From 170292084410fec9c6b75a0d175efb010aba9833 Mon Sep 17 00:00:00 2001 From: Mulham Raee Date: Tue, 4 Feb 2025 17:10:59 +0100 Subject: [PATCH 1/3] Enable EnsureCustomLabels e2e test --- test/e2e/create_cluster_test.go | 18 +++++++++++++----- test/e2e/util/util.go | 2 +- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/test/e2e/create_cluster_test.go b/test/e2e/create_cluster_test.go index d1d954b4de..817454d0fa 100644 --- a/test/e2e/create_cluster_test.go +++ b/test/e2e/create_cluster_test.go @@ -1108,9 +1108,10 @@ func TestCreateCluster(t *testing.T) { } if !e2eutil.IsLessThan(e2eutil.Version418) { clusterOpts.FeatureSet = string(configv1.TechPreviewNoUpgrade) - clusterOpts.PodsLabels = map[string]string{ - "hypershift-e2e-test-label": "test", - } + } + + clusterOpts.PodsLabels = map[string]string{ + "hypershift-e2e-test-label": "test", } e2eutil.NewHypershiftTest(t, ctx, func(t *testing.T, g Gomega, mgtClient crclient.Client, hostedCluster *hyperv1.HostedCluster) { @@ -1138,14 +1139,15 @@ func TestCreateCluster(t *testing.T) { integration.RunTestControlPlanePKIOperatorBreakGlassCredentials(t, testContext, hostedCluster, mgmtClients, guestClients) e2eutil.EnsureAPIUX(t, ctx, mgtClient, hostedCluster) - // TODO: enable when CNO/CSI changes to add the Labels to their 2nd-level operands is added. - // e2eutil.EnsureCustomLabels(t, ctx, mgtClient, hostedCluster) + e2eutil.EnsureCustomLabels(t, ctx, mgtClient, hostedCluster) }). Execute(&clusterOpts, globalOpts.Platform, globalOpts.ArtifactDir, globalOpts.ServiceAccountSigningKey) } // TestCreateClusterV2 tests the new CPO implementation, which is currently hidden behind an annotation. func TestCreateClusterV2(t *testing.T) { + e2eutil.AtLeast(t, e2eutil.Version419) + t.Parallel() ctx, cancel := context.WithCancel(testContext) @@ -1170,6 +1172,11 @@ func TestCreateClusterV2(t *testing.T) { } } + clusterOpts.FeatureSet = string(configv1.TechPreviewNoUpgrade) + clusterOpts.PodsLabels = map[string]string{ + "hypershift-e2e-test-label": "test", + } + e2eutil.NewHypershiftTest(t, ctx, func(t *testing.T, g Gomega, mgtClient crclient.Client, hostedCluster *hyperv1.HostedCluster) { // Sanity check the cluster by waiting for the nodes to report ready _ = e2eutil.WaitForGuestClient(t, ctx, mgtClient, hostedCluster) @@ -1195,6 +1202,7 @@ func TestCreateClusterV2(t *testing.T) { integration.RunTestControlPlanePKIOperatorBreakGlassCredentials(t, testContext, hostedCluster, mgmtClients, guestClients) e2eutil.EnsureAPIUX(t, ctx, mgtClient, hostedCluster) + e2eutil.EnsureCustomLabels(t, ctx, mgtClient, hostedCluster) }).Execute(&clusterOpts, globalOpts.Platform, globalOpts.ArtifactDir, globalOpts.ServiceAccountSigningKey) } diff --git a/test/e2e/util/util.go b/test/e2e/util/util.go index 9ac25a6e59..067dc03762 100644 --- a/test/e2e/util/util.go +++ b/test/e2e/util/util.go @@ -1934,7 +1934,7 @@ func EnsurePayloadArchSetCorrectly(t *testing.T, ctx context.Context, client crc func EnsureCustomLabels(t *testing.T, ctx context.Context, client crclient.Client, hostedCluster *hyperv1.HostedCluster) { t.Run("EnsureCustomLabels", func(t *testing.T) { - AtLeast(t, Version418) + AtLeast(t, Version419) hcpNamespace := manifests.HostedControlPlaneNamespace(hostedCluster.Namespace, hostedCluster.Name) podList := &corev1.PodList{} From 480b3e57366a5f015f427447753307761534ff0d Mon Sep 17 00:00:00 2001 From: Mulham Raee Date: Tue, 4 Feb 2025 17:13:21 +0100 Subject: [PATCH 2/3] Remove HCPPodsLabels featuregate --- .../featureGate-Hypershift-Default.yaml | 3 - ...eGate-Hypershift-TechPreviewNoUpgrade.yaml | 3 - .../featureGate-SelfManagedHA-Default.yaml | 3 - ...te-SelfManagedHA-TechPreviewNoUpgrade.yaml | 3 - api/hypershift/v1beta1/hostedcluster_types.go | 1 - ..._generated.featuregated-crd-manifests.yaml | 1 - .../AAA_ungated.yaml | 13 + .../AROHCPManagedIdentities.yaml | 13 + .../AutoNodeKarpenter.yaml | 13 + .../DynamicResourceAllocation.yaml | 13 + .../ExternalOIDC.yaml | 13 + .../HCPPodsLabels.yaml | 4622 ----------------- .../ImageStreamImportMode.yaml | 13 + .../NetworkDiagnosticsConfig.yaml | 13 + .../OpenStack.yaml | 13 + .../hostedclusters-Default.crd.yaml | 13 + .../hypershift/v1beta1/hostedcluster_types.go | 1 - ..._generated.featuregated-crd-manifests.yaml | 1 - 18 files changed, 117 insertions(+), 4638 deletions(-) delete mode 100644 api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HCPPodsLabels.yaml diff --git a/api/hypershift/v1beta1/featuregates/featureGate-Hypershift-Default.yaml b/api/hypershift/v1beta1/featuregates/featureGate-Hypershift-Default.yaml index 1c370c8571..476998c661 100644 --- a/api/hypershift/v1beta1/featuregates/featureGate-Hypershift-Default.yaml +++ b/api/hypershift/v1beta1/featuregates/featureGate-Hypershift-Default.yaml @@ -24,9 +24,6 @@ { "name": "OpenStack" }, - { - "name": "HCPPodsLabels" - } ], "enabled": [ # We enable all OCP feature gates only so the CRD contains the fields. diff --git a/api/hypershift/v1beta1/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml b/api/hypershift/v1beta1/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml index 1e26eceb21..5c6a9cd58c 100644 --- a/api/hypershift/v1beta1/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml +++ b/api/hypershift/v1beta1/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml @@ -34,9 +34,6 @@ { "name": "OpenStack" }, - { - "name": "HCPPodsLabels" - } ], "version": "" } diff --git a/api/hypershift/v1beta1/featuregates/featureGate-SelfManagedHA-Default.yaml b/api/hypershift/v1beta1/featuregates/featureGate-SelfManagedHA-Default.yaml index 1c370c8571..476998c661 100644 --- a/api/hypershift/v1beta1/featuregates/featureGate-SelfManagedHA-Default.yaml +++ b/api/hypershift/v1beta1/featuregates/featureGate-SelfManagedHA-Default.yaml @@ -24,9 +24,6 @@ { "name": "OpenStack" }, - { - "name": "HCPPodsLabels" - } ], "enabled": [ # We enable all OCP feature gates only so the CRD contains the fields. diff --git a/api/hypershift/v1beta1/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml b/api/hypershift/v1beta1/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml index 6b9ca32850..f3d1fa7576 100644 --- a/api/hypershift/v1beta1/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml +++ b/api/hypershift/v1beta1/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml @@ -34,9 +34,6 @@ { "name": "OpenStack" }, - { - "name": "HCPPodsLabels" - } ], "version": "" } diff --git a/api/hypershift/v1beta1/hostedcluster_types.go b/api/hypershift/v1beta1/hostedcluster_types.go index c541d9639b..07cb74271c 100644 --- a/api/hypershift/v1beta1/hostedcluster_types.go +++ b/api/hypershift/v1beta1/hostedcluster_types.go @@ -632,7 +632,6 @@ type HostedClusterSpec struct { // TODO: key/value validations break cost budget for <=4.17. We should figure why and enable it back. // +kubebuilder:validation:MaxProperties=20 // +optional - // +openshift:enable:FeatureGate=HCPPodsLabels Labels map[string]string `json:"labels,omitempty"` } diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests.yaml index d7d9b8cdde..2d4e3a6cec 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests.yaml @@ -99,7 +99,6 @@ hostedclusters.hypershift.openshift.io: - AutoNodeKarpenter - DynamicResourceAllocation - ExternalOIDC - - HCPPodsLabels - ImageStreamImportMode - NetworkDiagnosticsConfig - OpenStack diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml index 3b1fd0c581..f797ce4f9d 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml @@ -2358,6 +2358,19 @@ spec: rule: self == oldSelf - message: issuerURL must be a valid absolute URL rule: isURL(self) + labels: + additionalProperties: + type: string + description: |- + labels when specified, define what custom labels are added to the hcp pods. + Changing this day 2 will cause a rollout of all hcp pods. + Duplicate keys are not supported. If duplicate keys are defined, only the last key/value pair is preserved. + Valid values are those in https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set + + -kubebuilder:validation:XValidation:rule=`self.all(key, size(key) <= 317 && key.matches('^(([A-Za-z0-9]+(\\.