. +// Only one profile source may be set. +// +union +#SeccompProfile: { + // type indicates which kind of seccomp profile will be applied. + // Valid options are: + // + // Localhost - a profile defined in a file on the node should be used. + // RuntimeDefault - the container runtime default profile should be used. + // Unconfined - no profile should be applied. + // +unionDiscriminator + type: #SeccompProfileType @go(Type) @protobuf(1,bytes,opt,casttype=SeccompProfileType) + + // localhostProfile indicates a profile defined in a file on the node should be used. + // The profile must be preconfigured on the node to work. + // Must be a descending path, relative to the kubelet's configured seccomp profile location. + // Must be set if type is "Localhost". Must NOT be set for any other type. + // +optional + localhostProfile?: null | string @go(LocalhostProfile,*string) @protobuf(2,bytes,opt) +} + +// SeccompProfileType defines the supported seccomp profile types. +// +enum +#SeccompProfileType: string // #enumSeccompProfileType + +#enumSeccompProfileType: + #SeccompProfileTypeUnconfined | + #SeccompProfileTypeRuntimeDefault | + #SeccompProfileTypeLocalhost + +// SeccompProfileTypeUnconfined indicates no seccomp profile is applied (A.K.A. unconfined). 
+#SeccompProfileTypeUnconfined: #SeccompProfileType & "Unconfined" + +// SeccompProfileTypeRuntimeDefault represents the default container runtime seccomp profile. +#SeccompProfileTypeRuntimeDefault: #SeccompProfileType & "RuntimeDefault" + +// SeccompProfileTypeLocalhost indicates a profile defined in a file on the node should be used. +// The file's location relative to /seccomp. +#SeccompProfileTypeLocalhost: #SeccompProfileType & "Localhost" + +// PodQOSClass defines the supported qos classes of Pods. +// +enum +#PodQOSClass: string // #enumPodQOSClass + +#enumPodQOSClass: + #PodQOSGuaranteed | + #PodQOSBurstable | + #PodQOSBestEffort + +// PodQOSGuaranteed is the Guaranteed qos class. +#PodQOSGuaranteed: #PodQOSClass & "Guaranteed" + +// PodQOSBurstable is the Burstable qos class. +#PodQOSBurstable: #PodQOSClass & "Burstable" + +// PodQOSBestEffort is the BestEffort qos class. +#PodQOSBestEffort: #PodQOSClass & "BestEffort" + +// PodDNSConfig defines the DNS parameters of a pod in addition to +// those generated from DNSPolicy. +#PodDNSConfig: { + // A list of DNS name server IP addresses. + // This will be appended to the base nameservers generated from DNSPolicy. + // Duplicated nameservers will be removed. + // +optional + nameservers?: [...string] @go(Nameservers,[]string) @protobuf(1,bytes,rep) + + // A list of DNS search domains for host-name lookup. + // This will be appended to the base search paths generated from DNSPolicy. + // Duplicated search paths will be removed. + // +optional + searches?: [...string] @go(Searches,[]string) @protobuf(2,bytes,rep) + + // A list of DNS resolver options. + // This will be merged with the base options generated from DNSPolicy. + // Duplicated entries will be removed. Resolution options given in Options + // will override those that appear in the base DNSPolicy. 
+ // +optional + options?: [...#PodDNSConfigOption] @go(Options,[]PodDNSConfigOption) @protobuf(3,bytes,rep) +} + +// PodDNSConfigOption defines DNS resolver options of a pod. +#PodDNSConfigOption: { + // Required. + name?: string @go(Name) @protobuf(1,bytes,opt) + + // +optional + value?: null | string @go(Value,*string) @protobuf(2,bytes,opt) +} + +// PodIP represents a single IP address allocated to the pod. +#PodIP: { + // IP is the IP address assigned to the pod + ip?: string @go(IP) @protobuf(1,bytes,opt) +} + +// HostIP represents a single IP address allocated to the host. +#HostIP: { + // IP is the IP address assigned to the host + ip?: string @go(IP) @protobuf(1,bytes,opt) +} + +// EphemeralContainerCommon is a copy of all fields in Container to be inlined in +// EphemeralContainer. This separate type allows easy conversion from EphemeralContainer +// to Container and allows separate documentation for the fields of EphemeralContainer. +// When a new field is added to Container it must be added here as well. +#EphemeralContainerCommon: { + // Name of the ephemeral container specified as a DNS_LABEL. + // This name must be unique among all containers, init containers and ephemeral containers. + name: string @go(Name) @protobuf(1,bytes,opt) + + // Container image name. + // More info: https://kubernetes.io/docs/concepts/containers/images + image?: string @go(Image) @protobuf(2,bytes,opt) + + // Entrypoint array. Not executed within a shell. + // The image's ENTRYPOINT is used if this is not provided. + // Variable references $(VAR_NAME) are expanded using the container's environment. If a variable + // cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + // to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + // produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + // of whether the variable exists or not. Cannot be updated. 
+ // More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + // +optional + command?: [...string] @go(Command,[]string) @protobuf(3,bytes,rep) + + // Arguments to the entrypoint. + // The image's CMD is used if this is not provided. + // Variable references $(VAR_NAME) are expanded using the container's environment. If a variable + // cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced + // to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + // produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless + // of whether the variable exists or not. Cannot be updated. + // More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell + // +optional + args?: [...string] @go(Args,[]string) @protobuf(4,bytes,rep) + + // Container's working directory. + // If not specified, the container runtime's default will be used, which + // might be configured in the container image. + // Cannot be updated. + // +optional + workingDir?: string @go(WorkingDir) @protobuf(5,bytes,opt) + + // Ports are not allowed for ephemeral containers. + // +optional + // +patchMergeKey=containerPort + // +patchStrategy=merge + // +listType=map + // +listMapKey=containerPort + // +listMapKey=protocol + ports?: [...#ContainerPort] @go(Ports,[]ContainerPort) @protobuf(6,bytes,rep) + + // List of sources to populate environment variables in the container. + // The keys defined within a source must be a C_IDENTIFIER. All invalid keys + // will be reported as an event when the container is starting. When a key exists in multiple + // sources, the value associated with the last source will take precedence. + // Values defined by an Env with a duplicate key will take precedence. + // Cannot be updated. 
+ // +optional + envFrom?: [...#EnvFromSource] @go(EnvFrom,[]EnvFromSource) @protobuf(19,bytes,rep) + + // List of environment variables to set in the container. + // Cannot be updated. + // +optional + // +patchMergeKey=name + // +patchStrategy=merge + env?: [...#EnvVar] @go(Env,[]EnvVar) @protobuf(7,bytes,rep) + + // Resources are not allowed for ephemeral containers. Ephemeral containers use spare resources + // already allocated to the pod. + // +optional + resources?: #ResourceRequirements @go(Resources) @protobuf(8,bytes,opt) + + // Resources resize policy for the container. + // +featureGate=InPlacePodVerticalScaling + // +optional + // +listType=atomic + resizePolicy?: [...#ContainerResizePolicy] @go(ResizePolicy,[]ContainerResizePolicy) @protobuf(23,bytes,rep) + + // Restart policy for the container to manage the restart behavior of each + // container within a pod. + // This may only be set for init containers. You cannot set this field on + // ephemeral containers. + // +featureGate=SidecarContainers + // +optional + restartPolicy?: null | #ContainerRestartPolicy @go(RestartPolicy,*ContainerRestartPolicy) @protobuf(24,bytes,opt,casttype=ContainerRestartPolicy) + + // Pod volumes to mount into the container's filesystem. Subpath mounts are not allowed for ephemeral containers. + // Cannot be updated. + // +optional + // +patchMergeKey=mountPath + // +patchStrategy=merge + volumeMounts?: [...#VolumeMount] @go(VolumeMounts,[]VolumeMount) @protobuf(9,bytes,rep) + + // volumeDevices is the list of block devices to be used by the container. + // +patchMergeKey=devicePath + // +patchStrategy=merge + // +optional + volumeDevices?: [...#VolumeDevice] @go(VolumeDevices,[]VolumeDevice) @protobuf(21,bytes,rep) + + // Probes are not allowed for ephemeral containers. + // +optional + livenessProbe?: null | #Probe @go(LivenessProbe,*Probe) @protobuf(10,bytes,opt) + + // Probes are not allowed for ephemeral containers. 
+ // +optional + readinessProbe?: null | #Probe @go(ReadinessProbe,*Probe) @protobuf(11,bytes,opt) + + // Probes are not allowed for ephemeral containers. + // +optional + startupProbe?: null | #Probe @go(StartupProbe,*Probe) @protobuf(22,bytes,opt) + + // Lifecycle is not allowed for ephemeral containers. + // +optional + lifecycle?: null | #Lifecycle @go(Lifecycle,*Lifecycle) @protobuf(12,bytes,opt) + + // Optional: Path at which the file to which the container's termination message + // will be written is mounted into the container's filesystem. + // Message written is intended to be brief final status, such as an assertion failure message. + // Will be truncated by the node if greater than 4096 bytes. The total message length across + // all containers will be limited to 12kb. + // Defaults to /dev/termination-log. + // Cannot be updated. + // +optional + terminationMessagePath?: string @go(TerminationMessagePath) @protobuf(13,bytes,opt) + + // Indicate how the termination message should be populated. File will use the contents of + // terminationMessagePath to populate the container status message on both success and failure. + // FallbackToLogsOnError will use the last chunk of container log output if the termination + // message file is empty and the container exited with an error. + // The log output is limited to 2048 bytes or 80 lines, whichever is smaller. + // Defaults to File. + // Cannot be updated. + // +optional + terminationMessagePolicy?: #TerminationMessagePolicy @go(TerminationMessagePolicy) @protobuf(20,bytes,opt,casttype=TerminationMessagePolicy) + + // Image pull policy. + // One of Always, Never, IfNotPresent. + // Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + // Cannot be updated. 
+ // More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + // +optional + imagePullPolicy?: #PullPolicy @go(ImagePullPolicy) @protobuf(14,bytes,opt,casttype=PullPolicy) + + // Optional: SecurityContext defines the security options the ephemeral container should be run with. + // If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. + // +optional + securityContext?: null | #SecurityContext @go(SecurityContext,*SecurityContext) @protobuf(15,bytes,opt) + + // Whether this container should allocate a buffer for stdin in the container runtime. If this + // is not set, reads from stdin in the container will always result in EOF. + // Default is false. + // +optional + stdin?: bool @go(Stdin) @protobuf(16,varint,opt) + + // Whether the container runtime should close the stdin channel after it has been opened by + // a single attach. When stdin is true the stdin stream will remain open across multiple attach + // sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the + // first client attaches to stdin, and then remains open and accepts data until the client disconnects, + // at which time stdin is closed and remains closed until the container is restarted. If this + // flag is false, a container processes that reads from stdin will never receive an EOF. + // Default is false + // +optional + stdinOnce?: bool @go(StdinOnce) @protobuf(17,varint,opt) + + // Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. + // Default is false. + // +optional + tty?: bool @go(TTY) @protobuf(18,varint,opt) +} + +// An EphemeralContainer is a temporary container that you may add to an existing Pod for +// user-initiated activities such as debugging. Ephemeral containers have no resource or +// scheduling guarantees, and they will not be restarted when they exit or when a Pod is +// removed or restarted. 
The kubelet may evict a Pod if an ephemeral container causes the +// Pod to exceed its resource allocation. +// +// To add an ephemeral container, use the ephemeralcontainers subresource of an existing +// Pod. Ephemeral containers may not be removed or restarted. +#EphemeralContainer: { + #EphemeralContainerCommon + + // If set, the name of the container from PodSpec that this ephemeral container targets. + // The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container. + // If not set then the ephemeral container uses the namespaces configured in the Pod spec. + // + // The container runtime must implement support for this feature. If the runtime does not + // support namespace targeting then the result of setting this field is undefined. + // +optional + targetContainerName?: string @go(TargetContainerName) @protobuf(2,bytes,opt) +} + +// PodStatus represents information about the status of a pod. Status may trail the actual +// state of a system, especially if the node that hosts the pod cannot contact the control +// plane. +#PodStatus: { + // The phase of a Pod is a simple, high-level summary of where the Pod is in its lifecycle. + // The conditions array, the reason and message fields, and the individual container status + // arrays contain more detail about the pod's status. + // There are five possible phase values: + // + // Pending: The pod has been accepted by the Kubernetes system, but one or more of the + // container images has not been created. This includes time before being scheduled as + // well as time spent downloading images over the network, which could take a while. + // Running: The pod has been bound to a node, and all of the containers have been created. + // At least one container is still running, or is in the process of starting or restarting. + // Succeeded: All containers in the pod have terminated in success, and will not be restarted. 
+ // Failed: All containers in the pod have terminated, and at least one container has + // terminated in failure. The container either exited with non-zero status or was terminated + // by the system. + // Unknown: For some reason the state of the pod could not be obtained, typically due to an + // error in communicating with the host of the pod. + // + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-phase + // +optional + phase?: #PodPhase @go(Phase) @protobuf(1,bytes,opt,casttype=PodPhase) + + // Current service state of pod. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#PodCondition] @go(Conditions,[]PodCondition) @protobuf(2,bytes,rep) + + // A human readable message indicating details about why the pod is in this condition. + // +optional + message?: string @go(Message) @protobuf(3,bytes,opt) + + // A brief CamelCase message indicating details about why the pod is in this state. + // e.g. 'Evicted' + // +optional + reason?: string @go(Reason) @protobuf(4,bytes,opt) + + // nominatedNodeName is set only when this pod preempts other pods on the node, but it cannot be + // scheduled right away as preemption victims receive their graceful termination periods. + // This field does not guarantee that the pod will be scheduled on this node. Scheduler may decide + // to place the pod elsewhere if other nodes become available sooner. Scheduler may also decide to + // give the resources on this node to a higher priority pod that is created after preemption. + // As a result, this field may be different than PodSpec.nodeName when the pod is + // scheduled. + // +optional + nominatedNodeName?: string @go(NominatedNodeName) @protobuf(11,bytes,opt) + + // hostIP holds the IP address of the host to which the pod is assigned. Empty if the pod has not started yet. 
+ // A pod can be assigned to a node that has a problem in kubelet which in turns mean that HostIP will + // not be updated even if there is a node is assigned to pod + // +optional + hostIP?: string @go(HostIP) @protobuf(5,bytes,opt) + + // hostIPs holds the IP addresses allocated to the host. If this field is specified, the first entry must + // match the hostIP field. This list is empty if the pod has not started yet. + // A pod can be assigned to a node that has a problem in kubelet which in turns means that HostIPs will + // not be updated even if there is a node is assigned to this pod. + // +optional + // +patchStrategy=merge + // +patchMergeKey=ip + // +listType=atomic + hostIPs?: [...#HostIP] @go(HostIPs,[]HostIP) @protobuf(16,bytes,rep) + + // podIP address allocated to the pod. Routable at least within the cluster. + // Empty if not yet allocated. + // +optional + podIP?: string @go(PodIP) @protobuf(6,bytes,opt) + + // podIPs holds the IP addresses allocated to the pod. If this field is specified, the 0th entry must + // match the podIP field. Pods may be allocated at most 1 value for each of IPv4 and IPv6. This list + // is empty if no IPs have been allocated yet. + // +optional + // +patchStrategy=merge + // +patchMergeKey=ip + podIPs?: [...#PodIP] @go(PodIPs,[]PodIP) @protobuf(12,bytes,rep) + + // RFC 3339 date and time at which the object was acknowledged by the Kubelet. + // This is before the Kubelet pulled the container image(s) for the pod. + // +optional + startTime?: null | metav1.#Time @go(StartTime,*metav1.Time) @protobuf(7,bytes,opt) + + // The list has one entry per init container in the manifest. The most recent successful + // init container will have ready = true, the most recently started container will have + // startTime set. 
+ // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status + initContainerStatuses?: [...#ContainerStatus] @go(InitContainerStatuses,[]ContainerStatus) @protobuf(10,bytes,rep) + + // The list has one entry per container in the manifest. + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status + // +optional + containerStatuses?: [...#ContainerStatus] @go(ContainerStatuses,[]ContainerStatus) @protobuf(8,bytes,rep) + + // The Quality of Service (QOS) classification assigned to the pod based on resource requirements + // See PodQOSClass type for available QOS classes + // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-qos/#quality-of-service-classes + // +optional + qosClass?: #PodQOSClass @go(QOSClass) @protobuf(9,bytes,rep) + + // Status for any ephemeral containers that have run in this pod. + // +optional + ephemeralContainerStatuses?: [...#ContainerStatus] @go(EphemeralContainerStatuses,[]ContainerStatus) @protobuf(13,bytes,rep) + + // Status of resources resize desired for pod's containers. + // It is empty if no resources resize is pending. + // Any changes to container resources will automatically set this to "Proposed" + // +featureGate=InPlacePodVerticalScaling + // +optional + resize?: #PodResizeStatus @go(Resize) @protobuf(14,bytes,opt,casttype=PodResizeStatus) + + // Status of resource claims. + // +patchMergeKey=name + // +patchStrategy=merge,retainKeys + // +listType=map + // +listMapKey=name + // +featureGate=DynamicResourceAllocation + // +optional + resourceClaimStatuses?: [...#PodResourceClaimStatus] @go(ResourceClaimStatuses,[]PodResourceClaimStatus) @protobuf(15,bytes,rep) +} + +// PodStatusResult is a wrapper for PodStatus returned by kubelet that can be encode/decoded +#PodStatusResult: { + metav1.#TypeMeta + + // Standard object's metadata. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Most recently observed status of the pod. + // This data may not be up to date. + // Populated by the system. + // Read-only. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #PodStatus @go(Status) @protobuf(2,bytes,opt) +} + +// Pod is a collection of containers that can run on a host. This resource is created +// by clients and scheduled onto hosts. +#Pod: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Specification of the desired behavior of the pod. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #PodSpec @go(Spec) @protobuf(2,bytes,opt) + + // Most recently observed status of the pod. + // This data may not be up to date. + // Populated by the system. + // Read-only. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #PodStatus @go(Status) @protobuf(3,bytes,opt) +} + +// PodList is a list of Pods. +#PodList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of pods. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md + items: [...#Pod] @go(Items,[]Pod) @protobuf(2,bytes,rep) +} + +// PodTemplateSpec describes the data a pod should have when created from a template +#PodTemplateSpec: { + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Specification of the desired behavior of the pod. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #PodSpec @go(Spec) @protobuf(2,bytes,opt) +} + +// PodTemplate describes a template for creating copies of a predefined pod. +#PodTemplate: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Template defines the pods that will be created from this pod template. + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + template?: #PodTemplateSpec @go(Template) @protobuf(2,bytes,opt) +} + +// PodTemplateList is a list of PodTemplates. +#PodTemplateList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of pod templates + items: [...#PodTemplate] @go(Items,[]PodTemplate) @protobuf(2,bytes,rep) +} + +// ReplicationControllerSpec is the specification of a replication controller. +#ReplicationControllerSpec: { + // Replicas is the number of desired replicas. 
+ // This is a pointer to distinguish between explicit zero and unspecified. + // Defaults to 1. + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#what-is-a-replicationcontroller + // +optional + replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt) + + // Minimum number of seconds for which a newly created pod should be ready + // without any of its container crashing, for it to be considered available. + // Defaults to 0 (pod will be considered available as soon as it is ready) + // +optional + minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(4,varint,opt) + + // Selector is a label query over pods that should match the Replicas count. + // If Selector is empty, it is defaulted to the labels present on the Pod template. + // Label keys and values that must match in order to be controlled by this replication + // controller, if empty defaulted to labels on Pod template. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors + // +optional + // +mapType=atomic + selector?: {[string]: string} @go(Selector,map[string]string) @protobuf(2,bytes,rep) + + // Template is the object that describes the pod that will be created if + // insufficient replicas are detected. This takes precedence over a TemplateRef. + // The only allowed template.spec.restartPolicy value is "Always". + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template + // +optional + template?: null | #PodTemplateSpec @go(Template,*PodTemplateSpec) @protobuf(3,bytes,opt) +} + +// ReplicationControllerStatus represents the current status of a replication +// controller. +#ReplicationControllerStatus: { + // Replicas is the most recently observed number of replicas. 
+ // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#what-is-a-replicationcontroller + replicas: int32 @go(Replicas) @protobuf(1,varint,opt) + + // The number of pods that have labels matching the labels of the pod template of the replication controller. + // +optional + fullyLabeledReplicas?: int32 @go(FullyLabeledReplicas) @protobuf(2,varint,opt) + + // The number of ready replicas for this replication controller. + // +optional + readyReplicas?: int32 @go(ReadyReplicas) @protobuf(4,varint,opt) + + // The number of available replicas (ready for at least minReadySeconds) for this replication controller. + // +optional + availableReplicas?: int32 @go(AvailableReplicas) @protobuf(5,varint,opt) + + // ObservedGeneration reflects the generation of the most recently observed replication controller. + // +optional + observedGeneration?: int64 @go(ObservedGeneration) @protobuf(3,varint,opt) + + // Represents the latest available observations of a replication controller's current state. + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#ReplicationControllerCondition] @go(Conditions,[]ReplicationControllerCondition) @protobuf(6,bytes,rep) +} + +#ReplicationControllerConditionType: string // #enumReplicationControllerConditionType + +#enumReplicationControllerConditionType: + #ReplicationControllerReplicaFailure + +// ReplicationControllerReplicaFailure is added in a replication controller when one of its pods +// fails to be created due to insufficient quota, limit ranges, pod security policy, node selectors, +// etc. or deleted due to kubelet being down or finalizers are failing. +#ReplicationControllerReplicaFailure: #ReplicationControllerConditionType & "ReplicaFailure" + +// ReplicationControllerCondition describes the state of a replication controller at a certain point. +#ReplicationControllerCondition: { + // Type of replication controller condition. 
+ type: #ReplicationControllerConditionType @go(Type) @protobuf(1,bytes,opt,casttype=ReplicationControllerConditionType) + + // Status of the condition, one of True, False, Unknown. + status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus) + + // The last time the condition transitioned from one status to another. + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt) + + // The reason for the condition's last transition. + // +optional + reason?: string @go(Reason) @protobuf(4,bytes,opt) + + // A human readable message indicating details about the transition. + // +optional + message?: string @go(Message) @protobuf(5,bytes,opt) +} + +// ReplicationController represents the configuration of a replication controller. +#ReplicationController: { + metav1.#TypeMeta + + // If the Labels of a ReplicationController are empty, they are defaulted to + // be the same as the Pod(s) that the replication controller manages. + // Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec defines the specification of the desired behavior of the replication controller. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #ReplicationControllerSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status is the most recently observed status of the replication controller. + // This data may be out of date by some window of time. + // Populated by the system. + // Read-only. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #ReplicationControllerStatus @go(Status) @protobuf(3,bytes,opt) +} + +// ReplicationControllerList is a collection of replication controllers. 
+#ReplicationControllerList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of replication controllers. + // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller + items: [...#ReplicationController] @go(Items,[]ReplicationController) @protobuf(2,bytes,rep) +} + +// Session Affinity Type string +// +enum +#ServiceAffinity: string // #enumServiceAffinity + +#enumServiceAffinity: + #ServiceAffinityClientIP | + #ServiceAffinityNone + +// ServiceAffinityClientIP is the Client IP based. +#ServiceAffinityClientIP: #ServiceAffinity & "ClientIP" + +// ServiceAffinityNone - no session affinity. +#ServiceAffinityNone: #ServiceAffinity & "None" + +#DefaultClientIPServiceAffinitySeconds: int32 & 10800 + +// SessionAffinityConfig represents the configurations of session affinity. +#SessionAffinityConfig: { + // clientIP contains the configurations of Client IP based session affinity. + // +optional + clientIP?: null | #ClientIPConfig @go(ClientIP,*ClientIPConfig) @protobuf(1,bytes,opt) +} + +// ClientIPConfig represents the configurations of Client IP based session affinity. +#ClientIPConfig: { + // timeoutSeconds specifies the seconds of ClientIP type session sticky time. + // The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + // Default value is 10800(for 3 hours). 
+ // +optional + timeoutSeconds?: null | int32 @go(TimeoutSeconds,*int32) @protobuf(1,varint,opt) +} + +// Service Type string describes ingress methods for a service +// +enum +#ServiceType: string // #enumServiceType + +#enumServiceType: + #ServiceTypeClusterIP | + #ServiceTypeNodePort | + #ServiceTypeLoadBalancer | + #ServiceTypeExternalName + +// ServiceTypeClusterIP means a service will only be accessible inside the +// cluster, via the cluster IP. +#ServiceTypeClusterIP: #ServiceType & "ClusterIP" + +// ServiceTypeNodePort means a service will be exposed on one port of +// every node, in addition to 'ClusterIP' type. +#ServiceTypeNodePort: #ServiceType & "NodePort" + +// ServiceTypeLoadBalancer means a service will be exposed via an +// external load balancer (if the cloud provider supports it), in addition +// to 'NodePort' type. +#ServiceTypeLoadBalancer: #ServiceType & "LoadBalancer" + +// ServiceTypeExternalName means a service consists of only a reference to +// an external name that kubedns or equivalent will return as a CNAME +// record, with no exposing or proxying of any pods involved. +#ServiceTypeExternalName: #ServiceType & "ExternalName" + +// ServiceInternalTrafficPolicy describes how nodes distribute service traffic they +// receive on the ClusterIP. +// +enum +#ServiceInternalTrafficPolicy: string // #enumServiceInternalTrafficPolicy + +#enumServiceInternalTrafficPolicy: + #ServiceInternalTrafficPolicyCluster | + #ServiceInternalTrafficPolicyLocal + +// ServiceInternalTrafficPolicyCluster routes traffic to all endpoints. +#ServiceInternalTrafficPolicyCluster: #ServiceInternalTrafficPolicy & "Cluster" + +// ServiceInternalTrafficPolicyLocal routes traffic only to endpoints on the same +// node as the client pod (dropping the traffic if there are no local endpoints). 
+#ServiceInternalTrafficPolicyLocal: #ServiceInternalTrafficPolicy & "Local" + +// for backwards compat +// +enum +#ServiceInternalTrafficPolicyType: #ServiceInternalTrafficPolicy // #enumServiceInternalTrafficPolicyType + +#enumServiceInternalTrafficPolicyType: + #ServiceInternalTrafficPolicyCluster | + #ServiceInternalTrafficPolicyLocal + +// ServiceExternalTrafficPolicy describes how nodes distribute service traffic they +// receive on one of the Service's "externally-facing" addresses (NodePorts, ExternalIPs, +// and LoadBalancer IPs. +// +enum +#ServiceExternalTrafficPolicy: string // #enumServiceExternalTrafficPolicy + +#enumServiceExternalTrafficPolicy: + #ServiceExternalTrafficPolicyCluster | + #ServiceExternalTrafficPolicyLocal | + #ServiceExternalTrafficPolicyTypeLocal | + #ServiceExternalTrafficPolicyTypeCluster + +// ServiceExternalTrafficPolicyCluster routes traffic to all endpoints. +#ServiceExternalTrafficPolicyCluster: #ServiceExternalTrafficPolicy & "Cluster" + +// ServiceExternalTrafficPolicyLocal preserves the source IP of the traffic by +// routing only to endpoints on the same node as the traffic was received on +// (dropping the traffic if there are no local endpoints). +#ServiceExternalTrafficPolicyLocal: #ServiceExternalTrafficPolicy & "Local" + +// for backwards compat +// +enum +#ServiceExternalTrafficPolicyType: #ServiceExternalTrafficPolicy // #enumServiceExternalTrafficPolicyType + +#enumServiceExternalTrafficPolicyType: + #ServiceExternalTrafficPolicyCluster | + #ServiceExternalTrafficPolicyLocal | + #ServiceExternalTrafficPolicyTypeLocal | + #ServiceExternalTrafficPolicyTypeCluster + +#ServiceExternalTrafficPolicyTypeLocal: #ServiceExternalTrafficPolicy & "Local" +#ServiceExternalTrafficPolicyTypeCluster: #ServiceExternalTrafficPolicy & "Cluster" + +// LoadBalancerPortsError represents the condition of the requested ports +// on the cloud load balancer instance. 
+#LoadBalancerPortsError: "LoadBalancerPortsError" + +// LoadBalancerPortsErrorReason reason in ServiceStatus condition LoadBalancerPortsError +// means the LoadBalancer was not able to be configured correctly. +#LoadBalancerPortsErrorReason: "LoadBalancerMixedProtocolNotSupported" + +// ServiceStatus represents the current status of a service. +#ServiceStatus: { + // LoadBalancer contains the current status of the load-balancer, + // if one is present. + // +optional + loadBalancer?: #LoadBalancerStatus @go(LoadBalancer) @protobuf(1,bytes,opt) + + // Current service state + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + conditions?: [...metav1.#Condition] @go(Conditions,[]metav1.Condition) @protobuf(2,bytes,rep) +} + +// LoadBalancerStatus represents the status of a load-balancer. +#LoadBalancerStatus: { + // Ingress is a list containing ingress points for the load-balancer. + // Traffic intended for the service should be sent to these ingress points. + // +optional + ingress?: [...#LoadBalancerIngress] @go(Ingress,[]LoadBalancerIngress) @protobuf(1,bytes,rep) +} + +// LoadBalancerIngress represents the status of a load-balancer ingress point: +// traffic intended for the service should be sent to an ingress point. +#LoadBalancerIngress: { + // IP is set for load-balancer ingress points that are IP based + // (typically GCE or OpenStack load-balancers) + // +optional + ip?: string @go(IP) @protobuf(1,bytes,opt) + + // Hostname is set for load-balancer ingress points that are DNS based + // (typically AWS load-balancers) + // +optional + hostname?: string @go(Hostname) @protobuf(2,bytes,opt) + + // Ports is a list of records of service ports + // If used, every port defined in the service should have an entry in it + // +listType=atomic + // +optional + ports?: [...#PortStatus] @go(Ports,[]PortStatus) @protobuf(4,bytes,rep) +} + +// IPFamily represents the IP Family (IPv4 or IPv6). 
This type is used +// to express the family of an IP expressed by a type (e.g. service.spec.ipFamilies). +// +enum +#IPFamily: string // #enumIPFamily + +#enumIPFamily: + #IPv4Protocol | + #IPv6Protocol + +// IPv4Protocol indicates that this IP is IPv4 protocol +#IPv4Protocol: #IPFamily & "IPv4" + +// IPv6Protocol indicates that this IP is IPv6 protocol +#IPv6Protocol: #IPFamily & "IPv6" + +// IPFamilyPolicy represents the dual-stack-ness requested or required by a Service +// +enum +#IPFamilyPolicy: string // #enumIPFamilyPolicy + +#enumIPFamilyPolicy: + #IPFamilyPolicySingleStack | + #IPFamilyPolicyPreferDualStack | + #IPFamilyPolicyRequireDualStack + +// IPFamilyPolicySingleStack indicates that this service is required to have a single IPFamily. +// The IPFamily assigned is based on the default IPFamily used by the cluster +// or as identified by service.spec.ipFamilies field +#IPFamilyPolicySingleStack: #IPFamilyPolicy & "SingleStack" + +// IPFamilyPolicyPreferDualStack indicates that this service prefers dual-stack when +// the cluster is configured for dual-stack. If the cluster is not configured +// for dual-stack the service will be assigned a single IPFamily. If the IPFamily is not +// set in service.spec.ipFamilies then the service will be assigned the default IPFamily +// configured on the cluster +#IPFamilyPolicyPreferDualStack: #IPFamilyPolicy & "PreferDualStack" + +// IPFamilyPolicyRequireDualStack indicates that this service requires dual-stack. Using +// IPFamilyPolicyRequireDualStack on a single stack cluster will result in validation errors. The +// IPFamilies (and their order) assigned to this service is based on service.spec.ipFamilies. If +// service.spec.ipFamilies was not provided then it will be assigned according to how they are +// configured on the cluster. 
If service.spec.ipFamilies has only one entry then the alternative +// IPFamily will be added by apiserver +#IPFamilyPolicyRequireDualStack: #IPFamilyPolicy & "RequireDualStack" + +// for backwards compat +// +enum +#IPFamilyPolicyType: #IPFamilyPolicy // #enumIPFamilyPolicyType + +#enumIPFamilyPolicyType: + #IPFamilyPolicySingleStack | + #IPFamilyPolicyPreferDualStack | + #IPFamilyPolicyRequireDualStack + +// ServiceSpec describes the attributes that a user creates on a service. +#ServiceSpec: { + // The list of ports that are exposed by this service. + // More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + // +patchMergeKey=port + // +patchStrategy=merge + // +listType=map + // +listMapKey=port + // +listMapKey=protocol + ports?: [...#ServicePort] @go(Ports,[]ServicePort) @protobuf(1,bytes,rep) + + // Route service traffic to pods with label keys and values matching this + // selector. If empty or not present, the service is assumed to have an + // external process managing its endpoints, which Kubernetes will not + // modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. + // Ignored if type is ExternalName. + // More info: https://kubernetes.io/docs/concepts/services-networking/service/ + // +optional + // +mapType=atomic + selector?: {[string]: string} @go(Selector,map[string]string) @protobuf(2,bytes,rep) + + // clusterIP is the IP address of the service and is usually assigned + // randomly. If an address is specified manually, is in-range (as per + // system configuration), and is not in use, it will be allocated to the + // service; otherwise creation of the service will fail. This field may not + // be changed through updates unless the type field is also being changed + // to ExternalName (which requires this field to be blank) or the type + // field is being changed from ExternalName (in which case this field may + // optionally be specified, as describe above). 
Valid values are "None", + // empty string (""), or a valid IP address. Setting this to "None" makes a + // "headless service" (no virtual IP), which is useful when direct endpoint + // connections are preferred and proxying is not required. Only applies to + // types ClusterIP, NodePort, and LoadBalancer. If this field is specified + // when creating a Service of type ExternalName, creation will fail. This + // field will be wiped when updating a Service to type ExternalName. + // More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + // +optional + clusterIP?: string @go(ClusterIP) @protobuf(3,bytes,opt) + + // ClusterIPs is a list of IP addresses assigned to this service, and are + // usually assigned randomly. If an address is specified manually, is + // in-range (as per system configuration), and is not in use, it will be + // allocated to the service; otherwise creation of the service will fail. + // This field may not be changed through updates unless the type field is + // also being changed to ExternalName (which requires this field to be + // empty) or the type field is being changed from ExternalName (in which + // case this field may optionally be specified, as describe above). Valid + // values are "None", empty string (""), or a valid IP address. Setting + // this to "None" makes a "headless service" (no virtual IP), which is + // useful when direct endpoint connections are preferred and proxying is + // not required. Only applies to types ClusterIP, NodePort, and + // LoadBalancer. If this field is specified when creating a Service of type + // ExternalName, creation will fail. This field will be wiped when updating + // a Service to type ExternalName. If this field is not specified, it will + // be initialized from the clusterIP field. If this field is specified, + // clients must ensure that clusterIPs[0] and clusterIP have the same + // value. 
+ // + // This field may hold a maximum of two entries (dual-stack IPs, in either order). + // These IPs must correspond to the values of the ipFamilies field. Both + // clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. + // More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + // +listType=atomic + // +optional + clusterIPs?: [...string] @go(ClusterIPs,[]string) @protobuf(18,bytes,opt) + + // type determines how the Service is exposed. Defaults to ClusterIP. Valid + // options are ExternalName, ClusterIP, NodePort, and LoadBalancer. + // "ClusterIP" allocates a cluster-internal IP address for load-balancing + // to endpoints. Endpoints are determined by the selector or if that is not + // specified, by manual construction of an Endpoints object or + // EndpointSlice objects. If clusterIP is "None", no virtual IP is + // allocated and the endpoints are published as a set of endpoints rather + // than a virtual IP. + // "NodePort" builds on ClusterIP and allocates a port on every node which + // routes to the same endpoints as the clusterIP. + // "LoadBalancer" builds on NodePort and creates an external load-balancer + // (if supported in the current cloud) which routes to the same endpoints + // as the clusterIP. + // "ExternalName" aliases this service to the specified externalName. + // Several other fields do not apply to ExternalName services. + // More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types + // +optional + type?: #ServiceType @go(Type) @protobuf(4,bytes,opt,casttype=ServiceType) + + // externalIPs is a list of IP addresses for which nodes in the cluster + // will also accept traffic for this service. These IPs are not managed by + // Kubernetes. The user is responsible for ensuring that traffic arrives + // at a node with this IP. A common example is external load-balancers + // that are not part of the Kubernetes system. 
+ // +optional + externalIPs?: [...string] @go(ExternalIPs,[]string) @protobuf(5,bytes,rep) + + // Supports "ClientIP" and "None". Used to maintain session affinity. + // Enable client IP based session affinity. + // Must be ClientIP or None. + // Defaults to None. + // More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + // +optional + sessionAffinity?: #ServiceAffinity @go(SessionAffinity) @protobuf(7,bytes,opt,casttype=ServiceAffinity) + + // Only applies to Service Type: LoadBalancer. + // This feature depends on whether the underlying cloud-provider supports specifying + // the loadBalancerIP when a load balancer is created. + // This field will be ignored if the cloud-provider does not support the feature. + // Deprecated: This field was under-specified and its meaning varies across implementations. + // Using it is non-portable and it may not support dual-stack. + // Users are encouraged to use implementation-specific annotations when available. + // +optional + loadBalancerIP?: string @go(LoadBalancerIP) @protobuf(8,bytes,opt) + + // If specified and supported by the platform, this will restrict traffic through the cloud-provider + // load-balancer will be restricted to the specified client IPs. This field will be ignored if the + // cloud-provider does not support the feature." + // More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ + // +optional + loadBalancerSourceRanges?: [...string] @go(LoadBalancerSourceRanges,[]string) @protobuf(9,bytes,opt) + + // externalName is the external reference that discovery mechanisms will + // return as an alias for this service (e.g. a DNS CNAME record). No + // proxying will be involved. Must be a lowercase RFC-1123 hostname + // (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName". 
+ // +optional + externalName?: string @go(ExternalName) @protobuf(10,bytes,opt) + + // externalTrafficPolicy describes how nodes distribute service traffic they + // receive on one of the Service's "externally-facing" addresses (NodePorts, + // ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure + // the service in a way that assumes that external load balancers will take care + // of balancing the service traffic between nodes, and so each node will deliver + // traffic only to the node-local endpoints of the service, without masquerading + // the client source IP. (Traffic mistakenly sent to a node with no endpoints will + // be dropped.) The default value, "Cluster", uses the standard behavior of + // routing to all endpoints evenly (possibly modified by topology and other + // features). Note that traffic sent to an External IP or LoadBalancer IP from + // within the cluster will always get "Cluster" semantics, but clients sending to + // a NodePort from within the cluster may need to take traffic policy into account + // when picking a node. + // +optional + externalTrafficPolicy?: #ServiceExternalTrafficPolicy @go(ExternalTrafficPolicy) @protobuf(11,bytes,opt) + + // healthCheckNodePort specifies the healthcheck nodePort for the service. + // This only applies when type is set to LoadBalancer and + // externalTrafficPolicy is set to Local. If a value is specified, is + // in-range, and is not in use, it will be used. If not specified, a value + // will be automatically allocated. External systems (e.g. load-balancers) + // can use this port to determine if a given node holds endpoints for this + // service or not. If this field is specified when creating a Service + // which does not need it, creation will fail. This field will be wiped + // when updating a Service to no longer need it (e.g. changing type). + // This field cannot be updated once set. 
+ // +optional + healthCheckNodePort?: int32 @go(HealthCheckNodePort) @protobuf(12,bytes,opt) + + // publishNotReadyAddresses indicates that any agent which deals with endpoints for this + // Service should disregard any indications of ready/not-ready. + // The primary use case for setting this field is for a StatefulSet's Headless Service to + // propagate SRV DNS records for its Pods for the purpose of peer discovery. + // The Kubernetes controllers that generate Endpoints and EndpointSlice resources for + // Services interpret this to mean that all endpoints are considered "ready" even if the + // Pods themselves are not. Agents which consume only Kubernetes generated endpoints + // through the Endpoints or EndpointSlice resources can safely assume this behavior. + // +optional + publishNotReadyAddresses?: bool @go(PublishNotReadyAddresses) @protobuf(13,varint,opt) + + // sessionAffinityConfig contains the configurations of session affinity. + // +optional + sessionAffinityConfig?: null | #SessionAffinityConfig @go(SessionAffinityConfig,*SessionAffinityConfig) @protobuf(14,bytes,opt) + + // IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this + // service. This field is usually assigned automatically based on cluster + // configuration and the ipFamilyPolicy field. If this field is specified + // manually, the requested family is available in the cluster, + // and ipFamilyPolicy allows it, it will be used; otherwise creation of + // the service will fail. This field is conditionally mutable: it allows + // for adding or removing a secondary IP family, but it does not allow + // changing the primary IP family of the Service. Valid values are "IPv4" + // and "IPv6". This field only applies to Services of types ClusterIP, + // NodePort, and LoadBalancer, and does apply to "headless" services. + // This field will be wiped when updating a Service to type ExternalName. 
+ // + // This field may hold a maximum of two entries (dual-stack families, in + // either order). These families must correspond to the values of the + // clusterIPs field, if specified. Both clusterIPs and ipFamilies are + // governed by the ipFamilyPolicy field. + // +listType=atomic + // +optional + ipFamilies?: [...#IPFamily] @go(IPFamilies,[]IPFamily) @protobuf(19,bytes,opt,casttype=IPFamily) + + // IPFamilyPolicy represents the dual-stack-ness requested or required by + // this Service. If there is no value provided, then this field will be set + // to SingleStack. Services can be "SingleStack" (a single IP family), + // "PreferDualStack" (two IP families on dual-stack configured clusters or + // a single IP family on single-stack clusters), or "RequireDualStack" + // (two IP families on dual-stack configured clusters, otherwise fail). The + // ipFamilies and clusterIPs fields depend on the value of this field. This + // field will be wiped when updating a service to type ExternalName. + // +optional + ipFamilyPolicy?: null | #IPFamilyPolicy @go(IPFamilyPolicy,*IPFamilyPolicy) @protobuf(17,bytes,opt,casttype=IPFamilyPolicy) + + // allocateLoadBalancerNodePorts defines if NodePorts will be automatically + // allocated for services with type LoadBalancer. Default is "true". It + // may be set to "false" if the cluster load-balancer does not rely on + // NodePorts. If the caller requests specific NodePorts (by specifying a + // value), those requests will be respected, regardless of this field. + // This field may only be set for services with type LoadBalancer and will + // be cleared if the type is changed to any other type. + // +optional + allocateLoadBalancerNodePorts?: null | bool @go(AllocateLoadBalancerNodePorts,*bool) @protobuf(20,bytes,opt) + + // loadBalancerClass is the class of the load balancer implementation this Service belongs to. + // If specified, the value of this field must be a label-style identifier, with an optional prefix, + // e.g. 
"internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. + // This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load + // balancer implementation is used, today this is typically done through the cloud provider integration, + // but should apply for any default implementation. If set, it is assumed that a load balancer + // implementation is watching for Services with a matching class. Any default load balancer + // implementation (e.g. cloud providers) should ignore Services that set this field. + // This field can only be set when creating or updating a Service to type 'LoadBalancer'. + // Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. + // +optional + loadBalancerClass?: null | string @go(LoadBalancerClass,*string) @protobuf(21,bytes,opt) + + // InternalTrafficPolicy describes how nodes distribute service traffic they + // receive on the ClusterIP. If set to "Local", the proxy will assume that pods + // only want to talk to endpoints of the service on the same node as the pod, + // dropping the traffic if there are no local endpoints. The default value, + // "Cluster", uses the standard behavior of routing to all endpoints evenly + // (possibly modified by topology and other features). + // +optional + internalTrafficPolicy?: null | #ServiceInternalTrafficPolicy @go(InternalTrafficPolicy,*ServiceInternalTrafficPolicy) @protobuf(22,bytes,opt) +} + +// ServicePort contains information on service's port. +#ServicePort: { + // The name of this port within the service. This must be a DNS_LABEL. + // All ports within a ServiceSpec must have unique names. When considering + // the endpoints for a Service, this must match the 'name' field in the + // EndpointPort. + // Optional if only one ServicePort is defined on this service. + // +optional + name?: string @go(Name) @protobuf(1,bytes,opt) + + // The IP protocol for this port. 
Supports "TCP", "UDP", and "SCTP". + // Default is TCP. + // +default="TCP" + // +optional + protocol?: #Protocol @go(Protocol) @protobuf(2,bytes,opt,casttype=Protocol) + + // The application protocol for this port. + // This is used as a hint for implementations to offer richer behavior for protocols that they understand. + // This field follows standard Kubernetes label syntax. + // Valid values are either: + // + // * Un-prefixed protocol names - reserved for IANA standard service names (as per + // RFC-6335 and https://www.iana.org/assignments/service-names). + // + // * Kubernetes-defined prefixed names: + // * 'kubernetes.io/h2c' - HTTP/2 over cleartext as described in https://www.rfc-editor.org/rfc/rfc7540 + // * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + // * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + // + // * Other protocols should use implementation-defined prefixed names such as + // mycompany.com/my-custom-protocol. + // +optional + appProtocol?: null | string @go(AppProtocol,*string) @protobuf(6,bytes,opt) + + // The port that will be exposed by this service. + port: int32 @go(Port) @protobuf(3,varint,opt) + + // Number or name of the port to access on the pods targeted by the service. + // Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + // If this is a string, it will be looked up as a named port in the + // target Pod's container ports. If this is not specified, the value + // of the 'port' field is used (an identity map). + // This field is ignored for services with clusterIP=None, and should be + // omitted or set equal to the 'port' field. 
+ // More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + // +optional + targetPort?: intstr.#IntOrString @go(TargetPort) @protobuf(4,bytes,opt) + + // The port on each node on which this service is exposed when type is + // NodePort or LoadBalancer. Usually assigned by the system. If a value is + // specified, in-range, and not in use it will be used, otherwise the + // operation will fail. If not specified, a port will be allocated if this + // Service requires one. If this field is specified when creating a + // Service which does not need it, creation will fail. This field will be + // wiped when updating a Service to no longer need it (e.g. changing type + // from NodePort to ClusterIP). + // More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + // +optional + nodePort?: int32 @go(NodePort) @protobuf(5,varint,opt) +} + +// Service is a named abstraction of software service (for example, mysql) consisting of local port +// (for example 3306) that the proxy listens on, and the selector that determines which pods +// will answer requests sent through the proxy. +#Service: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec defines the behavior of a service. + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #ServiceSpec @go(Spec) @protobuf(2,bytes,opt) + + // Most recently observed status of the service. + // Populated by the system. + // Read-only. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #ServiceStatus @go(Status) @protobuf(3,bytes,opt) +} + +// ClusterIPNone - do not assign a cluster IP +// no proxying required and no environment variables should be created for pods +#ClusterIPNone: "None" + +// ServiceList holds a list of services. +#ServiceList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of services + items: [...#Service] @go(Items,[]Service) @protobuf(2,bytes,rep) +} + +// ServiceAccount binds together: +// * a name, understood by users, and perhaps by peripheral systems, for an identity +// * a principal that can be authenticated and authorized +// * a set of secrets +#ServiceAccount: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Secrets is a list of the secrets in the same namespace that pods running using this ServiceAccount are allowed to use. + // Pods are only limited to this list if this service account has a "kubernetes.io/enforce-mountable-secrets" annotation set to "true". + // This field should not be used to find auto-generated service account token secrets for use outside of pods. + // Instead, tokens can be requested directly using the TokenRequest API, or service account token secrets can be manually created. 
+ // More info: https://kubernetes.io/docs/concepts/configuration/secret + // +optional + // +patchMergeKey=name + // +patchStrategy=merge + secrets?: [...#ObjectReference] @go(Secrets,[]ObjectReference) @protobuf(2,bytes,rep) + + // ImagePullSecrets is a list of references to secrets in the same namespace to use for pulling any images + // in pods that reference this ServiceAccount. ImagePullSecrets are distinct from Secrets because Secrets + // can be mounted in the pod, but ImagePullSecrets are only accessed by the kubelet. + // More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod + // +optional + imagePullSecrets?: [...#LocalObjectReference] @go(ImagePullSecrets,[]LocalObjectReference) @protobuf(3,bytes,rep) + + // AutomountServiceAccountToken indicates whether pods running as this service account should have an API token automatically mounted. + // Can be overridden at the pod level. + // +optional + automountServiceAccountToken?: null | bool @go(AutomountServiceAccountToken,*bool) @protobuf(4,varint,opt) +} + +// ServiceAccountList is a list of ServiceAccount objects +#ServiceAccountList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of ServiceAccounts. + // More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ + items: [...#ServiceAccount] @go(Items,[]ServiceAccount) @protobuf(2,bytes,rep) +} + +// Endpoints is a collection of endpoints that implement the actual service. 
Example: +// +// Name: "mysvc", +// Subsets: [ +// { +// Addresses: [{"ip": "10.10.1.1"}, {"ip": "10.10.2.2"}], +// Ports: [{"name": "a", "port": 8675}, {"name": "b", "port": 309}] +// }, +// { +// Addresses: [{"ip": "10.10.3.3"}], +// Ports: [{"name": "a", "port": 93}, {"name": "b", "port": 76}] +// }, +// ] +#Endpoints: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // The set of all endpoints is the union of all subsets. Addresses are placed into + // subsets according to the IPs they share. A single address with multiple ports, + // some of which are ready and some of which are not (because they come from + // different containers) will result in the address being displayed in different + // subsets for the different ports. No address will appear in both Addresses and + // NotReadyAddresses in the same subset. + // Sets of addresses and ports that comprise a service. + // +optional + subsets?: [...#EndpointSubset] @go(Subsets,[]EndpointSubset) @protobuf(2,bytes,rep) +} + +// EndpointSubset is a group of addresses with a common set of ports. The +// expanded set of endpoints is the Cartesian product of Addresses x Ports. +// For example, given: +// +// { +// Addresses: [{"ip": "10.10.1.1"}, {"ip": "10.10.2.2"}], +// Ports: [{"name": "a", "port": 8675}, {"name": "b", "port": 309}] +// } +// +// The resulting set of endpoints can be viewed as: +// +// a: [ 10.10.1.1:8675, 10.10.2.2:8675 ], +// b: [ 10.10.1.1:309, 10.10.2.2:309 ] +#EndpointSubset: { + // IP addresses which offer the related ports that are marked as ready. These endpoints + // should be considered safe for load balancers and clients to utilize. 
+ // +optional + addresses?: [...#EndpointAddress] @go(Addresses,[]EndpointAddress) @protobuf(1,bytes,rep) + + // IP addresses which offer the related ports but are not currently marked as ready + // because they have not yet finished starting, have recently failed a readiness check, + // or have recently failed a liveness check. + // +optional + notReadyAddresses?: [...#EndpointAddress] @go(NotReadyAddresses,[]EndpointAddress) @protobuf(2,bytes,rep) + + // Port numbers available on the related IP addresses. + // +optional + ports?: [...#EndpointPort] @go(Ports,[]EndpointPort) @protobuf(3,bytes,rep) +} + +// EndpointAddress is a tuple that describes single IP address. +// +structType=atomic +#EndpointAddress: { + // The IP of this endpoint. + // May not be loopback (127.0.0.0/8 or ::1), link-local (169.254.0.0/16 or fe80::/10), + // or link-local multicast (224.0.0.0/24 or ff02::/16). + ip: string @go(IP) @protobuf(1,bytes,opt) + + // The Hostname of this endpoint + // +optional + hostname?: string @go(Hostname) @protobuf(3,bytes,opt) + + // Optional: Node hosting this endpoint. This can be used to determine endpoints local to a node. + // +optional + nodeName?: null | string @go(NodeName,*string) @protobuf(4,bytes,opt) + + // Reference to object providing the endpoint. + // +optional + targetRef?: null | #ObjectReference @go(TargetRef,*ObjectReference) @protobuf(2,bytes,opt) +} + +// EndpointPort is a tuple that describes a single port. +// +structType=atomic +#EndpointPort: { + // The name of this port. This must match the 'name' field in the + // corresponding ServicePort. + // Must be a DNS_LABEL. + // Optional only if one port is defined. + // +optional + name?: string @go(Name) @protobuf(1,bytes,opt) + + // The port number of the endpoint. + port: int32 @go(Port) @protobuf(2,varint,opt) + + // The IP protocol for this port. + // Must be UDP, TCP, or SCTP. + // Default is TCP. 
+ // +optional + protocol?: #Protocol @go(Protocol) @protobuf(3,bytes,opt,casttype=Protocol) + + // The application protocol for this port. + // This is used as a hint for implementations to offer richer behavior for protocols that they understand. + // This field follows standard Kubernetes label syntax. + // Valid values are either: + // + // * Un-prefixed protocol names - reserved for IANA standard service names (as per + // RFC-6335 and https://www.iana.org/assignments/service-names). + // + // * Kubernetes-defined prefixed names: + // * 'kubernetes.io/h2c' - HTTP/2 over cleartext as described in https://www.rfc-editor.org/rfc/rfc7540 + // * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + // * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + // + // * Other protocols should use implementation-defined prefixed names such as + // mycompany.com/my-custom-protocol. + // +optional + appProtocol?: null | string @go(AppProtocol,*string) @protobuf(4,bytes,opt) +} + +// EndpointsList is a list of endpoints. +#EndpointsList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of endpoints. + items: [...#Endpoints] @go(Items,[]Endpoints) @protobuf(2,bytes,rep) +} + +// NodeSpec describes the attributes that a node is created with. +#NodeSpec: { + // PodCIDR represents the pod IP range assigned to the node. + // +optional + podCIDR?: string @go(PodCIDR) @protobuf(1,bytes,opt) + + // podCIDRs represents the IP ranges assigned to the node for usage by Pods on that node. If this + // field is specified, the 0th entry must match the podCIDR field. It may contain at most 1 value for + // each of IPv4 and IPv6. 
+ // +optional + // +patchStrategy=merge + podCIDRs?: [...string] @go(PodCIDRs,[]string) @protobuf(7,bytes,opt) + + // ID of the node assigned by the cloud provider in the format: :// + // +optional + providerID?: string @go(ProviderID) @protobuf(3,bytes,opt) + + // Unschedulable controls node schedulability of new pods. By default, node is schedulable. + // More info: https://kubernetes.io/docs/concepts/nodes/node/#manual-node-administration + // +optional + unschedulable?: bool @go(Unschedulable) @protobuf(4,varint,opt) + + // If specified, the node's taints. + // +optional + taints?: [...#Taint] @go(Taints,[]Taint) @protobuf(5,bytes,opt) + + // Deprecated: Previously used to specify the source of the node's configuration for the DynamicKubeletConfig feature. This feature is removed. + // +optional + configSource?: null | #NodeConfigSource @go(ConfigSource,*NodeConfigSource) @protobuf(6,bytes,opt) + + // Deprecated. Not all kubelets will set this field. Remove field after 1.13. + // see: https://issues.k8s.io/61966 + // +optional + externalID?: string @go(DoNotUseExternalID) @protobuf(2,bytes,opt) +} + +// NodeConfigSource specifies a source of node configuration. Exactly one subfield (excluding metadata) must be non-nil. +// This API is deprecated since 1.22 +#NodeConfigSource: { + // ConfigMap is a reference to a Node's ConfigMap + configMap?: null | #ConfigMapNodeConfigSource @go(ConfigMap,*ConfigMapNodeConfigSource) @protobuf(2,bytes,opt) +} + +// ConfigMapNodeConfigSource contains the information to reference a ConfigMap as a config source for the Node. +// This API is deprecated since 1.22: https://git.k8s.io/enhancements/keps/sig-node/281-dynamic-kubelet-configuration +#ConfigMapNodeConfigSource: { + // Namespace is the metadata.namespace of the referenced ConfigMap. + // This field is required in all cases. + namespace: string @go(Namespace) @protobuf(1,bytes,opt) + + // Name is the metadata.name of the referenced ConfigMap. 
+ // This field is required in all cases. + name: string @go(Name) @protobuf(2,bytes,opt) + + // UID is the metadata.UID of the referenced ConfigMap. + // This field is forbidden in Node.Spec, and required in Node.Status. + // +optional + uid?: types.#UID @go(UID) @protobuf(3,bytes,opt) + + // ResourceVersion is the metadata.ResourceVersion of the referenced ConfigMap. + // This field is forbidden in Node.Spec, and required in Node.Status. + // +optional + resourceVersion?: string @go(ResourceVersion) @protobuf(4,bytes,opt) + + // KubeletConfigKey declares which key of the referenced ConfigMap corresponds to the KubeletConfiguration structure + // This field is required in all cases. + kubeletConfigKey: string @go(KubeletConfigKey) @protobuf(5,bytes,opt) +} + +// DaemonEndpoint contains information about a single Daemon endpoint. +#DaemonEndpoint: { + // Port number of the given endpoint. + Port: int32 @protobuf(1,varint,opt) +} + +// NodeDaemonEndpoints lists ports opened by daemons running on the Node. +#NodeDaemonEndpoints: { + // Endpoint on which Kubelet is listening. + // +optional + kubeletEndpoint?: #DaemonEndpoint @go(KubeletEndpoint) @protobuf(1,bytes,opt) +} + +// NodeSystemInfo is a set of ids/uuids to uniquely identify the node. +#NodeSystemInfo: { + // MachineID reported by the node. For unique machine identification + // in the cluster this field is preferred. Learn more from man(5) + // machine-id: http://man7.org/linux/man-pages/man5/machine-id.5.html + machineID: string @go(MachineID) @protobuf(1,bytes,opt) + + // SystemUUID reported by the node. For unique machine identification + // MachineID is preferred. This field is specific to Red Hat hosts + // https://access.redhat.com/documentation/en-us/red_hat_subscription_management/1/html/rhsm/uuid + systemUUID: string @go(SystemUUID) @protobuf(2,bytes,opt) + + // Boot ID reported by the node. 
+ bootID: string @go(BootID) @protobuf(3,bytes,opt) + + // Kernel Version reported by the node from 'uname -r' (e.g. 3.16.0-0.bpo.4-amd64). + kernelVersion: string @go(KernelVersion) @protobuf(4,bytes,opt) + + // OS Image reported by the node from /etc/os-release (e.g. Debian GNU/Linux 7 (wheezy)). + osImage: string @go(OSImage) @protobuf(5,bytes,opt) + + // ContainerRuntime Version reported by the node through runtime remote API (e.g. containerd://1.4.2). + containerRuntimeVersion: string @go(ContainerRuntimeVersion) @protobuf(6,bytes,opt) + + // Kubelet Version reported by the node. + kubeletVersion: string @go(KubeletVersion) @protobuf(7,bytes,opt) + + // KubeProxy Version reported by the node. + kubeProxyVersion: string @go(KubeProxyVersion) @protobuf(8,bytes,opt) + + // The Operating System reported by the node + operatingSystem: string @go(OperatingSystem) @protobuf(9,bytes,opt) + + // The Architecture reported by the node + architecture: string @go(Architecture) @protobuf(10,bytes,opt) +} + +// NodeConfigStatus describes the status of the config assigned by Node.Spec.ConfigSource. +#NodeConfigStatus: { + // Assigned reports the checkpointed config the node will try to use. + // When Node.Spec.ConfigSource is updated, the node checkpoints the associated + // config payload to local disk, along with a record indicating intended + // config. The node refers to this record to choose its config checkpoint, and + // reports this record in Assigned. Assigned only updates in the status after + // the record has been checkpointed to disk. When the Kubelet is restarted, + // it tries to make the Assigned config the Active config by loading and + // validating the checkpointed payload identified by Assigned. + // +optional + assigned?: null | #NodeConfigSource @go(Assigned,*NodeConfigSource) @protobuf(1,bytes,opt) + + // Active reports the checkpointed config the node is actively using. 
+ // Active will represent either the current version of the Assigned config, + // or the current LastKnownGood config, depending on whether attempting to use the + // Assigned config results in an error. + // +optional + active?: null | #NodeConfigSource @go(Active,*NodeConfigSource) @protobuf(2,bytes,opt) + + // LastKnownGood reports the checkpointed config the node will fall back to + // when it encounters an error attempting to use the Assigned config. + // The Assigned config becomes the LastKnownGood config when the node determines + // that the Assigned config is stable and correct. + // This is currently implemented as a 10-minute soak period starting when the local + // record of Assigned config is updated. If the Assigned config is Active at the end + // of this period, it becomes the LastKnownGood. Note that if Spec.ConfigSource is + // reset to nil (use local defaults), the LastKnownGood is also immediately reset to nil, + // because the local default config is always assumed good. + // You should not make assumptions about the node's method of determining config stability + // and correctness, as this may change or become configurable in the future. + // +optional + lastKnownGood?: null | #NodeConfigSource @go(LastKnownGood,*NodeConfigSource) @protobuf(3,bytes,opt) + + // Error describes any problems reconciling the Spec.ConfigSource to the Active config. + // Errors may occur, for example, attempting to checkpoint Spec.ConfigSource to the local Assigned + // record, attempting to checkpoint the payload associated with Spec.ConfigSource, attempting + // to load or validate the Assigned config, etc. + // Errors may occur at different points while syncing config. Earlier errors (e.g. download or + // checkpointing errors) will not result in a rollback to LastKnownGood, and may resolve across + // Kubelet retries. Later errors (e.g. loading or validating a checkpointed config) will result in + // a rollback to LastKnownGood. 
In the latter case, it is usually possible to resolve the error + // by fixing the config assigned in Spec.ConfigSource. + // You can find additional information for debugging by searching the error message in the Kubelet log. + // Error is a human-readable description of the error state; machines can check whether or not Error + // is empty, but should not rely on the stability of the Error text across Kubelet versions. + // +optional + error?: string @go(Error) @protobuf(4,bytes,opt) +} + +// NodeStatus is information about the current status of a node. +#NodeStatus: { + // Capacity represents the total resources of a node. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacity + // +optional + capacity?: #ResourceList @go(Capacity) @protobuf(1,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // Allocatable represents the resources of a node that are available for scheduling. + // Defaults to Capacity. + // +optional + allocatable?: #ResourceList @go(Allocatable) @protobuf(2,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // NodePhase is the recently observed lifecycle phase of the node. + // More info: https://kubernetes.io/docs/concepts/nodes/node/#phase + // The field is never populated, and now is deprecated. + // +optional + phase?: #NodePhase @go(Phase) @protobuf(3,bytes,opt,casttype=NodePhase) + + // Conditions is an array of current observed node conditions. + // More info: https://kubernetes.io/docs/concepts/nodes/node/#condition + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#NodeCondition] @go(Conditions,[]NodeCondition) @protobuf(4,bytes,rep) + + // List of addresses reachable to the node. + // Queried from cloud provider, if available. + // More info: https://kubernetes.io/docs/concepts/nodes/node/#addresses + // Note: This field is declared as mergeable, but the merge key is not sufficiently + // unique, which can cause data corruption when it is merged. 
Callers should instead + // use a full-replacement patch. See https://pr.k8s.io/79391 for an example. + // Consumers should assume that addresses can change during the + // lifetime of a Node. However, there are some exceptions where this may not + // be possible, such as Pods that inherit a Node's address in its own status or + // consumers of the downward API (status.hostIP). + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + addresses?: [...#NodeAddress] @go(Addresses,[]NodeAddress) @protobuf(5,bytes,rep) + + // Endpoints of daemons running on the Node. + // +optional + daemonEndpoints?: #NodeDaemonEndpoints @go(DaemonEndpoints) @protobuf(6,bytes,opt) + + // Set of ids/uuids to uniquely identify the node. + // More info: https://kubernetes.io/docs/concepts/nodes/node/#info + // +optional + nodeInfo?: #NodeSystemInfo @go(NodeInfo) @protobuf(7,bytes,opt) + + // List of container images on this node + // +optional + images?: [...#ContainerImage] @go(Images,[]ContainerImage) @protobuf(8,bytes,rep) + + // List of attachable volumes in use (mounted) by the node. + // +optional + volumesInUse?: [...#UniqueVolumeName] @go(VolumesInUse,[]UniqueVolumeName) @protobuf(9,bytes,rep) + + // List of volumes that are attached to the node. + // +optional + volumesAttached?: [...#AttachedVolume] @go(VolumesAttached,[]AttachedVolume) @protobuf(10,bytes,rep) + + // Status of the config assigned to the node via the dynamic Kubelet config feature. + // +optional + config?: null | #NodeConfigStatus @go(Config,*NodeConfigStatus) @protobuf(11,bytes,opt) +} + +#UniqueVolumeName: string + +// AttachedVolume describes a volume attached to a node +#AttachedVolume: { + // Name of the attached volume + name: #UniqueVolumeName @go(Name) @protobuf(1,bytes,rep) + + // DevicePath represents the device path where the volume should be available + devicePath: string @go(DevicePath) @protobuf(2,bytes,rep) +} + +// AvoidPods describes pods that should avoid this node. 
This is the value for a +// Node annotation with key scheduler.alpha.kubernetes.io/preferAvoidPods and +// will eventually become a field of NodeStatus. +#AvoidPods: { + // Bounded-sized list of signatures of pods that should avoid this node, sorted + // in timestamp order from oldest to newest. Size of the slice is unspecified. + // +optional + preferAvoidPods?: [...#PreferAvoidPodsEntry] @go(PreferAvoidPods,[]PreferAvoidPodsEntry) @protobuf(1,bytes,rep) +} + +// Describes a class of pods that should avoid this node. +#PreferAvoidPodsEntry: { + // The class of pods. + podSignature: #PodSignature @go(PodSignature) @protobuf(1,bytes,opt) + + // Time at which this entry was added to the list. + // +optional + evictionTime?: metav1.#Time @go(EvictionTime) @protobuf(2,bytes,opt) + + // (brief) reason why this entry was added to the list. + // +optional + reason?: string @go(Reason) @protobuf(3,bytes,opt) + + // Human readable message indicating why this entry was added to the list. + // +optional + message?: string @go(Message) @protobuf(4,bytes,opt) +} + +// Describes the class of pods that should avoid this node. +// Exactly one field should be set. +#PodSignature: { + // Reference to controller whose pods should avoid this node. + // +optional + podController?: null | metav1.#OwnerReference @go(PodController,*metav1.OwnerReference) @protobuf(1,bytes,opt) +} + +// Describe a container image +#ContainerImage: { + // Names by which this image is known. + // e.g. ["kubernetes.example/hyperkube:v1.0.7", "cloud-vendor.registry.example/cloud-vendor/hyperkube:v1.0.7"] + // +optional + names: [...string] @go(Names,[]string) @protobuf(1,bytes,rep) + + // The size of the image in bytes. + // +optional + sizeBytes?: int64 @go(SizeBytes) @protobuf(2,varint,opt) +} + +// +enum +#NodePhase: string // #enumNodePhase + +#enumNodePhase: + #NodePending | + #NodeRunning | + #NodeTerminated + +// NodePending means the node has been created/added by the system, but not configured. 
+#NodePending: #NodePhase & "Pending" + +// NodeRunning means the node has been configured and has Kubernetes components running. +#NodeRunning: #NodePhase & "Running" + +// NodeTerminated means the node has been removed from the cluster. +#NodeTerminated: #NodePhase & "Terminated" + +#NodeConditionType: string // #enumNodeConditionType + +#enumNodeConditionType: + #NodeReady | + #NodeMemoryPressure | + #NodeDiskPressure | + #NodePIDPressure | + #NodeNetworkUnavailable + +// NodeReady means kubelet is healthy and ready to accept pods. +#NodeReady: #NodeConditionType & "Ready" + +// NodeMemoryPressure means the kubelet is under pressure due to insufficient available memory. +#NodeMemoryPressure: #NodeConditionType & "MemoryPressure" + +// NodeDiskPressure means the kubelet is under pressure due to insufficient available disk. +#NodeDiskPressure: #NodeConditionType & "DiskPressure" + +// NodePIDPressure means the kubelet is under pressure due to insufficient available PID. +#NodePIDPressure: #NodeConditionType & "PIDPressure" + +// NodeNetworkUnavailable means that network for the node is not correctly configured. +#NodeNetworkUnavailable: #NodeConditionType & "NetworkUnavailable" + +// NodeCondition contains condition information for a node. +#NodeCondition: { + // Type of node condition. + type: #NodeConditionType @go(Type) @protobuf(1,bytes,opt,casttype=NodeConditionType) + + // Status of the condition, one of True, False, Unknown. + status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus) + + // Last time we got an update on a given condition. + // +optional + lastHeartbeatTime?: metav1.#Time @go(LastHeartbeatTime) @protobuf(3,bytes,opt) + + // Last time the condition transit from one status to another. + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(4,bytes,opt) + + // (brief) reason for the condition's last transition. 
+ // +optional + reason?: string @go(Reason) @protobuf(5,bytes,opt) + + // Human readable message indicating details about last transition. + // +optional + message?: string @go(Message) @protobuf(6,bytes,opt) +} + +#NodeAddressType: string // #enumNodeAddressType + +#enumNodeAddressType: + #NodeHostName | + #NodeInternalIP | + #NodeExternalIP | + #NodeInternalDNS | + #NodeExternalDNS + +// NodeHostName identifies a name of the node. Although every node can be assumed +// to have a NodeAddress of this type, its exact syntax and semantics are not +// defined, and are not consistent between different clusters. +#NodeHostName: #NodeAddressType & "Hostname" + +// NodeInternalIP identifies an IP address which is assigned to one of the node's +// network interfaces. Every node should have at least one address of this type. +// +// An internal IP is normally expected to be reachable from every other node, but +// may not be visible to hosts outside the cluster. By default it is assumed that +// kube-apiserver can reach node internal IPs, though it is possible to configure +// clusters where this is not the case. +// +// NodeInternalIP is the default type of node IP, and does not necessarily imply +// that the IP is ONLY reachable internally. If a node has multiple internal IPs, +// no specific semantics are assigned to the additional IPs. +#NodeInternalIP: #NodeAddressType & "InternalIP" + +// NodeExternalIP identifies an IP address which is, in some way, intended to be +// more usable from outside the cluster then an internal IP, though no specific +// semantics are defined. It may be a globally routable IP, though it is not +// required to be. +// +// External IPs may be assigned directly to an interface on the node, like a +// NodeInternalIP, or alternatively, packets sent to the external IP may be NAT'ed +// to an internal node IP rather than being delivered directly (making the IP less +// efficient for node-to-node traffic than a NodeInternalIP). 
+#NodeExternalIP: #NodeAddressType & "ExternalIP" + +// NodeInternalDNS identifies a DNS name which resolves to an IP address which has +// the characteristics of a NodeInternalIP. The IP it resolves to may or may not +// be a listed NodeInternalIP address. +#NodeInternalDNS: #NodeAddressType & "InternalDNS" + +// NodeExternalDNS identifies a DNS name which resolves to an IP address which has +// the characteristics of a NodeExternalIP. The IP it resolves to may or may not +// be a listed NodeExternalIP address. +#NodeExternalDNS: #NodeAddressType & "ExternalDNS" + +// NodeAddress contains information for the node's address. +#NodeAddress: { + // Node address type, one of Hostname, ExternalIP or InternalIP. + type: #NodeAddressType @go(Type) @protobuf(1,bytes,opt,casttype=NodeAddressType) + + // The node address. + address: string @go(Address) @protobuf(2,bytes,opt) +} + +// ResourceName is the name identifying various resources in a ResourceList. +#ResourceName: string // #enumResourceName + +#enumResourceName: + #ResourceCPU | + #ResourceMemory | + #ResourceStorage | + #ResourceEphemeralStorage | + #ResourcePods | + #ResourceServices | + #ResourceReplicationControllers | + #ResourceQuotas | + #ResourceSecrets | + #ResourceConfigMaps | + #ResourcePersistentVolumeClaims | + #ResourceServicesNodePorts | + #ResourceServicesLoadBalancers | + #ResourceRequestsCPU | + #ResourceRequestsMemory | + #ResourceRequestsStorage | + #ResourceRequestsEphemeralStorage | + #ResourceLimitsCPU | + #ResourceLimitsMemory | + #ResourceLimitsEphemeralStorage + +// CPU, in cores. (500m = .5 cores) +#ResourceCPU: #ResourceName & "cpu" + +// Memory, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) +#ResourceMemory: #ResourceName & "memory" + +// Volume size, in bytes (e,g. 5Gi = 5GiB = 5 * 1024 * 1024 * 1024) +#ResourceStorage: #ResourceName & "storage" + +// Local ephemeral storage, in bytes. 
(500Gi = 500GiB = 500 * 1024 * 1024 * 1024) +// The resource name for ResourceEphemeralStorage is alpha and it can change across releases. +#ResourceEphemeralStorage: #ResourceName & "ephemeral-storage" + +// Default namespace prefix. +#ResourceDefaultNamespacePrefix: "kubernetes.io/" + +// Name prefix for huge page resources (alpha). +#ResourceHugePagesPrefix: "hugepages-" + +// Name prefix for storage resource limits +#ResourceAttachableVolumesPrefix: "attachable-volumes-" + +// ResourceList is a set of (resource name, quantity) pairs. +#ResourceList: {[string]: resource.#Quantity} + +// Node is a worker node in Kubernetes. +// Each node will have a unique identifier in the cache (i.e. in etcd). +#Node: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec defines the behavior of a node. + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #NodeSpec @go(Spec) @protobuf(2,bytes,opt) + + // Most recently observed status of the node. + // Populated by the system. + // Read-only. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #NodeStatus @go(Status) @protobuf(3,bytes,opt) +} + +// NodeList is the whole list of all Nodes which have been registered with master. +#NodeList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of nodes + items: [...#Node] @go(Items,[]Node) @protobuf(2,bytes,rep) +} + +// FinalizerName is the name identifying a finalizer during namespace lifecycle. 
+#FinalizerName: string // #enumFinalizerName + +#enumFinalizerName: + #FinalizerKubernetes + +#FinalizerKubernetes: #FinalizerName & "kubernetes" + +// NamespaceSpec describes the attributes on a Namespace. +#NamespaceSpec: { + // Finalizers is an opaque list of values that must be empty to permanently remove object from storage. + // More info: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/ + // +optional + finalizers?: [...#FinalizerName] @go(Finalizers,[]FinalizerName) @protobuf(1,bytes,rep,casttype=FinalizerName) +} + +// NamespaceStatus is information about the current status of a Namespace. +#NamespaceStatus: { + // Phase is the current lifecycle phase of the namespace. + // More info: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/ + // +optional + phase?: #NamespacePhase @go(Phase) @protobuf(1,bytes,opt,casttype=NamespacePhase) + + // Represents the latest available observations of a namespace's current state. + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#NamespaceCondition] @go(Conditions,[]NamespaceCondition) @protobuf(2,bytes,rep) +} + +// +enum +#NamespacePhase: string // #enumNamespacePhase + +#enumNamespacePhase: + #NamespaceActive | + #NamespaceTerminating + +// NamespaceActive means the namespace is available for use in the system +#NamespaceActive: #NamespacePhase & "Active" + +// NamespaceTerminating means the namespace is undergoing graceful termination +#NamespaceTerminating: #NamespacePhase & "Terminating" + +// NamespaceTerminatingCause is returned as a defaults.cause item when a change is +// forbidden due to the namespace being terminated. 
+#NamespaceTerminatingCause: metav1.#CauseType & "NamespaceTerminating" + +#NamespaceConditionType: string // #enumNamespaceConditionType + +#enumNamespaceConditionType: + #NamespaceDeletionDiscoveryFailure | + #NamespaceDeletionContentFailure | + #NamespaceDeletionGVParsingFailure | + #NamespaceContentRemaining | + #NamespaceFinalizersRemaining + +// NamespaceDeletionDiscoveryFailure contains information about namespace deleter errors during resource discovery. +#NamespaceDeletionDiscoveryFailure: #NamespaceConditionType & "NamespaceDeletionDiscoveryFailure" + +// NamespaceDeletionContentFailure contains information about namespace deleter errors during deletion of resources. +#NamespaceDeletionContentFailure: #NamespaceConditionType & "NamespaceDeletionContentFailure" + +// NamespaceDeletionGVParsingFailure contains information about namespace deleter errors parsing GV for legacy types. +#NamespaceDeletionGVParsingFailure: #NamespaceConditionType & "NamespaceDeletionGroupVersionParsingFailure" + +// NamespaceContentRemaining contains information about resources remaining in a namespace. +#NamespaceContentRemaining: #NamespaceConditionType & "NamespaceContentRemaining" + +// NamespaceFinalizersRemaining contains information about which finalizers are on resources remaining in a namespace. +#NamespaceFinalizersRemaining: #NamespaceConditionType & "NamespaceFinalizersRemaining" + +// NamespaceCondition contains details about state of namespace. +#NamespaceCondition: { + // Type of namespace controller condition. + type: #NamespaceConditionType @go(Type) @protobuf(1,bytes,opt,casttype=NamespaceConditionType) + + // Status of the condition, one of True, False, Unknown. 
+ status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus) + + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(4,bytes,opt) + + // +optional + reason?: string @go(Reason) @protobuf(5,bytes,opt) + + // +optional + message?: string @go(Message) @protobuf(6,bytes,opt) +} + +// Namespace provides a scope for Names. +// Use of multiple namespaces is optional. +#Namespace: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec defines the behavior of the Namespace. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #NamespaceSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status describes the current status of a Namespace. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #NamespaceStatus @go(Status) @protobuf(3,bytes,opt) +} + +// NamespaceList is a list of Namespaces. +#NamespaceList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is the list of Namespace objects in the list. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + items: [...#Namespace] @go(Items,[]Namespace) @protobuf(2,bytes,rep) +} + +// Binding ties one object to another; for example, a pod is bound to a node by a scheduler. +// Deprecated in 1.7, please use the bindings subresource of pods instead. +#Binding: { + metav1.#TypeMeta + + // Standard object's metadata. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // The target object that you want to bind to the standard object. + target: #ObjectReference @go(Target) @protobuf(2,bytes,opt) +} + +// Preconditions must be fulfilled before an operation (update, delete, etc.) is carried out. +// +k8s:openapi-gen=false +#Preconditions: { + // Specifies the target UID. + // +optional + uid?: null | types.#UID @go(UID,*types.UID) @protobuf(1,bytes,opt,casttype=k8s.io/apimachinery/pkg/types.UID) +} + +// PodLogOptions is the query options for a Pod's logs REST call. +#PodLogOptions: { + metav1.#TypeMeta + + // The container for which to stream logs. Defaults to only container if there is one container in the pod. + // +optional + container?: string @go(Container) @protobuf(1,bytes,opt) + + // Follow the log stream of the pod. Defaults to false. + // +optional + follow?: bool @go(Follow) @protobuf(2,varint,opt) + + // Return previous terminated container logs. Defaults to false. + // +optional + previous?: bool @go(Previous) @protobuf(3,varint,opt) + + // A relative time in seconds before the current time from which to show logs. If this value + // precedes the time a pod was started, only logs since the pod start will be returned. + // If this value is in the future, no logs will be returned. + // Only one of sinceSeconds or sinceTime may be specified. + // +optional + sinceSeconds?: null | int64 @go(SinceSeconds,*int64) @protobuf(4,varint,opt) + + // An RFC3339 timestamp from which to show logs. If this value + // precedes the time a pod was started, only logs since the pod start will be returned. + // If this value is in the future, no logs will be returned. + // Only one of sinceSeconds or sinceTime may be specified. 
+ // +optional + sinceTime?: null | metav1.#Time @go(SinceTime,*metav1.Time) @protobuf(5,bytes,opt) + + // If true, add an RFC3339 or RFC3339Nano timestamp at the beginning of every line + // of log output. Defaults to false. + // +optional + timestamps?: bool @go(Timestamps) @protobuf(6,varint,opt) + + // If set, the number of lines from the end of the logs to show. If not specified, + // logs are shown from the creation of the container or sinceSeconds or sinceTime + // +optional + tailLines?: null | int64 @go(TailLines,*int64) @protobuf(7,varint,opt) + + // If set, the number of bytes to read from the server before terminating the + // log output. This may not display a complete final line of logging, and may return + // slightly more or slightly less than the specified limit. + // +optional + limitBytes?: null | int64 @go(LimitBytes,*int64) @protobuf(8,varint,opt) + + // insecureSkipTLSVerifyBackend indicates that the apiserver should not confirm the validity of the + // serving certificate of the backend it is connecting to. This will make the HTTPS connection between the apiserver + // and the backend insecure. This means the apiserver cannot verify the log data it is receiving came from the real + // kubelet. If the kubelet is configured to verify the apiserver's TLS credentials, it does not mean the + // connection to the real kubelet is vulnerable to a man in the middle attack (e.g. an attacker could not intercept + // the actual log data coming from the real kubelet). + // +optional + insecureSkipTLSVerifyBackend?: bool @go(InsecureSkipTLSVerifyBackend) @protobuf(9,varint,opt) +} + +// PodAttachOptions is the query options to a Pod's remote attach call. 
+// --- +// TODO: merge w/ PodExecOptions below for stdin, stdout, etc +// and also when we cut V2, we should export a "StreamOptions" or somesuch that contains Stdin, Stdout, Stder and TTY +#PodAttachOptions: { + metav1.#TypeMeta + + // Stdin if true, redirects the standard input stream of the pod for this call. + // Defaults to false. + // +optional + stdin?: bool @go(Stdin) @protobuf(1,varint,opt) + + // Stdout if true indicates that stdout is to be redirected for the attach call. + // Defaults to true. + // +optional + stdout?: bool @go(Stdout) @protobuf(2,varint,opt) + + // Stderr if true indicates that stderr is to be redirected for the attach call. + // Defaults to true. + // +optional + stderr?: bool @go(Stderr) @protobuf(3,varint,opt) + + // TTY if true indicates that a tty will be allocated for the attach call. + // This is passed through the container runtime so the tty + // is allocated on the worker node by the container runtime. + // Defaults to false. + // +optional + tty?: bool @go(TTY) @protobuf(4,varint,opt) + + // The container in which to execute the command. + // Defaults to only container if there is only one container in the pod. + // +optional + container?: string @go(Container) @protobuf(5,bytes,opt) +} + +// PodExecOptions is the query options to a Pod's remote exec call. +// --- +// TODO: This is largely identical to PodAttachOptions above, make sure they stay in sync and see about merging +// and also when we cut V2, we should export a "StreamOptions" or somesuch that contains Stdin, Stdout, Stder and TTY +#PodExecOptions: { + metav1.#TypeMeta + + // Redirect the standard input stream of the pod for this call. + // Defaults to false. + // +optional + stdin?: bool @go(Stdin) @protobuf(1,varint,opt) + + // Redirect the standard output stream of the pod for this call. + // +optional + stdout?: bool @go(Stdout) @protobuf(2,varint,opt) + + // Redirect the standard error stream of the pod for this call. 
+ // +optional + stderr?: bool @go(Stderr) @protobuf(3,varint,opt) + + // TTY if true indicates that a tty will be allocated for the exec call. + // Defaults to false. + // +optional + tty?: bool @go(TTY) @protobuf(4,varint,opt) + + // Container in which to execute the command. + // Defaults to only container if there is only one container in the pod. + // +optional + container?: string @go(Container) @protobuf(5,bytes,opt) + + // Command is the remote command to execute. argv array. Not executed within a shell. + command: [...string] @go(Command,[]string) @protobuf(6,bytes,rep) +} + +// PodPortForwardOptions is the query options to a Pod's port forward call +// when using WebSockets. +// The `port` query parameter must specify the port or +// ports (comma separated) to forward over. +// Port forwarding over SPDY does not use these options. It requires the port +// to be passed in the `port` header as part of request. +#PodPortForwardOptions: { + metav1.#TypeMeta + + // List of ports to forward + // Required when using WebSockets + // +optional + ports?: [...int32] @go(Ports,[]int32) @protobuf(1,varint,rep) +} + +// PodProxyOptions is the query options to a Pod's proxy call. +#PodProxyOptions: { + metav1.#TypeMeta + + // Path is the URL path to use for the current proxy request to pod. + // +optional + path?: string @go(Path) @protobuf(1,bytes,opt) +} + +// NodeProxyOptions is the query options to a Node's proxy call. +#NodeProxyOptions: { + metav1.#TypeMeta + + // Path is the URL path to use for the current proxy request to node. + // +optional + path?: string @go(Path) @protobuf(1,bytes,opt) +} + +// ServiceProxyOptions is the query options to a Service's proxy call. +#ServiceProxyOptions: { + metav1.#TypeMeta + + // Path is the part of URLs that include service endpoints, suffixes, + // and parameters to use for the current proxy request to service. 
+ // For example, the whole request URL is + // http://localhost/api/v1/namespaces/kube-system/services/elasticsearch-logging/_search?q=user:kimchy. + // Path is _search?q=user:kimchy. + // +optional + path?: string @go(Path) @protobuf(1,bytes,opt) +} + +// ObjectReference contains enough information to let you inspect or modify the referred object. +// --- +// New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. +// 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. +// 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular +// restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". +// Those cannot be well described when embedded. +// 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. +// 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity +// during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple +// and the version of the actual struct is irrelevant. +// 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type +// will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. +// +// Instead of using this type, create a locally provided and used type that is well-focused on your reference. +// For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . 
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +structType=atomic +#ObjectReference: { + // Kind of the referent. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + kind?: string @go(Kind) @protobuf(1,bytes,opt) + + // Namespace of the referent. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + // +optional + namespace?: string @go(Namespace) @protobuf(2,bytes,opt) + + // Name of the referent. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + // +optional + name?: string @go(Name) @protobuf(3,bytes,opt) + + // UID of the referent. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + // +optional + uid?: types.#UID @go(UID) @protobuf(4,bytes,opt,casttype=k8s.io/apimachinery/pkg/types.UID) + + // API version of the referent. + // +optional + apiVersion?: string @go(APIVersion) @protobuf(5,bytes,opt) + + // Specific resourceVersion to which this reference is made, if any. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + // +optional + resourceVersion?: string @go(ResourceVersion) @protobuf(6,bytes,opt) + + // If referring to a piece of an object instead of an entire object, this string + // should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + // For example, if the object reference is to a container within a pod, this would take on a value like: + // "spec.containers{name}" (where "name" refers to the name of the container that triggered + // the event) or if no container name is specified "spec.containers[2]" (container with + // index 2 in this pod). This syntax is chosen only to have some well-defined way of + // referencing a part of an object. 
+ // TODO: this design is not final and this field is subject to change in the future. + // +optional + fieldPath?: string @go(FieldPath) @protobuf(7,bytes,opt) +} + +// LocalObjectReference contains enough information to let you locate the +// referenced object inside the same namespace. +// +structType=atomic +#LocalObjectReference: { + // Name of the referent. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + // TODO: Add other useful fields. apiVersion, kind, uid? + // +optional + name?: string @go(Name) @protobuf(1,bytes,opt) +} + +// TypedLocalObjectReference contains enough information to let you locate the +// typed referenced object inside the same namespace. +// +structType=atomic +#TypedLocalObjectReference: { + // APIGroup is the group for the resource being referenced. + // If APIGroup is not specified, the specified Kind must be in the core API group. + // For any other third-party types, APIGroup is required. + // +optional + apiGroup?: null | string @go(APIGroup,*string) @protobuf(1,bytes,opt) + + // Kind is the type of resource being referenced + kind: string @go(Kind) @protobuf(2,bytes,opt) + + // Name is the name of resource being referenced + name: string @go(Name) @protobuf(3,bytes,opt) +} + +// SerializedReference is a reference to serialized object. +#SerializedReference: { + metav1.#TypeMeta + + // The reference to an object in the system. + // +optional + reference?: #ObjectReference @go(Reference) @protobuf(1,bytes,opt) +} + +// EventSource contains information for an event. +#EventSource: { + // Component from which the event is generated. + // +optional + component?: string @go(Component) @protobuf(1,bytes,opt) + + // Node name on which the event is generated. 
+ // +optional + host?: string @go(Host) @protobuf(2,bytes,opt) +} + +// Information only and will not cause any problems +#EventTypeNormal: "Normal" + +// These events are to warn that something might go wrong +#EventTypeWarning: "Warning" + +// Event is a report of an event somewhere in the cluster. Events +// have a limited retention time and triggers and messages may evolve +// with time. Event consumers should not rely on the timing of an event +// with a given Reason reflecting a consistent underlying trigger, or the +// continued existence of events with that Reason. Events should be +// treated as informative, best-effort, supplemental data. +#Event: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + metadata: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // The object that this event is about. + involvedObject: #ObjectReference @go(InvolvedObject) @protobuf(2,bytes,opt) + + // This should be a short, machine understandable string that gives the reason + // for the transition into the object's current status. + // TODO: provide exact specification for format. + // +optional + reason?: string @go(Reason) @protobuf(3,bytes,opt) + + // A human-readable description of the status of this operation. + // TODO: decide on maximum length. + // +optional + message?: string @go(Message) @protobuf(4,bytes,opt) + + // The component reporting this event. Should be a short machine understandable string. + // +optional + source?: #EventSource @go(Source) @protobuf(5,bytes,opt) + + // The time at which the event was first recorded. (Time of server receipt is in TypeMeta.) + // +optional + firstTimestamp?: metav1.#Time @go(FirstTimestamp) @protobuf(6,bytes,opt) + + // The time at which the most recent occurrence of this event was recorded. 
+ // +optional + lastTimestamp?: metav1.#Time @go(LastTimestamp) @protobuf(7,bytes,opt) + + // The number of times this event has occurred. + // +optional + count?: int32 @go(Count) @protobuf(8,varint,opt) + + // Type of this event (Normal, Warning), new types could be added in the future + // +optional + type?: string @go(Type) @protobuf(9,bytes,opt) + + // Time when this Event was first observed. + // +optional + eventTime?: metav1.#MicroTime @go(EventTime) @protobuf(10,bytes,opt) + + // Data about the Event series this event represents or nil if it's a singleton Event. + // +optional + series?: null | #EventSeries @go(Series,*EventSeries) @protobuf(11,bytes,opt) + + // What action was taken/failed regarding to the Regarding object. + // +optional + action?: string @go(Action) @protobuf(12,bytes,opt) + + // Optional secondary object for more complex actions. + // +optional + related?: null | #ObjectReference @go(Related,*ObjectReference) @protobuf(13,bytes,opt) + + // Name of the controller that emitted this Event, e.g. `kubernetes.io/kubelet`. + // +optional + reportingComponent: string @go(ReportingController) @protobuf(14,bytes,opt) + + // ID of the controller instance, e.g. `kubelet-xyzf`. + // +optional + reportingInstance: string @go(ReportingInstance) @protobuf(15,bytes,opt) +} + +// EventSeries contain information on series of events, i.e. thing that was/is happening +// continuously for some time. +#EventSeries: { + // Number of occurrences in this series up to the last heartbeat time + count?: int32 @go(Count) @protobuf(1,varint) + + // Time of the last occurrence observed + lastObservedTime?: metav1.#MicroTime @go(LastObservedTime) @protobuf(2,bytes) +} + +// EventList is a list of events. +#EventList: { + metav1.#TypeMeta + + // Standard list metadata. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of events + items: [...#Event] @go(Items,[]Event) @protobuf(2,bytes,rep) +} + +// List holds a list of objects, which may not be known by the server. +#List: metav1.#List + +// LimitType is a type of object that is limited. It can be Pod, Container, PersistentVolumeClaim or +// a fully qualified resource name. +#LimitType: string // #enumLimitType + +#enumLimitType: + #LimitTypePod | + #LimitTypeContainer | + #LimitTypePersistentVolumeClaim + +// Limit that applies to all pods in a namespace +#LimitTypePod: #LimitType & "Pod" + +// Limit that applies to all containers in a namespace +#LimitTypeContainer: #LimitType & "Container" + +// Limit that applies to all persistent volume claims in a namespace +#LimitTypePersistentVolumeClaim: #LimitType & "PersistentVolumeClaim" + +// LimitRangeItem defines a min/max usage limit for any resource that matches on kind. +#LimitRangeItem: { + // Type of resource that this limit applies to. + type: #LimitType @go(Type) @protobuf(1,bytes,opt,casttype=LimitType) + + // Max usage constraints on this kind by resource name. + // +optional + max?: #ResourceList @go(Max) @protobuf(2,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // Min usage constraints on this kind by resource name. + // +optional + min?: #ResourceList @go(Min) @protobuf(3,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // Default resource requirement limit value by resource name if resource limit is omitted. + // +optional + default?: #ResourceList @go(Default) @protobuf(4,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // DefaultRequest is the default resource requirement request value by resource name if resource request is omitted. 
+ // +optional + defaultRequest?: #ResourceList @go(DefaultRequest) @protobuf(5,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // MaxLimitRequestRatio if specified, the named resource must have a request and limit that are both non-zero where limit divided by request is less than or equal to the enumerated value; this represents the max burst for the named resource. + // +optional + maxLimitRequestRatio?: #ResourceList @go(MaxLimitRequestRatio) @protobuf(6,bytes,rep,casttype=ResourceList,castkey=ResourceName) +} + +// LimitRangeSpec defines a min/max usage limit for resources that match on kind. +#LimitRangeSpec: { + // Limits is the list of LimitRangeItem objects that are enforced. + limits: [...#LimitRangeItem] @go(Limits,[]LimitRangeItem) @protobuf(1,bytes,rep) +} + +// LimitRange sets resource usage limits for each kind of resource in a Namespace. +#LimitRange: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec defines the limits enforced. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #LimitRangeSpec @go(Spec) @protobuf(2,bytes,opt) +} + +// LimitRangeList is a list of LimitRange items. +#LimitRangeList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of LimitRange objects. 
+ // More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + items: [...#LimitRange] @go(Items,[]LimitRange) @protobuf(2,bytes,rep) +} + +// Pods, number +#ResourcePods: #ResourceName & "pods" + +// Services, number +#ResourceServices: #ResourceName & "services" + +// ReplicationControllers, number +#ResourceReplicationControllers: #ResourceName & "replicationcontrollers" + +// ResourceQuotas, number +#ResourceQuotas: #ResourceName & "resourcequotas" + +// ResourceSecrets, number +#ResourceSecrets: #ResourceName & "secrets" + +// ResourceConfigMaps, number +#ResourceConfigMaps: #ResourceName & "configmaps" + +// ResourcePersistentVolumeClaims, number +#ResourcePersistentVolumeClaims: #ResourceName & "persistentvolumeclaims" + +// ResourceServicesNodePorts, number +#ResourceServicesNodePorts: #ResourceName & "services.nodeports" + +// ResourceServicesLoadBalancers, number +#ResourceServicesLoadBalancers: #ResourceName & "services.loadbalancers" + +// CPU request, in cores. (500m = .5 cores) +#ResourceRequestsCPU: #ResourceName & "requests.cpu" + +// Memory request, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) +#ResourceRequestsMemory: #ResourceName & "requests.memory" + +// Storage request, in bytes +#ResourceRequestsStorage: #ResourceName & "requests.storage" + +// Local ephemeral storage request, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) +#ResourceRequestsEphemeralStorage: #ResourceName & "requests.ephemeral-storage" + +// CPU limit, in cores. (500m = .5 cores) +#ResourceLimitsCPU: #ResourceName & "limits.cpu" + +// Memory limit, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) +#ResourceLimitsMemory: #ResourceName & "limits.memory" + +// Local ephemeral storage limit, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) +#ResourceLimitsEphemeralStorage: #ResourceName & "limits.ephemeral-storage" + +// HugePages request, in bytes. 
(500Gi = 500GiB = 500 * 1024 * 1024 * 1024) +// As burst is not supported for HugePages, we would only quota its request, and ignore the limit. +#ResourceRequestsHugePagesPrefix: "requests.hugepages-" + +// Default resource requests prefix +#DefaultResourceRequestsPrefix: "requests." + +// A ResourceQuotaScope defines a filter that must match each object tracked by a quota +// +enum +#ResourceQuotaScope: string // #enumResourceQuotaScope + +#enumResourceQuotaScope: + #ResourceQuotaScopeTerminating | + #ResourceQuotaScopeNotTerminating | + #ResourceQuotaScopeBestEffort | + #ResourceQuotaScopeNotBestEffort | + #ResourceQuotaScopePriorityClass | + #ResourceQuotaScopeCrossNamespacePodAffinity + +// Match all pod objects where spec.activeDeadlineSeconds >=0 +#ResourceQuotaScopeTerminating: #ResourceQuotaScope & "Terminating" + +// Match all pod objects where spec.activeDeadlineSeconds is nil +#ResourceQuotaScopeNotTerminating: #ResourceQuotaScope & "NotTerminating" + +// Match all pod objects that have best effort quality of service +#ResourceQuotaScopeBestEffort: #ResourceQuotaScope & "BestEffort" + +// Match all pod objects that do not have best effort quality of service +#ResourceQuotaScopeNotBestEffort: #ResourceQuotaScope & "NotBestEffort" + +// Match all pod objects that have priority class mentioned +#ResourceQuotaScopePriorityClass: #ResourceQuotaScope & "PriorityClass" + +// Match all pod objects that have cross-namespace pod (anti)affinity mentioned. +#ResourceQuotaScopeCrossNamespacePodAffinity: #ResourceQuotaScope & "CrossNamespacePodAffinity" + +// ResourceQuotaSpec defines the desired hard limits to enforce for Quota. +#ResourceQuotaSpec: { + // hard is the set of desired hard limits for each named resource. 
+ // More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/ + // +optional + hard?: #ResourceList @go(Hard) @protobuf(1,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // A collection of filters that must match each object tracked by a quota. + // If not specified, the quota matches all objects. + // +optional + scopes?: [...#ResourceQuotaScope] @go(Scopes,[]ResourceQuotaScope) @protobuf(2,bytes,rep,casttype=ResourceQuotaScope) + + // scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota + // but expressed using ScopeSelectorOperator in combination with possible values. + // For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched. + // +optional + scopeSelector?: null | #ScopeSelector @go(ScopeSelector,*ScopeSelector) @protobuf(3,bytes,opt) +} + +// A scope selector represents the AND of the selectors represented +// by the scoped-resource selector requirements. +// +structType=atomic +#ScopeSelector: { + // A list of scope selector requirements by scope of the resources. + // +optional + matchExpressions?: [...#ScopedResourceSelectorRequirement] @go(MatchExpressions,[]ScopedResourceSelectorRequirement) @protobuf(1,bytes,rep) +} + +// A scoped-resource selector requirement is a selector that contains values, a scope name, and an operator +// that relates the scope name and values. +#ScopedResourceSelectorRequirement: { + // The name of the scope that the selector applies to. + scopeName: #ResourceQuotaScope @go(ScopeName) @protobuf(1,bytes,opt) + + // Represents a scope's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. + operator: #ScopeSelectorOperator @go(Operator) @protobuf(2,bytes,opt,casttype=ScopedResourceSelectorOperator) + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + // the values array must be empty. + // This array is replaced during a strategic merge patch. + // +optional + values?: [...string] @go(Values,[]string) @protobuf(3,bytes,rep) +} + +// A scope selector operator is the set of operators that can be used in +// a scope selector requirement. +// +enum +#ScopeSelectorOperator: string // #enumScopeSelectorOperator + +#enumScopeSelectorOperator: + #ScopeSelectorOpIn | + #ScopeSelectorOpNotIn | + #ScopeSelectorOpExists | + #ScopeSelectorOpDoesNotExist + +#ScopeSelectorOpIn: #ScopeSelectorOperator & "In" +#ScopeSelectorOpNotIn: #ScopeSelectorOperator & "NotIn" +#ScopeSelectorOpExists: #ScopeSelectorOperator & "Exists" +#ScopeSelectorOpDoesNotExist: #ScopeSelectorOperator & "DoesNotExist" + +// ResourceQuotaStatus defines the enforced hard limits and observed use. +#ResourceQuotaStatus: { + // Hard is the set of enforced hard limits for each named resource. + // More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/ + // +optional + hard?: #ResourceList @go(Hard) @protobuf(1,bytes,rep,casttype=ResourceList,castkey=ResourceName) + + // Used is the current observed total usage of the resource in the namespace. + // +optional + used?: #ResourceList @go(Used) @protobuf(2,bytes,rep,casttype=ResourceList,castkey=ResourceName) +} + +// ResourceQuota sets aggregate quota restrictions enforced per namespace +#ResourceQuota: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Spec defines the desired quota. + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #ResourceQuotaSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status defines the actual enforced quota and its current usage. 
+ // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #ResourceQuotaStatus @go(Status) @protobuf(3,bytes,opt) +} + +// ResourceQuotaList is a list of ResourceQuota items. +#ResourceQuotaList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of ResourceQuota objects. + // More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/ + items: [...#ResourceQuota] @go(Items,[]ResourceQuota) @protobuf(2,bytes,rep) +} + +// Secret holds secret data of a certain type. The total bytes of the values in +// the Data field must be less than MaxSecretSize bytes. +#Secret: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Immutable, if set to true, ensures that data stored in the Secret cannot + // be updated (only object metadata can be modified). + // If not set to true, the field can be modified at any time. + // Defaulted to nil. + // +optional + immutable?: null | bool @go(Immutable,*bool) @protobuf(5,varint,opt) + + // Data contains the secret data. Each key must consist of alphanumeric + // characters, '-', '_' or '.'. The serialized form of the secret data is a + // base64 encoded string, representing the arbitrary (possibly non-string) + // data value here. Described in https://tools.ietf.org/html/rfc4648#section-4 + // +optional + data?: {[string]: bytes} @go(Data,map[string][]byte) @protobuf(2,bytes,rep) + + // stringData allows specifying non-binary secret data in string form. + // It is provided as a write-only input field for convenience. 
+ // All keys and values are merged into the data field on write, overwriting any existing values. + // The stringData field is never output when reading from the API. + // +k8s:conversion-gen=false + // +optional + stringData?: {[string]: string} @go(StringData,map[string]string) @protobuf(4,bytes,rep) + + // Used to facilitate programmatic handling of secret data. + // More info: https://kubernetes.io/docs/concepts/configuration/secret/#secret-types + // +optional + type?: #SecretType @go(Type) @protobuf(3,bytes,opt,casttype=SecretType) +} + +#MaxSecretSize: 1048576 + +#SecretType: string // #enumSecretType + +#enumSecretType: + #SecretTypeOpaque | + #SecretTypeServiceAccountToken | + #SecretTypeDockercfg | + #SecretTypeDockerConfigJson | + #SecretTypeBasicAuth | + #SecretTypeSSHAuth | + #SecretTypeTLS | + #SecretTypeBootstrapToken + +// SecretTypeOpaque is the default. Arbitrary user-defined data +#SecretTypeOpaque: #SecretType & "Opaque" + +// SecretTypeServiceAccountToken contains a token that identifies a service account to the API +// +// Required fields: +// - Secret.Annotations["kubernetes.io/service-account.name"] - the name of the ServiceAccount the token identifies +// - Secret.Annotations["kubernetes.io/service-account.uid"] - the UID of the ServiceAccount the token identifies +// - Secret.Data["token"] - a token that identifies the service account to the API +#SecretTypeServiceAccountToken: #SecretType & "kubernetes.io/service-account-token" + +// ServiceAccountNameKey is the key of the required annotation for SecretTypeServiceAccountToken secrets +#ServiceAccountNameKey: "kubernetes.io/service-account.name" + +// ServiceAccountUIDKey is the key of the required annotation for SecretTypeServiceAccountToken secrets +#ServiceAccountUIDKey: "kubernetes.io/service-account.uid" + +// ServiceAccountTokenKey is the key of the required data for SecretTypeServiceAccountToken secrets +#ServiceAccountTokenKey: "token" + +// ServiceAccountKubeconfigKey is the key 
of the optional kubeconfig data for SecretTypeServiceAccountToken secrets +#ServiceAccountKubeconfigKey: "kubernetes.kubeconfig" + +// ServiceAccountRootCAKey is the key of the optional root certificate authority for SecretTypeServiceAccountToken secrets +#ServiceAccountRootCAKey: "ca.crt" + +// ServiceAccountNamespaceKey is the key of the optional namespace to use as the default for namespaced API calls +#ServiceAccountNamespaceKey: "namespace" + +// SecretTypeDockercfg contains a dockercfg file that follows the same format rules as ~/.dockercfg +// +// Required fields: +// - Secret.Data[".dockercfg"] - a serialized ~/.dockercfg file +#SecretTypeDockercfg: #SecretType & "kubernetes.io/dockercfg" + +// DockerConfigKey is the key of the required data for SecretTypeDockercfg secrets +#DockerConfigKey: ".dockercfg" + +// SecretTypeDockerConfigJson contains a dockercfg file that follows the same format rules as ~/.docker/config.json +// +// Required fields: +// - Secret.Data[".dockerconfigjson"] - a serialized ~/.docker/config.json file +#SecretTypeDockerConfigJson: #SecretType & "kubernetes.io/dockerconfigjson" + +// DockerConfigJsonKey is the key of the required data for SecretTypeDockerConfigJson secrets +#DockerConfigJsonKey: ".dockerconfigjson" + +// SecretTypeBasicAuth contains data needed for basic authentication. +// +// Required at least one of fields: +// - Secret.Data["username"] - username used for authentication +// - Secret.Data["password"] - password or token needed for authentication +#SecretTypeBasicAuth: #SecretType & "kubernetes.io/basic-auth" + +// BasicAuthUsernameKey is the key of the username for SecretTypeBasicAuth secrets +#BasicAuthUsernameKey: "username" + +// BasicAuthPasswordKey is the key of the password or token for SecretTypeBasicAuth secrets +#BasicAuthPasswordKey: "password" + +// SecretTypeSSHAuth contains data needed for SSH authetication. 
+// +// Required field: +// - Secret.Data["ssh-privatekey"] - private SSH key needed for authentication +#SecretTypeSSHAuth: #SecretType & "kubernetes.io/ssh-auth" + +// SSHAuthPrivateKey is the key of the required SSH private key for SecretTypeSSHAuth secrets +#SSHAuthPrivateKey: "ssh-privatekey" + +// SecretTypeTLS contains information about a TLS client or server secret. It +// is primarily used with TLS termination of the Ingress resource, but may be +// used in other types. +// +// Required fields: +// - Secret.Data["tls.key"] - TLS private key. +// Secret.Data["tls.crt"] - TLS certificate. +// TODO: Consider supporting different formats, specifying CA/destinationCA. +#SecretTypeTLS: #SecretType & "kubernetes.io/tls" + +// TLSCertKey is the key for tls certificates in a TLS secret. +#TLSCertKey: "tls.crt" + +// TLSPrivateKeyKey is the key for the private key field in a TLS secret. +#TLSPrivateKeyKey: "tls.key" + +// SecretTypeBootstrapToken is used during the automated bootstrap process (first +// implemented by kubeadm). It stores tokens that are used to sign well known +// ConfigMaps. They are used for authn. +#SecretTypeBootstrapToken: #SecretType & "bootstrap.kubernetes.io/token" + +// SecretList is a list of Secret. +#SecretList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of secret objects. + // More info: https://kubernetes.io/docs/concepts/configuration/secret + items: [...#Secret] @go(Items,[]Secret) @protobuf(2,bytes,rep) +} + +// ConfigMap holds configuration data for pods to consume. +#ConfigMap: { + metav1.#TypeMeta + + // Standard object's metadata. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Immutable, if set to true, ensures that data stored in the ConfigMap cannot + // be updated (only object metadata can be modified). + // If not set to true, the field can be modified at any time. + // Defaulted to nil. + // +optional + immutable?: null | bool @go(Immutable,*bool) @protobuf(4,varint,opt) + + // Data contains the configuration data. + // Each key must consist of alphanumeric characters, '-', '_' or '.'. + // Values with non-UTF-8 byte sequences must use the BinaryData field. + // The keys stored in Data must not overlap with the keys in + // the BinaryData field, this is enforced during validation process. + // +optional + data?: {[string]: string} @go(Data,map[string]string) @protobuf(2,bytes,rep) + + // BinaryData contains the binary data. + // Each key must consist of alphanumeric characters, '-', '_' or '.'. + // BinaryData can contain byte sequences that are not in the UTF-8 range. + // The keys stored in BinaryData must not overlap with the ones in + // the Data field, this is enforced during validation process. + // Using this field will require 1.10+ apiserver and + // kubelet. + // +optional + binaryData?: {[string]: bytes} @go(BinaryData,map[string][]byte) @protobuf(3,bytes,rep) +} + +// ConfigMapList is a resource containing a list of ConfigMap objects. +#ConfigMapList: { + metav1.#TypeMeta + + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is the list of ConfigMaps. + items: [...#ConfigMap] @go(Items,[]ConfigMap) @protobuf(2,bytes,rep) +} + +// Type and constants for component health validation. 
+#ComponentConditionType: string // #enumComponentConditionType + +#enumComponentConditionType: + #ComponentHealthy + +#ComponentHealthy: #ComponentConditionType & "Healthy" + +// Information about the condition of a component. +#ComponentCondition: { + // Type of condition for a component. + // Valid value: "Healthy" + type: #ComponentConditionType @go(Type) @protobuf(1,bytes,opt,casttype=ComponentConditionType) + + // Status of the condition for a component. + // Valid values for "Healthy": "True", "False", or "Unknown". + status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus) + + // Message about the condition for a component. + // For example, information about a health check. + // +optional + message?: string @go(Message) @protobuf(3,bytes,opt) + + // Condition error code for a component. + // For example, a health check error code. + // +optional + error?: string @go(Error) @protobuf(4,bytes,opt) +} + +// ComponentStatus (and ComponentStatusList) holds the cluster validation info. +// Deprecated: This API is deprecated in v1.19+ +#ComponentStatus: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // List of component conditions observed + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + conditions?: [...#ComponentCondition] @go(Conditions,[]ComponentCondition) @protobuf(2,bytes,rep) +} + +// Status of all the conditions for the component as a list of ComponentStatus objects. +// Deprecated: This API is deprecated in v1.19+ +#ComponentStatusList: { + metav1.#TypeMeta + + // Standard list metadata. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of ComponentStatus objects. + items: [...#ComponentStatus] @go(Items,[]ComponentStatus) @protobuf(2,bytes,rep) +} + +// DownwardAPIVolumeSource represents a volume containing downward API info. +// Downward API volumes support ownership management and SELinux relabeling. +#DownwardAPIVolumeSource: { + // Items is a list of downward API volume file + // +optional + items?: [...#DownwardAPIVolumeFile] @go(Items,[]DownwardAPIVolumeFile) @protobuf(1,bytes,rep) + + // Optional: mode bits to use on created files by default. Must be a + // Optional: mode bits used to set permissions on created files by default. + // Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + // Defaults to 0644. + // Directories within the path are not affected by this setting. + // This might be in conflict with other options that affect the file + // mode, like fsGroup, and the result can be other mode bits set. + // +optional + defaultMode?: null | int32 @go(DefaultMode,*int32) @protobuf(2,varint,opt) +} + +#DownwardAPIVolumeSourceDefaultMode: int32 & 0o644 + +// DownwardAPIVolumeFile represents information to create the file containing the pod field +#DownwardAPIVolumeFile: { + // Required: Path is the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..' + path: string @go(Path) @protobuf(1,bytes,opt) + + // Required: Selects a field of the pod: only annotations, labels, name and namespace are supported. 
+ // +optional + fieldRef?: null | #ObjectFieldSelector @go(FieldRef,*ObjectFieldSelector) @protobuf(2,bytes,opt) + + // Selects a resource of the container: only resources limits and requests + // (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + // +optional + resourceFieldRef?: null | #ResourceFieldSelector @go(ResourceFieldRef,*ResourceFieldSelector) @protobuf(3,bytes,opt) + + // Optional: mode bits used to set permissions on this file, must be an octal value + // between 0000 and 0777 or a decimal value between 0 and 511. + // YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + // If not specified, the volume defaultMode will be used. + // This might be in conflict with other options that affect the file + // mode, like fsGroup, and the result can be other mode bits set. + // +optional + mode?: null | int32 @go(Mode,*int32) @protobuf(4,varint,opt) +} + +// Represents downward API info for projecting into a projected volume. +// Note that this is identical to a downwardAPI volume source without the default +// mode. +#DownwardAPIProjection: { + // Items is a list of DownwardAPIVolume file + // +optional + items?: [...#DownwardAPIVolumeFile] @go(Items,[]DownwardAPIVolumeFile) @protobuf(1,bytes,rep) +} + +// SecurityContext holds security configuration that will be applied to a container. +// Some fields are present in both SecurityContext and PodSecurityContext. When both +// are set, the values in SecurityContext take precedence. +#SecurityContext: { + // The capabilities to add/drop when running containers. + // Defaults to the default set of capabilities granted by the container runtime. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + capabilities?: null | #Capabilities @go(Capabilities,*Capabilities) @protobuf(1,bytes,opt) + + // Run container in privileged mode. 
+ // Processes in privileged containers are essentially equivalent to root on the host. + // Defaults to false. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + privileged?: null | bool @go(Privileged,*bool) @protobuf(2,varint,opt) + + // The SELinux context to be applied to the container. + // If unspecified, the container runtime will allocate a random SELinux context for each + // container. May also be set in PodSecurityContext. If set in both SecurityContext and + // PodSecurityContext, the value specified in SecurityContext takes precedence. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + seLinuxOptions?: null | #SELinuxOptions @go(SELinuxOptions,*SELinuxOptions) @protobuf(3,bytes,opt) + + // The Windows specific settings applied to all containers. + // If unspecified, the options from the PodSecurityContext will be used. + // If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + // Note that this field cannot be set when spec.os.name is linux. + // +optional + windowsOptions?: null | #WindowsSecurityContextOptions @go(WindowsOptions,*WindowsSecurityContextOptions) @protobuf(10,bytes,opt) + + // The UID to run the entrypoint of the container process. + // Defaults to user specified in image metadata if unspecified. + // May also be set in PodSecurityContext. If set in both SecurityContext and + // PodSecurityContext, the value specified in SecurityContext takes precedence. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + runAsUser?: null | int64 @go(RunAsUser,*int64) @protobuf(4,varint,opt) + + // The GID to run the entrypoint of the container process. + // Uses runtime default if unset. + // May also be set in PodSecurityContext. If set in both SecurityContext and + // PodSecurityContext, the value specified in SecurityContext takes precedence. 
+ // Note that this field cannot be set when spec.os.name is windows. + // +optional + runAsGroup?: null | int64 @go(RunAsGroup,*int64) @protobuf(8,varint,opt) + + // Indicates that the container must run as a non-root user. + // If true, the Kubelet will validate the image at runtime to ensure that it + // does not run as UID 0 (root) and fail to start the container if it does. + // If unset or false, no such validation will be performed. + // May also be set in PodSecurityContext. If set in both SecurityContext and + // PodSecurityContext, the value specified in SecurityContext takes precedence. + // +optional + runAsNonRoot?: null | bool @go(RunAsNonRoot,*bool) @protobuf(5,varint,opt) + + // Whether this container has a read-only root filesystem. + // Default is false. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + readOnlyRootFilesystem?: null | bool @go(ReadOnlyRootFilesystem,*bool) @protobuf(6,varint,opt) + + // AllowPrivilegeEscalation controls whether a process can gain more + // privileges than its parent process. This bool directly controls if + // the no_new_privs flag will be set on the container process. + // AllowPrivilegeEscalation is true always when the container is: + // 1) run as Privileged + // 2) has CAP_SYS_ADMIN + // Note that this field cannot be set when spec.os.name is windows. + // +optional + allowPrivilegeEscalation?: null | bool @go(AllowPrivilegeEscalation,*bool) @protobuf(7,varint,opt) + + // procMount denotes the type of proc mount to use for the containers. + // The default is DefaultProcMount which uses the container runtime defaults for + // readonly paths and masked paths. + // This requires the ProcMountType feature flag to be enabled. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + procMount?: null | #ProcMountType @go(ProcMount,*ProcMountType) @protobuf(9,bytes,opt) + + // The seccomp options to use by this container. 
If seccomp options are + // provided at both the pod & container level, the container options + // override the pod options. + // Note that this field cannot be set when spec.os.name is windows. + // +optional + seccompProfile?: null | #SeccompProfile @go(SeccompProfile,*SeccompProfile) @protobuf(11,bytes,opt) +} + +// +enum +#ProcMountType: string // #enumProcMountType + +#enumProcMountType: + #DefaultProcMount | + #UnmaskedProcMount + +// DefaultProcMount uses the container runtime defaults for readonly and masked +// paths for /proc. Most container runtimes mask certain paths in /proc to avoid +// accidental security exposure of special devices or information. +#DefaultProcMount: #ProcMountType & "Default" + +// UnmaskedProcMount bypasses the default masking behavior of the container +// runtime and ensures the newly created /proc the container stays in tact with +// no modifications. +#UnmaskedProcMount: #ProcMountType & "Unmasked" + +// SELinuxOptions are the labels to be applied to the container +#SELinuxOptions: { + // User is a SELinux user label that applies to the container. + // +optional + user?: string @go(User) @protobuf(1,bytes,opt) + + // Role is a SELinux role label that applies to the container. + // +optional + role?: string @go(Role) @protobuf(2,bytes,opt) + + // Type is a SELinux type label that applies to the container. + // +optional + type?: string @go(Type) @protobuf(3,bytes,opt) + + // Level is SELinux level label that applies to the container. + // +optional + level?: string @go(Level) @protobuf(4,bytes,opt) +} + +// WindowsSecurityContextOptions contain Windows-specific options and credentials. +#WindowsSecurityContextOptions: { + // GMSACredentialSpecName is the name of the GMSA credential spec to use. 
+ // +optional + gmsaCredentialSpecName?: null | string @go(GMSACredentialSpecName,*string) @protobuf(1,bytes,opt) + + // GMSACredentialSpec is where the GMSA admission webhook + // (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + // GMSA credential spec named by the GMSACredentialSpecName field. + // +optional + gmsaCredentialSpec?: null | string @go(GMSACredentialSpec,*string) @protobuf(2,bytes,opt) + + // The UserName in Windows to run the entrypoint of the container process. + // Defaults to the user specified in image metadata if unspecified. + // May also be set in PodSecurityContext. If set in both SecurityContext and + // PodSecurityContext, the value specified in SecurityContext takes precedence. + // +optional + runAsUserName?: null | string @go(RunAsUserName,*string) @protobuf(3,bytes,opt) + + // HostProcess determines if a container should be run as a 'Host Process' container. + // All of a Pod's containers must have the same effective HostProcess value + // (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + // In addition, if HostProcess is true then HostNetwork must also be set to true. + // +optional + hostProcess?: null | bool @go(HostProcess,*bool) @protobuf(4,bytes,opt) +} + +// RangeAllocation is not a public type. +#RangeAllocation: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Range is string that identifies the range represented by 'data'. + range: string @go(Range) @protobuf(2,bytes,opt) + + // Data is a bit array containing all allocated addresses in the previous segment. + data: bytes @go(Data,[]byte) @protobuf(3,bytes,opt) +} + +// DefaultSchedulerName defines the name of default scheduler. 
+#DefaultSchedulerName: "default-scheduler" + +// RequiredDuringScheduling affinity is not symmetric, but there is an implicit PreferredDuringScheduling affinity rule +// corresponding to every RequiredDuringScheduling affinity rule. +// When the --hard-pod-affinity-weight scheduler flag is not specified, +// DefaultHardPodAffinityWeight defines the weight of the implicit PreferredDuringScheduling affinity rule. +#DefaultHardPodAffinitySymmetricWeight: int32 & 1 + +// Sysctl defines a kernel parameter to be set +#Sysctl: { + // Name of a property to set + name: string @go(Name) @protobuf(1,bytes,opt) + + // Value of a property to set + value: string @go(Value) @protobuf(2,bytes,opt) +} + +// NodeResources is an object for conveying resource information about a node. +// see https://kubernetes.io/docs/concepts/architecture/nodes/#capacity for more details. +#NodeResources: { + // Capacity represents the available resources of a node + Capacity: #ResourceList @protobuf(1,bytes,rep,name=capacity,casttype=ResourceList,castkey=ResourceName) +} + +// Enable stdin for remote command execution +#ExecStdinParam: "input" + +// Enable stdout for remote command execution +#ExecStdoutParam: "output" + +// Enable stderr for remote command execution +#ExecStderrParam: "error" + +// Enable TTY for remote command execution +#ExecTTYParam: "tty" + +// Command to run for remote command execution +#ExecCommandParam: "command" + +// Name of header that specifies stream type +#StreamType: "streamType" + +// Value for streamType header for stdin stream +#StreamTypeStdin: "stdin" + +// Value for streamType header for stdout stream +#StreamTypeStdout: "stdout" + +// Value for streamType header for stderr stream +#StreamTypeStderr: "stderr" + +// Value for streamType header for data stream +#StreamTypeData: "data" + +// Value for streamType header for error stream +#StreamTypeError: "error" + +// Value for streamType header for terminal resize stream +#StreamTypeResize: "resize" + +// Name 
of header that specifies the port being forwarded +#PortHeader: "port" + +// Name of header that specifies a request ID used to associate the error +// and data streams for a single forwarded connection +#PortForwardRequestIDHeader: "requestID" + +// MixedProtocolNotSupported error in PortStatus means that the cloud provider +// can't publish the port on the load balancer because mixed values of protocols +// on the same LoadBalancer type of Service are not supported by the cloud provider. +#MixedProtocolNotSupported: "MixedProtocolNotSupported" + +#PortStatus: { + // Port is the port number of the service port of which status is recorded here + port: int32 @go(Port) @protobuf(1,varint,opt) + + // Protocol is the protocol of the service port of which status is recorded here + // The supported values are: "TCP", "UDP", "SCTP" + protocol: #Protocol @go(Protocol) @protobuf(2,bytes,opt,casttype=Protocol) + + // Error is to record the problem with the service port + // The format of the error shall comply with the following rules: + // - built-in error values shall be specified in this file and those shall use + // CamelCase names + // - cloud provider specific error values must have names that comply with the + // format foo.example.com/CamelCase. + // --- + // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + // +optional + // +kubebuilder:validation:Required + // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` + // +kubebuilder:validation:MaxLength=316 + error?: null | string @go(Error,*string) @protobuf(3,bytes,opt) +} diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/core/v1/well_known_labels_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/core/v1/well_known_labels_go_gen.cue new file mode 100644 index 000000000..2a1f060b6 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/core/v1/well_known_labels_go_gen.cue 
@@ -0,0 +1,59 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/core/v1 + +package v1 + +#LabelHostname: "kubernetes.io/hostname" + +// Label value is the network location of kube-apiserver stored as +// Stored in APIServer Identity lease objects to view what address is used for peer proxy +#AnnotationPeerAdvertiseAddress: "kubernetes.io/peer-advertise-address" +#LabelTopologyZone: "topology.kubernetes.io/zone" +#LabelTopologyRegion: "topology.kubernetes.io/region" + +// These label have been deprecated since 1.17, but will be supported for +// the foreseeable future, to accommodate things like long-lived PVs that +// use them. New users should prefer the "topology.kubernetes.io/*" +// equivalents. +#LabelFailureDomainBetaZone: "failure-domain.beta.kubernetes.io/zone" +#LabelFailureDomainBetaRegion: "failure-domain.beta.kubernetes.io/region" + +// Retained for compat when vendored. Do not use these consts in new code. +#LabelZoneFailureDomain: "failure-domain.beta.kubernetes.io/zone" +#LabelZoneRegion: "failure-domain.beta.kubernetes.io/region" +#LabelZoneFailureDomainStable: "topology.kubernetes.io/zone" +#LabelZoneRegionStable: "topology.kubernetes.io/region" +#LabelInstanceType: "beta.kubernetes.io/instance-type" +#LabelInstanceTypeStable: "node.kubernetes.io/instance-type" +#LabelOSStable: "kubernetes.io/os" +#LabelArchStable: "kubernetes.io/arch" + +// LabelWindowsBuild is used on Windows nodes to specify the Windows build number starting with v1.17.0. 
+// It's in the format MajorVersion.MinorVersion.BuildNumber (for ex: 10.0.17763) +#LabelWindowsBuild: "node.kubernetes.io/windows-build" + +// LabelNamespaceSuffixKubelet is an allowed label namespace suffix kubelets can self-set ([*.]kubelet.kubernetes.io/*) +#LabelNamespaceSuffixKubelet: "kubelet.kubernetes.io" + +// LabelNamespaceSuffixNode is an allowed label namespace suffix kubelets can self-set ([*.]node.kubernetes.io/*) +#LabelNamespaceSuffixNode: "node.kubernetes.io" + +// LabelNamespaceNodeRestriction is a forbidden label namespace that kubelets may not self-set when the NodeRestriction admission plugin is enabled +#LabelNamespaceNodeRestriction: "node-restriction.kubernetes.io" + +// IsHeadlessService is added by Controller to an Endpoint denoting if its parent +// Service is Headless. The existence of this label can be used further by other +// controllers and kube-proxy to check if the Endpoint objects should be replicated when +// using Headless Services +#IsHeadlessService: "service.kubernetes.io/headless" + +// LabelNodeExcludeBalancers specifies that the node should not be considered as a target +// for external load-balancers which use nodes as a second hop (e.g. many cloud LBs which only +// understand nodes). For services that use externalTrafficPolicy=Local, this may mean that +// any backends on excluded nodes are not reachable by those external load-balancers. +// Implementations of this exclusion may vary based on provider. +#LabelNodeExcludeBalancers: "node.kubernetes.io/exclude-from-external-load-balancers" + +// LabelMetadataName is the label name which, in-tree, is used to automatically label namespaces, so they can be selected easily by tools which require definitive labels +#LabelMetadataName: "kubernetes.io/metadata.name" 
diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/core/v1/well_known_taints_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/core/v1/well_known_taints_go_gen.cue new file mode 100644 index 000000000..b7c097336 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/core/v1/well_known_taints_go_gen.cue @@ -0,0 +1,38 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/core/v1 + +package v1 + +// TaintNodeNotReady will be added when node is not ready +// and removed when node becomes ready. +#TaintNodeNotReady: "node.kubernetes.io/not-ready" + +// TaintNodeUnreachable will be added when node becomes unreachable +// (corresponding to NodeReady status ConditionUnknown) +// and removed when node becomes reachable (NodeReady status ConditionTrue). +#TaintNodeUnreachable: "node.kubernetes.io/unreachable" + +// TaintNodeUnschedulable will be added when node becomes unschedulable +// and removed when node becomes schedulable. +#TaintNodeUnschedulable: "node.kubernetes.io/unschedulable" + +// TaintNodeMemoryPressure will be added when node has memory pressure +// and removed when node has enough memory. +#TaintNodeMemoryPressure: "node.kubernetes.io/memory-pressure" + +// TaintNodeDiskPressure will be added when node has disk pressure +// and removed when node has enough disk. +#TaintNodeDiskPressure: "node.kubernetes.io/disk-pressure" + +// TaintNodeNetworkUnavailable will be added when node's network is unavailable +// and removed when network becomes ready. +#TaintNodeNetworkUnavailable: "node.kubernetes.io/network-unavailable" + +// TaintNodePIDPressure will be added when node has pid pressure +// and removed when node has enough pid. +#TaintNodePIDPressure: "node.kubernetes.io/pid-pressure" + +// TaintNodeOutOfService can be added when node is out of service in case of +// a non-graceful shutdown +#TaintNodeOutOfService: "node.kubernetes.io/out-of-service" 
diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/discovery/v1/register_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/discovery/v1/register_go_gen.cue new file mode 100644 index 000000000..19a7d631a --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/discovery/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/discovery/v1 + +package v1 + +#GroupName: "discovery.k8s.io" diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/discovery/v1/types_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/discovery/v1/types_go_gen.cue new file mode 100644 index 000000000..144ef53e7 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/discovery/v1/types_go_gen.cue 
@@ -0,0 +1,206 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/discovery/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/api/core/v1" +) + +// EndpointSlice represents a subset of the endpoints that implement a service. +// For a given service there may be multiple EndpointSlice objects, selected by +// labels, which must be joined to produce the full set of endpoints. +#EndpointSlice: { + metav1.#TypeMeta + + // Standard object's metadata. + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // addressType specifies the type of address carried by this EndpointSlice. + // All addresses in this slice must be the same type. This field is + // immutable after creation. The following address types are currently + // supported: + // * IPv4: Represents an IPv4 Address. + // * IPv6: Represents an IPv6 Address. + // * FQDN: Represents a Fully Qualified Domain Name. + addressType: #AddressType @go(AddressType) @protobuf(4,bytes,rep) + + // endpoints is a list of unique endpoints in this slice. Each slice may + // include a maximum of 1000 endpoints. + // +listType=atomic + endpoints: [...#Endpoint] @go(Endpoints,[]Endpoint) @protobuf(2,bytes,rep) + + // ports specifies the list of network ports exposed by each endpoint in + // this slice. Each port must have a unique name. When ports is empty, it + // indicates that there are no defined ports. When a port is defined with a + // nil port value, it indicates "all ports". Each slice may include a + // maximum of 100 ports. + // +optional + // +listType=atomic + ports: [...#EndpointPort] @go(Ports,[]EndpointPort) @protobuf(3,bytes,rep) +} + +// AddressType represents the type of address referred to by an endpoint. +// +enum +#AddressType: string // #enumAddressType + +#enumAddressType: + #AddressTypeIPv4 | + #AddressTypeIPv6 | + #AddressTypeFQDN + +// AddressTypeIPv4 represents an IPv4 Address. 
+#AddressTypeIPv4: #AddressType & "IPv4" + +// AddressTypeIPv6 represents an IPv6 Address. +#AddressTypeIPv6: #AddressType & "IPv6" + +// AddressTypeFQDN represents a FQDN. +#AddressTypeFQDN: #AddressType & "FQDN" + +// Endpoint represents a single logical "backend" implementing a service. +#Endpoint: { + // addresses of this endpoint. The contents of this field are interpreted + // according to the corresponding EndpointSlice addressType field. Consumers + // must handle different types of addresses in the context of their own + // capabilities. This must contain at least one address but no more than + // 100. These are all assumed to be fungible and clients may choose to only + // use the first element. Refer to: https://issue.k8s.io/106267 + // +listType=set + addresses: [...string] @go(Addresses,[]string) @protobuf(1,bytes,rep) + + // conditions contains information about the current status of the endpoint. + conditions?: #EndpointConditions @go(Conditions) @protobuf(2,bytes,opt) + + // hostname of this endpoint. This field may be used by consumers of + // endpoints to distinguish endpoints from each other (e.g. in DNS names). + // Multiple endpoints which use the same hostname should be considered + // fungible (e.g. multiple A values in DNS). Must be lowercase and pass DNS + // Label (RFC 1123) validation. + // +optional + hostname?: null | string @go(Hostname,*string) @protobuf(3,bytes,opt) + + // targetRef is a reference to a Kubernetes object that represents this + // endpoint. + // +optional + targetRef?: null | v1.#ObjectReference @go(TargetRef,*v1.ObjectReference) @protobuf(4,bytes,opt) + + // deprecatedTopology contains topology information part of the v1beta1 + // API. This field is deprecated, and will be removed when the v1beta1 + // API is removed (no sooner than kubernetes v1.24). While this field can + // hold values, it is not writable through the v1 API, and any attempts to + // write to it will be silently ignored. 
Topology information can be found + // in the zone and nodeName fields instead. + // +optional + deprecatedTopology?: {[string]: string} @go(DeprecatedTopology,map[string]string) @protobuf(5,bytes,opt) + + // nodeName represents the name of the Node hosting this endpoint. This can + // be used to determine endpoints local to a Node. + // +optional + nodeName?: null | string @go(NodeName,*string) @protobuf(6,bytes,opt) + + // zone is the name of the Zone this endpoint exists in. + // +optional + zone?: null | string @go(Zone,*string) @protobuf(7,bytes,opt) + + // hints contains information associated with how an endpoint should be + // consumed. + // +optional + hints?: null | #EndpointHints @go(Hints,*EndpointHints) @protobuf(8,bytes,opt) +} + +// EndpointConditions represents the current condition of an endpoint. +#EndpointConditions: { + // ready indicates that this endpoint is prepared to receive traffic, + // according to whatever system is managing the endpoint. A nil value + // indicates an unknown state. In most cases consumers should interpret this + // unknown state as ready. For compatibility reasons, ready should never be + // "true" for terminating endpoints, except when the normal readiness + // behavior is being explicitly overridden, for example when the associated + // Service has set the publishNotReadyAddresses flag. + // +optional + ready?: null | bool @go(Ready,*bool) @protobuf(1,bytes) + + // serving is identical to ready except that it is set regardless of the + // terminating state of endpoints. This condition should be set to true for + // a ready endpoint that is terminating. If nil, consumers should defer to + // the ready condition. + // +optional + serving?: null | bool @go(Serving,*bool) @protobuf(2,bytes) + + // terminating indicates that this endpoint is terminating. A nil value + // indicates an unknown state. Consumers should interpret this unknown state + // to mean that the endpoint is not terminating. 
+ // +optional + terminating?: null | bool @go(Terminating,*bool) @protobuf(3,bytes) +} + +// EndpointHints provides hints describing how an endpoint should be consumed. +#EndpointHints: { + // forZones indicates the zone(s) this endpoint should be consumed by to + // enable topology aware routing. + // +listType=atomic + forZones?: [...#ForZone] @go(ForZones,[]ForZone) @protobuf(1,bytes) +} + +// ForZone provides information about which zones should consume this endpoint. +#ForZone: { + // name represents the name of the zone. + name: string @go(Name) @protobuf(1,bytes) +} + +// EndpointPort represents a Port used by an EndpointSlice +// +structType=atomic +#EndpointPort: { + // name represents the name of this port. All ports in an EndpointSlice must have a unique name. + // If the EndpointSlice is dervied from a Kubernetes service, this corresponds to the Service.ports[].name. + // Name must either be an empty string or pass DNS_LABEL validation: + // * must be no more than 63 characters long. + // * must consist of lower case alphanumeric characters or '-'. + // * must start and end with an alphanumeric character. + // Default is empty string. + name?: null | string @go(Name,*string) @protobuf(1,bytes) + + // protocol represents the IP protocol for this port. + // Must be UDP, TCP, or SCTP. + // Default is TCP. + protocol?: null | v1.#Protocol @go(Protocol,*v1.Protocol) @protobuf(2,bytes) + + // port represents the port number of the endpoint. + // If this is not specified, ports are not restricted and must be + // interpreted in the context of the specific consumer. + port?: null | int32 @go(Port,*int32) @protobuf(3,bytes,opt) + + // The application protocol for this port. + // This is used as a hint for implementations to offer richer behavior for protocols that they understand. + // This field follows standard Kubernetes label syntax. 
+ // Valid values are either: + // + // * Un-prefixed protocol names - reserved for IANA standard service names (as per + // RFC-6335 and https://www.iana.org/assignments/service-names). + // + // * Kubernetes-defined prefixed names: + // * 'kubernetes.io/h2c' - HTTP/2 over cleartext as described in https://www.rfc-editor.org/rfc/rfc7540 + // * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + // * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + // + // * Other protocols should use implementation-defined prefixed names such as + // mycompany.com/my-custom-protocol. + // +optional + appProtocol?: null | string @go(AppProtocol,*string) @protobuf(4,bytes) +} + +// EndpointSliceList represents a list of endpoint slices +#EndpointSliceList: { + metav1.#TypeMeta + + // Standard list metadata. + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of endpoint slices + items: [...#EndpointSlice] @go(Items,[]EndpointSlice) @protobuf(2,bytes,rep) +} diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/discovery/v1/well_known_labels_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/discovery/v1/well_known_labels_go_gen.cue new file mode 100644 index 000000000..9c40d30e9 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/discovery/v1/well_known_labels_go_gen.cue 
@@ -0,0 +1,20 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/discovery/v1 + +package v1 + +// LabelServiceName is used to indicate the name of a Kubernetes service. +#LabelServiceName: "kubernetes.io/service-name" + +// LabelManagedBy is used to indicate the controller or entity that manages +// an EndpointSlice. This label aims to enable different EndpointSlice +// objects to be managed by different controllers or entities within the +// same cluster. It is highly recommended to configure this label for all +// EndpointSlices. +#LabelManagedBy: "endpointslice.kubernetes.io/managed-by" + +// LabelSkipMirror can be set to true on an Endpoints resource to indicate +// that the EndpointSliceMirroring controller should not mirror this +// resource with EndpointSlices. +#LabelSkipMirror: "endpointslice.kubernetes.io/skip-mirror" diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/events/v1/register_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/events/v1/register_go_gen.cue new file mode 100644 index 000000000..c4138c1c7 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/events/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/events/v1 + +package v1 + +#GroupName: "events.k8s.io" diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/events/v1/types_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/events/v1/types_go_gen.cue new file mode 100644 index 000000000..47acc8fc0 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/events/v1/types_go_gen.cue 
@@ -0,0 +1,111 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/events/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + corev1 "k8s.io/api/core/v1" +) + +// Event is a report of an event somewhere in the cluster. It generally denotes some state change in the system. +// Events have a limited retention time and triggers and messages may evolve +// with time. Event consumers should not rely on the timing of an event +// with a given Reason reflecting a consistent underlying trigger, or the +// continued existence of events with that Reason. Events should be +// treated as informative, best-effort, supplemental data. +#Event: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // eventTime is the time when this Event was first observed. It is required. + eventTime: metav1.#MicroTime @go(EventTime) @protobuf(2,bytes,opt) + + // series is data about the Event series this event represents or nil if it's a singleton Event. + // +optional + series?: null | #EventSeries @go(Series,*EventSeries) @protobuf(3,bytes,opt) + + // reportingController is the name of the controller that emitted this Event, e.g. `kubernetes.io/kubelet`. + // This field cannot be empty for new Events. + reportingController?: string @go(ReportingController) @protobuf(4,bytes,opt) + + // reportingInstance is the ID of the controller instance, e.g. `kubelet-xyzf`. + // This field cannot be empty for new Events and it can have at most 128 characters. + reportingInstance?: string @go(ReportingInstance) @protobuf(5,bytes,opt) + + // action is what action was taken/failed regarding to the regarding object. It is machine-readable. + // This field cannot be empty for new Events and it can have at most 128 characters. 
+ action?: string @go(Action) @protobuf(6,bytes) + + // reason is why the action was taken. It is human-readable. + // This field cannot be empty for new Events and it can have at most 128 characters. + reason?: string @go(Reason) @protobuf(7,bytes) + + // regarding contains the object this Event is about. In most cases it's an Object reporting controller + // implements, e.g. ReplicaSetController implements ReplicaSets and this event is emitted because + // it acts on some changes in a ReplicaSet object. + // +optional + regarding?: corev1.#ObjectReference @go(Regarding) @protobuf(8,bytes,opt) + + // related is the optional secondary object for more complex actions. E.g. when regarding object triggers + // a creation or deletion of related object. + // +optional + related?: null | corev1.#ObjectReference @go(Related,*corev1.ObjectReference) @protobuf(9,bytes,opt) + + // note is a human-readable description of the status of this operation. + // Maximal length of the note is 1kB, but libraries should be prepared to + // handle values up to 64kB. + // +optional + note?: string @go(Note) @protobuf(10,bytes,opt) + + // type is the type of this event (Normal, Warning), new types could be added in the future. + // It is machine-readable. + // This field cannot be empty for new Events. + type?: string @go(Type) @protobuf(11,bytes,opt) + + // deprecatedSource is the deprecated field assuring backward compatibility with core.v1 Event type. + // +optional + deprecatedSource?: corev1.#EventSource @go(DeprecatedSource) @protobuf(12,bytes,opt) + + // deprecatedFirstTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type. + // +optional + deprecatedFirstTimestamp?: metav1.#Time @go(DeprecatedFirstTimestamp) @protobuf(13,bytes,opt) + + // deprecatedLastTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type. 
+ // +optional + deprecatedLastTimestamp?: metav1.#Time @go(DeprecatedLastTimestamp) @protobuf(14,bytes,opt) + + // deprecatedCount is the deprecated field assuring backward compatibility with core.v1 Event type. + // +optional + deprecatedCount?: int32 @go(DeprecatedCount) @protobuf(15,varint,opt) +} + +// EventSeries contain information on series of events, i.e. thing that was/is happening +// continuously for some time. How often to update the EventSeries is up to the event reporters. +// The default event reporter in "k8s.io/client-go/tools/events/event_broadcaster.go" shows +// how this struct is updated on heartbeats and can guide customized reporter implementations. +#EventSeries: { + // count is the number of occurrences in this series up to the last heartbeat time. + count: int32 @go(Count) @protobuf(1,varint,opt) + + // lastObservedTime is the time when last Event from the series was seen before last heartbeat. + lastObservedTime: metav1.#MicroTime @go(LastObservedTime) @protobuf(2,bytes,opt) +} + +// EventList is a list of Event objects. +#EventList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is a list of schema objects. + items: [...#Event] @go(Items,[]Event) @protobuf(2,bytes,rep) +} diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/networking/v1/register_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/networking/v1/register_go_gen.cue new file mode 100644 index 000000000..f10426220 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/networking/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/networking/v1 + +package v1 + +#GroupName: "networking.k8s.io" 
diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/networking/v1/types_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/networking/v1/types_go_gen.cue new file mode 100644 index 000000000..bbdc7f2b1 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/networking/v1/types_go_gen.cue 
@@ -0,0 +1,588 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/networking/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/util/intstr" +) + +// NetworkPolicy describes what network traffic is allowed for a set of Pods +#NetworkPolicy: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec represents the specification of the desired behavior for this NetworkPolicy. + // +optional + spec?: #NetworkPolicySpec @go(Spec) @protobuf(2,bytes,opt) +} + +// PolicyType string describes the NetworkPolicy type +// This type is beta-level in 1.8 +// +enum +#PolicyType: string // #enumPolicyType + +#enumPolicyType: + #PolicyTypeIngress | + #PolicyTypeEgress + +// PolicyTypeIngress is a NetworkPolicy that affects ingress traffic on selected pods +#PolicyTypeIngress: #PolicyType & "Ingress" + +// PolicyTypeEgress is a NetworkPolicy that affects egress traffic on selected pods +#PolicyTypeEgress: #PolicyType & "Egress" + +// NetworkPolicySpec provides the specification of a NetworkPolicy +#NetworkPolicySpec: { + // podSelector selects the pods to which this NetworkPolicy object applies. + // The array of ingress rules is applied to any pods selected by this field. + // Multiple network policies can select the same set of pods. In this case, + // the ingress rules for each are combined additively. + // This field is NOT optional and follows standard label selector semantics. + // An empty podSelector matches all pods in this namespace. + podSelector: metav1.#LabelSelector @go(PodSelector) @protobuf(1,bytes,opt) + + // ingress is a list of ingress rules to be applied to the selected pods. 
+ // Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod + // (and cluster policy otherwise allows the traffic), OR if the traffic source is + // the pod's local node, OR if the traffic matches at least one ingress rule + // across all of the NetworkPolicy objects whose podSelector matches the pod. If + // this field is empty then this NetworkPolicy does not allow any traffic (and serves + // solely to ensure that the pods it selects are isolated by default) + // +optional + ingress?: [...#NetworkPolicyIngressRule] @go(Ingress,[]NetworkPolicyIngressRule) @protobuf(2,bytes,rep) + + // egress is a list of egress rules to be applied to the selected pods. Outgoing traffic + // is allowed if there are no NetworkPolicies selecting the pod (and cluster policy + // otherwise allows the traffic), OR if the traffic matches at least one egress rule + // across all of the NetworkPolicy objects whose podSelector matches the pod. If + // this field is empty then this NetworkPolicy limits all outgoing traffic (and serves + // solely to ensure that the pods it selects are isolated by default). + // This field is beta-level in 1.8 + // +optional + egress?: [...#NetworkPolicyEgressRule] @go(Egress,[]NetworkPolicyEgressRule) @protobuf(3,bytes,rep) + + // policyTypes is a list of rule types that the NetworkPolicy relates to. + // Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"]. + // If this field is not specified, it will default based on the existence of ingress or egress rules; + // policies that contain an egress section are assumed to affect egress, and all policies + // (whether or not they contain an ingress section) are assumed to affect ingress. + // If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. 
+ // Likewise, if you want to write a policy that specifies that no egress is allowed, + // you must specify a policyTypes value that include "Egress" (since such a policy would not include + // an egress section and would otherwise default to just [ "Ingress" ]). + // This field is beta-level in 1.8 + // +optional + policyTypes?: [...#PolicyType] @go(PolicyTypes,[]PolicyType) @protobuf(4,bytes,rep,casttype=PolicyType) +} + +// NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods +// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from. +#NetworkPolicyIngressRule: { + // ports is a list of ports which should be made accessible on the pods selected for + // this rule. Each item in this list is combined using a logical OR. If this field is + // empty or missing, this rule matches all ports (traffic not restricted by port). + // If this field is present and contains at least one item, then this rule allows + // traffic only if the traffic matches at least one port in the list. + // +optional + ports?: [...#NetworkPolicyPort] @go(Ports,[]NetworkPolicyPort) @protobuf(1,bytes,rep) + + // from is a list of sources which should be able to access the pods selected for this rule. + // Items in this list are combined using a logical OR operation. If this field is + // empty or missing, this rule matches all sources (traffic not restricted by + // source). If this field is present and contains at least one item, this rule + // allows traffic only if the traffic matches at least one item in the from list. + // +optional + from?: [...#NetworkPolicyPeer] @go(From,[]NetworkPolicyPeer) @protobuf(2,bytes,rep) +} + +// NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods +// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. 
+// This type is beta-level in 1.8 +#NetworkPolicyEgressRule: { + // ports is a list of destination ports for outgoing traffic. + // Each item in this list is combined using a logical OR. If this field is + // empty or missing, this rule matches all ports (traffic not restricted by port). + // If this field is present and contains at least one item, then this rule allows + // traffic only if the traffic matches at least one port in the list. + // +optional + ports?: [...#NetworkPolicyPort] @go(Ports,[]NetworkPolicyPort) @protobuf(1,bytes,rep) + + // to is a list of destinations for outgoing traffic of pods selected for this rule. + // Items in this list are combined using a logical OR operation. If this field is + // empty or missing, this rule matches all destinations (traffic not restricted by + // destination). If this field is present and contains at least one item, this rule + // allows traffic only if the traffic matches at least one item in the to list. + // +optional + to?: [...#NetworkPolicyPeer] @go(To,[]NetworkPolicyPeer) @protobuf(2,bytes,rep) +} + +// NetworkPolicyPort describes a port to allow traffic on +#NetworkPolicyPort: { + // protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. + // If not specified, this field defaults to TCP. + // +optional + protocol?: null | v1.#Protocol @go(Protocol,*v1.Protocol) @protobuf(1,bytes,opt,casttype=k8s.io/api/core/v1.Protocol) + + // port represents the port on the given protocol. This can either be a numerical or named + // port on a pod. If this field is not provided, this matches all port names and + // numbers. + // If present, only traffic on the specified protocol AND port will be matched. + // +optional + port?: null | intstr.#IntOrString @go(Port,*intstr.IntOrString) @protobuf(2,bytes,opt) + + // endPort indicates that the range of ports from port to endPort if set, inclusive, + // should be allowed by the policy. 
This field cannot be defined if the port field + // is not defined or if the port field is defined as a named (string) port. + // The endPort must be equal or greater than port. + // +optional + endPort?: null | int32 @go(EndPort,*int32) @protobuf(3,bytes,opt) +} + +// IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") that is allowed +// to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs +// that should not be included within this rule. +#IPBlock: { + // cidr is a string representing the IPBlock + // Valid examples are "192.168.1.0/24" or "2001:db8::/64" + cidr: string @go(CIDR) @protobuf(1,bytes) + + // except is a slice of CIDRs that should not be included within an IPBlock + // Valid examples are "192.168.1.0/24" or "2001:db8::/64" + // Except values will be rejected if they are outside the cidr range + // +optional + except?: [...string] @go(Except,[]string) @protobuf(2,bytes,rep) +} + +// NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of +// fields are allowed +#NetworkPolicyPeer: { + // podSelector is a label selector which selects pods. This field follows standard label + // selector semantics; if present but empty, it selects all pods. + // + // If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects + // the pods matching podSelector in the Namespaces selected by NamespaceSelector. + // Otherwise it selects the pods matching podSelector in the policy's own namespace. + // +optional + podSelector?: null | metav1.#LabelSelector @go(PodSelector,*metav1.LabelSelector) @protobuf(1,bytes,opt) + + // namespaceSelector selects namespaces using cluster-scoped labels. This field follows + // standard label selector semantics; if present but empty, it selects all namespaces. + // + // If podSelector is also set, then the NetworkPolicyPeer as a whole selects + // the pods matching podSelector in the namespaces selected by namespaceSelector. 
+ // Otherwise it selects all pods in the namespaces selected by namespaceSelector. + // +optional + namespaceSelector?: null | metav1.#LabelSelector @go(NamespaceSelector,*metav1.LabelSelector) @protobuf(2,bytes,opt) + + // ipBlock defines policy on a particular IPBlock. If this field is set then + // neither of the other fields can be. + // +optional + ipBlock?: null | #IPBlock @go(IPBlock,*IPBlock) @protobuf(3,bytes,rep) +} + +// NetworkPolicyList is a list of NetworkPolicy objects. +#NetworkPolicyList: { + metav1.#TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is a list of schema objects. + items: [...#NetworkPolicy] @go(Items,[]NetworkPolicy) @protobuf(2,bytes,rep) +} + +// Ingress is a collection of rules that allow inbound connections to reach the +// endpoints defined by a backend. An Ingress can be configured to give services +// externally-reachable urls, load balance traffic, terminate SSL, offer name +// based virtual hosting etc. +#Ingress: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec is the desired state of the Ingress. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #IngressSpec @go(Spec) @protobuf(2,bytes,opt) + + // status is the current state of the Ingress. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: #IngressStatus @go(Status) @protobuf(3,bytes,opt) +} + +// IngressList is a collection of Ingress. 
+#IngressList: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of Ingress. + items: [...#Ingress] @go(Items,[]Ingress) @protobuf(2,bytes,rep) +} + +// IngressSpec describes the Ingress the user wishes to exist. +#IngressSpec: { + // ingressClassName is the name of an IngressClass cluster resource. Ingress + // controller implementations use this field to know whether they should be + // serving this Ingress resource, by a transitive connection + // (controller -> IngressClass -> Ingress resource). Although the + // `kubernetes.io/ingress.class` annotation (simple constant name) was never + // formally defined, it was widely supported by Ingress controllers to create + // a direct binding between Ingress controller and Ingress resources. Newly + // created Ingress resources should prefer using the field. However, even + // though the annotation is officially deprecated, for backwards compatibility + // reasons, ingress controllers should still honor that annotation if present. + // +optional + ingressClassName?: null | string @go(IngressClassName,*string) @protobuf(4,bytes,opt) + + // defaultBackend is the backend that should handle requests that don't + // match any rule. If Rules are not specified, DefaultBackend must be specified. + // If DefaultBackend is not set, the handling of requests that do not match any + // of the rules will be up to the Ingress controller. + // +optional + defaultBackend?: null | #IngressBackend @go(DefaultBackend,*IngressBackend) @protobuf(1,bytes,opt) + + // tls represents the TLS configuration. Currently the Ingress only supports a + // single TLS port, 443. 
If multiple members of this list specify different hosts, + // they will be multiplexed on the same port according to the hostname specified + // through the SNI TLS extension, if the ingress controller fulfilling the + // ingress supports SNI. + // +listType=atomic + // +optional + tls?: [...#IngressTLS] @go(TLS,[]IngressTLS) @protobuf(2,bytes,rep) + + // rules is a list of host rules used to configure the Ingress. If unspecified, + // or no rule matches, all traffic is sent to the default backend. + // +listType=atomic + // +optional + rules?: [...#IngressRule] @go(Rules,[]IngressRule) @protobuf(3,bytes,rep) +} + +// IngressTLS describes the transport layer security associated with an ingress. +#IngressTLS: { + // hosts is a list of hosts included in the TLS certificate. The values in + // this list must match the name/s used in the tlsSecret. Defaults to the + // wildcard host setting for the loadbalancer controller fulfilling this + // Ingress, if left unspecified. + // +listType=atomic + // +optional + hosts?: [...string] @go(Hosts,[]string) @protobuf(1,bytes,rep) + + // secretName is the name of the secret used to terminate TLS traffic on + // port 443. Field is left optional to allow TLS routing based on SNI + // hostname alone. If the SNI host in a listener conflicts with the "Host" + // header field used by an IngressRule, the SNI host is used for termination + // and value of the "Host" header is used for routing. + // +optional + secretName?: string @go(SecretName) @protobuf(2,bytes,opt) +} + +// IngressStatus describe the current state of the Ingress. +#IngressStatus: { + // loadBalancer contains the current status of the load-balancer. + // +optional + loadBalancer?: #IngressLoadBalancerStatus @go(LoadBalancer) @protobuf(1,bytes,opt) +} + +// IngressLoadBalancerStatus represents the status of a load-balancer. +#IngressLoadBalancerStatus: { + // ingress is a list containing ingress points for the load-balancer. 
+ // +optional + ingress?: [...#IngressLoadBalancerIngress] @go(Ingress,[]IngressLoadBalancerIngress) @protobuf(1,bytes,rep) +} + +// IngressLoadBalancerIngress represents the status of a load-balancer ingress point. +#IngressLoadBalancerIngress: { + // ip is set for load-balancer ingress points that are IP based. + // +optional + ip?: string @go(IP) @protobuf(1,bytes,opt) + + // hostname is set for load-balancer ingress points that are DNS based. + // +optional + hostname?: string @go(Hostname) @protobuf(2,bytes,opt) + + // ports provides information about the ports exposed by this LoadBalancer. + // +listType=atomic + // +optional + ports?: [...#IngressPortStatus] @go(Ports,[]IngressPortStatus) @protobuf(4,bytes,rep) +} + +// IngressPortStatus represents the error condition of a service port +#IngressPortStatus: { + // port is the port number of the ingress port. + port: int32 @go(Port) @protobuf(1,varint,opt) + + // protocol is the protocol of the ingress port. + // The supported values are: "TCP", "UDP", "SCTP" + protocol: v1.#Protocol @go(Protocol) @protobuf(2,bytes,opt,casttype=Protocol) + + // error is to record the problem with the service port + // The format of the error shall comply with the following rules: + // - built-in error values shall be specified in this file and those shall use + // CamelCase names + // - cloud provider specific error values must have names that comply with the + // format foo.example.com/CamelCase. + // --- + // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + // +optional + // +kubebuilder:validation:Required + // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` + // +kubebuilder:validation:MaxLength=316 + error?: null | string @go(Error,*string) @protobuf(3,bytes,opt) +} + +// IngressRule represents the rules mapping the paths under a specified host to +// the related backend services. 
Incoming requests are first evaluated for a host +// match, then routed to the backend associated with the matching IngressRuleValue. +#IngressRule: { + // host is the fully qualified domain name of a network host, as defined by RFC 3986. + // Note the following deviations from the "host" part of the + // URI as defined in RFC 3986: + // 1. IPs are not allowed. Currently an IngressRuleValue can only apply to + // the IP in the Spec of the parent Ingress. + // 2. The `:` delimiter is not respected because ports are not allowed. + // Currently the port of an Ingress is implicitly :80 for http and + // :443 for https. + // Both these may change in the future. + // Incoming requests are matched against the host before the + // IngressRuleValue. If the host is unspecified, the Ingress routes all + // traffic based on the specified IngressRuleValue. + // + // host can be "precise" which is a domain name without the terminating dot of + // a network host (e.g. "foo.bar.com") or "wildcard", which is a domain name + // prefixed with a single wildcard label (e.g. "*.foo.com"). + // The wildcard character '*' must appear by itself as the first DNS label and + // matches only a single label. You cannot have a wildcard label by itself (e.g. Host == "*"). + // Requests will be matched against the Host field in the following way: + // 1. If host is precise, the request matches this rule if the http host header is equal to Host. + // 2. If host is a wildcard, then the request matches this rule if the http host header + // is to equal to the suffix (removing the first label) of the wildcard rule. + // +optional + host?: string @go(Host) @protobuf(1,bytes,opt) + + #IngressRuleValue +} + +// IngressRuleValue represents a rule to apply against incoming requests. If the +// rule is satisfied, the request is routed to the specified backend. Currently +// mixing different types of rules in a single Ingress is disallowed, so exactly +// one of the following must be set. 
+#IngressRuleValue: { + // +optional + http?: null | #HTTPIngressRuleValue @go(HTTP,*HTTPIngressRuleValue) @protobuf(1,bytes,opt) +} + +// HTTPIngressRuleValue is a list of http selectors pointing to backends. +// In the example: http:///? -> backend where +// where parts of the url correspond to RFC 3986, this resource will be used +// to match against everything after the last '/' and before the first '?' +// or '#'. +#HTTPIngressRuleValue: { + // paths is a collection of paths that map requests to backends. + // +listType=atomic + paths: [...#HTTPIngressPath] @go(Paths,[]HTTPIngressPath) @protobuf(1,bytes,rep) +} + +// PathType represents the type of path referred to by a HTTPIngressPath. +// +enum +#PathType: string // #enumPathType + +#enumPathType: + #PathTypeExact | + #PathTypePrefix | + #PathTypeImplementationSpecific + +// PathTypeExact matches the URL path exactly and with case sensitivity. +#PathTypeExact: #PathType & "Exact" + +// PathTypePrefix matches based on a URL path prefix split by '/'. Matching +// is case sensitive and done on a path element by element basis. A path +// element refers to the list of labels in the path split by the '/' +// separator. A request is a match for path p if every p is an element-wise +// prefix of p of the request path. Note that if the last element of the +// path is a substring of the last element in request path, it is not a +// match (e.g. /foo/bar matches /foo/bar/baz, but does not match +// /foo/barbaz). If multiple matching paths exist in an Ingress spec, the +// longest matching path is given priority. +// Examples: +// - /foo/bar does not match requests to /foo/barbaz +// - /foo/bar matches request to /foo/bar and /foo/bar/baz +// - /foo and /foo/ both match requests to /foo and /foo/. If both paths are +// present in an Ingress spec, the longest matching path (/foo/) is given +// priority. +#PathTypePrefix: #PathType & "Prefix" + +// PathTypeImplementationSpecific matching is up to the IngressClass. 
+// Implementations can treat this as a separate PathType or treat it +// identically to Prefix or Exact path types. +#PathTypeImplementationSpecific: #PathType & "ImplementationSpecific" + +// HTTPIngressPath associates a path with a backend. Incoming urls matching the +// path are forwarded to the backend. +#HTTPIngressPath: { + // path is matched against the path of an incoming request. Currently it can + // contain characters disallowed from the conventional "path" part of a URL + // as defined by RFC 3986. Paths must begin with a '/' and must be present + // when using PathType with value "Exact" or "Prefix". + // +optional + path?: string @go(Path) @protobuf(1,bytes,opt) + + // pathType determines the interpretation of the path matching. PathType can + // be one of the following values: + // * Exact: Matches the URL path exactly. + // * Prefix: Matches based on a URL path prefix split by '/'. Matching is + // done on a path element by element basis. A path element refers is the + // list of labels in the path split by the '/' separator. A request is a + // match for path p if every p is an element-wise prefix of p of the + // request path. Note that if the last element of the path is a substring + // of the last element in request path, it is not a match (e.g. /foo/bar + // matches /foo/bar/baz, but does not match /foo/barbaz). + // * ImplementationSpecific: Interpretation of the Path matching is up to + // the IngressClass. Implementations can treat this as a separate PathType + // or treat it identically to Prefix or Exact path types. + // Implementations are required to support all path types. + pathType?: null | #PathType @go(PathType,*PathType) @protobuf(3,bytes,opt) + + // backend defines the referenced service endpoint to which the traffic + // will be forwarded to. + backend: #IngressBackend @go(Backend) @protobuf(2,bytes,opt) +} + +// IngressBackend describes all endpoints for a given service and port. 
+#IngressBackend: { + // service references a service as a backend. + // This is a mutually exclusive setting with "Resource". + // +optional + service?: null | #IngressServiceBackend @go(Service,*IngressServiceBackend) @protobuf(4,bytes,opt) + + // resource is an ObjectRef to another Kubernetes resource in the namespace + // of the Ingress object. If resource is specified, a service.Name and + // service.Port must not be specified. + // This is a mutually exclusive setting with "Service". + // +optional + resource?: null | v1.#TypedLocalObjectReference @go(Resource,*v1.TypedLocalObjectReference) @protobuf(3,bytes,opt) +} + +// IngressServiceBackend references a Kubernetes Service as a Backend. +#IngressServiceBackend: { + // name is the referenced service. The service must exist in + // the same namespace as the Ingress object. + name: string @go(Name) @protobuf(1,bytes,opt) + + // port of the referenced service. A port name or port number + // is required for a IngressServiceBackend. + port?: #ServiceBackendPort @go(Port) @protobuf(2,bytes,opt) +} + +// ServiceBackendPort is the service port being referenced. +#ServiceBackendPort: { + // name is the name of the port on the Service. + // This is a mutually exclusive setting with "Number". + // +optional + name?: string @go(Name) @protobuf(1,bytes,opt) + + // number is the numerical port number (e.g. 80) on the Service. + // This is a mutually exclusive setting with "Name". + // +optional + number?: int32 @go(Number) @protobuf(2,bytes,opt) +} + +// IngressClass represents the class of the Ingress, referenced by the Ingress +// Spec. The `ingressclass.kubernetes.io/is-default-class` annotation can be +// used to indicate that an IngressClass should be considered default. When a +// single IngressClass resource has this annotation set to true, new Ingress +// resources without a class specified will be assigned this default class. +#IngressClass: { + metav1.#TypeMeta + + // Standard object's metadata. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec is the desired state of the IngressClass. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + spec?: #IngressClassSpec @go(Spec) @protobuf(2,bytes,opt) +} + +// IngressClassSpec provides information about the class of an Ingress. +#IngressClassSpec: { + // controller refers to the name of the controller that should handle this + // class. This allows for different "flavors" that are controlled by the + // same controller. For example, you may have different parameters for the + // same implementing controller. This should be specified as a + // domain-prefixed path no more than 250 characters in length, e.g. + // "acme.io/ingress-controller". This field is immutable. + controller?: string @go(Controller) @protobuf(1,bytes,opt) + + // parameters is a link to a custom resource containing additional + // configuration for the controller. This is optional if the controller does + // not require extra parameters. + // +optional + parameters?: null | #IngressClassParametersReference @go(Parameters,*IngressClassParametersReference) @protobuf(2,bytes,opt) +} + +// IngressClassParametersReferenceScopeNamespace indicates that the +// referenced Parameters resource is namespace-scoped. +#IngressClassParametersReferenceScopeNamespace: "Namespace" + +// IngressClassParametersReferenceScopeCluster indicates that the +// referenced Parameters resource is cluster-scoped. +#IngressClassParametersReferenceScopeCluster: "Cluster" + +// IngressClassParametersReference identifies an API object. This can be used +// to specify a cluster or namespace-scoped resource. +#IngressClassParametersReference: { + // apiGroup is the group for the resource being referenced. 
If APIGroup is + // not specified, the specified Kind must be in the core API group. For any + // other third-party types, APIGroup is required. + // +optional + apiGroup?: null | string @go(APIGroup,*string) @protobuf(1,bytes,opt,name=aPIGroup) + + // kind is the type of resource being referenced. + kind: string @go(Kind) @protobuf(2,bytes,opt) + + // name is the name of resource being referenced. + name: string @go(Name) @protobuf(3,bytes,opt) + + // scope represents if this refers to a cluster or namespace scoped resource. + // This may be set to "Cluster" (default) or "Namespace". + // +optional + scope?: null | string @go(Scope,*string) @protobuf(4,bytes,opt) + + // namespace is the namespace of the resource being referenced. This field is + // required when scope is set to "Namespace" and must be unset when scope is set to + // "Cluster". + // +optional + namespace?: null | string @go(Namespace,*string) @protobuf(5,bytes,opt) +} + +// IngressClassList is a collection of IngressClasses. +#IngressClassList: { + metav1.#TypeMeta + + // Standard list metadata. + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of IngressClasses. + items: [...#IngressClass] @go(Items,[]IngressClass) @protobuf(2,bytes,rep) +} diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/networking/v1/well_known_annotations_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/networking/v1/well_known_annotations_go_gen.cue new file mode 100644 index 000000000..bee74f4b6 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/networking/v1/well_known_annotations_go_gen.cue 
@@ -0,0 +1,11 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/networking/v1 + +package v1 + +// AnnotationIsDefaultIngressClass can be used to indicate that an +// IngressClass should be considered default. When a single IngressClass +// resource has this annotation set to true, new Ingress resources without a +// class specified will be assigned this default class. +#AnnotationIsDefaultIngressClass: "ingressclass.kubernetes.io/is-default-class" diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/node/v1/register_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/node/v1/register_go_gen.cue new file mode 100644 index 000000000..5969b44fa --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/node/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/node/v1 + +package v1 + +#GroupName: "node.k8s.io" diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/node/v1/types_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/node/v1/types_go_gen.cue new file mode 100644 index 000000000..3934557c9 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/node/v1/types_go_gen.cue 
@@ -0,0 +1,90 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/node/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + corev1 "k8s.io/api/core/v1" +) + +// RuntimeClass defines a class of container runtime supported in the cluster. +// The RuntimeClass is used to determine which container runtime is used to run +// all containers in a pod. RuntimeClasses are manually defined by a +// user or cluster provisioner, and referenced in the PodSpec. The Kubelet is +// responsible for resolving the RuntimeClassName reference before running the +// pod. For more details, see +// https://kubernetes.io/docs/concepts/containers/runtime-class/ +#RuntimeClass: { + metav1.#TypeMeta + + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // handler specifies the underlying runtime and configuration that the CRI + // implementation will use to handle pods of this class. The possible values + // are specific to the node & CRI configuration. It is assumed that all + // handlers are available on every node, and handlers of the same name are + // equivalent on every node. + // For example, a handler called "runc" might specify that the runc OCI + // runtime (using native Linux containers) will be used to run the containers + // in a pod. + // The Handler must be lowercase, conform to the DNS Label (RFC 1123) requirements, + // and is immutable. + handler: string @go(Handler) @protobuf(2,bytes,opt) + + // overhead represents the resource overhead associated with running a pod for a + // given RuntimeClass. 
For more details, see + // https://kubernetes.io/docs/concepts/scheduling-eviction/pod-overhead/ + // +optional + overhead?: null | #Overhead @go(Overhead,*Overhead) @protobuf(3,bytes,opt) + + // scheduling holds the scheduling constraints to ensure that pods running + // with this RuntimeClass are scheduled to nodes that support it. + // If scheduling is nil, this RuntimeClass is assumed to be supported by all + // nodes. + // +optional + scheduling?: null | #Scheduling @go(Scheduling,*Scheduling) @protobuf(4,bytes,opt) +} + +// Overhead structure represents the resource overhead associated with running a pod. +#Overhead: { + // podFixed represents the fixed resource overhead associated with running a pod. + // +optional + podFixed?: corev1.#ResourceList @go(PodFixed) @protobuf(1,bytes,opt,casttype=k8s.io/api/core/v1.ResourceList,castkey=k8s.io/api/core/v1.ResourceName,castvalue=k8s.io/apimachinery/pkg/api/resource.Quantity) +} + +// Scheduling specifies the scheduling constraints for nodes supporting a +// RuntimeClass. +#Scheduling: { + // nodeSelector lists labels that must be present on nodes that support this + // RuntimeClass. Pods using this RuntimeClass can only be scheduled to a + // node matched by this selector. The RuntimeClass nodeSelector is merged + // with a pod's existing nodeSelector. Any conflicts will cause the pod to + // be rejected in admission. + // +optional + // +mapType=atomic + nodeSelector?: {[string]: string} @go(NodeSelector,map[string]string) @protobuf(1,bytes,opt) + + // tolerations are appended (excluding duplicates) to pods running with this + // RuntimeClass during admission, effectively unioning the set of nodes + // tolerated by the pod and the RuntimeClass. + // +optional + // +listType=atomic + tolerations?: [...corev1.#Toleration] @go(Tolerations,[]corev1.Toleration) @protobuf(2,bytes,rep) +} + +// RuntimeClassList is a list of RuntimeClass objects. +#RuntimeClassList: { + metav1.#TypeMeta + + // Standard list metadata. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is a list of schema objects. + items: [...#RuntimeClass] @go(Items,[]RuntimeClass) @protobuf(2,bytes,rep) +} diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/policy/v1/doc_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/policy/v1/doc_go_gen.cue new file mode 100644 index 000000000..dedcdc34b --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/policy/v1/doc_go_gen.cue @@ -0,0 +1,8 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/policy/v1 + +// Package policy is for any kind of policy object. Suitable examples, even if +// they aren't all here, are PodDisruptionBudget, PodSecurityPolicy, +// NetworkPolicy, etc. +package v1 diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/policy/v1/register_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/policy/v1/register_go_gen.cue new file mode 100644 index 000000000..e38fa373b --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/policy/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/policy/v1 + +package v1 + +#GroupName: "policy" diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/policy/v1/types_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/policy/v1/types_go_gen.cue new file mode 100644 index 000000000..5901cc6db --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/policy/v1/types_go_gen.cue 
@@ -0,0 +1,204 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/policy/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/intstr" +) + +#DisruptionBudgetCause: metav1.#CauseType & "DisruptionBudget" + +// PodDisruptionBudgetSpec is a description of a PodDisruptionBudget. +#PodDisruptionBudgetSpec: { + // An eviction is allowed if at least "minAvailable" pods selected by + // "selector" will still be available after the eviction, i.e. even in the + // absence of the evicted pod. So for example you can prevent all voluntary + // evictions by specifying "100%". + // +optional + minAvailable?: null | intstr.#IntOrString @go(MinAvailable,*intstr.IntOrString) @protobuf(1,bytes,opt) + + // Label query over pods whose evictions are managed by the disruption + // budget. + // A null selector will match no pods, while an empty ({}) selector will select + // all pods within the namespace. + // +patchStrategy=replace + // +optional + selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt) + + // An eviction is allowed if at most "maxUnavailable" pods selected by + // "selector" are unavailable after the eviction, i.e. even in absence of + // the evicted pod. For example, one can prevent all voluntary evictions + // by specifying 0. This is a mutually exclusive setting with "minAvailable". + // +optional + maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(3,bytes,opt) + + // UnhealthyPodEvictionPolicy defines the criteria for when unhealthy pods + // should be considered for eviction. Current implementation considers healthy pods, + // as pods that have status.conditions item with type="Ready",status="True". + // + // Valid policies are IfHealthyBudget and AlwaysAllow. + // If no policy is specified, the default behavior will be used, + // which corresponds to the IfHealthyBudget policy. 
+ // + // IfHealthyBudget policy means that running pods (status.phase="Running"), + // but not yet healthy can be evicted only if the guarded application is not + // disrupted (status.currentHealthy is at least equal to status.desiredHealthy). + // Healthy pods will be subject to the PDB for eviction. + // + // AlwaysAllow policy means that all running pods (status.phase="Running"), + // but not yet healthy are considered disrupted and can be evicted regardless + // of whether the criteria in a PDB is met. This means perspective running + // pods of a disrupted application might not get a chance to become healthy. + // Healthy pods will be subject to the PDB for eviction. + // + // Additional policies may be added in the future. + // Clients making eviction decisions should disallow eviction of unhealthy pods + // if they encounter an unrecognized policy in this field. + // + // This field is beta-level. The eviction API uses this field when + // the feature gate PDBUnhealthyPodEvictionPolicy is enabled (enabled by default). + // +optional + unhealthyPodEvictionPolicy?: null | #UnhealthyPodEvictionPolicyType @go(UnhealthyPodEvictionPolicy,*UnhealthyPodEvictionPolicyType) @protobuf(4,bytes,opt) +} + +// UnhealthyPodEvictionPolicyType defines the criteria for when unhealthy pods +// should be considered for eviction. +// +enum +#UnhealthyPodEvictionPolicyType: string // #enumUnhealthyPodEvictionPolicyType + +#enumUnhealthyPodEvictionPolicyType: + #IfHealthyBudget | + #AlwaysAllow + +// IfHealthyBudget policy means that running pods (status.phase="Running"), +// but not yet healthy can be evicted only if the guarded application is not +// disrupted (status.currentHealthy is at least equal to status.desiredHealthy). +// Healthy pods will be subject to the PDB for eviction. 
+#IfHealthyBudget: #UnhealthyPodEvictionPolicyType & "IfHealthyBudget" + +// AlwaysAllow policy means that all running pods (status.phase="Running"), +// but not yet healthy are considered disrupted and can be evicted regardless +// of whether the criteria in a PDB is met. This means perspective running +// pods of a disrupted application might not get a chance to become healthy. +// Healthy pods will be subject to the PDB for eviction. +#AlwaysAllow: #UnhealthyPodEvictionPolicyType & "AlwaysAllow" + +// PodDisruptionBudgetStatus represents information about the status of a +// PodDisruptionBudget. Status may trail the actual state of a system. +#PodDisruptionBudgetStatus: { + // Most recent generation observed when updating this PDB status. DisruptionsAllowed and other + // status information is valid only if observedGeneration equals to PDB's object generation. + // +optional + observedGeneration?: int64 @go(ObservedGeneration) @protobuf(1,varint,opt) + + // DisruptedPods contains information about pods whose eviction was + // processed by the API server eviction subresource handler but has not + // yet been observed by the PodDisruptionBudget controller. + // A pod will be in this map from the time when the API server processed the + // eviction request to the time when the pod is seen by PDB controller + // as having been marked for deletion (or after a timeout). The key in the map is the name of the pod + // and the value is the time when the API server processed the eviction request. If + // the deletion didn't occur and a pod is still there it will be removed from + // the list automatically by PodDisruptionBudget controller after some time. + // If everything goes smooth this map should be empty for the most of the time. + // Large number of entries in the map may indicate problems with pod deletions. 
+ // +optional + disruptedPods?: {[string]: metav1.#Time} @go(DisruptedPods,map[string]metav1.Time) @protobuf(2,bytes,rep) + + // Number of pod disruptions that are currently allowed. + disruptionsAllowed: int32 @go(DisruptionsAllowed) @protobuf(3,varint,opt) + + // current number of healthy pods + currentHealthy: int32 @go(CurrentHealthy) @protobuf(4,varint,opt) + + // minimum desired number of healthy pods + desiredHealthy: int32 @go(DesiredHealthy) @protobuf(5,varint,opt) + + // total number of pods counted by this disruption budget + expectedPods: int32 @go(ExpectedPods) @protobuf(6,varint,opt) + + // Conditions contain conditions for PDB. The disruption controller sets the + // DisruptionAllowed condition. The following are known values for the reason field + // (additional reasons could be added in the future): + // - SyncFailed: The controller encountered an error and wasn't able to compute + // the number of allowed disruptions. Therefore no disruptions are + // allowed and the status of the condition will be False. + // - InsufficientPods: The number of pods are either at or below the number + // required by the PodDisruptionBudget. No disruptions are + // allowed and the status of the condition will be False. + // - SufficientPods: There are more pods than required by the PodDisruptionBudget. + // The condition will be True, and the number of allowed + // disruptions are provided by the disruptionsAllowed property. + // + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + conditions?: [...metav1.#Condition] @go(Conditions,[]metav1.Condition) @protobuf(7,bytes,rep) +} + +// DisruptionAllowedCondition is a condition set by the disruption controller +// that signal whether any of the pods covered by the PDB can be disrupted. 
+#DisruptionAllowedCondition: "DisruptionAllowed" + +// SyncFailedReason is set on the DisruptionAllowed condition if reconcile +// of the PDB failed and therefore disruption of pods are not allowed. +#SyncFailedReason: "SyncFailed" + +// SufficientPodsReason is set on the DisruptionAllowed condition if there are +// more pods covered by the PDB than required and at least one can be disrupted. +#SufficientPodsReason: "SufficientPods" + +// InsufficientPodsReason is set on the DisruptionAllowed condition if the number +// of pods are equal to or fewer than required by the PDB. +#InsufficientPodsReason: "InsufficientPods" + +// PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods +#PodDisruptionBudget: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Specification of the desired behavior of the PodDisruptionBudget. + // +optional + spec?: #PodDisruptionBudgetSpec @go(Spec) @protobuf(2,bytes,opt) + + // Most recently observed status of the PodDisruptionBudget. + // +optional + status?: #PodDisruptionBudgetStatus @go(Status) @protobuf(3,bytes,opt) +} + +// PodDisruptionBudgetList is a collection of PodDisruptionBudgets. +#PodDisruptionBudgetList: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of PodDisruptionBudgets + items: [...#PodDisruptionBudget] @go(Items,[]PodDisruptionBudget) @protobuf(2,bytes,rep) +} + +// Eviction evicts a pod from its node subject to certain policies and safety constraints. +// This is a subresource of Pod. 
A request to cause such an eviction is +// created by POSTing to .../pods//evictions. +#Eviction: { + metav1.#TypeMeta + + // ObjectMeta describes the pod that is being evicted. + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // DeleteOptions may be provided + // +optional + deleteOptions?: null | metav1.#DeleteOptions @go(DeleteOptions,*metav1.DeleteOptions) @protobuf(2,bytes,opt) +} diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/rbac/v1/register_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/rbac/v1/register_go_gen.cue new file mode 100644 index 000000000..1c83e8b4f --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/rbac/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/rbac/v1 + +package v1 + +#GroupName: "rbac.authorization.k8s.io" diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/rbac/v1/types_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/rbac/v1/types_go_gen.cue new file mode 100644 index 000000000..521e355e9 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/rbac/v1/types_go_gen.cue 
@@ -0,0 +1,207 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/rbac/v1 + +package v1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +#APIGroupAll: "*" +#ResourceAll: "*" +#VerbAll: "*" +#NonResourceAll: "*" +#GroupKind: "Group" +#ServiceAccountKind: "ServiceAccount" +#UserKind: "User" + +// AutoUpdateAnnotationKey is the name of an annotation which prevents reconciliation if set to "false" +#AutoUpdateAnnotationKey: "rbac.authorization.kubernetes.io/autoupdate" + +// PolicyRule holds information that describes a policy rule, but does not contain information +// about who the rule applies to or which namespace the rule applies to. +#PolicyRule: { + // Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs. + verbs: [...string] @go(Verbs,[]string) @protobuf(1,bytes,rep) + + // APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of + // the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups. + // +optional + apiGroups?: [...string] @go(APIGroups,[]string) @protobuf(2,bytes,rep) + + // Resources is a list of resources this rule applies to. '*' represents all resources. + // +optional + resources?: [...string] @go(Resources,[]string) @protobuf(3,bytes,rep) + + // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. + // +optional + resourceNames?: [...string] @go(ResourceNames,[]string) @protobuf(4,bytes,rep) + + // NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path + // Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. 
+ // Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both. + // +optional + nonResourceURLs?: [...string] @go(NonResourceURLs,[]string) @protobuf(5,bytes,rep) +} + +// Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, +// or a value for non-objects such as user and group names. +// +structType=atomic +#Subject: { + // Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + // If the Authorizer does not recognized the kind value, the Authorizer should report an error. + kind: string @go(Kind) @protobuf(1,bytes,opt) + + // APIGroup holds the API group of the referenced subject. + // Defaults to "" for ServiceAccount subjects. + // Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + // +optional + apiGroup?: string @go(APIGroup) @protobuf(2,bytes,opt.name=apiGroup) + + // Name of the object being referenced. + name: string @go(Name) @protobuf(3,bytes,opt) + + // Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + // the Authorizer should report an error. + // +optional + namespace?: string @go(Namespace) @protobuf(4,bytes,opt) +} + +// RoleRef contains information that points to the role being used +// +structType=atomic +#RoleRef: { + // APIGroup is the group for the resource being referenced + apiGroup: string @go(APIGroup) @protobuf(1,bytes,opt) + + // Kind is the type of resource being referenced + kind: string @go(Kind) @protobuf(2,bytes,opt) + + // Name is the name of resource being referenced + name: string @go(Name) @protobuf(3,bytes,opt) +} + +// Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding. +#Role: { + metav1.#TypeMeta + + // Standard object's metadata. 
+ // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Rules holds all the PolicyRules for this Role + // +optional + rules: [...#PolicyRule] @go(Rules,[]PolicyRule) @protobuf(2,bytes,rep) +} + +// RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. +// It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given +// namespace only have effect in that namespace. +#RoleBinding: { + metav1.#TypeMeta + + // Standard object's metadata. + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Subjects holds references to the objects the role applies to. + // +optional + subjects?: [...#Subject] @go(Subjects,[]Subject) @protobuf(2,bytes,rep) + + // RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. + // If the RoleRef cannot be resolved, the Authorizer must return an error. + // This field is immutable. + roleRef: #RoleRef @go(RoleRef) @protobuf(3,bytes,opt) +} + +// RoleBindingList is a collection of RoleBindings +#RoleBindingList: { + metav1.#TypeMeta + + // Standard object's metadata. + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of RoleBindings + items: [...#RoleBinding] @go(Items,[]RoleBinding) @protobuf(2,bytes,rep) +} + +// RoleList is a collection of Roles +#RoleList: { + metav1.#TypeMeta + + // Standard object's metadata. + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of Roles + items: [...#Role] @go(Items,[]Role) @protobuf(2,bytes,rep) +} + +// ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding. +#ClusterRole: { + metav1.#TypeMeta + + // Standard object's metadata. 
+ // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Rules holds all the PolicyRules for this ClusterRole + // +optional + rules: [...#PolicyRule] @go(Rules,[]PolicyRule) @protobuf(2,bytes,rep) + + // AggregationRule is an optional field that describes how to build the Rules for this ClusterRole. + // If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be + // stomped by the controller. + // +optional + aggregationRule?: null | #AggregationRule @go(AggregationRule,*AggregationRule) @protobuf(3,bytes,opt) +} + +// AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole +#AggregationRule: { + // ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. + // If any of the selectors match, then the ClusterRole's permissions will be added + // +optional + clusterRoleSelectors?: [...metav1.#LabelSelector] @go(ClusterRoleSelectors,[]metav1.LabelSelector) @protobuf(1,bytes,rep) +} + +// ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, +// and adds who information via Subject. +#ClusterRoleBinding: { + metav1.#TypeMeta + + // Standard object's metadata. + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // Subjects holds references to the objects the role applies to. + // +optional + subjects?: [...#Subject] @go(Subjects,[]Subject) @protobuf(2,bytes,rep) + + // RoleRef can only reference a ClusterRole in the global namespace. + // If the RoleRef cannot be resolved, the Authorizer must return an error. + // This field is immutable. + roleRef: #RoleRef @go(RoleRef) @protobuf(3,bytes,opt) +} + +// ClusterRoleBindingList is a collection of ClusterRoleBindings +#ClusterRoleBindingList: { + metav1.#TypeMeta + + // Standard object's metadata. 
+ // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of ClusterRoleBindings + items: [...#ClusterRoleBinding] @go(Items,[]ClusterRoleBinding) @protobuf(2,bytes,rep) +} + +// ClusterRoleList is a collection of ClusterRoles +#ClusterRoleList: { + metav1.#TypeMeta + + // Standard object's metadata. + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Items is a list of ClusterRoles + items: [...#ClusterRole] @go(Items,[]ClusterRole) @protobuf(2,bytes,rep) +} diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/scheduling/v1/register_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/scheduling/v1/register_go_gen.cue new file mode 100644 index 000000000..8cc2b5f28 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/scheduling/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/scheduling/v1 + +package v1 + +#GroupName: "scheduling.k8s.io" diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/scheduling/v1/types_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/scheduling/v1/types_go_gen.cue new file mode 100644 index 000000000..1d8f95746 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/scheduling/v1/types_go_gen.cue 
@@ -0,0 +1,57 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/scheduling/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + apiv1 "k8s.io/api/core/v1" +) + +// PriorityClass defines mapping from a priority class name to the priority +// integer value. The value can be any valid integer. +#PriorityClass: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // value represents the integer value of this priority class. This is the actual priority that pods + // receive when they have the name of this class in their pod spec. + value: int32 @go(Value) @protobuf(2,bytes,opt) + + // globalDefault specifies whether this PriorityClass should be considered as + // the default priority for pods that do not have any priority class. + // Only one PriorityClass can be marked as `globalDefault`. However, if more than + // one PriorityClasses exists with their `globalDefault` field set to true, + // the smallest value of such global default PriorityClasses will be used as the default priority. + // +optional + globalDefault?: bool @go(GlobalDefault) @protobuf(3,bytes,opt) + + // description is an arbitrary string that usually provides guidelines on + // when this priority class should be used. + // +optional + description?: string @go(Description) @protobuf(4,bytes,opt) + + // preemptionPolicy is the Policy for preempting pods with lower priority. + // One of Never, PreemptLowerPriority. + // Defaults to PreemptLowerPriority if unset. + // +optional + preemptionPolicy?: null | apiv1.#PreemptionPolicy @go(PreemptionPolicy,*apiv1.PreemptionPolicy) @protobuf(5,bytes,opt) +} + +// PriorityClassList is a collection of priority classes. 
+#PriorityClassList: { + metav1.#TypeMeta + + // Standard list metadata + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of PriorityClasses + items: [...#PriorityClass] @go(Items,[]PriorityClass) @protobuf(2,bytes,rep) +} diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/storage/v1/register_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/storage/v1/register_go_gen.cue new file mode 100644 index 000000000..641ce60cc --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/storage/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/storage/v1 + +package v1 + +#GroupName: "storage.k8s.io" diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/api/storage/v1/types_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/storage/v1/types_go_gen.cue new file mode 100644 index 000000000..b5158650b --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/api/storage/v1/types_go_gen.cue 
@@ -0,0 +1,652 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/api/storage/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/resource" +) + +// StorageClass describes the parameters for a class of storage for +// which PersistentVolumes can be dynamically provisioned. +// +// StorageClasses are non-namespaced; the name of the storage class +// according to etcd is in ObjectMeta.Name. +#StorageClass: { + metav1.#TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // provisioner indicates the type of the provisioner. + provisioner: string @go(Provisioner) @protobuf(2,bytes,opt) + + // parameters holds the parameters for the provisioner that should + // create volumes of this storage class. + // +optional + parameters?: {[string]: string} @go(Parameters,map[string]string) @protobuf(3,bytes,rep) + + // reclaimPolicy controls the reclaimPolicy for dynamically provisioned PersistentVolumes of this storage class. + // Defaults to Delete. + // +optional + reclaimPolicy?: null | v1.#PersistentVolumeReclaimPolicy @go(ReclaimPolicy,*v1.PersistentVolumeReclaimPolicy) @protobuf(4,bytes,opt,casttype=k8s.io/api/core/v1.PersistentVolumeReclaimPolicy) + + // mountOptions controls the mountOptions for dynamically provisioned PersistentVolumes of this storage class. + // e.g. ["ro", "soft"]. Not validated - + // mount of the PVs will simply fail if one is invalid. + // +optional + mountOptions?: [...string] @go(MountOptions,[]string) @protobuf(5,bytes,opt) + + // allowVolumeExpansion shows whether the storage class allow volume expand. 
+ // +optional + allowVolumeExpansion?: null | bool @go(AllowVolumeExpansion,*bool) @protobuf(6,varint,opt) + + // volumeBindingMode indicates how PersistentVolumeClaims should be + // provisioned and bound. When unset, VolumeBindingImmediate is used. + // This field is only honored by servers that enable the VolumeScheduling feature. + // +optional + volumeBindingMode?: null | #VolumeBindingMode @go(VolumeBindingMode,*VolumeBindingMode) @protobuf(7,bytes,opt) + + // allowedTopologies restrict the node topologies where volumes can be dynamically provisioned. + // Each volume plugin defines its own supported topology specifications. + // An empty TopologySelectorTerm list means there is no topology restriction. + // This field is only honored by servers that enable the VolumeScheduling feature. + // +optional + // +listType=atomic + allowedTopologies?: [...v1.#TopologySelectorTerm] @go(AllowedTopologies,[]v1.TopologySelectorTerm) @protobuf(8,bytes,rep) +} + +// StorageClassList is a collection of storage classes. +#StorageClassList: { + metav1.#TypeMeta + + // Standard list metadata + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of StorageClasses + items: [...#StorageClass] @go(Items,[]StorageClass) @protobuf(2,bytes,rep) +} + +// VolumeBindingMode indicates how PersistentVolumeClaims should be bound. +// +enum +#VolumeBindingMode: string // #enumVolumeBindingMode + +#enumVolumeBindingMode: + #VolumeBindingImmediate | + #VolumeBindingWaitForFirstConsumer + +// VolumeBindingImmediate indicates that PersistentVolumeClaims should be +// immediately provisioned and bound. This is the default mode. 
+#VolumeBindingImmediate: #VolumeBindingMode & "Immediate" + +// VolumeBindingWaitForFirstConsumer indicates that PersistentVolumeClaims +// should not be provisioned and bound until the first Pod is created that +// references the PeristentVolumeClaim. The volume provisioning and +// binding will occur during Pod scheduing. +#VolumeBindingWaitForFirstConsumer: #VolumeBindingMode & "WaitForFirstConsumer" + +// VolumeAttachment captures the intent to attach or detach the specified volume +// to/from the specified node. +// +// VolumeAttachment objects are non-namespaced. +#VolumeAttachment: { + metav1.#TypeMeta + + // Standard object metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec represents specification of the desired attach/detach volume behavior. + // Populated by the Kubernetes system. + spec: #VolumeAttachmentSpec @go(Spec) @protobuf(2,bytes,opt) + + // status represents status of the VolumeAttachment request. + // Populated by the entity completing the attach or detach + // operation, i.e. the external-attacher. + // +optional + status?: #VolumeAttachmentStatus @go(Status) @protobuf(3,bytes,opt) +} + +// VolumeAttachmentList is a collection of VolumeAttachment objects. +#VolumeAttachmentList: { + metav1.#TypeMeta + + // Standard list metadata + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of VolumeAttachments + items: [...#VolumeAttachment] @go(Items,[]VolumeAttachment) @protobuf(2,bytes,rep) +} + +// VolumeAttachmentSpec is the specification of a VolumeAttachment request. +#VolumeAttachmentSpec: { + // attacher indicates the name of the volume driver that MUST handle this + // request. 
This is the name returned by GetPluginName(). + attacher: string @go(Attacher) @protobuf(1,bytes,opt) + + // source represents the volume that should be attached. + source: #VolumeAttachmentSource @go(Source) @protobuf(2,bytes,opt) + + // nodeName represents the node that the volume should be attached to. + nodeName: string @go(NodeName) @protobuf(3,bytes,opt) +} + +// VolumeAttachmentSource represents a volume that should be attached. +// Right now only PersistenVolumes can be attached via external attacher, +// in future we may allow also inline volumes in pods. +// Exactly one member can be set. +#VolumeAttachmentSource: { + // persistentVolumeName represents the name of the persistent volume to attach. + // +optional + persistentVolumeName?: null | string @go(PersistentVolumeName,*string) @protobuf(1,bytes,opt) + + // inlineVolumeSpec contains all the information necessary to attach + // a persistent volume defined by a pod's inline VolumeSource. This field + // is populated only for the CSIMigration feature. It contains + // translated fields from a pod's inline VolumeSource to a + // PersistentVolumeSpec. This field is beta-level and is only + // honored by servers that enabled the CSIMigration feature. + // +optional + inlineVolumeSpec?: null | v1.#PersistentVolumeSpec @go(InlineVolumeSpec,*v1.PersistentVolumeSpec) @protobuf(2,bytes,opt) +} + +// VolumeAttachmentStatus is the status of a VolumeAttachment request. +#VolumeAttachmentStatus: { + // attached indicates the volume is successfully attached. + // This field must only be set by the entity completing the attach + // operation, i.e. the external-attacher. + attached: bool @go(Attached) @protobuf(1,varint,opt) + + // attachmentMetadata is populated with any + // information returned by the attach operation, upon successful attach, that must be passed + // into subsequent WaitForAttach or Mount calls. + // This field must only be set by the entity completing the attach + // operation, i.e. 
the external-attacher. + // +optional + attachmentMetadata?: {[string]: string} @go(AttachmentMetadata,map[string]string) @protobuf(2,bytes,rep) + + // attachError represents the last error encountered during attach operation, if any. + // This field must only be set by the entity completing the attach + // operation, i.e. the external-attacher. + // +optional + attachError?: null | #VolumeError @go(AttachError,*VolumeError) @protobuf(3,bytes,opt,casttype=VolumeError) + + // detachError represents the last error encountered during detach operation, if any. + // This field must only be set by the entity completing the detach + // operation, i.e. the external-attacher. + // +optional + detachError?: null | #VolumeError @go(DetachError,*VolumeError) @protobuf(4,bytes,opt,casttype=VolumeError) +} + +// VolumeError captures an error encountered during a volume operation. +#VolumeError: { + // time represents the time the error was encountered. + // +optional + time?: metav1.#Time @go(Time) @protobuf(1,bytes,opt) + + // message represents the error encountered during Attach or Detach operation. + // This string may be logged, so it should not contain sensitive + // information. + // +optional + message?: string @go(Message) @protobuf(2,bytes,opt) +} + +// CSIDriver captures information about a Container Storage Interface (CSI) +// volume driver deployed on the cluster. +// Kubernetes attach detach controller uses this object to determine whether attach is required. +// Kubelet uses this object to determine whether pod information needs to be passed on mount. +// CSIDriver objects are non-namespaced. +#CSIDriver: { + metav1.#TypeMeta + + // Standard object metadata. + // metadata.Name indicates the name of the CSI driver that this object + // refers to; it MUST be the same name returned by the CSI GetPluginName() + // call for that driver. 
+ // The driver name must be 63 characters or less, beginning and ending with + // an alphanumeric character ([a-z0-9A-Z]) with dashes (-), dots (.), and + // alphanumerics between. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec represents the specification of the CSI Driver. + spec: #CSIDriverSpec @go(Spec) @protobuf(2,bytes,opt) +} + +// CSIDriverList is a collection of CSIDriver objects. +#CSIDriverList: { + metav1.#TypeMeta + + // Standard list metadata + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of CSIDriver + items: [...#CSIDriver] @go(Items,[]CSIDriver) @protobuf(2,bytes,rep) +} + +// CSIDriverSpec is the specification of a CSIDriver. +#CSIDriverSpec: { + // attachRequired indicates this CSI volume driver requires an attach + // operation (because it implements the CSI ControllerPublishVolume() + // method), and that the Kubernetes attach detach controller should call + // the attach volume interface which checks the volumeattachment status + // and waits until the volume is attached before proceeding to mounting. + // The CSI external-attacher coordinates with CSI volume driver and updates + // the volumeattachment status when the attach operation is complete. + // If the CSIDriverRegistry feature gate is enabled and the value is + // specified to false, the attach operation will be skipped. + // Otherwise the attach operation will be called. + // + // This field is immutable. + // + // +optional + attachRequired?: null | bool @go(AttachRequired,*bool) @protobuf(1,varint,opt) + + // podInfoOnMount indicates this CSI volume driver requires additional pod information (like podName, podUID, etc.) + // during mount operations, if set to true. 
+ // If set to false, pod information will not be passed on mount. + // Default is false. + // + // The CSI driver specifies podInfoOnMount as part of driver deployment. + // If true, Kubelet will pass pod information as VolumeContext in the CSI NodePublishVolume() calls. + // The CSI driver is responsible for parsing and validating the information passed in as VolumeContext. + // + // The following VolumeConext will be passed if podInfoOnMount is set to true. + // This list might grow, but the prefix will be used. + // "csi.storage.k8s.io/pod.name": pod.Name + // "csi.storage.k8s.io/pod.namespace": pod.Namespace + // "csi.storage.k8s.io/pod.uid": string(pod.UID) + // "csi.storage.k8s.io/ephemeral": "true" if the volume is an ephemeral inline volume + // defined by a CSIVolumeSource, otherwise "false" + // + // "csi.storage.k8s.io/ephemeral" is a new feature in Kubernetes 1.16. It is only + // required for drivers which support both the "Persistent" and "Ephemeral" VolumeLifecycleMode. + // Other drivers can leave pod info disabled and/or ignore this field. + // As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when + // deployed on such a cluster and the deployment determines which mode that is, for example + // via a command line parameter of the driver. + // + // This field is immutable. + // + // +optional + podInfoOnMount?: null | bool @go(PodInfoOnMount,*bool) @protobuf(2,bytes,opt) + + // volumeLifecycleModes defines what kind of volumes this CSI volume driver supports. + // The default if the list is empty is "Persistent", which is the usage defined by the + // CSI specification and implemented in Kubernetes via the usual PV/PVC mechanism. + // + // The other mode is "Ephemeral". In this mode, volumes are defined inline inside the pod spec + // with CSIVolumeSource and their lifecycle is tied to the lifecycle of that pod. 
+ // A driver has to be aware of this because it is only going to get a NodePublishVolume call for such a volume. + // + // For more information about implementing this mode, see + // https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html + // A driver can support one or more of these modes and more modes may be added in the future. + // + // This field is beta. + // This field is immutable. + // + // +optional + // +listType=set + volumeLifecycleModes?: [...#VolumeLifecycleMode] @go(VolumeLifecycleModes,[]VolumeLifecycleMode) @protobuf(3,bytes,opt) + + // storageCapacity indicates that the CSI volume driver wants pod scheduling to consider the storage + // capacity that the driver deployment will report by creating + // CSIStorageCapacity objects with capacity information, if set to true. + // + // The check can be enabled immediately when deploying a driver. + // In that case, provisioning new volumes with late binding + // will pause until the driver deployment has published + // some suitable CSIStorageCapacity object. + // + // Alternatively, the driver can be deployed with the field + // unset or false and it can be flipped later when storage + // capacity information has been published. + // + // This field was immutable in Kubernetes <= 1.22 and now is mutable. + // + // +optional + // +featureGate=CSIStorageCapacity + storageCapacity?: null | bool @go(StorageCapacity,*bool) @protobuf(4,bytes,opt) + + // fsGroupPolicy defines if the underlying volume supports changing ownership and + // permission of the volume before being mounted. + // Refer to the specific FSGroupPolicy values for additional details. + // + // This field is immutable. + // + // Defaults to ReadWriteOnceWithFSType, which will examine each volume + // to determine if Kubernetes should modify ownership and permissions of the volume. 
+ // With the default policy the defined fsGroup will only be applied + // if a fstype is defined and the volume's access mode contains ReadWriteOnce. + // + // +optional + fsGroupPolicy?: null | #FSGroupPolicy @go(FSGroupPolicy,*FSGroupPolicy) @protobuf(5,bytes,opt) + + // tokenRequests indicates the CSI driver needs pods' service account + // tokens it is mounting volume for to do necessary authentication. Kubelet + // will pass the tokens in VolumeContext in the CSI NodePublishVolume calls. + // The CSI driver should parse and validate the following VolumeContext: + // "csi.storage.k8s.io/serviceAccount.tokens": { + // "": { + // "token": , + // "expirationTimestamp": , + // }, + // ... + // } + // + // Note: Audience in each TokenRequest should be different and at + // most one token is empty string. To receive a new token after expiry, + // RequiresRepublish can be used to trigger NodePublishVolume periodically. + // + // +optional + // +listType=atomic + tokenRequests?: [...#TokenRequest] @go(TokenRequests,[]TokenRequest) @protobuf(6,bytes,opt) + + // requiresRepublish indicates the CSI driver wants `NodePublishVolume` + // being periodically called to reflect any possible change in the mounted + // volume. This field defaults to false. + // + // Note: After a successful initial NodePublishVolume call, subsequent calls + // to NodePublishVolume should only update the contents of the volume. New + // mount points will not be seen by a running container. + // + // +optional + requiresRepublish?: null | bool @go(RequiresRepublish,*bool) @protobuf(7,varint,opt) + + // seLinuxMount specifies if the CSI driver supports "-o context" + // mount option. + // + // When "true", the CSI driver must ensure that all volumes provided by this CSI + // driver can be mounted separately with different `-o context` options. This is + // typical for storage backends that provide volumes as filesystems on block + // devices or as independent shared volumes. 
+ // Kubernetes will call NodeStage / NodePublish with "-o context=xyz" mount + // option when mounting a ReadWriteOncePod volume used in Pod that has + // explicitly set SELinux context. In the future, it may be expanded to other + // volume AccessModes. In any case, Kubernetes will ensure that the volume is + // mounted only with a single SELinux context. + // + // When "false", Kubernetes won't pass any special SELinux mount options to the driver. + // This is typical for volumes that represent subdirectories of a bigger shared filesystem. + // + // Default is "false". + // + // +featureGate=SELinuxMountReadWriteOncePod + // +optional + seLinuxMount?: null | bool @go(SELinuxMount,*bool) @protobuf(8,varint,opt) +} + +// FSGroupPolicy specifies if a CSI Driver supports modifying +// volume ownership and permissions of the volume to be mounted. +// More modes may be added in the future. +#FSGroupPolicy: string // #enumFSGroupPolicy + +#enumFSGroupPolicy: + #ReadWriteOnceWithFSTypeFSGroupPolicy | + #FileFSGroupPolicy | + #NoneFSGroupPolicy + +// ReadWriteOnceWithFSTypeFSGroupPolicy indicates that each volume will be examined +// to determine if the volume ownership and permissions +// should be modified. If a fstype is defined and the volume's access mode +// contains ReadWriteOnce, then the defined fsGroup will be applied. +// This mode should be defined if it's expected that the +// fsGroup may need to be modified depending on the pod's SecurityPolicy. +// This is the default behavior if no other FSGroupPolicy is defined. +#ReadWriteOnceWithFSTypeFSGroupPolicy: #FSGroupPolicy & "ReadWriteOnceWithFSType" + +// FileFSGroupPolicy indicates that CSI driver supports volume ownership +// and permission change via fsGroup, and Kubernetes will change the permissions +// and ownership of every file in the volume to match the user requested fsGroup in +// the pod's SecurityPolicy regardless of fstype or access mode. 
+// Use this mode if Kubernetes should modify the permissions and ownership +// of the volume. +#FileFSGroupPolicy: #FSGroupPolicy & "File" + +// NoneFSGroupPolicy indicates that volumes will be mounted without performing +// any ownership or permission modifications, as the CSIDriver does not support +// these operations. +// This mode should be selected if the CSIDriver does not support fsGroup modifications, +// for example when Kubernetes cannot change ownership and permissions on a volume due +// to root-squash settings on a NFS volume. +#NoneFSGroupPolicy: #FSGroupPolicy & "None" + +// VolumeLifecycleMode is an enumeration of possible usage modes for a volume +// provided by a CSI driver. More modes may be added in the future. +#VolumeLifecycleMode: string // #enumVolumeLifecycleMode + +#enumVolumeLifecycleMode: + #VolumeLifecyclePersistent | + #VolumeLifecycleEphemeral + +// TokenRequest contains parameters of a service account token. +#TokenRequest: { + // audience is the intended audience of the token in "TokenRequestSpec". + // It will default to the audiences of kube apiserver. + audience: string @go(Audience) @protobuf(1,bytes,opt) + + // expirationSeconds is the duration of validity of the token in "TokenRequestSpec". + // It has the same default value of "ExpirationSeconds" in "TokenRequestSpec". + // + // +optional + expirationSeconds?: null | int64 @go(ExpirationSeconds,*int64) @protobuf(2,varint,opt) +} + +// VolumeLifecyclePersistent explicitly confirms that the driver implements +// the full CSI spec. It is the default when CSIDriverSpec.VolumeLifecycleModes is not +// set. Such volumes are managed in Kubernetes via the persistent volume +// claim mechanism and have a lifecycle that is independent of the pods which +// use them. +#VolumeLifecyclePersistent: #VolumeLifecycleMode & "Persistent" + +// VolumeLifecycleEphemeral indicates that the driver can be used for +// ephemeral inline volumes. 
Such volumes are specified inside the pod +// spec with a CSIVolumeSource and, as far as Kubernetes is concerned, have +// a lifecycle that is tied to the lifecycle of the pod. For example, such +// a volume might contain data that gets created specifically for that pod, +// like secrets. +// But how the volume actually gets created and managed is entirely up to +// the driver. It might also use reference counting to share the same volume +// instance among different pods if the CSIVolumeSource of those pods is +// identical. +#VolumeLifecycleEphemeral: #VolumeLifecycleMode & "Ephemeral" + +// CSINode holds information about all CSI drivers installed on a node. +// CSI drivers do not need to create the CSINode object directly. As long as +// they use the node-driver-registrar sidecar container, the kubelet will +// automatically populate the CSINode object for the CSI driver as part of +// kubelet plugin registration. +// CSINode has the same name as a node. If the object is missing, it means either +// there are no CSI Drivers available on the node, or the Kubelet version is low +// enough that it doesn't create this object. +// CSINode has an OwnerReference that points to the corresponding node object. +#CSINode: { + metav1.#TypeMeta + + // Standard object's metadata. + // metadata.name must be the Kubernetes node name. + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec is the specification of CSINode + spec: #CSINodeSpec @go(Spec) @protobuf(2,bytes,opt) +} + +// CSINodeSpec holds information about the specification of all CSI drivers installed on a node +#CSINodeSpec: { + // drivers is a list of information of all CSI Drivers existing on a node. + // If all drivers in the list are uninstalled, this can become empty. 
+ // +patchMergeKey=name + // +patchStrategy=merge + drivers: [...#CSINodeDriver] @go(Drivers,[]CSINodeDriver) @protobuf(1,bytes,rep) +} + +// CSINodeDriver holds information about the specification of one CSI driver installed on a node +#CSINodeDriver: { + // name represents the name of the CSI driver that this object refers to. + // This MUST be the same name returned by the CSI GetPluginName() call for + // that driver. + name: string @go(Name) @protobuf(1,bytes,opt) + + // nodeID of the node from the driver point of view. + // This field enables Kubernetes to communicate with storage systems that do + // not share the same nomenclature for nodes. For example, Kubernetes may + // refer to a given node as "node1", but the storage system may refer to + // the same node as "nodeA". When Kubernetes issues a command to the storage + // system to attach a volume to a specific node, it can use this field to + // refer to the node name using the ID that the storage system will + // understand, e.g. "nodeA" instead of "node1". This field is required. + nodeID: string @go(NodeID) @protobuf(2,bytes,opt) + + // topologyKeys is the list of keys supported by the driver. + // When a driver is initialized on a cluster, it provides a set of topology + // keys that it understands (e.g. "company.com/zone", "company.com/region"). + // When a driver is initialized on a node, it provides the same topology keys + // along with values. Kubelet will expose these topology keys as labels + // on its own node object. + // When Kubernetes does topology aware provisioning, it can use this list to + // determine which labels it should retrieve from the node object and pass + // back to the driver. + // It is possible for different nodes to use different topology keys. + // This can be empty if driver does not support topology. 
+ // +optional + topologyKeys: [...string] @go(TopologyKeys,[]string) @protobuf(3,bytes,rep) + + // allocatable represents the volume resources of a node that are available for scheduling. + // This field is beta. + // +optional + allocatable?: null | #VolumeNodeResources @go(Allocatable,*VolumeNodeResources) @protobuf(4,bytes,opt) +} + +// VolumeNodeResources is a set of resource limits for scheduling of volumes. +#VolumeNodeResources: { + // count indicates the maximum number of unique volumes managed by the CSI driver that can be used on a node. + // A volume that is both attached and mounted on a node is considered to be used once, not twice. + // The same rule applies for a unique volume that is shared among multiple pods on the same node. + // If this field is not specified, then the supported number of volumes on this node is unbounded. + // +optional + count?: null | int32 @go(Count,*int32) @protobuf(1,varint,opt) +} + +// CSINodeList is a collection of CSINode objects. +#CSINodeList: { + metav1.#TypeMeta + + // Standard list metadata + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of CSINode + items: [...#CSINode] @go(Items,[]CSINode) @protobuf(2,bytes,rep) +} + +// CSIStorageCapacity stores the result of one CSI GetCapacity call. +// For a given StorageClass, this describes the available capacity in a +// particular topology segment. This can be used when considering where to +// instantiate new PersistentVolumes. 
+// +// For example this can express things like: +// - StorageClass "standard" has "1234 GiB" available in "topology.kubernetes.io/zone=us-east1" +// - StorageClass "localssd" has "10 GiB" available in "kubernetes.io/hostname=knode-abc123" +// +// The following three cases all imply that no capacity is available for +// a certain combination: +// - no object exists with suitable topology and storage class name +// - such an object exists, but the capacity is unset +// - such an object exists, but the capacity is zero +// +// The producer of these objects can decide which approach is more suitable. +// +// They are consumed by the kube-scheduler when a CSI driver opts into +// capacity-aware scheduling with CSIDriverSpec.StorageCapacity. The scheduler +// compares the MaximumVolumeSize against the requested size of pending volumes +// to filter out unsuitable nodes. If MaximumVolumeSize is unset, it falls back +// to a comparison against the less precise Capacity. If that is also unset, +// the scheduler assumes that capacity is insufficient and tries some other +// node. +#CSIStorageCapacity: { + metav1.#TypeMeta + + // Standard object's metadata. + // The name has no particular meaning. It must be a DNS subdomain (dots allowed, 253 characters). + // To ensure that there are no conflicts with other CSI drivers on the cluster, + // the recommendation is to use csisc-, a generated name, or a reverse-domain name + // which ends with the unique CSI driver name. + // + // Objects are namespaced. + // + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // nodeTopology defines which nodes have access to the storage + // for which capacity was reported. If not set, the storage is + // not accessible from any node in the cluster. If empty, the + // storage is accessible from all nodes. This field is + // immutable. 
+ // + // +optional + nodeTopology?: null | metav1.#LabelSelector @go(NodeTopology,*metav1.LabelSelector) @protobuf(2,bytes,opt) + + // storageClassName represents the name of the StorageClass that the reported capacity applies to. + // It must meet the same requirements as the name of a StorageClass + // object (non-empty, DNS subdomain). If that object no longer exists, + // the CSIStorageCapacity object is obsolete and should be removed by its + // creator. + // This field is immutable. + storageClassName: string @go(StorageClassName) @protobuf(3,bytes) + + // capacity is the value reported by the CSI driver in its GetCapacityResponse + // for a GetCapacityRequest with topology and parameters that match the + // previous fields. + // + // The semantic is currently (CSI spec 1.2) defined as: + // The available capacity, in bytes, of the storage that can be used + // to provision volumes. If not set, that information is currently + // unavailable. + // + // +optional + capacity?: null | resource.#Quantity @go(Capacity,*resource.Quantity) @protobuf(4,bytes,opt) + + // maximumVolumeSize is the value reported by the CSI driver in its GetCapacityResponse + // for a GetCapacityRequest with topology and parameters that match the + // previous fields. + // + // This is defined since CSI spec 1.4.0 as the largest size + // that may be used in a + // CreateVolumeRequest.capacity_range.required_bytes field to + // create a volume with the same parameters as those in + // GetCapacityRequest. The corresponding value in the Kubernetes + // API is ResourceRequirements.Requests in a volume claim. + // + // +optional + maximumVolumeSize?: null | resource.#Quantity @go(MaximumVolumeSize,*resource.Quantity) @protobuf(5,bytes,opt) +} + +// CSIStorageCapacityList is a collection of CSIStorageCapacity objects. 
+#CSIStorageCapacityList: { + metav1.#TypeMeta + + // Standard list metadata + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items is the list of CSIStorageCapacity objects. + // +listType=map + // +listMapKey=name + items: [...#CSIStorageCapacity] @go(Items,[]CSIStorageCapacity) @protobuf(2,bytes,rep) +} diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/doc_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/doc_go_gen.cue new file mode 100644 index 000000000..083aa825b --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/doc_go_gen.cue @@ -0,0 +1,6 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1 + +// Package v1 is the v1 version of the API. +package v1 diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/register_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/register_go_gen.cue new file mode 100644 index 000000000..c4ce800f4 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/register_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1 + +package v1 + +#GroupName: "apiextensions.k8s.io" diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_go_gen.cue new file mode 100644 index 000000000..b938c8ba0 --- /dev/null 
+++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_go_gen.cue 
@@ -0,0 +1,513 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1 + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + "k8s.io/apimachinery/pkg/runtime" +) + +// ConversionStrategyType describes different conversion types. +#ConversionStrategyType: string // #enumConversionStrategyType + +#enumConversionStrategyType: + #NoneConverter | + #WebhookConverter + +// KubeAPIApprovedAnnotation is an annotation that must be set to create a CRD for the k8s.io, *.k8s.io, kubernetes.io, or *.kubernetes.io namespaces. +// The value should be a link to a URL where the current spec was approved, so updates to the spec should also update the URL. +// If the API is unapproved, you may set the annotation to a string starting with `"unapproved"`. For instance, `"unapproved, temporarily squatting"` or `"unapproved, experimental-only"`. This is discouraged. +#KubeAPIApprovedAnnotation: "api-approved.kubernetes.io" + +// NoneConverter is a converter that only sets apiversion of the CR and leave everything else unchanged. +#NoneConverter: #ConversionStrategyType & "None" + +// WebhookConverter is a converter that calls to an external webhook to convert the CR. +#WebhookConverter: #ConversionStrategyType & "Webhook" + +// CustomResourceDefinitionSpec describes how a user wants their resource to appear +#CustomResourceDefinitionSpec: { + // group is the API group of the defined custom resource. + // The custom resources are served under `/apis//...`. + // Must match the name of the CustomResourceDefinition (in the form `.`). + group: string @go(Group) @protobuf(1,bytes,opt) + + // names specify the resource and kind names for the custom resource. + names: #CustomResourceDefinitionNames @go(Names) @protobuf(3,bytes,opt) + + // scope indicates whether the defined custom resource is cluster- or namespace-scoped. 
+ // Allowed values are `Cluster` and `Namespaced`. + scope: #ResourceScope @go(Scope) @protobuf(4,bytes,opt,casttype=ResourceScope) + + // versions is the list of all API versions of the defined custom resource. + // Version names are used to compute the order in which served versions are listed in API discovery. + // If the version string is "kube-like", it will sort above non "kube-like" version strings, which are ordered + // lexicographically. "Kube-like" versions start with a "v", then are followed by a number (the major version), + // then optionally the string "alpha" or "beta" and another number (the minor version). These are sorted first + // by GA > beta > alpha (where GA is a version with no suffix such as beta or alpha), and then by comparing + // major version, then minor version. An example sorted list of versions: + // v10, v2, v1, v11beta2, v10beta3, v3beta1, v12alpha1, v11alpha2, foo1, foo10. + versions: [...#CustomResourceDefinitionVersion] @go(Versions,[]CustomResourceDefinitionVersion) @protobuf(7,bytes,rep) + + // conversion defines conversion settings for the CRD. + // +optional + conversion?: null | #CustomResourceConversion @go(Conversion,*CustomResourceConversion) @protobuf(9,bytes,opt) + + // preserveUnknownFields indicates that object fields which are not specified + // in the OpenAPI schema should be preserved when persisting to storage. + // apiVersion, kind, metadata and known fields inside metadata are always preserved. + // This field is deprecated in favor of setting `x-preserve-unknown-fields` to true in `spec.versions[*].schema.openAPIV3Schema`. + // See https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#field-pruning for details. + // +optional + preserveUnknownFields?: bool @go(PreserveUnknownFields) @protobuf(10,varint,opt) +} + +// CustomResourceConversion describes how to convert different versions of a CR. 
+#CustomResourceConversion: { + // strategy specifies how custom resources are converted between versions. Allowed values are: + // - `"None"`: The converter only change the apiVersion and would not touch any other field in the custom resource. + // - `"Webhook"`: API Server will call to an external webhook to do the conversion. Additional information + // is needed for this option. This requires spec.preserveUnknownFields to be false, and spec.conversion.webhook to be set. + strategy: #ConversionStrategyType @go(Strategy) @protobuf(1,bytes) + + // webhook describes how to call the conversion webhook. Required when `strategy` is set to `"Webhook"`. + // +optional + webhook?: null | #WebhookConversion @go(Webhook,*WebhookConversion) @protobuf(2,bytes,opt) +} + +// WebhookConversion describes how to call a conversion webhook +#WebhookConversion: { + // clientConfig is the instructions for how to call the webhook if strategy is `Webhook`. + // +optional + clientConfig?: null | #WebhookClientConfig @go(ClientConfig,*WebhookClientConfig) @protobuf(2,bytes) + + // conversionReviewVersions is an ordered list of preferred `ConversionReview` + // versions the Webhook expects. The API server will use the first version in + // the list which it supports. If none of the versions specified in this list + // are supported by API server, conversion will fail for the custom resource. + // If a persisted Webhook configuration specifies allowed versions and does not + // include any versions known to the API Server, calls to the webhook will fail. + conversionReviewVersions: [...string] @go(ConversionReviewVersions,[]string) @protobuf(3,bytes,rep) +} + +// WebhookClientConfig contains the information to make a TLS connection with the webhook. +#WebhookClientConfig: { + // url gives the location of the webhook, in standard URL form + // (`scheme://host:port/path`). Exactly one of `url` or `service` + // must be specified. 
+ // + // The `host` should not refer to a service running in the cluster; use + // the `service` field instead. The host might be resolved via external + // DNS in some apiservers (e.g., `kube-apiserver` cannot resolve + // in-cluster DNS as that would be a layering violation). `host` may + // also be an IP address. + // + // Please note that using `localhost` or `127.0.0.1` as a `host` is + // risky unless you take great care to run this webhook on all hosts + // which run an apiserver which might need to make calls to this + // webhook. Such installs are likely to be non-portable, i.e., not easy + // to turn up in a new cluster. + // + // The scheme must be "https"; the URL must begin with "https://". + // + // A path is optional, and if present may be any string permissible in + // a URL. You may use the path to pass an arbitrary string to the + // webhook, for example, a cluster identifier. + // + // Attempting to use a user or basic auth e.g. "user:password@" is not + // allowed. Fragments ("#...") and query parameters ("?...") are not + // allowed, either. + // + // +optional + url?: null | string @go(URL,*string) @protobuf(3,bytes,opt) + + // service is a reference to the service for this webhook. Either + // service or url must be specified. + // + // If the webhook is running within the cluster, then you should use `service`. + // + // +optional + service?: null | #ServiceReference @go(Service,*ServiceReference) @protobuf(1,bytes,opt) + + // caBundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. + // If unspecified, system trust roots on the apiserver are used. + // +optional + caBundle?: bytes @go(CABundle,[]byte) @protobuf(2,bytes,opt) +} + +// ServiceReference holds a reference to Service.legacy.k8s.io +#ServiceReference: { + // namespace is the namespace of the service. + // Required + namespace: string @go(Namespace) @protobuf(1,bytes,opt) + + // name is the name of the service. 
+ // Required + name: string @go(Name) @protobuf(2,bytes,opt) + + // path is an optional URL path at which the webhook will be contacted. + // +optional + path?: null | string @go(Path,*string) @protobuf(3,bytes,opt) + + // port is an optional service port at which the webhook will be contacted. + // `port` should be a valid port number (1-65535, inclusive). + // Defaults to 443 for backward compatibility. + // +optional + port?: null | int32 @go(Port,*int32) @protobuf(4,varint,opt) +} + +// CustomResourceDefinitionVersion describes a version for CRD. +#CustomResourceDefinitionVersion: { + // name is the version name, e.g. “v1”, “v2beta1”, etc. + // The custom resources are served under this version at `/apis///...` if `served` is true. + name: string @go(Name) @protobuf(1,bytes,opt) + + // served is a flag enabling/disabling this version from being served via REST APIs + served: bool @go(Served) @protobuf(2,varint,opt) + + // storage indicates this version should be used when persisting custom resources to storage. + // There must be exactly one version with storage=true. + storage: bool @go(Storage) @protobuf(3,varint,opt) + + // deprecated indicates this version of the custom resource API is deprecated. + // When set to true, API requests to this version receive a warning header in the server response. + // Defaults to false. + // +optional + deprecated?: bool @go(Deprecated) @protobuf(7,varint,opt) + + // deprecationWarning overrides the default warning returned to API clients. + // May only be set when `deprecated` is true. + // The default warning indicates this version is deprecated and recommends use + // of the newest served version of equal or greater stability, if one exists. + // +optional + deprecationWarning?: null | string @go(DeprecationWarning,*string) @protobuf(8,bytes,opt) + + // schema describes the schema used for validation, pruning, and defaulting of this version of the custom resource. 
+ // +optional + schema?: null | #CustomResourceValidation @go(Schema,*CustomResourceValidation) @protobuf(4,bytes,opt) + + // subresources specify what subresources this version of the defined custom resource have. + // +optional + subresources?: null | #CustomResourceSubresources @go(Subresources,*CustomResourceSubresources) @protobuf(5,bytes,opt) + + // additionalPrinterColumns specifies additional columns returned in Table output. + // See https://kubernetes.io/docs/reference/using-api/api-concepts/#receiving-resources-as-tables for details. + // If no columns are specified, a single column displaying the age of the custom resource is used. + // +optional + additionalPrinterColumns?: [...#CustomResourceColumnDefinition] @go(AdditionalPrinterColumns,[]CustomResourceColumnDefinition) @protobuf(6,bytes,rep) +} + +// CustomResourceColumnDefinition specifies a column for server side printing. +#CustomResourceColumnDefinition: { + // name is a human readable name for the column. + name: string @go(Name) @protobuf(1,bytes,opt) + + // type is an OpenAPI type definition for this column. + // See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details. + type: string @go(Type) @protobuf(2,bytes,opt) + + // format is an optional OpenAPI type definition for this column. The 'name' format is applied + // to the primary identifier column to assist in clients identifying column is the resource name. + // See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details. + // +optional + format?: string @go(Format) @protobuf(3,bytes,opt) + + // description is a human readable description of this column. + // +optional + description?: string @go(Description) @protobuf(4,bytes,opt) + + // priority is an integer defining the relative importance of this column compared to others. Lower + // numbers are considered higher priority. 
Columns that may be omitted in limited space scenarios + // should be given a priority greater than 0. + // +optional + priority?: int32 @go(Priority) @protobuf(5,bytes,opt) + + // jsonPath is a simple JSON path (i.e. with array notation) which is evaluated against + // each custom resource to produce the value for this column. + jsonPath: string @go(JSONPath) @protobuf(6,bytes,opt) +} + +// CustomResourceDefinitionNames indicates the names to serve this CustomResourceDefinition +#CustomResourceDefinitionNames: { + // plural is the plural name of the resource to serve. + // The custom resources are served under `/apis///.../`. + // Must match the name of the CustomResourceDefinition (in the form `.`). + // Must be all lowercase. + plural: string @go(Plural) @protobuf(1,bytes,opt) + + // singular is the singular name of the resource. It must be all lowercase. Defaults to lowercased `kind`. + // +optional + singular?: string @go(Singular) @protobuf(2,bytes,opt) + + // shortNames are short names for the resource, exposed in API discovery documents, + // and used by clients to support invocations like `kubectl get `. + // It must be all lowercase. + // +optional + shortNames?: [...string] @go(ShortNames,[]string) @protobuf(3,bytes,opt) + + // kind is the serialized kind of the resource. It is normally CamelCase and singular. + // Custom resource instances will use this value as the `kind` attribute in API calls. + kind: string @go(Kind) @protobuf(4,bytes,opt) + + // listKind is the serialized kind of the list for this resource. Defaults to "`kind`List". + // +optional + listKind?: string @go(ListKind) @protobuf(5,bytes,opt) + + // categories is a list of grouped resources this custom resource belongs to (e.g. 'all'). + // This is published in API discovery documents, and used by clients to support invocations like + // `kubectl get all`. 
+ // +optional + categories?: [...string] @go(Categories,[]string) @protobuf(6,bytes,rep) +} + +// ResourceScope is an enum defining the different scopes available to a custom resource +#ResourceScope: string // #enumResourceScope + +#enumResourceScope: + #ClusterScoped | + #NamespaceScoped + +#ClusterScoped: #ResourceScope & "Cluster" +#NamespaceScoped: #ResourceScope & "Namespaced" + +#ConditionStatus: string // #enumConditionStatus + +#enumConditionStatus: + #ConditionTrue | + #ConditionFalse | + #ConditionUnknown + +#ConditionTrue: #ConditionStatus & "True" +#ConditionFalse: #ConditionStatus & "False" +#ConditionUnknown: #ConditionStatus & "Unknown" + +// CustomResourceDefinitionConditionType is a valid value for CustomResourceDefinitionCondition.Type +#CustomResourceDefinitionConditionType: string // #enumCustomResourceDefinitionConditionType + +#enumCustomResourceDefinitionConditionType: + #Established | + #NamesAccepted | + #NonStructuralSchema | + #Terminating | + #KubernetesAPIApprovalPolicyConformant + +// Established means that the resource has become active. A resource is established when all names are +// accepted without a conflict for the first time. A resource stays established until deleted, even during +// a later NamesAccepted due to changed names. Note that not all names can be changed. +#Established: #CustomResourceDefinitionConditionType & "Established" + +// NamesAccepted means the names chosen for this CustomResourceDefinition do not conflict with others in +// the group and are therefore accepted. +#NamesAccepted: #CustomResourceDefinitionConditionType & "NamesAccepted" + +// NonStructuralSchema means that one or more OpenAPI schema is not structural. 
+// +// A schema is structural if it specifies types for all values, with the only exceptions of those with +// - x-kubernetes-int-or-string: true — for fields which can be integer or string +// - x-kubernetes-preserve-unknown-fields: true — for raw, unspecified JSON values +// and there is no type, additionalProperties, default, nullable or x-kubernetes-* vendor extenions +// specified under allOf, anyOf, oneOf or not. +// +// Non-structural schemas will not be allowed anymore in v1 API groups. Moreover, new features will not be +// available for non-structural CRDs: +// - pruning +// - defaulting +// - read-only +// - OpenAPI publishing +// - webhook conversion +#NonStructuralSchema: #CustomResourceDefinitionConditionType & "NonStructuralSchema" + +// Terminating means that the CustomResourceDefinition has been deleted and is cleaning up. +#Terminating: #CustomResourceDefinitionConditionType & "Terminating" + +// KubernetesAPIApprovalPolicyConformant indicates that an API in *.k8s.io or *.kubernetes.io is or is not approved. For CRDs +// outside those groups, this condition will not be set. For CRDs inside those groups, the condition will +// be true if .metadata.annotations["api-approved.kubernetes.io"] is set to a URL, otherwise it will be false. +// See https://github.com/kubernetes/enhancements/pull/1111 for more details. +#KubernetesAPIApprovalPolicyConformant: #CustomResourceDefinitionConditionType & "KubernetesAPIApprovalPolicyConformant" + +// CustomResourceDefinitionCondition contains details for the current condition of this pod. +#CustomResourceDefinitionCondition: { + // type is the type of the condition. Types include Established, NamesAccepted and Terminating. + type: #CustomResourceDefinitionConditionType @go(Type) @protobuf(1,bytes,opt,casttype=CustomResourceDefinitionConditionType) + + // status is the status of the condition. + // Can be True, False, Unknown. 
+ status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus) + + // lastTransitionTime last time the condition transitioned from one status to another. + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt) + + // reason is a unique, one-word, CamelCase reason for the condition's last transition. + // +optional + reason?: string @go(Reason) @protobuf(4,bytes,opt) + + // message is a human-readable message indicating details about last transition. + // +optional + message?: string @go(Message) @protobuf(5,bytes,opt) +} + +// CustomResourceDefinitionStatus indicates the state of the CustomResourceDefinition +#CustomResourceDefinitionStatus: { + // conditions indicate state for particular aspects of a CustomResourceDefinition + // +optional + // +listType=map + // +listMapKey=type + conditions: [...#CustomResourceDefinitionCondition] @go(Conditions,[]CustomResourceDefinitionCondition) @protobuf(1,bytes,opt) + + // acceptedNames are the names that are actually being used to serve discovery. + // They may be different than the names in spec. + // +optional + acceptedNames: #CustomResourceDefinitionNames @go(AcceptedNames) @protobuf(2,bytes,opt) + + // storedVersions lists all versions of CustomResources that were ever persisted. Tracking these + // versions allows a migration path for stored versions in etcd. The field is mutable + // so a migration controller can finish a migration to another version (ensuring + // no old objects are left in storage), and then remove the rest of the + // versions from this list. + // Versions may not be removed from `spec.versions` while they exist in this list. + // +optional + storedVersions: [...string] @go(StoredVersions,[]string) @protobuf(3,bytes,rep) +} + +#CustomResourceCleanupFinalizer: "customresourcecleanup.apiextensions.k8s.io" + +// CustomResourceDefinition represents a resource that should be exposed on the API server. 
Its name MUST be in the format +// <.spec.name>.<.spec.group>. +#CustomResourceDefinition: { + metav1.#TypeMeta + + // Standard object's metadata + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) + + // spec describes how the user wants the resources to appear + spec: #CustomResourceDefinitionSpec @go(Spec) @protobuf(2,bytes,opt) + + // status indicates the actual state of the CustomResourceDefinition + // +optional + status?: #CustomResourceDefinitionStatus @go(Status) @protobuf(3,bytes,opt) +} + +// CustomResourceDefinitionList is a list of CustomResourceDefinition objects. +#CustomResourceDefinitionList: { + metav1.#TypeMeta + + // Standard object's metadata + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items list individual CustomResourceDefinition objects + items: [...#CustomResourceDefinition] @go(Items,[]CustomResourceDefinition) @protobuf(2,bytes,rep) +} + +// CustomResourceValidation is a list of validation methods for CustomResources. +#CustomResourceValidation: { + // openAPIV3Schema is the OpenAPI v3 schema to use for validation and pruning. + // +optional + openAPIV3Schema?: null | #JSONSchemaProps @go(OpenAPIV3Schema,*JSONSchemaProps) @protobuf(1,bytes,opt) +} + +// CustomResourceSubresources defines the status and scale subresources for CustomResources. +#CustomResourceSubresources: { + // status indicates the custom resource should serve a `/status` subresource. + // When enabled: + // 1. requests to the custom resource primary endpoint ignore changes to the `status` stanza of the object. + // 2. requests to the custom resource `/status` subresource ignore changes to anything other than the `status` stanza of the object. 
+ // +optional + status?: null | #CustomResourceSubresourceStatus @go(Status,*CustomResourceSubresourceStatus) @protobuf(1,bytes,opt) + + // scale indicates the custom resource should serve a `/scale` subresource that returns an `autoscaling/v1` Scale object. + // +optional + scale?: null | #CustomResourceSubresourceScale @go(Scale,*CustomResourceSubresourceScale) @protobuf(2,bytes,opt) +} + +// CustomResourceSubresourceStatus defines how to serve the status subresource for CustomResources. +// Status is represented by the `.status` JSON path inside of a CustomResource. When set, +// * exposes a /status subresource for the custom resource +// * PUT requests to the /status subresource take a custom resource object, and ignore changes to anything except the status stanza +// * PUT/POST/PATCH requests to the custom resource ignore changes to the status stanza +#CustomResourceSubresourceStatus: { +} + +// CustomResourceSubresourceScale defines how to serve the scale subresource for CustomResources. +#CustomResourceSubresourceScale: { + // specReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `spec.replicas`. + // Only JSON paths without the array notation are allowed. + // Must be a JSON Path under `.spec`. + // If there is no value under the given path in the custom resource, the `/scale` subresource will return an error on GET. + specReplicasPath: string @go(SpecReplicasPath) @protobuf(1,bytes) + + // statusReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `status.replicas`. + // Only JSON paths without the array notation are allowed. + // Must be a JSON Path under `.status`. + // If there is no value under the given path in the custom resource, the `status.replicas` value in the `/scale` subresource + // will default to 0. 
+ statusReplicasPath: string @go(StatusReplicasPath) @protobuf(2,bytes,opt) + + // labelSelectorPath defines the JSON path inside of a custom resource that corresponds to Scale `status.selector`. + // Only JSON paths without the array notation are allowed. + // Must be a JSON Path under `.status` or `.spec`. + // Must be set to work with HorizontalPodAutoscaler. + // The field pointed by this JSON path must be a string field (not a complex selector struct) + // which contains a serialized label selector in string form. + // More info: https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions#scale-subresource + // If there is no value under the given path in the custom resource, the `status.selector` value in the `/scale` + // subresource will default to the empty string. + // +optional + labelSelectorPath?: null | string @go(LabelSelectorPath,*string) @protobuf(3,bytes,opt) +} + +// ConversionReview describes a conversion request/response. +#ConversionReview: { + metav1.#TypeMeta + + // request describes the attributes for the conversion request. + // +optional + request?: null | #ConversionRequest @go(Request,*ConversionRequest) @protobuf(1,bytes,opt) + + // response describes the attributes for the conversion response. + // +optional + response?: null | #ConversionResponse @go(Response,*ConversionResponse) @protobuf(2,bytes,opt) +} + +// ConversionRequest describes the conversion request parameters. +#ConversionRequest: { + // uid is an identifier for the individual request/response. It allows distinguishing instances of requests which are + // otherwise identical (parallel requests, etc). + // The UID is meant to track the round trip (request/response) between the Kubernetes API server and the webhook, not the user request. + // It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging. 
+ uid: types.#UID @go(UID) @protobuf(1,bytes) + + // desiredAPIVersion is the version to convert given objects to. e.g. "myapi.example.com/v1" + desiredAPIVersion: string @go(DesiredAPIVersion) @protobuf(2,bytes) + + // objects is the list of custom resource objects to be converted. + objects: [...runtime.#RawExtension] @go(Objects,[]runtime.RawExtension) @protobuf(3,bytes,rep) +} + +// ConversionResponse describes a conversion response. +#ConversionResponse: { + // uid is an identifier for the individual request/response. + // This should be copied over from the corresponding `request.uid`. + uid: types.#UID @go(UID) @protobuf(1,bytes) + + // convertedObjects is the list of converted version of `request.objects` if the `result` is successful, otherwise empty. + // The webhook is expected to set `apiVersion` of these objects to the `request.desiredAPIVersion`. The list + // must also have the same size as the input list with the same objects in the same order (equal kind, metadata.uid, metadata.name and metadata.namespace). + // The webhook is allowed to mutate labels and annotations. Any other change to the metadata is silently ignored. + convertedObjects: [...runtime.#RawExtension] @go(ConvertedObjects,[]runtime.RawExtension) @protobuf(2,bytes,rep) + + // result contains the result of conversion with extra details if the conversion failed. `result.status` determines if + // the conversion failed or succeeded. The `result.status` field is required and represents the success or failure of the + // conversion. A successful conversion must set `result.status` to `Success`. A failed conversion must set + // `result.status` to `Failure` and provide more details in `result.message` and return http status 200. The `result.message` + // will be used to construct an error message for the end user. + result: metav1.#Status @go(Result) @protobuf(3,bytes) +} 
diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_jsonschema_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_jsonschema_go_gen.cue new file mode 100644 index 000000000..19f42c1ff --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_jsonschema_go_gen.cue 
@@ -0,0 +1,317 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1 + +package v1 + +// FieldValueErrorReason is a machine-readable value providing more detail about why a field failed the validation. +// +enum +#FieldValueErrorReason: string // #enumFieldValueErrorReason + +#enumFieldValueErrorReason: + #FieldValueRequired | + #FieldValueDuplicate | + #FieldValueInvalid | + #FieldValueForbidden + +// FieldValueRequired is used to report required values that are not +// provided (e.g. empty strings, null values, or empty arrays). +#FieldValueRequired: #FieldValueErrorReason & "FieldValueRequired" + +// FieldValueDuplicate is used to report collisions of values that must be +// unique (e.g. unique IDs). +#FieldValueDuplicate: #FieldValueErrorReason & "FieldValueDuplicate" + +// FieldValueInvalid is used to report malformed values (e.g. failed regex +// match, too long, out of bounds). +#FieldValueInvalid: #FieldValueErrorReason & "FieldValueInvalid" + +// FieldValueForbidden is used to report valid (as per formatting rules) +// values which would be accepted under some conditions, but which are not +// permitted by the current conditions (such as security policy). +#FieldValueForbidden: #FieldValueErrorReason & "FieldValueForbidden" + +// JSONSchemaProps is a JSON-Schema following Specification Draft 4 (http://json-schema.org/). +#JSONSchemaProps: { + id?: string @go(ID) @protobuf(1,bytes,opt) + $schema?: #JSONSchemaURL @go(Schema) @protobuf(2,bytes,opt,name=schema) + $ref?: null | string @go(Ref,*string) @protobuf(3,bytes,opt,name=ref) + description?: string @go(Description) @protobuf(4,bytes,opt) + type?: string @go(Type) @protobuf(5,bytes,opt) + + // format is an OpenAPI v3 format string. Unknown formats are ignored. The following formats are validated: + // + // - bsonobjectid: a bson object ID, i.e. 
a 24 characters hex string + // - uri: an URI as parsed by Golang net/url.ParseRequestURI + // - email: an email address as parsed by Golang net/mail.ParseAddress + // - hostname: a valid representation for an Internet host name, as defined by RFC 1034, section 3.1 [RFC1034]. + // - ipv4: an IPv4 IP as parsed by Golang net.ParseIP + // - ipv6: an IPv6 IP as parsed by Golang net.ParseIP + // - cidr: a CIDR as parsed by Golang net.ParseCIDR + // - mac: a MAC address as parsed by Golang net.ParseMAC + // - uuid: an UUID that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12}$ + // - uuid3: an UUID3 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?3[0-9a-f]{3}-?[0-9a-f]{4}-?[0-9a-f]{12}$ + // - uuid4: an UUID4 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?4[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$ + // - uuid5: an UUID5 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?5[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$ + // - isbn: an ISBN10 or ISBN13 number string like "0321751043" or "978-0321751041" + // - isbn10: an ISBN10 number string like "0321751043" + // - isbn13: an ISBN13 number string like "978-0321751041" + // - creditcard: a credit card number defined by the regex ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\\d{3})\\d{11})$ with any non digit characters mixed in + // - ssn: a U.S. 
social security number following the regex ^\\d{3}[- ]?\\d{2}[- ]?\\d{4}$ + // - hexcolor: an hexadecimal color code like "#FFFFFF: following the regex ^#?([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$ + // - rgbcolor: an RGB color code like rgb like "rgb(255,255,2559" + // - byte: base64 encoded binary data + // - password: any kind of string + // - date: a date string like "2006-01-02" as defined by full-date in RFC3339 + // - duration: a duration string like "22 ns" as parsed by Golang time.ParseDuration or compatible with Scala duration format + // - datetime: a date time string like "2014-12-15T19:30:20.000Z" as defined by date-time in RFC3339. + format?: string @go(Format) @protobuf(6,bytes,opt) + title?: string @go(Title) @protobuf(7,bytes,opt) + + // default is a default value for undefined object fields. + // Defaulting is a beta feature under the CustomResourceDefaulting feature gate. + // Defaulting requires spec.preserveUnknownFields to be false. + default?: null | #JSON @go(Default,*JSON) @protobuf(8,bytes,opt) + maximum?: null | float64 @go(Maximum,*float64) @protobuf(9,bytes,opt) + exclusiveMaximum?: bool @go(ExclusiveMaximum) @protobuf(10,bytes,opt) + minimum?: null | float64 @go(Minimum,*float64) @protobuf(11,bytes,opt) + exclusiveMinimum?: bool @go(ExclusiveMinimum) @protobuf(12,bytes,opt) + maxLength?: null | int64 @go(MaxLength,*int64) @protobuf(13,bytes,opt) + minLength?: null | int64 @go(MinLength,*int64) @protobuf(14,bytes,opt) + pattern?: string @go(Pattern) @protobuf(15,bytes,opt) + maxItems?: null | int64 @go(MaxItems,*int64) @protobuf(16,bytes,opt) + minItems?: null | int64 @go(MinItems,*int64) @protobuf(17,bytes,opt) + uniqueItems?: bool @go(UniqueItems) @protobuf(18,bytes,opt) + multipleOf?: null | float64 @go(MultipleOf,*float64) @protobuf(19,bytes,opt) + enum?: [...#JSON] @go(Enum,[]JSON) @protobuf(20,bytes,rep) + maxProperties?: null | int64 @go(MaxProperties,*int64) @protobuf(21,bytes,opt) + minProperties?: null | int64 @go(MinProperties,*int64) 
@protobuf(22,bytes,opt) + required?: [...string] @go(Required,[]string) @protobuf(23,bytes,rep) + items?: null | #JSONSchemaPropsOrArray @go(Items,*JSONSchemaPropsOrArray) @protobuf(24,bytes,opt) + allOf?: [...#JSONSchemaProps] @go(AllOf,[]JSONSchemaProps) @protobuf(25,bytes,rep) + oneOf?: [...#JSONSchemaProps] @go(OneOf,[]JSONSchemaProps) @protobuf(26,bytes,rep) + anyOf?: [...#JSONSchemaProps] @go(AnyOf,[]JSONSchemaProps) @protobuf(27,bytes,rep) + not?: null | #JSONSchemaProps @go(Not,*JSONSchemaProps) @protobuf(28,bytes,opt) + properties?: {[string]: #JSONSchemaProps} @go(Properties,map[string]JSONSchemaProps) @protobuf(29,bytes,rep) + additionalProperties?: null | #JSONSchemaPropsOrBool @go(AdditionalProperties,*JSONSchemaPropsOrBool) @protobuf(30,bytes,opt) + patternProperties?: {[string]: #JSONSchemaProps} @go(PatternProperties,map[string]JSONSchemaProps) @protobuf(31,bytes,rep) + dependencies?: #JSONSchemaDependencies @go(Dependencies) @protobuf(32,bytes,opt) + additionalItems?: null | #JSONSchemaPropsOrBool @go(AdditionalItems,*JSONSchemaPropsOrBool) @protobuf(33,bytes,opt) + definitions?: #JSONSchemaDefinitions @go(Definitions) @protobuf(34,bytes,opt) + externalDocs?: null | #ExternalDocumentation @go(ExternalDocs,*ExternalDocumentation) @protobuf(35,bytes,opt) + example?: null | #JSON @go(Example,*JSON) @protobuf(36,bytes,opt) + nullable?: bool @go(Nullable) @protobuf(37,bytes,opt) + + // x-kubernetes-preserve-unknown-fields stops the API server + // decoding step from pruning fields which are not specified + // in the validation schema. This affects fields recursively, + // but switches back to normal pruning behaviour if nested + // properties or additionalProperties are specified in the schema. + // This can either be true or undefined. False is forbidden. 
+ "x-kubernetes-preserve-unknown-fields"?: null | bool @go(XPreserveUnknownFields,*bool) @protobuf(38,bytes,opt,name=xKubernetesPreserveUnknownFields) + + // x-kubernetes-embedded-resource defines that the value is an + // embedded Kubernetes runtime.Object, with TypeMeta and + // ObjectMeta. The type must be object. It is allowed to further + // restrict the embedded object. kind, apiVersion and metadata + // are validated automatically. x-kubernetes-preserve-unknown-fields + // is allowed to be true, but does not have to be if the object + // is fully specified (up to kind, apiVersion, metadata). + "x-kubernetes-embedded-resource"?: bool @go(XEmbeddedResource) @protobuf(39,bytes,opt,name=xKubernetesEmbeddedResource) + + // x-kubernetes-int-or-string specifies that this value is + // either an integer or a string. If this is true, an empty + // type is allowed and type as child of anyOf is permitted + // if following one of the following patterns: + // + // 1) anyOf: + // - type: integer + // - type: string + // 2) allOf: + // - anyOf: + // - type: integer + // - type: string + // - ... zero or more + "x-kubernetes-int-or-string"?: bool @go(XIntOrString) @protobuf(40,bytes,opt,name=xKubernetesIntOrString) + + // x-kubernetes-list-map-keys annotates an array with the x-kubernetes-list-type `map` by specifying the keys used + // as the index of the map. + // + // This tag MUST only be used on lists that have the "x-kubernetes-list-type" + // extension set to "map". Also, the values specified for this attribute must + // be a scalar typed field of the child structure (no nesting is supported). + // + // The properties specified must either be required or have a default value, + // to ensure those properties are present for all list items. + // + // +optional + "x-kubernetes-list-map-keys"?: [...string] @go(XListMapKeys,[]string) @protobuf(41,bytes,rep,name=xKubernetesListMapKeys) + + // x-kubernetes-list-type annotates an array to further describe its topology. 
+ // This extension must only be used on lists and may have 3 possible values: + // + // 1) `atomic`: the list is treated as a single entity, like a scalar. + // Atomic lists will be entirely replaced when updated. This extension + // may be used on any type of list (struct, scalar, ...). + // 2) `set`: + // Sets are lists that must not have multiple items with the same value. Each + // value must be a scalar, an object with x-kubernetes-map-type `atomic` or an + // array with x-kubernetes-list-type `atomic`. + // 3) `map`: + // These lists are like maps in that their elements have a non-index key + // used to identify them. Order is preserved upon merge. The map tag + // must only be used on a list with elements of type object. + // Defaults to atomic for arrays. + // +optional + "x-kubernetes-list-type"?: null | string @go(XListType,*string) @protobuf(42,bytes,opt,name=xKubernetesListType) + + // x-kubernetes-map-type annotates an object to further describe its topology. + // This extension must only be used when type is object and may have 2 possible values: + // + // 1) `granular`: + // These maps are actual maps (key-value pairs) and each fields are independent + // from each other (they can each be manipulated by separate actors). This is + // the default behaviour for all maps. + // 2) `atomic`: the list is treated as a single entity, like a scalar. + // Atomic maps will be entirely replaced when updated. + // +optional + "x-kubernetes-map-type"?: null | string @go(XMapType,*string) @protobuf(43,bytes,opt,name=xKubernetesMapType) + + // x-kubernetes-validations describes a list of validation rules written in the CEL expression language. + // This field is an alpha-level. Using this field requires the feature gate `CustomResourceValidationExpressions` to be enabled. 
+ // +patchMergeKey=rule + // +patchStrategy=merge + // +listType=map + // +listMapKey=rule + "x-kubernetes-validations"?: #ValidationRules @go(XValidations) @protobuf(44,bytes,rep,name=xKubernetesValidations) +} + +// ValidationRules describes a list of validation rules written in the CEL expression language. +#ValidationRules: [...#ValidationRule] + +// ValidationRule describes a validation rule written in the CEL expression language. +#ValidationRule: { + // Rule represents the expression which will be evaluated by CEL. + // ref: https://github.com/google/cel-spec + // The Rule is scoped to the location of the x-kubernetes-validations extension in the schema. + // The `self` variable in the CEL expression is bound to the scoped value. + // Example: + // - Rule scoped to the root of a resource with a status subresource: {"rule": "self.status.actual <= self.spec.maxDesired"} + // + // If the Rule is scoped to an object with properties, the accessible properties of the object are field selectable + // via `self.field` and field presence can be checked via `has(self.field)`. Null valued fields are treated as + // absent fields in CEL expressions. + // If the Rule is scoped to an object with additionalProperties (i.e. a map) the value of the map + // are accessible via `self[mapKey]`, map containment can be checked via `mapKey in self` and all entries of the map + // are accessible via CEL macros and functions such as `self.all(...)`. + // If the Rule is scoped to an array, the elements of the array are accessible via `self[i]` and also by macros and + // functions. + // If the Rule is scoped to a scalar, `self` is bound to the scalar value. 
+ // Examples: + // - Rule scoped to a map of objects: {"rule": "self.components['Widget'].priority < 10"} + // - Rule scoped to a list of integers: {"rule": "self.values.all(value, value >= 0 && value < 100)"} + // - Rule scoped to a string value: {"rule": "self.startsWith('kube')"} + // + // The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the + // object and from any x-kubernetes-embedded-resource annotated objects. No other metadata properties are accessible. + // + // Unknown data preserved in custom resources via x-kubernetes-preserve-unknown-fields is not accessible in CEL + // expressions. This includes: + // - Unknown field values that are preserved by object schemas with x-kubernetes-preserve-unknown-fields. + // - Object properties where the property schema is of an "unknown type". An "unknown type" is recursively defined as: + // - A schema with no type and x-kubernetes-preserve-unknown-fields set to true + // - An array where the items schema is of an "unknown type" + // - An object where the additionalProperties schema is of an "unknown type" + // + // Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. + // Accessible property names are escaped according to the following rules when accessed in the expression: + // - '__' escapes to '__underscores__' + // - '.' escapes to '__dot__' + // - '-' escapes to '__dash__' + // - '/' escapes to '__slash__' + // - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are: + // "true", "false", "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if", + // "import", "let", "loop", "package", "namespace", "return". 
+ // Examples: + // - Rule accessing a property named "namespace": {"rule": "self.__namespace__ > 0"} + // - Rule accessing a property named "x-prop": {"rule": "self.x__dash__prop > 0"} + // - Rule accessing a property named "redact__d": {"rule": "self.redact__underscores__d > 0"} + // + // Equality on arrays with x-kubernetes-list-type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. + // Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type: + // - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and + // non-intersecting elements in `Y` are appended, retaining their partial order. + // - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values + // are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with + // non-intersecting keys are appended, retaining their partial order. + rule: string @go(Rule) @protobuf(1,bytes,opt) + + // Message represents the message displayed when validation fails. The message is required if the Rule contains + // line breaks. The message must not contain line breaks. + // If unset, the message is "failed rule: {Rule}". + // e.g. "must be a URL with the host matching spec.host" + message?: string @go(Message) @protobuf(2,bytes,opt) + + // MessageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + // Since messageExpression is used as a failure message, it must evaluate to a string. + // If both message and messageExpression are present on a rule, then messageExpression will be used if validation + // fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + // as if the messageExpression field were unset. 
If messageExpression evaluates to an empty string, a string with only spaces, or a string + // that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + // the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + // messageExpression has access to all the same variables as the rule; the only difference is the return type. + // Example: + // "x must be less than max ("+string(self.max)+")" + // +optional + messageExpression?: string @go(MessageExpression) @protobuf(3,bytes,opt) + + // reason provides a machine-readable validation failure reason that is returned to the caller when a request fails this validation rule. + // The HTTP status code returned to the caller will match the reason of the reason of the first failed validation rule. + // The currently supported reasons are: "FieldValueInvalid", "FieldValueForbidden", "FieldValueRequired", "FieldValueDuplicate". + // If not set, default to use "FieldValueInvalid". + // All future added reasons must be accepted by clients when reading this value and unknown reasons should be treated as FieldValueInvalid. + // +optional + reason?: null | #FieldValueErrorReason @go(Reason,*FieldValueErrorReason) @protobuf(4,bytes,opt) + + // fieldPath represents the field path returned when the validation fails. + // It must be a relative JSON path (i.e. with array notation) scoped to the location of this x-kubernetes-validations extension in the schema and refer to an existing field. + // e.g. when validation checks if a specific attribute `foo` under a map `testMap`, the fieldPath could be set to `.testMap.foo` + // If the validation checks two lists must have unique attributes, the fieldPath could be set to either of the list: e.g. `.testList` + // It does not support list numeric index. + // It supports child operation to refer to an existing field currently. 
Refer to [JSONPath support in Kubernetes](https://kubernetes.io/docs/reference/kubectl/jsonpath/) for more info. + // Numeric index of array is not supported. + // For field name which contains special characters, use `['specialName']` to refer the field name. + // e.g. for attribute `foo.34$` appears in a list `testList`, the fieldPath could be set to `.testList['foo.34$']` + // +optional + fieldPath?: string @go(FieldPath) @protobuf(5,bytes,opt) +} + +// JSON represents any valid JSON value. +// These types are supported: bool, int64, float64, string, []interface{}, map[string]interface{} and nil. +#JSON: _ + +// JSONSchemaURL represents a schema url. +#JSONSchemaURL: string + +// JSONSchemaPropsOrArray represents a value that can either be a JSONSchemaProps +// or an array of JSONSchemaProps. Mainly here for serialization purposes. +#JSONSchemaPropsOrArray: _ + +// JSONSchemaPropsOrBool represents JSONSchemaProps or a boolean value. +// Defaults to true for the boolean property. +#JSONSchemaPropsOrBool: _ + +// JSONSchemaDependencies represent a dependencies property. +#JSONSchemaDependencies: {[string]: #JSONSchemaPropsOrStringArray} + +// JSONSchemaPropsOrStringArray represents a JSONSchemaProps or a string array. +#JSONSchemaPropsOrStringArray: _ + +// JSONSchemaDefinitions contains the models explicitly defined in this spec. +#JSONSchemaDefinitions: {[string]: #JSONSchemaProps} + +// ExternalDocumentation allows referencing an external resource for extended documentation. +#ExternalDocumentation: { + description?: string @go(Description) @protobuf(1,bytes,opt) + url?: string @go(URL) @protobuf(2,bytes,opt) +} diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/amount_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/amount_go_gen.cue new file mode 100644 index 000000000..cef44ba5c --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/amount_go_gen.cue 
@@ -0,0 +1,47 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource + +package resource + +// Scale is used for getting and setting the base-10 scaled value. +// Base-2 scales are omitted for mathematical simplicity. +// See Quantity.ScaledValue for more details. +#Scale: int32 // #enumScale + +#enumScale: + #Nano | + #Micro | + #Milli | + #Kilo | + #Mega | + #Giga | + #Tera | + #Peta | + #Exa + +#values_Scale: { + Nano: #Nano + Micro: #Micro + Milli: #Milli + Kilo: #Kilo + Mega: #Mega + Giga: #Giga + Tera: #Tera + Peta: #Peta + Exa: #Exa +} + +#Nano: #Scale & -9 +#Micro: #Scale & -6 +#Milli: #Scale & -3 +#Kilo: #Scale & 3 +#Mega: #Scale & 6 +#Giga: #Scale & 9 +#Tera: #Scale & 12 +#Peta: #Scale & 15 +#Exa: #Scale & 18 + +// infDecAmount implements common operations over an inf.Dec that are specific to the quantity +// representation. +_#infDecAmount: string diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/math_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/math_go_gen.cue new file mode 100644 index 000000000..711f2096f --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/math_go_gen.cue @@ -0,0 +1,13 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource + +package resource + +// maxInt64Factors is the highest value that will be checked when removing factors of 10 from an int64. +// It is also the maximum decimal digits that can be represented with an int64. +_#maxInt64Factors: 18 + +_#mostNegative: -9223372036854775808 + +_#mostPositive: 9223372036854775807 diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/quantity_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/quantity_go_gen.cue new file mode 100644 index 000000000..9d9713a1b --- /dev/null 
+++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/quantity_go_gen.cue 
@@ -0,0 +1,107 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource + +package resource + +// Quantity is a fixed-point representation of a number. +// It provides convenient marshaling/unmarshaling in JSON and YAML, +// in addition to String() and AsInt64() accessors. +// +// The serialization format is: +// +// ``` +// ::= +// +// (Note that may be empty, from the "" case in .) +// +// ::= 0 | 1 | ... | 9 +// ::= | +// ::= | . | . | . +// ::= "+" | "-" +// ::= | +// ::= | | +// ::= Ki | Mi | Gi | Ti | Pi | Ei +// +// (International System of units; See: http://physics.nist.gov/cuu/Units/binary.html) +// +// ::= m | "" | k | M | G | T | P | E +// +// (Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.) +// +// ::= "e" | "E" +// ``` +// +// No matter which of the three exponent forms is used, no quantity may represent +// a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal +// places. Numbers larger or more precise will be capped or rounded up. +// (E.g.: 0.1m will rounded up to 1m.) +// This may be extended in the future if we require larger or smaller quantities. +// +// When a Quantity is parsed from a string, it will remember the type of suffix +// it had, and will use the same type again when it is serialized. +// +// Before serializing, Quantity will be put in "canonical form". +// This means that Exponent/suffix will be adjusted up or down (with a +// corresponding increase or decrease in Mantissa) such that: +// +// - No precision is lost +// - No fractional digits will be emitted +// - The exponent (or suffix) is as large as possible. +// +// The sign will be omitted unless the number is negative. +// +// Examples: +// +// - 1.5 will be serialized as "1500m" +// - 1.5Gi will be serialized as "1536Mi" +// +// Note that the quantity will NEVER be internally represented by a +// floating point number. That is the whole point of this exercise. 
+// +// Non-canonical values will still parse as long as they are well formed, +// but will be re-emitted in their canonical form. (So always use canonical +// form, or don't diff.) +// +// This format is intended to make it difficult to use these numbers without +// writing some sort of special handling code in the hopes that that will +// cause implementors to also use a fixed point implementation. +// +// +protobuf=true +// +protobuf.embed=string +// +protobuf.options.marshal=false +// +protobuf.options.(gogoproto.goproto_stringer)=false +// +k8s:deepcopy-gen=true +// +k8s:openapi-gen=true +#Quantity: _ + +// CanonicalValue allows a quantity amount to be converted to a string. +#CanonicalValue: _ + +// Format lists the three possible formattings of a quantity. +#Format: string // #enumFormat + +#enumFormat: + #DecimalExponent | + #BinarySI | + #DecimalSI + +#DecimalExponent: #Format & "DecimalExponent" +#BinarySI: #Format & "BinarySI" +#DecimalSI: #Format & "DecimalSI" + +// splitREString is used to separate a number from its suffix; as such, +// this is overly permissive, but that's OK-- it will be checked later. +_#splitREString: "^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$" + +_#int64QuantityExpectedBytes: 18 + +// QuantityValue makes it possible to use a Quantity as value for a command +// line parameter. +// +// +protobuf=true +// +protobuf.embed=string +// +protobuf.options.marshal=false +// +protobuf.options.(gogoproto.goproto_stringer)=false +// +k8s:deepcopy-gen=true +#QuantityValue: _ diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/suffix_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/suffix_go_gen.cue new file mode 100644 index 000000000..b40d68ec1 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/suffix_go_gen.cue 
@@ -0,0 +1,10 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource + +package resource + +_#suffix: string + +// suffixer can interpret and construct suffixes. +_#suffixer: _ diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/duration_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/duration_go_gen.cue new file mode 100644 index 000000000..25ea8ecf1 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/duration_go_gen.cue @@ -0,0 +1,10 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +package v1 + +// Duration is a wrapper around time.Duration which supports correct +// marshaling to YAML and JSON. In particular, it marshals into strings, which +// can be used as map keys in json. +#Duration: _ diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/group_version_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/group_version_go_gen.cue new file mode 100644 index 000000000..7ff538603 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/group_version_go_gen.cue 
@@ -0,0 +1,48 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +package v1 + +// GroupResource specifies a Group and a Resource, but does not force a version. This is useful for identifying +// concepts during lookup stages without having partially valid types +// +// +protobuf.options.(gogoproto.goproto_stringer)=false +#GroupResource: { + group: string @go(Group) @protobuf(1,bytes,opt) + resource: string @go(Resource) @protobuf(2,bytes,opt) +} + +// GroupVersionResource unambiguously identifies a resource. It doesn't anonymously include GroupVersion +// to avoid automatic coercion. It doesn't use a GroupVersion to avoid custom marshalling +// +// +protobuf.options.(gogoproto.goproto_stringer)=false +#GroupVersionResource: { + group: string @go(Group) @protobuf(1,bytes,opt) + version: string @go(Version) @protobuf(2,bytes,opt) + resource: string @go(Resource) @protobuf(3,bytes,opt) +} + +// GroupKind specifies a Group and a Kind, but does not force a version. This is useful for identifying +// concepts during lookup stages without having partially valid types +// +// +protobuf.options.(gogoproto.goproto_stringer)=false +#GroupKind: { + group: string @go(Group) @protobuf(1,bytes,opt) + kind: string @go(Kind) @protobuf(2,bytes,opt) +} + +// GroupVersionKind unambiguously identifies a kind. It doesn't anonymously include GroupVersion +// to avoid automatic coercion. It doesn't use a GroupVersion to avoid custom marshalling +// +// +protobuf.options.(gogoproto.goproto_stringer)=false +#GroupVersionKind: { + group: string @go(Group) @protobuf(1,bytes,opt) + version: string @go(Version) @protobuf(2,bytes,opt) + kind: string @go(Kind) @protobuf(3,bytes,opt) +} + +// GroupVersion contains the "group" and the "version", which uniquely identifies the API. +// +// +protobuf.options.(gogoproto.goproto_stringer)=false +#GroupVersion: _ 
diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/meta_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/meta_go_gen.cue new file mode 100644 index 000000000..f3c39a466 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/meta_go_gen.cue @@ -0,0 +1,33 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +package v1 + +// TODO: move this, Object, List, and Type to a different package +#ObjectMetaAccessor: _ + +// Object lets you work with object metadata from any of the versioned or +// internal API objects. Attempting to set or retrieve a field on an object that does +// not support that field (Name, UID, Namespace on lists) will be a no-op and return +// a default value. +#Object: _ + +// ListMetaAccessor retrieves the list interface from an object +#ListMetaAccessor: _ + +// Common lets you work with core metadata from any of the versioned or +// internal API objects. Attempting to set or retrieve a field on an object that does +// not support that field will be a no-op and return a default value. +// TODO: move this, and TypeMeta and ListMeta, to a different package +#Common: _ + +// ListInterface lets you work with list metadata from any of the versioned or +// internal API objects. Attempting to set or retrieve a field on an object that does +// not support that field will be a no-op and return a default value. +// TODO: move this, and TypeMeta and ListMeta, to a different package +#ListInterface: _ + +// Type exposes the type and APIVersion of versioned or internal API objects. +// TODO: move this, and TypeMeta and ListMeta, to a different package +#Type: _ diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/micro_time_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/micro_time_go_gen.cue new file mode 100644 index 000000000..3c067bae3 
--- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/micro_time_go_gen.cue @@ -0,0 +1,14 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +package v1 + +#RFC3339Micro: "2006-01-02T15:04:05.000000Z07:00" + +// MicroTime is version of Time with microsecond level precision. +// +// +protobuf.options.marshal=false +// +protobuf.as=Timestamp +// +protobuf.options.(gogoproto.goproto_stringer)=false +#MicroTime: _ diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/register_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/register_go_gen.cue new file mode 100644 index 000000000..39d23b288 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/register_go_gen.cue @@ -0,0 +1,9 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +package v1 + +#GroupName: "meta.k8s.io" + +#WatchEventKind: "WatchEvent" diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/time_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/time_go_gen.cue new file mode 100644 index 000000000..b3c8ec266 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/time_go_gen.cue @@ -0,0 +1,14 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +package v1 + +// Time is a wrapper around time.Time which supports correct +// marshaling to YAML and JSON. Wrappers are provided for many +// of the factory methods that the time package offers. +// +// +protobuf.options.marshal=false +// +protobuf.as=Timestamp +// +protobuf.options.(gogoproto.goproto_stringer)=false +#Time: _ 
diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/time_proto_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/time_proto_go_gen.cue new file mode 100644 index 000000000..835392730 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/time_proto_go_gen.cue @@ -0,0 +1,21 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +package v1 + +// Timestamp is a struct that is equivalent to Time, but intended for +// protobuf marshalling/unmarshalling. It is generated into a serialization +// that matches Time. Do not use in Go structs. +#Timestamp: { + // Represents seconds of UTC time since Unix epoch + // 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + // 9999-12-31T23:59:59Z inclusive. + seconds: int64 @go(Seconds) @protobuf(1,varint,opt) + + // Non-negative fractions of a second at nanosecond resolution. Negative + // second values with fractions must still have non-negative nanos values + // that count forward in time. Must be from 0 to 999,999,999 + // inclusive. This field may be limited in precision depending on context. + nanos: int32 @go(Nanos) @protobuf(2,varint,opt) +} diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/types_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/types_go_gen.cue new file mode 100644 index 000000000..a0deb7c90 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/types_go_gen.cue 
@@ -0,0 +1,1561 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +// Package v1 contains API types that are common to all versions. +// +// The package contains two categories of types: +// - external (serialized) types that lack their own version (e.g TypeMeta) +// - internal (never-serialized) types that are needed by several different +// api groups, and so live here, to avoid duplication and/or import loops +// (e.g. LabelSelector). +// +// In the future, we will probably move these categories of objects into +// separate packages. +package v1 + +import ( + "k8s.io/apimachinery/pkg/types" + "k8s.io/apimachinery/pkg/runtime" +) + +// TypeMeta describes an individual object in an API response or request +// with strings representing the type of the object and its API schema version. +// Structures that are versioned or persisted should inline TypeMeta. +// +// +k8s:deepcopy-gen=false +#TypeMeta: { + // Kind is a string value representing the REST resource this object represents. + // Servers may infer this from the endpoint the client submits requests to. + // Cannot be updated. + // In CamelCase. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + kind?: string @go(Kind) @protobuf(1,bytes,opt) + + // APIVersion defines the versioned schema of this representation of an object. + // Servers should convert recognized schemas to the latest internal value, and + // may reject unrecognized values. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + // +optional + apiVersion?: string @go(APIVersion) @protobuf(2,bytes,opt) +} + +// ListMeta describes metadata that synthetic resources must have, including lists and +// various status objects. A resource may have only one of {ObjectMeta, ListMeta}. 
+#ListMeta: { + // Deprecated: selfLink is a legacy read-only field that is no longer populated by the system. + // +optional + selfLink?: string @go(SelfLink) @protobuf(1,bytes,opt) + + // String that identifies the server's internal version of this object that + // can be used by clients to determine when objects have changed. + // Value must be treated as opaque by clients and passed unmodified back to the server. + // Populated by the system. + // Read-only. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + // +optional + resourceVersion?: string @go(ResourceVersion) @protobuf(2,bytes,opt) + + // continue may be set if the user set a limit on the number of items returned, and indicates that + // the server has more data available. The value is opaque and may be used to issue another request + // to the endpoint that served this list to retrieve the next set of available objects. Continuing a + // consistent list may not be possible if the server configuration has changed or more than a few + // minutes have passed. The resourceVersion field returned when using this continue value will be + // identical to the value in the first response, unless you have received this token from an error + // message. + continue?: string @go(Continue) @protobuf(3,bytes,opt) + + // remainingItemCount is the number of subsequent items in the list which are not included in this + // list response. If the list request contained label or field selectors, then the number of + // remaining items is unknown and the field will be left unset and omitted during serialization. + // If the list is complete (either because it is not chunking or because this is the last chunk), + // then there are no more remaining items and this field will be left unset and omitted during + // serialization. + // Servers older than v1.15 do not set this field. 
+ // The intended use of the remainingItemCount is *estimating* the size of a collection. Clients + // should not rely on the remainingItemCount to be set or to be exact. + // +optional + remainingItemCount?: null | int64 @go(RemainingItemCount,*int64) @protobuf(4,bytes,opt) +} + +#ObjectNameField: "metadata.name" + +#FinalizerOrphanDependents: "orphan" +#FinalizerDeleteDependents: "foregroundDeletion" + +// ObjectMeta is metadata that all persisted resources must have, which includes all objects +// users must create. +#ObjectMeta: { + // Name must be unique within a namespace. Is required when creating resources, although + // some resources may allow a client to request the generation of an appropriate name + // automatically. Name is primarily intended for creation idempotence and configuration + // definition. + // Cannot be updated. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names + // +optional + name?: string @go(Name) @protobuf(1,bytes,opt) + + // GenerateName is an optional prefix, used by the server, to generate a unique + // name ONLY IF the Name field has not been provided. + // If this field is used, the name returned to the client will be different + // than the name passed. This value will also be combined with a unique suffix. + // The provided value has the same validation rules as the Name field, + // and may be truncated by the length of the suffix required to make the value + // unique on the server. + // + // If this field is specified and the generated name exists, the server will return a 409. + // + // Applied only if Name is not specified. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency + // +optional + generateName?: string @go(GenerateName) @protobuf(2,bytes,opt) + + // Namespace defines the space within which each name must be unique. 
An empty namespace is + // equivalent to the "default" namespace, but "default" is the canonical representation. + // Not all objects are required to be scoped to a namespace - the value of this field for + // those objects will be empty. + // + // Must be a DNS_LABEL. + // Cannot be updated. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces + // +optional + namespace?: string @go(Namespace) @protobuf(3,bytes,opt) + + // Deprecated: selfLink is a legacy read-only field that is no longer populated by the system. + // +optional + selfLink?: string @go(SelfLink) @protobuf(4,bytes,opt) + + // UID is the unique in time and space value for this object. It is typically generated by + // the server on successful creation of a resource and is not allowed to change on PUT + // operations. + // + // Populated by the system. + // Read-only. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids + // +optional + uid?: types.#UID @go(UID) @protobuf(5,bytes,opt,casttype=k8s.io/kubernetes/pkg/types.UID) + + // An opaque value that represents the internal version of this object that can + // be used by clients to determine when objects have changed. May be used for optimistic + // concurrency, change detection, and the watch operation on a resource or set of resources. + // Clients must treat these values as opaque and passed unmodified back to the server. + // They may only be valid for a particular resource or set of resources. + // + // Populated by the system. + // Read-only. + // Value must be treated as opaque by clients and . + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + // +optional + resourceVersion?: string @go(ResourceVersion) @protobuf(6,bytes,opt) + + // A sequence number representing a specific generation of the desired state. + // Populated by the system. Read-only. 
+ // +optional + generation?: int64 @go(Generation) @protobuf(7,varint,opt) + + // CreationTimestamp is a timestamp representing the server time when this object was + // created. It is not guaranteed to be set in happens-before order across separate operations. + // Clients may not set this value. It is represented in RFC3339 form and is in UTC. + // + // Populated by the system. + // Read-only. + // Null for lists. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + creationTimestamp?: #Time @go(CreationTimestamp) @protobuf(8,bytes,opt) + + // DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This + // field is set by the server when a graceful deletion is requested by the user, and is not + // directly settable by a client. The resource is expected to be deleted (no longer visible + // from resource lists, and not reachable by name) after the time in this field, once the + // finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. + // Once the deletionTimestamp is set, this value may not be unset or be set further into the + // future, although it may be shortened or the resource may be deleted prior to this time. + // For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react + // by sending a graceful termination signal to the containers in the pod. After that 30 seconds, + // the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, + // remove the pod from the API. In the presence of network partitions, this object may still + // exist after this timestamp, until an administrator or automated process can determine the + // resource is fully terminated. + // If not set, graceful deletion of the object has not been requested. + // + // Populated by the system when a graceful deletion is requested. + // Read-only. 
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + deletionTimestamp?: null | #Time @go(DeletionTimestamp,*Time) @protobuf(9,bytes,opt) + + // Number of seconds allowed for this object to gracefully terminate before + // it will be removed from the system. Only set when deletionTimestamp is also set. + // May only be shortened. + // Read-only. + // +optional + deletionGracePeriodSeconds?: null | int64 @go(DeletionGracePeriodSeconds,*int64) @protobuf(10,varint,opt) + + // Map of string keys and values that can be used to organize and categorize + // (scope and select) objects. May match selectors of replication controllers + // and services. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels + // +optional + labels?: {[string]: string} @go(Labels,map[string]string) @protobuf(11,bytes,rep) + + // Annotations is an unstructured key value map stored with a resource that may be + // set by external tools to store and retrieve arbitrary metadata. They are not + // queryable and should be preserved when modifying objects. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations + // +optional + annotations?: {[string]: string} @go(Annotations,map[string]string) @protobuf(12,bytes,rep) + + // List of objects depended by this object. If ALL objects in the list have + // been deleted, this object will be garbage collected. If this object is managed by a controller, + // then an entry in this list will point to this controller, with the controller field set to true. + // There cannot be more than one managing controller. + // +optional + // +patchMergeKey=uid + // +patchStrategy=merge + ownerReferences?: [...#OwnerReference] @go(OwnerReferences,[]OwnerReference) @protobuf(13,bytes,rep) + + // Must be empty before the object is deleted from the registry. 
Each entry + // is an identifier for the responsible component that will remove the entry + // from the list. If the deletionTimestamp of the object is non-nil, entries + // in this list can only be removed. + // Finalizers may be processed and removed in any order. Order is NOT enforced + // because it introduces significant risk of stuck finalizers. + // finalizers is a shared field, any actor with permission can reorder it. + // If the finalizer list is processed in order, then this can lead to a situation + // in which the component responsible for the first finalizer in the list is + // waiting for a signal (field value, external system, or other) produced by a + // component responsible for a finalizer later in the list, resulting in a deadlock. + // Without enforced ordering finalizers are free to order amongst themselves and + // are not vulnerable to ordering changes in the list. + // +optional + // +patchStrategy=merge + finalizers?: [...string] @go(Finalizers,[]string) @protobuf(14,bytes,rep) + + // ManagedFields maps workflow-id and version to the set of fields + // that are managed by that workflow. This is mostly for internal + // housekeeping, and users typically shouldn't need to set or + // understand this field. A workflow can be the user's name, a + // controller's name, or the name of a specific apply path like + // "ci-cd". The set of fields is always in the version that the + // workflow used when modifying the object. + // + // +optional + managedFields?: [...#ManagedFieldsEntry] @go(ManagedFields,[]ManagedFieldsEntry) @protobuf(17,bytes,rep) +} + +// NamespaceDefault means the object is in the default namespace which is applied when not specified by clients +#NamespaceDefault: "default" + +// NamespaceAll is the default argument to specify on a context when you want to list or filter resources across all namespaces +#NamespaceAll: "" + +// NamespaceNone is the argument for a context when there is no namespace. 
+#NamespaceNone: "" + +// NamespaceSystem is the system namespace where we place system components. +#NamespaceSystem: "kube-system" + +// NamespacePublic is the namespace where we place public info (ConfigMaps) +#NamespacePublic: "kube-public" + +// OwnerReference contains enough information to let you identify an owning +// object. An owning object must be in the same namespace as the dependent, or +// be cluster-scoped, so there is no namespace field. +// +structType=atomic +#OwnerReference: { + // API version of the referent. + apiVersion: string @go(APIVersion) @protobuf(5,bytes,opt) + + // Kind of the referent. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: string @go(Kind) @protobuf(1,bytes,opt) + + // Name of the referent. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names + name: string @go(Name) @protobuf(3,bytes,opt) + + // UID of the referent. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids + uid: types.#UID @go(UID) @protobuf(4,bytes,opt,casttype=k8s.io/apimachinery/pkg/types.UID) + + // If true, this reference points to the managing controller. + // +optional + controller?: null | bool @go(Controller,*bool) @protobuf(6,varint,opt) + + // If true, AND if the owner has the "foregroundDeletion" finalizer, then + // the owner cannot be deleted from the key-value store until this + // reference is removed. + // See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion + // for how the garbage collector interacts with this field and enforces the foreground deletion. + // Defaults to false. + // To set this field, a user needs "delete" permission of the owner, + // otherwise 422 (Unprocessable Entity) will be returned. 
+ // +optional + blockOwnerDeletion?: null | bool @go(BlockOwnerDeletion,*bool) @protobuf(7,varint,opt) +} + +// ListOptions is the query options to a standard REST list call. +#ListOptions: { + #TypeMeta + + // A selector to restrict the list of returned objects by their labels. + // Defaults to everything. + // +optional + labelSelector?: string @go(LabelSelector) @protobuf(1,bytes,opt) + + // A selector to restrict the list of returned objects by their fields. + // Defaults to everything. + // +optional + fieldSelector?: string @go(FieldSelector) @protobuf(2,bytes,opt) + + // Watch for changes to the described resources and return them as a stream of + // add, update, and remove notifications. Specify resourceVersion. + // +optional + watch?: bool @go(Watch) @protobuf(3,varint,opt) + + // allowWatchBookmarks requests watch events with type "BOOKMARK". + // Servers that do not implement bookmarks may ignore this flag and + // bookmarks are sent at the server's discretion. Clients should not + // assume bookmarks are returned at any specific interval, nor may they + // assume the server will send any BOOKMARK event during a session. + // If this is not a watch, this field is ignored. + // +optional + allowWatchBookmarks?: bool @go(AllowWatchBookmarks) @protobuf(9,varint,opt) + + // resourceVersion sets a constraint on what resource versions a request may be served from. + // See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for + // details. + // + // Defaults to unset + // +optional + resourceVersion?: string @go(ResourceVersion) @protobuf(4,bytes,opt) + + // resourceVersionMatch determines how resourceVersion is applied to list calls. + // It is highly recommended that resourceVersionMatch be set for list calls where + // resourceVersion is set + // See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for + // details. 
+ // + // Defaults to unset + // +optional + resourceVersionMatch?: #ResourceVersionMatch @go(ResourceVersionMatch) @protobuf(10,bytes,opt,casttype=ResourceVersionMatch) + + // Timeout for the list/watch call. + // This limits the duration of the call, regardless of any activity or inactivity. + // +optional + timeoutSeconds?: null | int64 @go(TimeoutSeconds,*int64) @protobuf(5,varint,opt) + + // limit is a maximum number of responses to return for a list call. If more items exist, the + // server will set the `continue` field on the list metadata to a value that can be used with the + // same initial query to retrieve the next set of results. Setting a limit may return fewer than + // the requested amount of items (up to zero items) in the event all requested objects are + // filtered out and clients should only use the presence of the continue field to determine whether + // more results are available. Servers may choose not to support the limit argument and will return + // all of the available results. If limit is specified and the continue field is empty, clients may + // assume that no more results are available. This field is not supported if watch is true. + // + // The server guarantees that the objects returned when using continue will be identical to issuing + // a single list call without a limit - that is, no objects created, modified, or deleted after the + // first request is issued will be included in any subsequent continued requests. This is sometimes + // referred to as a consistent snapshot, and ensures that a client that is using limit to receive + // smaller chunks of a very large result can ensure they see all possible objects. If objects are + // updated during a chunked list the version of the object that was present at the time the first list + // result was calculated is returned. + limit?: int64 @go(Limit) @protobuf(7,varint,opt) + + // The continue option should be set when retrieving more results from the server. 
Since this value is + // server defined, clients may only use the continue value from a previous query result with identical + // query parameters (except for the value of continue) and the server may reject a continue value it + // does not recognize. If the specified continue value is no longer valid whether due to expiration + // (generally five to fifteen minutes) or a configuration change on the server, the server will + // respond with a 410 ResourceExpired error together with a continue token. If the client needs a + // consistent list, it must restart their list without the continue field. Otherwise, the client may + // send another list request with the token received with the 410 error, the server will respond with + // a list starting from the next key, but from the latest snapshot, which is inconsistent from the + // previous list results - objects that are created, modified, or deleted after the first list request + // will be included in the response, as long as their keys are after the "next key". + // + // This field is not supported when watch is true. Clients may start a watch from the last + // resourceVersion value returned by the server and not miss any modifications. + continue?: string @go(Continue) @protobuf(8,bytes,opt) + + // `sendInitialEvents=true` may be set together with `watch=true`. + // In that case, the watch stream will begin with synthetic events to + // produce the current state of objects in the collection. Once all such + // events have been sent, a synthetic "Bookmark" event will be sent. + // The bookmark will report the ResourceVersion (RV) corresponding to the + // set of objects, and be marked with `"k8s.io/initial-events-end": "true"` annotation. + // Afterwards, the watch stream will proceed as usual, sending watch events + // corresponding to changes (subsequent to the RV) to objects watched. + // + // When `sendInitialEvents` option is set, we require `resourceVersionMatch` + // option to also be set. 
The semantic of the watch request is as following: + // - `resourceVersionMatch` = NotOlderThan + // is interpreted as "data at least as new as the provided `resourceVersion`" + // and the bookmark event is send when the state is synced + // to a `resourceVersion` at least as fresh as the one provided by the ListOptions. + // If `resourceVersion` is unset, this is interpreted as "consistent read" and the + // bookmark event is send when the state is synced at least to the moment + // when request started being processed. + // - `resourceVersionMatch` set to any other value or unset + // Invalid error is returned. + // + // Defaults to true if `resourceVersion=""` or `resourceVersion="0"` (for backward + // compatibility reasons) and to false otherwise. + // +optional + sendInitialEvents?: null | bool @go(SendInitialEvents,*bool) @protobuf(11,varint,opt) +} + +// resourceVersionMatch specifies how the resourceVersion parameter is applied. resourceVersionMatch +// may only be set if resourceVersion is also set. +// +// "NotOlderThan" matches data at least as new as the provided resourceVersion. +// "Exact" matches data at the exact resourceVersion provided. +// +// See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for +// details. +#ResourceVersionMatch: string // #enumResourceVersionMatch + +#enumResourceVersionMatch: + #ResourceVersionMatchNotOlderThan | + #ResourceVersionMatchExact + +// ResourceVersionMatchNotOlderThan matches data at least as new as the provided +// resourceVersion. +#ResourceVersionMatchNotOlderThan: #ResourceVersionMatch & "NotOlderThan" + +// ResourceVersionMatchExact matches data at the exact resourceVersion +// provided. +#ResourceVersionMatchExact: #ResourceVersionMatch & "Exact" + +// GetOptions is the standard query options to the standard REST get call. +#GetOptions: { + #TypeMeta + + // resourceVersion sets a constraint on what resource versions a request may be served from. 
+ // See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for + // details. + // + // Defaults to unset + // +optional + resourceVersion?: string @go(ResourceVersion) @protobuf(1,bytes,opt) +} + +// DeletionPropagation decides if a deletion will propagate to the dependents of +// the object, and how the garbage collector will handle the propagation. +#DeletionPropagation: string // #enumDeletionPropagation + +#enumDeletionPropagation: + #DeletePropagationOrphan | + #DeletePropagationBackground | + #DeletePropagationForeground + +// Orphans the dependents. +#DeletePropagationOrphan: #DeletionPropagation & "Orphan" + +// Deletes the object from the key-value store, the garbage collector will +// delete the dependents in the background. +#DeletePropagationBackground: #DeletionPropagation & "Background" + +// The object exists in the key-value store until the garbage collector +// deletes all the dependents whose ownerReference.blockOwnerDeletion=true +// from the key-value store. API sever will put the "foregroundDeletion" +// finalizer on the object, and sets its deletionTimestamp. This policy is +// cascading, i.e., the dependents will be deleted with Foreground. +#DeletePropagationForeground: #DeletionPropagation & "Foreground" + +// DryRunAll means to complete all processing stages, but don't +// persist changes to storage. +#DryRunAll: "All" + +// DeleteOptions may be provided when deleting an API object. +#DeleteOptions: { + #TypeMeta + + // The duration in seconds before the object should be deleted. Value must be non-negative integer. + // The value zero indicates delete immediately. If this value is nil, the default grace period for the + // specified type will be used. + // Defaults to a per object value if not specified. zero means delete immediately. + // +optional + gracePeriodSeconds?: null | int64 @go(GracePeriodSeconds,*int64) @protobuf(1,varint,opt) + + // Must be fulfilled before a deletion is carried out. 
If not possible, a 409 Conflict status will be + // returned. + // +k8s:conversion-gen=false + // +optional + preconditions?: null | #Preconditions @go(Preconditions,*Preconditions) @protobuf(2,bytes,opt) + + // Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. + // Should the dependent objects be orphaned. If true/false, the "orphan" + // finalizer will be added to/removed from the object's finalizers list. + // Either this field or PropagationPolicy may be set, but not both. + // +optional + orphanDependents?: null | bool @go(OrphanDependents,*bool) @protobuf(3,varint,opt) + + // Whether and how garbage collection will be performed. + // Either this field or OrphanDependents may be set, but not both. + // The default policy is decided by the existing finalizer set in the + // metadata.finalizers and the resource-specific default policy. + // Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - + // allow the garbage collector to delete the dependents in the background; + // 'Foreground' - a cascading policy that deletes all dependents in the + // foreground. + // +optional + propagationPolicy?: null | #DeletionPropagation @go(PropagationPolicy,*DeletionPropagation) @protobuf(4,varint,opt) + + // When present, indicates that modifications should not be + // persisted. An invalid or unrecognized dryRun directive will + // result in an error response and no further processing of the + // request. 
Valid values are: + // - All: all dry run stages will be processed + // +optional + dryRun?: [...string] @go(DryRun,[]string) @protobuf(5,bytes,rep) +} + +// FieldValidationIgnore ignores unknown/duplicate fields +#FieldValidationIgnore: "Ignore" + +// FieldValidationWarn responds with a warning, but successfully serve the request +#FieldValidationWarn: "Warn" + +// FieldValidationStrict fails the request on unknown/duplicate fields +#FieldValidationStrict: "Strict" + +// CreateOptions may be provided when creating an API object. +#CreateOptions: { + #TypeMeta + + // When present, indicates that modifications should not be + // persisted. An invalid or unrecognized dryRun directive will + // result in an error response and no further processing of the + // request. Valid values are: + // - All: all dry run stages will be processed + // +optional + dryRun?: [...string] @go(DryRun,[]string) @protobuf(1,bytes,rep) + + // fieldManager is a name associated with the actor or entity + // that is making these changes. The value must be less than or + // 128 characters long, and only contain printable characters, + // as defined by https://golang.org/pkg/unicode/#IsPrint. + // +optional + fieldManager?: string @go(FieldManager) @protobuf(3,bytes) + + // fieldValidation instructs the server on how to handle + // objects in the request (POST/PUT/PATCH) containing unknown + // or duplicate fields. Valid values are: + // - Ignore: This will ignore any unknown fields that are silently + // dropped from the object, and will ignore all but the last duplicate + // field that the decoder encounters. This is the default behavior + // prior to v1.23. + // - Warn: This will send a warning via the standard warning response + // header for each unknown field that is dropped from the object, and + // for each duplicate field that is encountered. The request will + // still succeed if there are no other errors, and will only persist + // the last of any duplicate fields. 
This is the default in v1.23+ + // - Strict: This will fail the request with a BadRequest error if + // any unknown fields would be dropped from the object, or if any + // duplicate fields are present. The error returned from the server + // will contain all unknown and duplicate fields encountered. + // +optional + fieldValidation?: string @go(FieldValidation) @protobuf(4,bytes) +} + +// PatchOptions may be provided when patching an API object. +// PatchOptions is meant to be a superset of UpdateOptions. +#PatchOptions: { + #TypeMeta + + // When present, indicates that modifications should not be + // persisted. An invalid or unrecognized dryRun directive will + // result in an error response and no further processing of the + // request. Valid values are: + // - All: all dry run stages will be processed + // +optional + dryRun?: [...string] @go(DryRun,[]string) @protobuf(1,bytes,rep) + + // Force is going to "force" Apply requests. It means user will + // re-acquire conflicting fields owned by other people. Force + // flag must be unset for non-apply patch requests. + // +optional + force?: null | bool @go(Force,*bool) @protobuf(2,varint,opt) + + // fieldManager is a name associated with the actor or entity + // that is making these changes. The value must be less than or + // 128 characters long, and only contain printable characters, + // as defined by https://golang.org/pkg/unicode/#IsPrint. This + // field is required for apply requests + // (application/apply-patch) but optional for non-apply patch + // types (JsonPatch, MergePatch, StrategicMergePatch). + // +optional + fieldManager?: string @go(FieldManager) @protobuf(3,bytes) + + // fieldValidation instructs the server on how to handle + // objects in the request (POST/PUT/PATCH) containing unknown + // or duplicate fields. 
Valid values are: + // - Ignore: This will ignore any unknown fields that are silently + // dropped from the object, and will ignore all but the last duplicate + // field that the decoder encounters. This is the default behavior + // prior to v1.23. + // - Warn: This will send a warning via the standard warning response + // header for each unknown field that is dropped from the object, and + // for each duplicate field that is encountered. The request will + // still succeed if there are no other errors, and will only persist + // the last of any duplicate fields. This is the default in v1.23+ + // - Strict: This will fail the request with a BadRequest error if + // any unknown fields would be dropped from the object, or if any + // duplicate fields are present. The error returned from the server + // will contain all unknown and duplicate fields encountered. + // +optional + fieldValidation?: string @go(FieldValidation) @protobuf(4,bytes) +} + +// ApplyOptions may be provided when applying an API object. +// FieldManager is required for apply requests. +// ApplyOptions is equivalent to PatchOptions. It is provided as a convenience with documentation +// that speaks specifically to how the options fields relate to apply. +#ApplyOptions: { + #TypeMeta + + // When present, indicates that modifications should not be + // persisted. An invalid or unrecognized dryRun directive will + // result in an error response and no further processing of the + // request. Valid values are: + // - All: all dry run stages will be processed + // +optional + dryRun?: [...string] @go(DryRun,[]string) @protobuf(1,bytes,rep) + + // Force is going to "force" Apply requests. It means user will + // re-acquire conflicting fields owned by other people. + force: bool @go(Force) @protobuf(2,varint,opt) + + // fieldManager is a name associated with the actor or entity + // that is making these changes. 
The value must be less than or + // 128 characters long, and only contain printable characters, + // as defined by https://golang.org/pkg/unicode/#IsPrint. This + // field is required. + fieldManager: string @go(FieldManager) @protobuf(3,bytes) +} + +// UpdateOptions may be provided when updating an API object. +// All fields in UpdateOptions should also be present in PatchOptions. +#UpdateOptions: { + #TypeMeta + + // When present, indicates that modifications should not be + // persisted. An invalid or unrecognized dryRun directive will + // result in an error response and no further processing of the + // request. Valid values are: + // - All: all dry run stages will be processed + // +optional + dryRun?: [...string] @go(DryRun,[]string) @protobuf(1,bytes,rep) + + // fieldManager is a name associated with the actor or entity + // that is making these changes. The value must be less than or + // 128 characters long, and only contain printable characters, + // as defined by https://golang.org/pkg/unicode/#IsPrint. + // +optional + fieldManager?: string @go(FieldManager) @protobuf(2,bytes) + + // fieldValidation instructs the server on how to handle + // objects in the request (POST/PUT/PATCH) containing unknown + // or duplicate fields. Valid values are: + // - Ignore: This will ignore any unknown fields that are silently + // dropped from the object, and will ignore all but the last duplicate + // field that the decoder encounters. This is the default behavior + // prior to v1.23. + // - Warn: This will send a warning via the standard warning response + // header for each unknown field that is dropped from the object, and + // for each duplicate field that is encountered. The request will + // still succeed if there are no other errors, and will only persist + // the last of any duplicate fields. 
This is the default in v1.23+ + // - Strict: This will fail the request with a BadRequest error if + // any unknown fields would be dropped from the object, or if any + // duplicate fields are present. The error returned from the server + // will contain all unknown and duplicate fields encountered. + // +optional + fieldValidation?: string @go(FieldValidation) @protobuf(3,bytes) +} + +// Preconditions must be fulfilled before an operation (update, delete, etc.) is carried out. +#Preconditions: { + // Specifies the target UID. + // +optional + uid?: null | types.#UID @go(UID,*types.UID) @protobuf(1,bytes,opt,casttype=k8s.io/apimachinery/pkg/types.UID) + + // Specifies the target ResourceVersion + // +optional + resourceVersion?: null | string @go(ResourceVersion,*string) @protobuf(2,bytes,opt) +} + +// Status is a return value for calls that don't return other objects. +#Status: { + #TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: #ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // Status of the operation. + // One of: "Success" or "Failure". + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + // +optional + status?: string @go(Status) @protobuf(2,bytes,opt) + + // A human-readable description of the status of this operation. + // +optional + message?: string @go(Message) @protobuf(3,bytes,opt) + + // A machine-readable description of why this operation is in the + // "Failure" status. If this value is empty there + // is no information available. A Reason clarifies an HTTP status + // code but does not override it. + // +optional + reason?: #StatusReason @go(Reason) @protobuf(4,bytes,opt,casttype=StatusReason) + + // Extended data associated with the reason. Each reason may define its + // own extended details. 
This field is optional and the data returned + // is not guaranteed to conform to any schema except that defined by + // the reason type. + // +optional + details?: null | #StatusDetails @go(Details,*StatusDetails) @protobuf(5,bytes,opt) + + // Suggested HTTP return code for this status, 0 if not set. + // +optional + code?: int32 @go(Code) @protobuf(6,varint,opt) +} + +// StatusDetails is a set of additional properties that MAY be set by the +// server to provide additional information about a response. The Reason +// field of a Status object defines what attributes will be set. Clients +// must ignore fields that do not match the defined type of each attribute, +// and should assume that any attribute may be empty, invalid, or under +// defined. +#StatusDetails: { + // The name attribute of the resource associated with the status StatusReason + // (when there is a single name which can be described). + // +optional + name?: string @go(Name) @protobuf(1,bytes,opt) + + // The group attribute of the resource associated with the status StatusReason. + // +optional + group?: string @go(Group) @protobuf(2,bytes,opt) + + // The kind attribute of the resource associated with the status StatusReason. + // On some operations may differ from the requested resource Kind. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + kind?: string @go(Kind) @protobuf(3,bytes,opt) + + // UID of the resource. + // (when there is a single resource which can be described). + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids + // +optional + uid?: types.#UID @go(UID) @protobuf(6,bytes,opt,casttype=k8s.io/apimachinery/pkg/types.UID) + + // The Causes array includes more details associated with the StatusReason + // failure. Not all StatusReasons may provide detailed causes. 
+ // +optional + causes?: [...#StatusCause] @go(Causes,[]StatusCause) @protobuf(4,bytes,rep) + + // If specified, the time in seconds before the operation should be retried. Some errors may indicate + // the client must take an alternate action - for those errors this field may indicate how long to wait + // before taking the alternate action. + // +optional + retryAfterSeconds?: int32 @go(RetryAfterSeconds) @protobuf(5,varint,opt) +} + +#StatusSuccess: "Success" +#StatusFailure: "Failure" + +// StatusReason is an enumeration of possible failure causes. Each StatusReason +// must map to a single HTTP status code, but multiple reasons may map +// to the same HTTP status code. +// TODO: move to apiserver +#StatusReason: string // #enumStatusReason + +#enumStatusReason: + #StatusReasonUnknown | + #StatusReasonUnauthorized | + #StatusReasonForbidden | + #StatusReasonNotFound | + #StatusReasonAlreadyExists | + #StatusReasonConflict | + #StatusReasonGone | + #StatusReasonInvalid | + #StatusReasonServerTimeout | + #StatusReasonTimeout | + #StatusReasonTooManyRequests | + #StatusReasonBadRequest | + #StatusReasonMethodNotAllowed | + #StatusReasonNotAcceptable | + #StatusReasonRequestEntityTooLarge | + #StatusReasonUnsupportedMediaType | + #StatusReasonInternalError | + #StatusReasonExpired | + #StatusReasonServiceUnavailable + +// StatusReasonUnknown means the server has declined to indicate a specific reason. +// The details field may contain other information about this error. +// Status code 500. +#StatusReasonUnknown: #StatusReason & "" + +// StatusReasonUnauthorized means the server can be reached and understood the request, but requires +// the user to present appropriate authorization credentials (identified by the WWW-Authenticate header) +// in order for the action to be completed. If the user has specified credentials on the request, the +// server considers them insufficient. 
+// Status code 401 +#StatusReasonUnauthorized: #StatusReason & "Unauthorized" + +// StatusReasonForbidden means the server can be reached and understood the request, but refuses +// to take any further action. It is the result of the server being configured to deny access for some reason +// to the requested resource by the client. +// Details (optional): +// "kind" string - the kind attribute of the forbidden resource +// on some operations may differ from the requested +// resource. +// "id" string - the identifier of the forbidden resource +// Status code 403 +#StatusReasonForbidden: #StatusReason & "Forbidden" + +// StatusReasonNotFound means one or more resources required for this operation +// could not be found. +// Details (optional): +// "kind" string - the kind attribute of the missing resource +// on some operations may differ from the requested +// resource. +// "id" string - the identifier of the missing resource +// Status code 404 +#StatusReasonNotFound: #StatusReason & "NotFound" + +// StatusReasonAlreadyExists means the resource you are creating already exists. +// Details (optional): +// "kind" string - the kind attribute of the conflicting resource +// "id" string - the identifier of the conflicting resource +// Status code 409 +#StatusReasonAlreadyExists: #StatusReason & "AlreadyExists" + +// StatusReasonConflict means the requested operation cannot be completed +// due to a conflict in the operation. The client may need to alter the +// request. Each resource may define custom details that indicate the +// nature of the conflict. +// Status code 409 +#StatusReasonConflict: #StatusReason & "Conflict" + +// StatusReasonGone means the item is no longer available at the server and no +// forwarding address is known. +// Status code 410 +#StatusReasonGone: #StatusReason & "Gone" + +// StatusReasonInvalid means the requested create or update operation cannot be +// completed due to invalid data provided as part of the request. 
The client may +// need to alter the request. When set, the client may use the StatusDetails +// message field as a summary of the issues encountered. +// Details (optional): +// "kind" string - the kind attribute of the invalid resource +// "id" string - the identifier of the invalid resource +// "causes" - one or more StatusCause entries indicating the data in the +// provided resource that was invalid. The code, message, and +// field attributes will be set. +// Status code 422 +#StatusReasonInvalid: #StatusReason & "Invalid" + +// StatusReasonServerTimeout means the server can be reached and understood the request, +// but cannot complete the action in a reasonable time. The client should retry the request. +// This is may be due to temporary server load or a transient communication issue with +// another server. Status code 500 is used because the HTTP spec provides no suitable +// server-requested client retry and the 5xx class represents actionable errors. +// Details (optional): +// "kind" string - the kind attribute of the resource being acted on. +// "id" string - the operation that is being attempted. +// "retryAfterSeconds" int32 - the number of seconds before the operation should be retried +// Status code 500 +#StatusReasonServerTimeout: #StatusReason & "ServerTimeout" + +// StatusReasonTimeout means that the request could not be completed within the given time. +// Clients can get this response only when they specified a timeout param in the request, +// or if the server cannot complete the operation within a reasonable amount of time. +// The request might succeed with an increased value of timeout param. The client *should* +// wait at least the number of seconds specified by the retryAfterSeconds field. 
+// Details (optional): +// "retryAfterSeconds" int32 - the number of seconds before the operation should be retried +// Status code 504 +#StatusReasonTimeout: #StatusReason & "Timeout" + +// StatusReasonTooManyRequests means the server experienced too many requests within a +// given window and that the client must wait to perform the action again. A client may +// always retry the request that led to this error, although the client should wait at least +// the number of seconds specified by the retryAfterSeconds field. +// Details (optional): +// "retryAfterSeconds" int32 - the number of seconds before the operation should be retried +// Status code 429 +#StatusReasonTooManyRequests: #StatusReason & "TooManyRequests" + +// StatusReasonBadRequest means that the request itself was invalid, because the request +// doesn't make any sense, for example deleting a read-only object. This is different than +// StatusReasonInvalid above which indicates that the API call could possibly succeed, but the +// data was invalid. API calls that return BadRequest can never succeed. +// Status code 400 +#StatusReasonBadRequest: #StatusReason & "BadRequest" + +// StatusReasonMethodNotAllowed means that the action the client attempted to perform on the +// resource was not supported by the code - for instance, attempting to delete a resource that +// can only be created. API calls that return MethodNotAllowed can never succeed. +// Status code 405 +#StatusReasonMethodNotAllowed: #StatusReason & "MethodNotAllowed" + +// StatusReasonNotAcceptable means that the accept types indicated by the client were not acceptable +// to the server - for instance, attempting to receive protobuf for a resource that supports only json and yaml. +// API calls that return NotAcceptable can never succeed. +// Status code 406 +#StatusReasonNotAcceptable: #StatusReason & "NotAcceptable" + +// StatusReasonRequestEntityTooLarge means that the request entity is too large. 
+// Status code 413 +#StatusReasonRequestEntityTooLarge: #StatusReason & "RequestEntityTooLarge" + +// StatusReasonUnsupportedMediaType means that the content type sent by the client is not acceptable +// to the server - for instance, attempting to send protobuf for a resource that supports only json and yaml. +// API calls that return UnsupportedMediaType can never succeed. +// Status code 415 +#StatusReasonUnsupportedMediaType: #StatusReason & "UnsupportedMediaType" + +// StatusReasonInternalError indicates that an internal error occurred, it is unexpected +// and the outcome of the call is unknown. +// Details (optional): +// "causes" - The original error +// Status code 500 +#StatusReasonInternalError: #StatusReason & "InternalError" + +// StatusReasonExpired indicates that the request is invalid because the content you are requesting +// has expired and is no longer available. It is typically associated with watches that can't be +// serviced. +// Status code 410 (gone) +#StatusReasonExpired: #StatusReason & "Expired" + +// StatusReasonServiceUnavailable means that the request itself was valid, +// but the requested service is unavailable at this time. +// Retrying the request after some time might succeed. +// Status code 503 +#StatusReasonServiceUnavailable: #StatusReason & "ServiceUnavailable" + +// StatusCause provides more information about an api.Status failure, including +// cases when multiple errors are encountered. +#StatusCause: { + // A machine-readable description of the cause of the error. If this value is + // empty there is no information available. + // +optional + reason?: #CauseType @go(Type) @protobuf(1,bytes,opt,casttype=CauseType) + + // A human-readable description of the cause of the error. This field may be + // presented as-is to a reader. + // +optional + message?: string @go(Message) @protobuf(2,bytes,opt) + + // The field of the resource that has caused this error, as named by its JSON + // serialization. 
May include dot and postfix notation for nested attributes. + // Arrays are zero-indexed. Fields may appear more than once in an array of + // causes due to fields having multiple errors. + // Optional. + // + // Examples: + // "name" - the field "name" on the current resource + // "items[0].name" - the field "name" on the first array entry in "items" + // +optional + field?: string @go(Field) @protobuf(3,bytes,opt) +} + +// CauseType is a machine readable value providing more detail about what +// occurred in a status response. An operation may have multiple causes for a +// status (whether Failure or Success). +#CauseType: string // #enumCauseType + +#enumCauseType: + #CauseTypeFieldValueNotFound | + #CauseTypeFieldValueRequired | + #CauseTypeFieldValueDuplicate | + #CauseTypeFieldValueInvalid | + #CauseTypeFieldValueNotSupported | + #CauseTypeForbidden | + #CauseTypeTooLong | + #CauseTypeTooMany | + #CauseTypeInternal | + #CauseTypeTypeInvalid | + #CauseTypeUnexpectedServerResponse | + #CauseTypeFieldManagerConflict | + #CauseTypeResourceVersionTooLarge + +// CauseTypeFieldValueNotFound is used to report failure to find a requested value +// (e.g. looking up an ID). +#CauseTypeFieldValueNotFound: #CauseType & "FieldValueNotFound" + +// CauseTypeFieldValueRequired is used to report required values that are not +// provided (e.g. empty strings, null values, or empty arrays). +#CauseTypeFieldValueRequired: #CauseType & "FieldValueRequired" + +// CauseTypeFieldValueDuplicate is used to report collisions of values that must be +// unique (e.g. unique IDs). +#CauseTypeFieldValueDuplicate: #CauseType & "FieldValueDuplicate" + +// CauseTypeFieldValueInvalid is used to report malformed values (e.g. failed regex +// match). +#CauseTypeFieldValueInvalid: #CauseType & "FieldValueInvalid" + +// CauseTypeFieldValueNotSupported is used to report valid (as per formatting rules) +// values that can not be handled (e.g. an enumerated string). 
+#CauseTypeFieldValueNotSupported: #CauseType & "FieldValueNotSupported" + +// CauseTypeForbidden is used to report valid (as per formatting rules) +// values which would be accepted under some conditions, but which are not +// permitted by the current conditions (such as security policy). See +// Forbidden(). +#CauseTypeForbidden: #CauseType & "FieldValueForbidden" + +// CauseTypeTooLong is used to report that the given value is too long. +// This is similar to ErrorTypeInvalid, but the error will not include the +// too-long value. See TooLong(). +#CauseTypeTooLong: #CauseType & "FieldValueTooLong" + +// CauseTypeTooMany is used to report "too many". This is used to +// report that a given list has too many items. This is similar to FieldValueTooLong, +// but the error indicates quantity instead of length. +#CauseTypeTooMany: #CauseType & "FieldValueTooMany" + +// CauseTypeInternal is used to report other errors that are not related +// to user input. See InternalError(). +#CauseTypeInternal: #CauseType & "InternalError" + +// CauseTypeTypeInvalid is for the value did not match the schema type for that field +#CauseTypeTypeInvalid: #CauseType & "FieldValueTypeInvalid" + +// CauseTypeUnexpectedServerResponse is used to report when the server responded to the client +// without the expected return type. The presence of this cause indicates the error may be +// due to an intervening proxy or the server software malfunctioning. +#CauseTypeUnexpectedServerResponse: #CauseType & "UnexpectedServerResponse" + +// FieldManagerConflict is used to report when another client claims to manage this field, +// It should only be returned for a request using server-side apply. +#CauseTypeFieldManagerConflict: #CauseType & "FieldManagerConflict" + +// CauseTypeResourceVersionTooLarge is used to report that the requested resource version +// is newer than the data observed by the API server, so the request cannot be served. 
+#CauseTypeResourceVersionTooLarge: #CauseType & "ResourceVersionTooLarge" + +// List holds a list of objects, which may not be known by the server. +#List: { + #TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: #ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // List of objects + items: [...runtime.#RawExtension] @go(Items,[]runtime.RawExtension) @protobuf(2,bytes,rep) +} + +// APIVersions lists the versions that are available, to allow clients to +// discover the API at /api, which is the root path of the legacy v1 API. +// +// +protobuf.options.(gogoproto.goproto_stringer)=false +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +#APIVersions: { + #TypeMeta + + // versions are the api versions that are available. + versions: [...string] @go(Versions,[]string) @protobuf(1,bytes,rep) + + // a map of client CIDR to server address that is serving this group. + // This is to help clients reach servers in the most network-efficient way possible. + // Clients can use the appropriate server address as per the CIDR that they match. + // In case of multiple matches, clients should use the longest matching CIDR. + // The server returns only those CIDRs that it thinks that the client can match. + // For example: the master will return an internal IP CIDR only, if the client reaches the server using an internal IP. + // Server looks at X-Forwarded-For header or X-Real-Ip header or request.RemoteAddr (in that order) to get the client IP. + serverAddressByClientCIDRs: [...#ServerAddressByClientCIDR] @go(ServerAddressByClientCIDRs,[]ServerAddressByClientCIDR) @protobuf(2,bytes,rep) +} + +// APIGroupList is a list of APIGroup, to allow clients to discover the API at +// /apis. +#APIGroupList: { + #TypeMeta + + // groups is a list of APIGroup. 
+ groups: [...#APIGroup] @go(Groups,[]APIGroup) @protobuf(1,bytes,rep) +} + +// APIGroup contains the name, the supported versions, and the preferred version +// of a group. +#APIGroup: { + #TypeMeta + + // name is the name of the group. + name: string @go(Name) @protobuf(1,bytes,opt) + + // versions are the versions supported in this group. + versions: [...#GroupVersionForDiscovery] @go(Versions,[]GroupVersionForDiscovery) @protobuf(2,bytes,rep) + + // preferredVersion is the version preferred by the API server, which + // probably is the storage version. + // +optional + preferredVersion?: #GroupVersionForDiscovery @go(PreferredVersion) @protobuf(3,bytes,opt) + + // a map of client CIDR to server address that is serving this group. + // This is to help clients reach servers in the most network-efficient way possible. + // Clients can use the appropriate server address as per the CIDR that they match. + // In case of multiple matches, clients should use the longest matching CIDR. + // The server returns only those CIDRs that it thinks that the client can match. + // For example: the master will return an internal IP CIDR only, if the client reaches the server using an internal IP. + // Server looks at X-Forwarded-For header or X-Real-Ip header or request.RemoteAddr (in that order) to get the client IP. + // +optional + serverAddressByClientCIDRs?: [...#ServerAddressByClientCIDR] @go(ServerAddressByClientCIDRs,[]ServerAddressByClientCIDR) @protobuf(4,bytes,rep) +} + +// ServerAddressByClientCIDR helps the client to determine the server address that they should use, depending on the clientCIDR that they match. +#ServerAddressByClientCIDR: { + // The CIDR with which clients can match their IP to figure out the server address that they should use. + clientCIDR: string @go(ClientCIDR) @protobuf(1,bytes,opt) + + // Address of this server, suitable for a client that matches the above CIDR. + // This can be a hostname, hostname:port, IP or IP:port. 
+ serverAddress: string @go(ServerAddress) @protobuf(2,bytes,opt) +} + +// GroupVersion contains the "group/version" and "version" string of a version. +// It is made a struct to keep extensibility. +#GroupVersionForDiscovery: { + // groupVersion specifies the API group and version in the form "group/version" + groupVersion: string @go(GroupVersion) @protobuf(1,bytes,opt) + + // version specifies the version in the form of "version". This is to save + // the clients the trouble of splitting the GroupVersion. + version: string @go(Version) @protobuf(2,bytes,opt) +} + +// APIResource specifies the name of a resource and whether it is namespaced. +#APIResource: { + // name is the plural name of the resource. + name: string @go(Name) @protobuf(1,bytes,opt) + + // singularName is the singular name of the resource. This allows clients to handle plural and singular opaquely. + // The singularName is more correct for reporting status on a single item and both singular and plural are allowed + // from the kubectl CLI interface. + singularName: string @go(SingularName) @protobuf(6,bytes,opt) + + // namespaced indicates if a resource is namespaced or not. + namespaced: bool @go(Namespaced) @protobuf(2,varint,opt) + + // group is the preferred group of the resource. Empty implies the group of the containing resource list. + // For subresources, this may have a different value, for example: Scale". + group?: string @go(Group) @protobuf(8,bytes,opt) + + // version is the preferred version of the resource. Empty implies the version of the containing resource list + // For subresources, this may have a different value, for example: v1 (while inside a v1beta1 version of the core resource's group)". + version?: string @go(Version) @protobuf(9,bytes,opt) + + // kind is the kind for the resource (e.g. 
'Foo' is the kind for a resource 'foo') + kind: string @go(Kind) @protobuf(3,bytes,opt) + + // verbs is a list of supported kube verbs (this includes get, list, watch, create, + // update, patch, delete, deletecollection, and proxy) + verbs: #Verbs @go(Verbs) @protobuf(4,bytes,opt) + + // shortNames is a list of suggested short names of the resource. + shortNames?: [...string] @go(ShortNames,[]string) @protobuf(5,bytes,rep) + + // categories is a list of the grouped resources this resource belongs to (e.g. 'all') + categories?: [...string] @go(Categories,[]string) @protobuf(7,bytes,rep) + + // The hash value of the storage version, the version this resource is + // converted to when written to the data store. Value must be treated + // as opaque by clients. Only equality comparison on the value is valid. + // This is an alpha feature and may change or be removed in the future. + // The field is populated by the apiserver only if the + // StorageVersionHash feature gate is enabled. + // This field will remain optional even if it graduates. + // +optional + storageVersionHash?: string @go(StorageVersionHash) @protobuf(10,bytes,opt) +} + +// Verbs masks the value so protobuf can generate +// +// +protobuf.nullable=true +// +protobuf.options.(gogoproto.goproto_stringer)=false +#Verbs: [...string] + +// APIResourceList is a list of APIResource, it is used to expose the name of the +// resources supported in a specific group and version, and if the resource +// is namespaced. +#APIResourceList: { + #TypeMeta + + // groupVersion is the group and version this APIResourceList is for. + groupVersion: string @go(GroupVersion) @protobuf(1,bytes,opt) + + // resources contains the name of the resources and if they are namespaced. + resources: [...#APIResource] @go(APIResources,[]APIResource) @protobuf(2,bytes,rep) +} + +// RootPaths lists the paths available at root. +// For example: "/healthz", "/apis". +#RootPaths: { + // paths are the paths available at root. 
+ paths: [...string] @go(Paths,[]string) @protobuf(1,bytes,rep) +} + +// Patch is provided to give a concrete name and type to the Kubernetes PATCH request body. +#Patch: { +} + +// A label selector is a label query over a set of resources. The result of matchLabels and +// matchExpressions are ANDed. An empty label selector matches all objects. A null +// label selector matches no objects. +// +structType=atomic +#LabelSelector: { + // matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + // map is equivalent to an element of matchExpressions, whose key field is "key", the + // operator is "In", and the values array contains only "value". The requirements are ANDed. + // +optional + matchLabels?: {[string]: string} @go(MatchLabels,map[string]string) @protobuf(1,bytes,rep) + + // matchExpressions is a list of label selector requirements. The requirements are ANDed. + // +optional + matchExpressions?: [...#LabelSelectorRequirement] @go(MatchExpressions,[]LabelSelectorRequirement) @protobuf(2,bytes,rep) +} + +// A label selector requirement is a selector that contains values, a key, and an operator that +// relates the key and values. +#LabelSelectorRequirement: { + // key is the label key that the selector applies to. + key: string @go(Key) @protobuf(1,bytes,opt) + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator: #LabelSelectorOperator @go(Operator) @protobuf(2,bytes,opt,casttype=LabelSelectorOperator) + + // values is an array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists or DoesNotExist, + // the values array must be empty. This array is replaced during a strategic + // merge patch. + // +optional + values?: [...string] @go(Values,[]string) @protobuf(3,bytes,rep) +} + +// A label selector operator is the set of operators that can be used in a selector requirement. 
+#LabelSelectorOperator: string // #enumLabelSelectorOperator + +#enumLabelSelectorOperator: + #LabelSelectorOpIn | + #LabelSelectorOpNotIn | + #LabelSelectorOpExists | + #LabelSelectorOpDoesNotExist + +#LabelSelectorOpIn: #LabelSelectorOperator & "In" +#LabelSelectorOpNotIn: #LabelSelectorOperator & "NotIn" +#LabelSelectorOpExists: #LabelSelectorOperator & "Exists" +#LabelSelectorOpDoesNotExist: #LabelSelectorOperator & "DoesNotExist" + +// ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource +// that the fieldset applies to. +#ManagedFieldsEntry: { + // Manager is an identifier of the workflow managing these fields. + manager?: string @go(Manager) @protobuf(1,bytes,opt) + + // Operation is the type of operation which lead to this ManagedFieldsEntry being created. + // The only valid values for this field are 'Apply' and 'Update'. + operation?: #ManagedFieldsOperationType @go(Operation) @protobuf(2,bytes,opt,casttype=ManagedFieldsOperationType) + + // APIVersion defines the version of this resource that this field set + // applies to. The format is "group/version" just like the top-level + // APIVersion field. It is necessary to track the version of a field + // set because it cannot be automatically converted. + apiVersion?: string @go(APIVersion) @protobuf(3,bytes,opt) + + // Time is the timestamp of when the ManagedFields entry was added. The + // timestamp will also be updated if a field is added, the manager + // changes any of the owned fields value or removes a field. The + // timestamp does not update when a field is removed from the entry + // because another manager took it over. + // +optional + time?: null | #Time @go(Time,*Time) @protobuf(4,bytes,opt) + + // FieldsType is the discriminator for the different fields format and version. 
+ // There is currently only one possible value: "FieldsV1" + fieldsType?: string @go(FieldsType) @protobuf(6,bytes,opt) + + // FieldsV1 holds the first JSON version format as described in the "FieldsV1" type. + // +optional + fieldsV1?: null | #FieldsV1 @go(FieldsV1,*FieldsV1) @protobuf(7,bytes,opt) + + // Subresource is the name of the subresource used to update that object, or + // empty string if the object was updated through the main resource. The + // value of this field is used to distinguish between managers, even if they + // share the same name. For example, a status update will be distinct from a + // regular update using the same manager name. + // Note that the APIVersion field is not related to the Subresource field and + // it always corresponds to the version of the main resource. + subresource?: string @go(Subresource) @protobuf(8,bytes,opt) +} + +// ManagedFieldsOperationType is the type of operation which lead to a ManagedFieldsEntry being created. +#ManagedFieldsOperationType: string // #enumManagedFieldsOperationType + +#enumManagedFieldsOperationType: + #ManagedFieldsOperationApply | + #ManagedFieldsOperationUpdate + +#ManagedFieldsOperationApply: #ManagedFieldsOperationType & "Apply" +#ManagedFieldsOperationUpdate: #ManagedFieldsOperationType & "Update" + +// FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format. +// +// Each key is either a '.' representing the field itself, and will always map to an empty set, +// or a string representing a sub-field or item. The string will follow one of these four formats: +// 'f:', where is the name of a field in a struct, or key in a map +// 'v:', where is the exact json formatted value of a list item +// 'i:', where is position of a item in a list +// 'k:', where is a map of a list item's key fields to their unique values +// If a key maps to an empty Fields value, the field that key represents is part of the set. 
+// +// The exact format is defined in sigs.k8s.io/structured-merge-diff +// +protobuf.options.(gogoproto.goproto_stringer)=false +#FieldsV1: _ + +// Table is a tabular representation of a set of API resources. The server transforms the +// object into a set of preferred columns for quickly reviewing the objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +protobuf=false +#Table: { + #TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: #ListMeta @go(ListMeta) + + // columnDefinitions describes each column in the returned items array. The number of cells per row + // will always match the number of column definitions. + columnDefinitions: [...#TableColumnDefinition] @go(ColumnDefinitions,[]TableColumnDefinition) + + // rows is the list of items in the table. + rows: [...#TableRow] @go(Rows,[]TableRow) +} + +// TableColumnDefinition contains information about a column returned in the Table. +// +protobuf=false +#TableColumnDefinition: { + // name is a human readable name for the column. + name: string @go(Name) + + // type is an OpenAPI type definition for this column, such as number, integer, string, or + // array. + // See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for more. + type: string @go(Type) + + // format is an optional OpenAPI type modifier for this column. A format modifies the type and + // imposes additional rules, like date or time formatting for a string. The 'name' format is applied + // to the primary identifier column which has type 'string' to assist in clients identifying column + // is the resource name. + // See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for more. + format: string @go(Format) + + // description is a human readable description of this column. 
+ description: string @go(Description) + + // priority is an integer defining the relative importance of this column compared to others. Lower + // numbers are considered higher priority. Columns that may be omitted in limited space scenarios + // should be given a higher priority. + priority: int32 @go(Priority) +} + +// TableRow is an individual row in a table. +// +protobuf=false +#TableRow: { + // cells will be as wide as the column definitions array and may contain strings, numbers (float64 or + // int64), booleans, simple maps, lists, or null. See the type field of the column definition for a + // more detailed description. + cells: [...] @go(Cells,[]interface{}) + + // conditions describe additional status of a row that are relevant for a human user. These conditions + // apply to the row, not to the object, and will be specific to table output. The only defined + // condition type is 'Completed', for a row that indicates a resource that has run to completion and + // can be given less visual priority. + // +optional + conditions?: [...#TableRowCondition] @go(Conditions,[]TableRowCondition) + + // This field contains the requested additional information about each object based on the includeObject + // policy when requesting the Table. If "None", this field is empty, if "Object" this will be the + // default serialization of the object for the current API version, and if "Metadata" (the default) will + // contain the object metadata. Check the returned kind and apiVersion of the object before parsing. + // The media type of the object will always match the enclosing list - if this as a JSON table, these + // will be JSON encoded objects. + // +optional + object?: runtime.#RawExtension @go(Object) +} + +// TableRowCondition allows a row to be marked with additional information. +// +protobuf=false +#TableRowCondition: { + // Type of row condition. 
The only defined value is 'Completed' indicating that the + // object this row represents has reached a completed state and may be given less visual + // priority than other rows. Clients are not required to honor any conditions but should + // be consistent where possible about handling the conditions. + type: #RowConditionType @go(Type) + + // Status of the condition, one of True, False, Unknown. + status: #ConditionStatus @go(Status) + + // (brief) machine readable reason for the condition's last transition. + // +optional + reason?: string @go(Reason) + + // Human readable message indicating details about last transition. + // +optional + message?: string @go(Message) +} + +#RowConditionType: string // #enumRowConditionType + +#enumRowConditionType: + #RowCompleted + +// RowCompleted means the underlying resource has reached completion and may be given less +// visual priority than other resources. +#RowCompleted: #RowConditionType & "Completed" + +#ConditionStatus: string // #enumConditionStatus + +#enumConditionStatus: + #ConditionTrue | + #ConditionFalse | + #ConditionUnknown + +#ConditionTrue: #ConditionStatus & "True" +#ConditionFalse: #ConditionStatus & "False" +#ConditionUnknown: #ConditionStatus & "Unknown" + +// IncludeObjectPolicy controls which portion of the object is returned with a Table. +#IncludeObjectPolicy: string // #enumIncludeObjectPolicy + +#enumIncludeObjectPolicy: + #IncludeNone | + #IncludeMetadata | + #IncludeObject + +// IncludeNone returns no object. +#IncludeNone: #IncludeObjectPolicy & "None" + +// IncludeMetadata serializes the object containing only its metadata field. +#IncludeMetadata: #IncludeObjectPolicy & "Metadata" + +// IncludeObject contains the full object. +#IncludeObject: #IncludeObjectPolicy & "Object" + +// TableOptions are used when a Table is requested by the caller. 
+// +k8s:conversion-gen:explicit-from=net/url.Values +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +#TableOptions: { + #TypeMeta + + // includeObject decides whether to include each object along with its columnar information. + // Specifying "None" will return no object, specifying "Object" will return the full object contents, and + // specifying "Metadata" (the default) will return the object's metadata in the PartialObjectMetadata kind + // in version v1beta1 of the meta.k8s.io API group. + includeObject?: #IncludeObjectPolicy @go(IncludeObject) @protobuf(1,bytes,opt,casttype=IncludeObjectPolicy) +} + +// PartialObjectMetadata is a generic representation of any object with ObjectMeta. It allows clients +// to get access to a particular ObjectMeta schema without knowing the details of the version. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +#PartialObjectMetadata: { + #TypeMeta + + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metadata?: #ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) +} + +// PartialObjectMetadataList contains a list of objects containing only their metadata +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +#PartialObjectMetadataList: { + #TypeMeta + + // Standard list metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + // +optional + metadata?: #ListMeta @go(ListMeta) @protobuf(1,bytes,opt) + + // items contains each of the included items. + items: [...#PartialObjectMetadata] @go(Items,[]PartialObjectMetadata) @protobuf(2,bytes,rep) +} + +// Condition contains details for one aspect of the current state of this API Resource. +// --- +// This struct is intended for direct use as an array at the field path .status.conditions. 
For example, +// +// type FooStatus struct{ +// // Represents the observations of a foo's current state. +// // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" +// // +patchMergeKey=type +// // +patchStrategy=merge +// // +listType=map +// // +listMapKey=type +// Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` +// +// // other fields +// } +#Condition: { + // type of condition in CamelCase or in foo.example.com/CamelCase. + // --- + // Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + // useful (see .node.status.conditions), the ability to deconflict is important. + // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` + // +kubebuilder:validation:MaxLength=316 + type: string @go(Type) @protobuf(1,bytes,opt) + + // status of the condition, one of True, False, Unknown. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Enum=True;False;Unknown + status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt) + + // observedGeneration represents the .metadata.generation that the condition was set based upon. + // For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + // with respect to the current state of the instance. + // +optional + // +kubebuilder:validation:Minimum=0 + observedGeneration?: int64 @go(ObservedGeneration) @protobuf(3,varint,opt) + + // lastTransitionTime is the last time the condition transitioned from one status to another. + // This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Type=string + // +kubebuilder:validation:Format=date-time + lastTransitionTime: #Time @go(LastTransitionTime) @protobuf(4,bytes,opt) + + // reason contains a programmatic identifier indicating the reason for the condition's last transition. + // Producers of specific condition types may define expected values and meanings for this field, + // and whether the values are considered a guaranteed API. + // The value should be a CamelCase string. + // This field may not be empty. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=1024 + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$` + reason: string @go(Reason) @protobuf(5,bytes,opt) + + // message is a human readable message indicating details about the transition. + // This may be an empty string. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=32768 + message: string @go(Message) @protobuf(6,bytes,opt) +} diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/watch_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/watch_go_gen.cue new file mode 100644 index 000000000..12f5f1b63 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/watch_go_gen.cue 
@@ -0,0 +1,30 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1 + +package v1 + +import ( + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/watch" +) + +// Event represents a single event to a watched resource. +// +// +protobuf=true +// +k8s:deepcopy-gen=true +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +#WatchEvent: { + type: string @go(Type) @protobuf(1,bytes,opt) + + // Object is: + // * If Type is Added or Modified: the new state of the object. + // * If Type is Deleted: the state of the object immediately before deletion. + // * If Type is Error: *Status is recommended; other types may make sense + // depending on context. + object: runtime.#RawExtension @go(Object) @protobuf(2,bytes,opt) +} + +// InternalEvent makes watch.Event versioned +// +protobuf=false +#InternalEvent: watch.#Event diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/allocator_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/allocator_go_gen.cue new file mode 100644 index 000000000..43474c392 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/allocator_go_gen.cue @@ -0,0 +1,10 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// SimpleAllocator a wrapper around make([]byte) +// conforms to the MemoryAllocator interface +#SimpleAllocator: { +} diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/codec_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/codec_go_gen.cue new file mode 100644 index 000000000..a05de5d58 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/codec_go_gen.cue 
@@ -0,0 +1,37 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// codec binds an encoder and decoder. +_#codec: { + Encoder: #Encoder + Decoder: #Decoder +} + +// NoopEncoder converts an Decoder to a Serializer or Codec for code that expects them but only uses decoding. +#NoopEncoder: { + Decoder: #Decoder +} + +_#noopEncoderIdentifier: #Identifier & "noop" + +// NoopDecoder converts an Encoder to a Serializer or Codec for code that expects them but only uses encoding. +#NoopDecoder: { + Encoder: #Encoder +} + +_#base64Serializer: { + Encoder: #Encoder + Decoder: #Decoder +} + +_#internalGroupVersionerIdentifier: "internal" +_#disabledGroupVersionerIdentifier: "disabled" + +_#internalGroupVersioner: { +} + +_#disabledGroupVersioner: { +} diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/conversion_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/conversion_go_gen.cue new file mode 100644 index 000000000..ce6d644cb --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/conversion_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +// Package runtime defines conversions between generic types and structs to map query strings +// to struct objects. +package runtime diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/converter_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/converter_go_gen.cue new file mode 100644 index 000000000..f49ad1e36 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/converter_go_gen.cue 
@@ -0,0 +1,9 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// UnstructuredConverter is an interface for converting between interface{} +// and map[string]interface representation. +#UnstructuredConverter: _ diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/doc_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/doc_go_gen.cue new file mode 100644 index 000000000..89c5c51b3 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/doc_go_gen.cue 
@@ -0,0 +1,39 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +// Package runtime includes helper functions for working with API objects +// that follow the kubernetes API object conventions, which are: +// +// 0. Your API objects have a common metadata struct member, TypeMeta. +// +// 1. Your code refers to an internal set of API objects. +// +// 2. In a separate package, you have an external set of API objects. +// +// 3. The external set is considered to be versioned, and no breaking +// changes are ever made to it (fields may be added but not changed +// or removed). +// +// 4. As your api evolves, you'll make an additional versioned package +// with every major change. +// +// 5. Versioned packages have conversion functions which convert to +// and from the internal version. +// +// 6. You'll continue to support older versions according to your +// deprecation policy, and you can easily provide a program/library +// to update old versions into new versions because of 5. +// +// 7. All of your serializations and deserializations are handled in a +// centralized place. +// +// Package runtime provides a conversion helper to make 5 easy, and the +// Encode/Decode/DecodeInto trio to accomplish 7. You can also register +// additional "codecs" which use a version of your choice. It's +// recommended that you register your types with runtime in your +// package's init function. +// +// As a bonus, a few common types useful from all api objects and versions +// are provided in types.go. +package runtime diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/embedded_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/embedded_go_gen.cue new file mode 100644 index 000000000..d43f15f25 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/embedded_go_gen.cue 
@@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +_#encodable: _ diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/helper_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/helper_go_gen.cue new file mode 100644 index 000000000..ec8f1f070 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/helper_go_gen.cue @@ -0,0 +1,23 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// MultiObjectTyper returns the types of objects across multiple schemes in order. +#MultiObjectTyper: [...#ObjectTyper] + +_#defaultFramer: { +} + +// WithVersionEncoder serializes an object and ensures the GVK is set. +#WithVersionEncoder: { + Version: #GroupVersioner + Encoder: #Encoder + ObjectTyper: #ObjectTyper +} + +// WithoutVersionDecoder clears the group version kind of a deserialized object. +#WithoutVersionDecoder: { + Decoder: #Decoder +} diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/interfaces_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/interfaces_go_gen.cue new file mode 100644 index 000000000..22abcb620 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/interfaces_go_gen.cue 
@@ -0,0 +1,165 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// APIVersionInternal may be used if you are registering a type that should not +// be considered stable or serialized - it is a convention only and has no +// special behavior in this package. +#APIVersionInternal: "__internal" + +// GroupVersioner refines a set of possible conversion targets into a single option. +#GroupVersioner: _ + +// Identifier represents an identifier. +// Identitier of two different objects should be equal if and only if for every +// input the output they produce is exactly the same. +#Identifier: string // #enumIdentifier + +#enumIdentifier: + _#noopEncoderIdentifier + +// Encoder writes objects to a serialized form +#Encoder: _ + +// MemoryAllocator is responsible for allocating memory. +// By encapsulating memory allocation into its own interface, we can reuse the memory +// across many operations in places we know it can significantly improve the performance. +#MemoryAllocator: _ + +// EncoderWithAllocator serializes objects in a way that allows callers to manage any additional memory allocations. +#EncoderWithAllocator: _ + +// Decoder attempts to load an object from data. +#Decoder: _ + +// Serializer is the core interface for transforming objects into a serialized format and back. +// Implementations may choose to perform conversion of the object, but no assumptions should be made. +#Serializer: _ + +// Codec is a Serializer that deals with the details of versioning objects. It offers the same +// interface as Serializer, so this is a marker to consumers that care about the version of the objects +// they receive. +#Codec: #Serializer + +// ParameterCodec defines methods for serializing and deserializing API objects to url.Values and +// performing any necessary conversion. Unlike the normal Codec, query parameters are not self describing +// and the desired version must be specified. 
+#ParameterCodec: _ + +// Framer is a factory for creating readers and writers that obey a particular framing pattern. +#Framer: _ + +// SerializerInfo contains information about a specific serialization format +#SerializerInfo: { + // MediaType is the value that represents this serializer over the wire. + MediaType: string + + // MediaTypeType is the first part of the MediaType ("application" in "application/json"). + MediaTypeType: string + + // MediaTypeSubType is the second part of the MediaType ("json" in "application/json"). + MediaTypeSubType: string + + // EncodesAsText indicates this serializer can be encoded to UTF-8 safely. + EncodesAsText: bool + + // Serializer is the individual object serializer for this media type. + Serializer: #Serializer + + // PrettySerializer, if set, can serialize this object in a form biased towards + // readability. + PrettySerializer: #Serializer + + // StrictSerializer, if set, deserializes this object strictly, + // erring on unknown fields. + StrictSerializer: #Serializer + + // StreamSerializer, if set, describes the streaming serialization format + // for this media type. + StreamSerializer?: null | #StreamSerializerInfo @go(,*StreamSerializerInfo) +} + +// StreamSerializerInfo contains information about a specific stream serialization format +#StreamSerializerInfo: { + // EncodesAsText indicates this serializer can be encoded to UTF-8 safely. + EncodesAsText: bool + + // Serializer is the top level object serializer for this type when streaming + Serializer: #Serializer + + // Framer is the factory for retrieving streams that separate objects on the wire + Framer: #Framer +} + +// NegotiatedSerializer is an interface used for obtaining encoders, decoders, and serializers +// for multiple supported media types. This would commonly be accepted by a server component +// that performs HTTP content negotiation to accept multiple formats. 
+#NegotiatedSerializer: _ + +// ClientNegotiator handles turning an HTTP content type into the appropriate encoder. +// Use NewClientNegotiator or NewVersionedClientNegotiator to create this interface from +// a NegotiatedSerializer. +#ClientNegotiator: _ + +// StorageSerializer is an interface used for obtaining encoders, decoders, and serializers +// that can read and write data at rest. This would commonly be used by client tools that must +// read files, or server side storage interfaces that persist restful objects. +#StorageSerializer: _ + +// NestedObjectEncoder is an optional interface that objects may implement to be given +// an opportunity to encode any nested Objects / RawExtensions during serialization. +#NestedObjectEncoder: _ + +// NestedObjectDecoder is an optional interface that objects may implement to be given +// an opportunity to decode any nested Objects / RawExtensions during serialization. +// It is possible for DecodeNestedObjects to return a non-nil error but for the decoding +// to have succeeded in the case of strict decoding errors (e.g. unknown/duplicate fields). +// As such it is important for callers of DecodeNestedObjects to check to confirm whether +// an error is a runtime.StrictDecodingError before short circuiting. +// Similarly, implementations of DecodeNestedObjects should ensure that a runtime.StrictDecodingError +// is only returned when the rest of decoding has succeeded. +#NestedObjectDecoder: _ + +#ObjectDefaulter: _ + +#ObjectVersioner: _ + +// ObjectConvertor converts an object to a different version. +#ObjectConvertor: _ + +// ObjectTyper contains methods for extracting the APIVersion and Kind +// of objects. +#ObjectTyper: _ + +// ObjectCreater contains methods for instantiating an object by kind and version. 
+#ObjectCreater: _ + +// EquivalentResourceMapper provides information about resources that address the same underlying data as a specified resource +#EquivalentResourceMapper: _ + +// EquivalentResourceRegistry provides an EquivalentResourceMapper interface, +// and allows registering known resource[/subresource] -> kind +#EquivalentResourceRegistry: _ + +// ResourceVersioner provides methods for setting and retrieving +// the resource version from an API object. +#ResourceVersioner: _ + +// Namer provides methods for retrieving name and namespace of an API object. +#Namer: _ + +// Object interface must be supported by all API types registered with Scheme. Since objects in a scheme are +// expected to be serialized to the wire, the interface an Object must provide to the Scheme allows +// serializers to set the kind, version, and group the object is represented as. An Object may choose +// to return a no-op ObjectKindAccessor in cases where it is not expected to be serialized. +#Object: _ + +// CacheableObject allows an object to cache its different serializations +// to avoid performing the same serialization multiple times. +#CacheableObject: _ + +// Unstructured objects store values as map[string]interface{}, with only values that can be serialized +// to JSON allowed. +#Unstructured: _ diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/negotiate_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/negotiate_go_gen.cue new file mode 100644 index 000000000..7580f4676 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/negotiate_go_gen.cue @@ -0,0 +1,12 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// NegotiateError is returned when a ClientNegotiator is unable to locate +// a serializer for the requested operation. +#NegotiateError: { + ContentType: string + Stream: bool +} 
diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/splice_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/splice_go_gen.cue new file mode 100644 index 000000000..bd9c409a7 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/splice_go_gen.cue @@ -0,0 +1,12 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// Splice is the interface that wraps the Splice method. +// +// Splice moves data from given slice without copying the underlying data for +// efficiency purpose. Therefore, the caller should make sure the underlying +// data is not changed later. +#Splice: _ diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/swagger_doc_generator_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/swagger_doc_generator_go_gen.cue new file mode 100644 index 000000000..9dfc078b4 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/swagger_doc_generator_go_gen.cue @@ -0,0 +1,14 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// Pair of strings. We keed the name of fields and the doc +#Pair: { + Name: string + Doc: string +} + +// KubeTypes is an array to represent all available types in a parsed file. [0] is for the type itself +#KubeTypes: [...#Pair] diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/types_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/types_go_gen.cue new file mode 100644 index 000000000..d1ee609a2 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/types_go_gen.cue 
@@ -0,0 +1,97 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +// TypeMeta is shared by all top level objects. The proper way to use it is to inline it in your type, +// like this: +// +// type MyAwesomeAPIObject struct { +// runtime.TypeMeta `json:",inline"` +// ... // other fields +// } +// +// func (obj *MyAwesomeAPIObject) SetGroupVersionKind(gvk *metav1.GroupVersionKind) { metav1.UpdateTypeMeta(obj,gvk) }; GroupVersionKind() *GroupVersionKind +// +// TypeMeta is provided here for convenience. You may use it directly from this package or define +// your own with the same fields. +// +// +k8s:deepcopy-gen=false +// +protobuf=true +// +k8s:openapi-gen=true +#TypeMeta: { + // +optional + apiVersion?: string @go(APIVersion) @protobuf(1,bytes,opt) + + // +optional + kind?: string @go(Kind) @protobuf(2,bytes,opt) +} + +#ContentTypeJSON: "application/json" +#ContentTypeYAML: "application/yaml" +#ContentTypeProtobuf: "application/vnd.kubernetes.protobuf" + +// RawExtension is used to hold extensions in external versions. +// +// To use this, make a field which has RawExtension as its type in your external, versioned +// struct, and Object in your internal struct. You also need to register your +// various plugin types. +// +// // Internal package: +// +// type MyAPIObject struct { +// runtime.TypeMeta `json:",inline"` +// MyPlugin runtime.Object `json:"myPlugin"` +// } +// +// type PluginA struct { +// AOption string `json:"aOption"` +// } +// +// // External package: +// +// type MyAPIObject struct { +// runtime.TypeMeta `json:",inline"` +// MyPlugin runtime.RawExtension `json:"myPlugin"` +// } +// +// type PluginA struct { +// AOption string `json:"aOption"` +// } +// +// // On the wire, the JSON will look something like this: +// +// { +// "kind":"MyAPIObject", +// "apiVersion":"v1", +// "myPlugin": { +// "kind":"PluginA", +// "aOption":"foo", +// }, +// } +// +// So what happens? 
Decode first uses json or yaml to unmarshal the serialized data into +// your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. +// The next step is to copy (using pkg/conversion) into the internal struct. The runtime +// package's DefaultScheme has conversion functions installed which will unpack the +// JSON stored in RawExtension, turning it into the correct object type, and storing it +// in the Object. (TODO: In the case where the object is of an unknown type, a +// runtime.Unknown object will be created and stored.) +// +// +k8s:deepcopy-gen=true +// +protobuf=true +// +k8s:openapi-gen=true +#RawExtension: _ + +// Unknown allows api objects with unknown types to be passed-through. This can be used +// to deal with the API objects from a plug-in. Unknown objects still have functioning +// TypeMeta features-- kind, version, etc. +// TODO: Make this object have easy access to field based accessors and settors for +// metadata and field mutatation. +// +// +k8s:deepcopy-gen=true +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +protobuf=true +// +k8s:openapi-gen=true +#Unknown: _ diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/types_proto_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/types_proto_go_gen.cue new file mode 100644 index 000000000..8b8ddf891 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/types_proto_go_gen.cue @@ -0,0 +1,9 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/runtime + +package runtime + +#ProtobufMarshaller: _ + +#ProtobufReverseMarshaller: _ diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/types/doc_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/types/doc_go_gen.cue new file mode 100644 index 000000000..bfb4bcda3 --- /dev/null 
+++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/types/doc_go_gen.cue @@ -0,0 +1,6 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/types + +// Package types implements various generic types used throughout kubernetes. +package types diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/types/namespacedname_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/types/namespacedname_go_gen.cue new file mode 100644 index 000000000..7cb2745aa --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/types/namespacedname_go_gen.cue @@ -0,0 +1,12 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/types + +package types + +#NamespacedName: { + Namespace: string + Name: string +} + +#Separator: 47 // '/' diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/types/nodename_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/types/nodename_go_gen.cue new file mode 100644 index 000000000..8b264b80c --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/types/nodename_go_gen.cue 
@@ -0,0 +1,31 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/types + +package types + +// NodeName is a type that holds a api.Node's Name identifier. +// Being a type captures intent and helps make sure that the node name +// is not confused with similar concepts (the hostname, the cloud provider id, +// the cloud provider name etc) +// +// To clarify the various types: +// +// - Node.Name is the Name field of the Node in the API. This should be stored in a NodeName. +// Unfortunately, because Name is part of ObjectMeta, we can't store it as a NodeName at the API level. +// +// - Hostname is the hostname of the local machine (from uname -n). +// However, some components allow the user to pass in a --hostname-override flag, +// which will override this in most places. In the absence of anything more meaningful, +// kubelet will use Hostname as the Node.Name when it creates the Node. +// +// * The cloudproviders have the own names: GCE has InstanceName, AWS has InstanceId. +// +// For GCE, InstanceName is the Name of an Instance object in the GCE API. On GCE, Instance.Name becomes the +// Hostname, and thus it makes sense also to use it as the Node.Name. But that is GCE specific, and it is up +// to the cloudprovider how to do this mapping. +// +// For AWS, the InstanceID is not yet suitable for use as a Node.Name, so we actually use the +// PrivateDnsName for the Node.Name. And this is _not_ always the same as the hostname: if +// we are using a custom DHCP domain it won't be. +#NodeName: string diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/types/patch_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/types/patch_go_gen.cue new file mode 100644 index 000000000..3de5d80f9 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/types/patch_go_gen.cue 
@@ -0,0 +1,21 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/types + +package types + +// Similarly to above, these are constants to support HTTP PATCH utilized by +// both the client and server that didn't make sense for a whole package to be +// dedicated to. +#PatchType: string // #enumPatchType + +#enumPatchType: + #JSONPatchType | + #MergePatchType | + #StrategicMergePatchType | + #ApplyPatchType + +#JSONPatchType: #PatchType & "application/json-patch+json" +#MergePatchType: #PatchType & "application/merge-patch+json" +#StrategicMergePatchType: #PatchType & "application/strategic-merge-patch+json" +#ApplyPatchType: #PatchType & "application/apply-patch+yaml" diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/types/uid_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/types/uid_go_gen.cue new file mode 100644 index 000000000..40bdd8285 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/types/uid_go_gen.cue @@ -0,0 +1,10 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/types + +package types + +// UID is a type that holds unique ID values, including UUIDs. Because we +// don't ONLY use UUIDs, this is an alias to string. Being a type captures +// intent and helps make sure that UIDs and names do not get conflated. +#UID: string diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/util/intstr/intstr_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/util/intstr/intstr_go_gen.cue new file mode 100644 index 000000000..2c8cc3651 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/util/intstr/intstr_go_gen.cue 
@@ -0,0 +1,31 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/util/intstr + +package intstr + +// IntOrString is a type that can hold an int32 or a string. When used in +// JSON or YAML marshalling and unmarshalling, it produces or consumes the +// inner type. This allows you to have, for example, a JSON field that can +// accept a name or number. +// TODO: Rename to Int32OrString +// +// +protobuf=true +// +protobuf.options.(gogoproto.goproto_stringer)=false +// +k8s:openapi-gen=true +#IntOrString: _ + +// Type represents the stored type of IntOrString. +#Type: int64 // #enumType + +#enumType: + #Int | + #String + +#values_Type: { + Int: #Int + String: #String +} + +#Int: #Type & 0 +#String: #Type & 1 diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/watch/doc_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/watch/doc_go_gen.cue new file mode 100644 index 000000000..bc1b91894 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/watch/doc_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/watch + +// Package watch contains a generic watchable interface, and a fake for +// testing code that uses the watch interface. +package watch diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/watch/filter_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/watch/filter_go_gen.cue new file mode 100644 index 000000000..045e8ec85 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/watch/filter_go_gen.cue @@ -0,0 +1,10 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/watch + +package watch + +// Recorder records all events that are sent from the watch until it is closed. +#Recorder: { + Interface: #Interface +} 
diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/watch/mux_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/watch/mux_go_gen.cue new file mode 100644 index 000000000..dcf72d5b0 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/watch/mux_go_gen.cue @@ -0,0 +1,25 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/watch + +package watch + +// FullChannelBehavior controls how the Broadcaster reacts if a watcher's watch +// channel is full. +#FullChannelBehavior: int // #enumFullChannelBehavior + +#enumFullChannelBehavior: + #WaitIfChannelFull | + #DropIfChannelFull + +#values_FullChannelBehavior: { + WaitIfChannelFull: #WaitIfChannelFull + DropIfChannelFull: #DropIfChannelFull +} + +#WaitIfChannelFull: #FullChannelBehavior & 0 +#DropIfChannelFull: #FullChannelBehavior & 1 + +_#incomingQueueLength: 25 + +_#internalRunFunctionMarker: "internal-do-function" diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/watch/streamwatcher_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/watch/streamwatcher_go_gen.cue new file mode 100644 index 000000000..f0805cfb2 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/watch/streamwatcher_go_gen.cue @@ -0,0 +1,12 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/watch + +package watch + +// Decoder allows StreamWatcher to watch any stream for which a Decoder can be written. +#Decoder: _ + +// Reporter hides the details of how an error is turned into a runtime.Object for +// reporting on a watch stream since this package may not import a higher level report. +#Reporter: _ diff --git a/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/watch/watch_go_gen.cue b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/watch/watch_go_gen.cue new file mode 100644 index 000000000..0db2e6be1 --- /dev/null 
+++ b/k8s/timoni/runner/cue.mod/gen/k8s.io/apimachinery/pkg/watch/watch_go_gen.cue @@ -0,0 +1,48 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go k8s.io/apimachinery/pkg/watch + +package watch + +import "k8s.io/apimachinery/pkg/runtime" + +// Interface can be implemented by anything that knows how to watch and report changes. +#Interface: _ + +// EventType defines the possible types of events. +#EventType: string // #enumEventType + +#enumEventType: + #Added | + #Modified | + #Deleted | + #Bookmark | + #Error + +#Added: #EventType & "ADDED" +#Modified: #EventType & "MODIFIED" +#Deleted: #EventType & "DELETED" +#Bookmark: #EventType & "BOOKMARK" +#Error: #EventType & "ERROR" + +// Event represents a single event to a watched resource. +// +k8s:deepcopy-gen=true +#Event: { + Type: #EventType + + // Object is: + // * If Type is Added or Modified: the new state of the object. + // * If Type is Deleted: the state of the object immediately before deletion. + // * If Type is Bookmark: the object (instance of a type being watched) where + // only ResourceVersion field is set. On successful restart of watch from a + // bookmark resourceVersion, client is guaranteed to not get repeat event + // nor miss any events. + // * If Type is Error: *api.Status is recommended; other types may make sense + // depending on context. + Object: runtime.#Object +} + +// RaceFreeFakeWatcher lets you test anything that consumes a watch.Interface; threadsafe. +#RaceFreeFakeWatcher: { + Stopped: bool +} diff --git a/k8s/timoni/runner/cue.mod/module.cue b/k8s/timoni/runner/cue.mod/module.cue new file mode 100644 index 000000000..72e7d281d --- /dev/null +++ b/k8s/timoni/runner/cue.mod/module.cue @@ -0,0 +1,2 @@ +module: "timoni.sh/runner" +language: version: "v0.9.0" diff --git a/k8s/timoni/runner/cue.mod/pkg/timoni.sh/core/v1alpha1/action.cue b/k8s/timoni/runner/cue.mod/pkg/timoni.sh/core/v1alpha1/action.cue new file mode 100644 index 000000000..2c579e99d 
--- /dev/null +++ b/k8s/timoni/runner/cue.mod/pkg/timoni.sh/core/v1alpha1/action.cue @@ -0,0 +1,26 @@ +// Copyright 2023 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +// Action holds the list of annotations for controlling +// Timoni's apply behaviour of Kubernetes resources. +Action: { + // Force annotation for recreating immutable resources such as Kubernetes Jobs. + Force: { + "action.timoni.sh/force": ActionStatus.Enabled + } + // One-off annotation for appling resources only if they don't exist on the cluster. + Oneoff: { + "action.timoni.sh/one-off": ActionStatus.Enabled + } + // Keep annotation for preventing Timoni's garbage collector from deleting resources. + Keep: { + "action.timoni.sh/prune": ActionStatus.Disabled + } +} + +ActionStatus: { + Enabled: "enabled" + Disabled: "disabled" +} diff --git a/k8s/timoni/runner/cue.mod/pkg/timoni.sh/core/v1alpha1/image.cue b/k8s/timoni/runner/cue.mod/pkg/timoni.sh/core/v1alpha1/image.cue new file mode 100644 index 000000000..1535ea43f --- /dev/null +++ b/k8s/timoni/runner/cue.mod/pkg/timoni.sh/core/v1alpha1/image.cue 
@@ -0,0 +1,50 @@ +// Copyright 2023 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + "strings" +) + +// Image defines the schema for OCI image reference used in Kubernetes PodSpec container image. +#Image: { + + // Repository is the address of a container registry repository. + // An image repository is made up of slash-separated name components, optionally + // prefixed by a registry hostname and port in the format [HOST[:PORT_NUMBER]/]PATH. + repository!: string + + // Tag identifies an image in the repository. + // A tag name may contain lowercase and uppercase characters, digits, underscores, periods and dashes. + // A tag name may not start with a period or a dash and may contain a maximum of 128 characters. + tag!: string & strings.MaxRunes(128) + + // Digest uniquely and immutably identifies an image in the repository. + // Spec: https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests. + digest!: string + + // PullPolicy defines the pull policy for the image. + // By default, it is set to IfNotPresent. + pullPolicy: *"IfNotPresent" | "Always" | "Never" + + // Reference is the image address computed from repository, tag and digest + // in the format [REPOSITORY]:[TAG]@[DIGEST]. + reference: string + + if digest != "" && tag != "" { + reference: "\(repository):\(tag)@\(digest)" + } + + if digest != "" && tag == "" { + reference: "\(repository)@\(digest)" + } + + if digest == "" && tag != "" { + reference: "\(repository):\(tag)" + } + + if digest == "" && tag == "" { + reference: "\(repository):latest" + } +} diff --git a/k8s/timoni/runner/cue.mod/pkg/timoni.sh/core/v1alpha1/imagepullsecret.cue b/k8s/timoni/runner/cue.mod/pkg/timoni.sh/core/v1alpha1/imagepullsecret.cue new file mode 100644 index 000000000..19f098967 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/pkg/timoni.sh/core/v1alpha1/imagepullsecret.cue 
@@ -0,0 +1,47 @@ +// Copyright 2024 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + "encoding/base64" + "strings" +) + +// ImagePullSecret is a generator for Kubernetes Secrets of type kubernetes.io/dockerconfigjson. +// Spec: https://kubernetes.io/docs/concepts/configuration/secret/#docker-config-secrets. +#ImagePullSecret: { + // Metadata is the Kubernetes object's metadata generated by Timoni. + #Meta!: #Metadata + + // Registry is the hostname of the container registry in the format [HOST[:PORT_NUMBER]]. + #Registry!: string + + // Username is the username used to authenticate to the container registry. + #Username!: string + + // Password is the password used to authenticate to the container registry. + #Password!: string + + // Optional suffix used to generate the Secret name. + #Suffix: *"" | string & strings.MaxRunes(30) + + let auth = base64.Encode(null, #Username+":"+#Password) + + apiVersion: "v1" + kind: "Secret" + type: "kubernetes.io/dockerconfigjson" + metadata: { + name: #Meta.name + #Suffix + namespace: #Meta.namespace + labels: #Meta.labels + if #Meta.annotations != _|_ { + annotations: #Meta.annotations + } + } + stringData: { + ".dockerconfigjson": """ + {"auths": {"\(#Registry)": {"username": "\(#Username)","password": "\(#Password)","auth": "\(auth)"}}} + """ + } +} diff --git a/k8s/timoni/runner/cue.mod/pkg/timoni.sh/core/v1alpha1/immutable.cue b/k8s/timoni/runner/cue.mod/pkg/timoni.sh/core/v1alpha1/immutable.cue new file mode 100644 index 000000000..7b31c23e4 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/pkg/timoni.sh/core/v1alpha1/immutable.cue 
@@ -0,0 +1,49 @@ +// Copyright 2024 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + "encoding/json" + "strings" + "uuid" +) + +#ConfigMapKind: "ConfigMap" +#SecretKind: "Secret" + +// ImmutableConfig is a generator for immutable Kubernetes ConfigMaps and Secrets. +// The metadata.name of the generated object is suffixed with the hash of the input data. +#ImmutableConfig: { + // Kind of the generated object. + #Kind: *#ConfigMapKind | #SecretKind + + // Metadata of the generated object. + #Meta: #Metadata + + // Optional suffix appended to the generate name. + #Suffix: *"" | string + + // Data of the generated object. + #Data: {[string]: string} + + let hash = strings.Split(uuid.SHA1(uuid.ns.DNS, json.Marshal(#Data)), "-")[0] + + apiVersion: "v1" + kind: #Kind + metadata: { + name: #Meta.name + #Suffix + "-" + hash + namespace: #Meta.namespace + labels: #Meta.labels + if #Meta.annotations != _|_ { + annotations: #Meta.annotations + } + } + immutable: true + if kind == #ConfigMapKind { + data: #Data + } + if kind == #SecretKind { + stringData: #Data + } +} diff --git a/k8s/timoni/runner/cue.mod/pkg/timoni.sh/core/v1alpha1/instance.cue b/k8s/timoni/runner/cue.mod/pkg/timoni.sh/core/v1alpha1/instance.cue new file mode 100644 index 000000000..ad96b0621 --- /dev/null +++ b/k8s/timoni/runner/cue.mod/pkg/timoni.sh/core/v1alpha1/instance.cue 
@@ -0,0 +1,27 @@ +// Copyright 2023 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import "strings" + +// InstanceName defines the schema for the name of a Timoni instance. +// The instance name is used as a Kubernetes label value and must be 63 characters or less. +#InstanceName: string & =~"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" & strings.MinRunes(1) & strings.MaxRunes(63) + +// InstanceNamespace defines the schema for the namespace of a Timoni instance. +// The instance namespace is used as a Kubernetes label value and must be 63 characters or less. +#InstanceNamespace: string & =~"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" & strings.MinRunes(1) & strings.MaxRunes(63) + +// InstanceOwnerReference defines the schema for Kubernetes labels used to denote ownership. +#InstanceOwnerReference: { + #Name: "instance.timoni.sh/name" + #Namespace: "instance.timoni.sh/namespace" +} + +// InstanceModule defines the schema for the Module of a Timoni instance. +#InstanceModule: { + url: string & =~"^((oci|file)://.*)$" + version: *"latest" | string + digest?: string +} diff --git a/k8s/timoni/runner/cue.mod/pkg/timoni.sh/core/v1alpha1/metadata.cue b/k8s/timoni/runner/cue.mod/pkg/timoni.sh/core/v1alpha1/metadata.cue new file mode 100644 index 000000000..188ff505d --- /dev/null +++ b/k8s/timoni/runner/cue.mod/pkg/timoni.sh/core/v1alpha1/metadata.cue 
@@ -0,0 +1,120 @@ +// Copyright 2023 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import "strings" + +// Annotations defines the schema for Kubernetes object metadata annotations. +#Annotations: {[string & strings.MaxRunes(253)]: string} + +// Labels defines the schema for Kubernetes object metadata labels. +#Labels: {[string & strings.MaxRunes(253)]: string & =~"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" & strings.MaxRunes(63)} + +#StdLabelName: "app.kubernetes.io/name" +#StdLabelVersion: "app.kubernetes.io/version" +#StdLabelPartOf: "app.kubernetes.io/part-of" +#StdLabelManagedBy: "app.kubernetes.io/managed-by" +#StdLabelComponent: "app.kubernetes.io/component" +#StdLabelInstance: "app.kubernetes.io/instance" + +// Metadata defines the schema for Kubernetes object metadata. +#Metadata: { + // Version should be in the strict semver format. Is required when creating resources. + #Version!: string & strings.MaxRunes(63) + + // Name must be unique within a namespace. Is required when creating resources. + // Name is primarily intended for creation idempotence and configuration definition. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names + name!: #InstanceName + + // Namespace defines the space within which each name must be unique. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces + namespace!: #InstanceNamespace + + // Annotations is an unstructured key value map stored with a resource that may be + // set to store and retrieve arbitrary metadata. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations + annotations?: #Annotations + + // Map of string keys and values that can be used to organize and categorize (scope and select) objects. 
+ // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels + labels: #Labels + + // Standard Kubernetes labels: app name, version and managed-by. + labels: { + (#StdLabelName): name + (#StdLabelVersion): #Version + (#StdLabelManagedBy): "timoni" + } + + // LabelSelector selects Pods based on the app.kubernetes.io/name label. + #LabelSelector: #Labels & { + (#StdLabelName): name + } + + // Finalizers are namespaced keys that tell Kubernetes to wait until specific conditions + // are met before it fully deletes resources marked for deletion. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/finalizers/ + finalizers?: [...string] +} + +// MetaComponent generates the Kubernetes object metadata for a module namespaced component. +// The metadata.name is composed of the instance name and the component name. +// The metadata.labels contain the app.kubernetes.io/component label. +#MetaComponent: { + // Meta is the Kubernetes object's metadata generated by Timoni. + #Meta!: #Metadata + + // Component is the name of the component used + // as a suffix for the generate object name. + #Component!: string & strings.MaxRunes(30) + + name: #Meta.name + "-" + #Component + namespace: #Meta.namespace + + labels: #Meta.labels + labels: (#StdLabelComponent): #Component + + annotations?: #Annotations + if #Meta.annotations != _|_ { + annotations: #Meta.annotations + } + + // LabelSelector selects Pods based on the app.kubernetes.io/name + // and app.kubernetes.io/component labels. + #LabelSelector: #Labels & { + (#StdLabelComponent): #Component + (#StdLabelName): #Meta.name + } +} + +// MetaClusterComponent generates the Kubernetes object metadata for a module non-namespaced component. +// The metadata.name is composed of the instance name and the component name. +// The metadata.namespace is unset. +// The metadata.labels contain the app.kubernetes.io/component label. 
+#MetaClusterComponent: { + // Meta is the Kubernetes object's metadata generated by Timoni. + #Meta!: #Metadata + + // Component is the name of the component used + // as a suffix for the generate object name. + #Component!: string & strings.MaxRunes(30) + + name: #Meta.name + "-" + #Component + + labels: #Meta.labels + labels: (#StdLabelComponent): #Component + + annotations?: #Annotations + if #Meta.annotations != _|_ { + annotations: #Meta.annotations + } + + // LabelSelector selects Pods based on the app.kubernetes.io/name + // and app.kubernetes.io/component labels. + #LabelSelector: #Labels & { + (#StdLabelComponent): #Component + (#StdLabelName): #Meta.name + } +} diff --git a/k8s/timoni/runner/cue.mod/pkg/timoni.sh/core/v1alpha1/object.cue b/k8s/timoni/runner/cue.mod/pkg/timoni.sh/core/v1alpha1/object.cue new file mode 100644 index 000000000..1dcdb699e --- /dev/null +++ b/k8s/timoni/runner/cue.mod/pkg/timoni.sh/core/v1alpha1/object.cue @@ -0,0 +1,21 @@ +// Copyright 2023 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import "strings" + +// ObjectReference is a reference to a Kubernetes object. +#ObjectReference: { + // Name of the referent. + name!: string & strings.MaxRunes(256) + + // Namespace of the referent. + namespace?: string & strings.MaxRunes(256) + + // API version of the referent. + apiVersion?: string & strings.MaxRunes(256) + + // Kind of the referent. + kind?: string & strings.MaxRunes(256) +} diff --git a/k8s/timoni/runner/cue.mod/pkg/timoni.sh/core/v1alpha1/requirements.cue b/k8s/timoni/runner/cue.mod/pkg/timoni.sh/core/v1alpha1/requirements.cue new file mode 100644 index 000000000..d3b5573ae --- /dev/null +++ b/k8s/timoni/runner/cue.mod/pkg/timoni.sh/core/v1alpha1/requirements.cue 
@@ -0,0 +1,40 @@ +// Copyright 2023 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + "strconv" + "strings" +) + +// CPUQuantity is a string that is validated as a quantity of CPU, such as 100m or 2000m. +#CPUQuantity: string & =~"^[1-9]\\d*m$" + +// MemoryQuantity is a string that is validated as a quantity of memory, such as 128Mi or 2Gi. +#MemoryQuantity: string & =~"^[1-9]\\d*(Mi|Gi)$" + +// ResourceRequirement defines the schema for the CPU and Memory resource requirements. +#ResourceRequirement: { + cpu?: #CPUQuantity + memory?: #MemoryQuantity +} + +// ResourceRequirements defines the schema for the compute resource requirements of a container. +// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/. +#ResourceRequirements: { + // Limits describes the maximum amount of compute resources allowed. + limits?: #ResourceRequirement + + // Requests describes the minimum amount of compute resources required. + // Requests cannot exceed Limits. + requests?: #ResourceRequirement & { + if limits != _|_ { + if limits.cpu != _|_ { + _lc: strconv.Atoi(strings.Split(limits.cpu, "m")[0]) + _rc: strconv.Atoi(strings.Split(requests.cpu, "m")[0]) + #cpu: int & >=_rc & _lc + } + } + } +} diff --git a/k8s/timoni/runner/cue.mod/pkg/timoni.sh/core/v1alpha1/selector.cue b/k8s/timoni/runner/cue.mod/pkg/timoni.sh/core/v1alpha1/selector.cue new file mode 100644 index 000000000..9c4f2384b --- /dev/null +++ b/k8s/timoni/runner/cue.mod/pkg/timoni.sh/core/v1alpha1/selector.cue 
@@ -0,0 +1,19 @@ +// Copyright 2023 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +// Selector defines the schema for Kubernetes Pod label selector used in Deployments, Services, Jobs, etc. +#Selector: { + // Name must be unique within a namespace. Is required when creating resources. + // Name is primarily intended for creation idempotence and configuration definition. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names + #Name!: #InstanceName + + // Map of string keys and values that can be used to organize and categorize (scope and select) objects. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels + labels: #Labels + + // Standard Kubernetes label: app name. + labels: (#StdLabelName): #Name +} diff --git a/k8s/timoni/runner/cue.mod/pkg/timoni.sh/core/v1alpha1/semver.cue b/k8s/timoni/runner/cue.mod/pkg/timoni.sh/core/v1alpha1/semver.cue new file mode 100644 index 000000000..ecd1e397f --- /dev/null +++ b/k8s/timoni/runner/cue.mod/pkg/timoni.sh/core/v1alpha1/semver.cue 
@@ -0,0 +1,29 @@ +// Copyright 2023 Stefan Prodan +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + "strconv" + "strings" +) + +// SemVer validates the input version string and extracts the major and minor version numbers. +// When Minimum is set, the major and minor parts must be greater or equal to the minimum +// or a validation error is returned. +#SemVer: { + // Input version string in strict semver format. + #Version!: string & =~"^\\d+\\.\\d+\\.\\d+(-[0-9A-Za-z-]+(\\.[0-9A-Za-z-]+)*)?(\\+[0-9A-Za-z-]+(\\.[0-9A-Za-z-]+)*)?$" + + // Minimum is the minimum allowed MAJOR.MINOR version. + #Minimum: *"0.0.0" | string & =~"^\\d+\\.\\d+\\.\\d+(-[0-9A-Za-z-]+(\\.[0-9A-Za-z-]+)*)?(\\+[0-9A-Za-z-]+(\\.[0-9A-Za-z-]+)*)?$" + + let minMajor = strconv.Atoi(strings.Split(#Minimum, ".")[0]) + let minMinor = strconv.Atoi(strings.Split(#Minimum, ".")[1]) + + major: int & >=minMajor + major: strconv.Atoi(strings.Split(#Version, ".")[0]) + + minor: int & >=minMinor + minor: strconv.Atoi(strings.Split(#Version, ".")[1]) +} diff --git a/k8s/timoni/runner/templates/config.cue b/k8s/timoni/runner/templates/config.cue new file mode 100644 index 000000000..b7eda96e7 --- /dev/null +++ b/k8s/timoni/runner/templates/config.cue 
@@ -0,0 +1,61 @@
+package templates
+
+import (
+ corev1 "k8s.io/api/core/v1"
+ timoniv1 "timoni.sh/core/v1alpha1"
+)
+
+#Config: {
+ kubeVersion!: string
+ moduleVersion!: string
+
+ metadata: timoniv1.#Metadata & {#Version: moduleVersion}
+ metadata: labels: timoniv1.#Labels
+ metadata: annotations?: timoniv1.#Annotations
+
+ selector: timoniv1.#Selector & {#Name: metadata.name}
+
+ registry: string
+ image!: timoniv1.#Image & {digest: ""}
+
+ replicas: *0 | int & >0
+
+ resources: timoniv1.#ResourceRequirements & {
+ requests: {
+ cpu: *"150m" | timoniv1.#CPUQuantity
+ memory: *"128Mi" | timoniv1.#MemoryQuantity
+ }
+ limits: {
+ cpu: *"1000m" | timoniv1.#CPUQuantity
+ memory: *"2Gi" | timoniv1.#MemoryQuantity
+ }
+ }
+
+ securityContext: corev1.#SecurityContext & {
+ allowPrivilegeEscalation: *false | true
+ privileged: *false | true
+ capabilities:
+ {
+ drop: *["ALL"] | [string]
+ add: *["CHOWN", "NET_BIND_SERVICE", "SETGID", "SETUID"] | [string]
+ }
+ }
+
+ service: {
+ annotations?: timoniv1.#Annotations
+ port: *8000 | int & >0 & <=65535
+ }
+
+ podSecurityContext?: corev1.#PodSecurityContext
+ imagePullSecrets?: [...timoniv1.#ObjectReference]
+ tolerations?: [...corev1.#Toleration]
+}
+
+#Instance: {
+ config: #Config
+
+ objects: {
+ svc: #Service & {#config: config}
+ deploy: #Deployment & {#config: config}
+ }
+}
diff --git a/k8s/timoni/runner/templates/deployment.cue b/k8s/timoni/runner/templates/deployment.cue
new file mode 100644
index 000000000..97868f1d1
--- /dev/null
+++ b/k8s/timoni/runner/templates/deployment.cue
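Review bot: The `securityContext` defaults in `#Config` (`config.cue`) drop `ALL` and then add back `CHOWN`, `NET_BIND_SERVICE`, `SETGID` and `SETUID`, which is broader than the visible workload appears to need. The container port declared in `deployment.cue` is 8000, so `NET_BIND_SERVICE` buys nothing, and whether the runner needs `SETUID`/`SETGID` cannot be told from this diff. The override branch `[string]` is a CUE list of exactly one element, so an override with zero or several capabilities fails to unify; the open-list form is `[...string]`. I would write `drop: *["ALL"] | [...string]` and `add: *[] | [...string]` and let each runner opt in to what it needs. Separately, `image!: timoniv1.#Image & {digest: ""}` forces tag-only references, so runner images cannot be pinned by digest through this schema.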
@@ -0,0 +1,53 @@
+package templates
+
+import (
+ appsv1 "k8s.io/api/apps/v1"
+ corev1 "k8s.io/api/core/v1"
+)
+
+#Deployment: appsv1.#Deployment & {
+ #config: #Config
+ apiVersion: "apps/v1"
+ kind: "Deployment"
+ metadata: #config.metadata
+ spec: appsv1.#DeploymentSpec & {
+ replicas: #config.replicas
+ selector: matchLabels: #config.selector.labels
+ template: {
+ metadata: labels: #config.selector.labels
+ spec: corev1.#PodSpec & {
+ topologySpreadConstraints: [{
+ maxSkew: 3
+ topologyKey: "kubernetes.io/hostname"
+ whenUnsatisfiable: "ScheduleAnyway"
+ labelSelector: matchLabels: app: #config.metadata.name
+ }]
+ affinity: podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: [{
+ labelSelector: matchLabels: app: "codebattle"
+ topologyKey: "kubernetes.io/hostname"
+ }]
+ containers: [{
+ name: "runner"
+ image: #config.image.reference
+ imagePullPolicy: #config.image.pullPolicy
+ command: ["/runner/codebattle_runner"]
+ ports: [{
+ name: "http"
+ containerPort: 8000
+ protocol: "TCP"
+ }]
+ readinessProbe: {
+ httpGet: {
+ path: "/health"
+ port: "http"
+ }
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ successThreshold: 1
+ }
+ resources: #config.resources
+ }]
+ }
+ }
+ }
+}
diff --git a/k8s/timoni/runner/templates/service.cue b/k8s/timoni/runner/templates/service.cue
new file mode 100644
index 000000000..5547d9f76
--- /dev/null
+++ b/k8s/timoni/runner/templates/service.cue
@@ -0,0 +1,22 @@
+package templates
+
+import (
+ corev1 "k8s.io/api/core/v1"
+)
+
+#Service: corev1.#Service & {
+ #config: #Config
+ apiVersion: "v1"
+ kind: "Service"
+ metadata: #config.metadata
+ spec: corev1.#ServiceSpec & {
+ type: corev1.#ServiceTypeClusterIP
+ selector: #config.selector.labels
+ ports: [{
+ port: #config.service.port
+ protocol: "TCP"
+ name: "http"
+ targetPort: name
+ }]
+ }
+}
diff --git a/k8s/timoni/runner/timoni.cue b/k8s/timoni/runner/timoni.cue
new file mode 100644
index 000000000..d29df0bbf
--- /dev/null
+++ b/k8s/timoni/runner/timoni.cue
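Review bot: In k8s/timoni/runner/templates/deployment.cue the `containers` entry never reads `#config.securityContext`, so the defaults declared in config.cue (`allowPrivilegeEscalation: false`, `privileged: false`, `drop: ["ALL"]`) are not rendered and the runner container starts with the runtime's default settings. Add `securityContext: #config.securityContext` next to `resources: #config.resources`. `podSecurityContext`, `imagePullSecrets` and `tolerations` are also declared in #Config but unused here; either wire them in with guarded fields such as `if #config.podSecurityContext != _|_ {securityContext: #config.podSecurityContext}` or drop them from the schema so operators do not assume they take effect. Separately, the spread and anti-affinity selectors match on an `app` label while the pod template only sets `#config.selector.labels`; whether those labels include `app` is not visible in this diff, so the constraints may select nothing.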
@@ -0,0 +1,25 @@
+package main
+
+import (
+ templates "timoni.sh/runner/templates"
+)
+
+values: templates.#Config
+
+timoni: {
+ apiVersion: "v1alpha1"
+
+ instance: templates.#Instance & {
+ config: values
+ config: {
+ metadata: {
+ name: string & =~"^runner-.+" @tag(name)
+ namespace: string @tag(namespace)
+ }
+ moduleVersion: string @tag(mv, var=moduleVersion)
+ kubeVersion: string @tag(kv, var=kubeVersion)
+ }
+ }
+
+ apply: app: [for obj in instance.objects {obj}]
+}
diff --git a/k8s/timoni/runner/values.cue b/k8s/timoni/runner/values.cue
new file mode 100644
index 000000000..17bc0aff9
--- /dev/null
+++ b/k8s/timoni/runner/values.cue
@@ -0,0 +1,3 @@
+package main
+
+values: {}
diff --git a/k8s/timoni/runners.cue b/k8s/timoni/runners.cue
new file mode 100644
index 000000000..bea22cfad
--- /dev/null
+++ b/k8s/timoni/runners.cue
@@ -0,0 +1,6 @@
+runners: "python": {
+ image: "codebattle/python"
+ version: "3.12.2"
+ lang: "python"
+ replicas: 1
+}
diff --git a/k8s/timoni/values.cue b/k8s/timoni/values.cue
new file mode 100644
index 000000000..26914b03c
--- /dev/null
+++ b/k8s/timoni/values.cue
@@ -0,0 +1,6 @@
+codebattleValues: {
+ gateway: {
+ enable: true
+ gatewayName: "gateway"
+ }
+}