[A-Za-z0-9]+)?)*[A-Za-z0-9]\\/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$'))`, message="label key must have two segments: an optional prefix and name, separated by a slash (/). The name segment is required and must be 63 characters or less, beginning and ending with an alphanumeric character ([a-z0-9A-Z]) with dashes (-), underscores (_), dots (.), and alphanumerics between. The prefix is optional. If specified, the prefix must be a DNS subdomain: a series of DNS labels separated by dots (.), not longer than 253 characters in total, followed by a slash (/)" + -kubebuilder:validation:XValidation:rule=`self.all(key, size(self[key]) <= 63 && self[key].matches('^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$'))`, message="label value must be 63 characters or less (can be empty), consist of alphanumeric characters, dashes (-), underscores (_) or dots (.), and begin and end with an alphanumeric character" + maxProperties: 20 + type: object networking: default: clusterNetwork: diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AROHCPManagedIdentities.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AROHCPManagedIdentities.yaml index b273a1d55e..87d44e5fd3 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AROHCPManagedIdentities.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AROHCPManagedIdentities.yaml @@ -2354,6 +2354,19 @@ spec: rule: self == oldSelf - message: issuerURL must be a valid absolute URL rule: isURL(self) + labels: + additionalProperties: + type: string + description: |- + labels when specified, define what custom labels are added to the hcp pods. + Changing this day 2 will cause a rollout of all hcp pods. + Duplicate keys are not supported. If duplicate keys are defined, only the last key/value pair is preserved. + Valid values are those in https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set + + -kubebuilder:validation:XValidation:rule=`self.all(key, size(key) <= 317 && key.matches('^(([A-Za-z0-9]+(\\.[A-Za-z0-9]+)?)*[A-Za-z0-9]\\/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$'))`, message="label key must have two segments: an optional prefix and name, separated by a slash (/). The name segment is required and must be 63 characters or less, beginning and ending with an alphanumeric character ([a-z0-9A-Z]) with dashes (-), underscores (_), dots (.), and alphanumerics between. The prefix is optional. If specified, the prefix must be a DNS subdomain: a series of DNS labels separated by dots (.), not longer than 253 characters in total, followed by a slash (/)" + -kubebuilder:validation:XValidation:rule=`self.all(key, size(self[key]) <= 63 && self[key].matches('^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$'))`, message="label value must be 63 characters or less (can be empty), consist of alphanumeric characters, dashes (-), underscores (_) or dots (.), and begin and end with an alphanumeric character" + maxProperties: 20 + type: object networking: default: clusterNetwork: diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AutoNodeKarpenter.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AutoNodeKarpenter.yaml index 44d75b541f..cbaaccfe1b 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AutoNodeKarpenter.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AutoNodeKarpenter.yaml @@ -2399,6 +2399,19 @@ spec: rule: self == oldSelf - message: issuerURL must be a valid absolute URL rule: isURL(self) + labels: + additionalProperties: + type: string + description: |- + labels when specified, define what custom labels are added to the hcp pods. + Changing this day 2 will cause a rollout of all hcp pods. + Duplicate keys are not supported. If duplicate keys are defined, only the last key/value pair is preserved. + Valid values are those in https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set + + -kubebuilder:validation:XValidation:rule=`self.all(key, size(key) <= 317 && key.matches('^(([A-Za-z0-9]+(\\.[A-Za-z0-9]+)?)*[A-Za-z0-9]\\/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$'))`, message="label key must have two segments: an optional prefix and name, separated by a slash (/). The name segment is required and must be 63 characters or less, beginning and ending with an alphanumeric character ([a-z0-9A-Z]) with dashes (-), underscores (_), dots (.), and alphanumerics between. The prefix is optional. If specified, the prefix must be a DNS subdomain: a series of DNS labels separated by dots (.), not longer than 253 characters in total, followed by a slash (/)" + -kubebuilder:validation:XValidation:rule=`self.all(key, size(self[key]) <= 63 && self[key].matches('^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$'))`, message="label value must be 63 characters or less (can be empty), consist of alphanumeric characters, dashes (-), underscores (_) or dots (.), and begin and end with an alphanumeric character" + maxProperties: 20 + type: object networking: default: clusterNetwork: diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/DynamicResourceAllocation.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/DynamicResourceAllocation.yaml index 4e08d9393c..f940dd1377 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/DynamicResourceAllocation.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/DynamicResourceAllocation.yaml @@ -2375,6 +2375,19 @@ spec: rule: self == oldSelf - message: issuerURL must be a valid absolute URL rule: isURL(self) + labels: + additionalProperties: + type: string + description: |- + labels when specified, define what custom labels are added to the hcp pods. + Changing this day 2 will cause a rollout of all hcp pods. + Duplicate keys are not supported. If duplicate keys are defined, only the last key/value pair is preserved. + Valid values are those in https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set + + -kubebuilder:validation:XValidation:rule=`self.all(key, size(key) <= 317 && key.matches('^(([A-Za-z0-9]+(\\.[A-Za-z0-9]+)?)*[A-Za-z0-9]\\/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$'))`, message="label key must have two segments: an optional prefix and name, separated by a slash (/). The name segment is required and must be 63 characters or less, beginning and ending with an alphanumeric character ([a-z0-9A-Z]) with dashes (-), underscores (_), dots (.), and alphanumerics between. The prefix is optional. If specified, the prefix must be a DNS subdomain: a series of DNS labels separated by dots (.), not longer than 253 characters in total, followed by a slash (/)" + -kubebuilder:validation:XValidation:rule=`self.all(key, size(self[key]) <= 63 && self[key].matches('^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$'))`, message="label value must be 63 characters or less (can be empty), consist of alphanumeric characters, dashes (-), underscores (_) or dots (.), and begin and end with an alphanumeric character" + maxProperties: 20 + type: object networking: default: clusterNetwork: diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml index a4d1b26346..d2fb55e6d9 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml @@ -2596,6 +2596,19 @@ spec: rule: self == oldSelf - message: issuerURL must be a valid absolute URL rule: isURL(self) + labels: + additionalProperties: + type: string + description: |- + labels when specified, define what custom labels are added to the hcp pods. + Changing this day 2 will cause a rollout of all hcp pods. + Duplicate keys are not supported. If duplicate keys are defined, only the last key/value pair is preserved. + Valid values are those in https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set + + -kubebuilder:validation:XValidation:rule=`self.all(key, size(key) <= 317 && key.matches('^(([A-Za-z0-9]+(\\.[A-Za-z0-9]+)?)*[A-Za-z0-9]\\/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$'))`, message="label key must have two segments: an optional prefix and name, separated by a slash (/). The name segment is required and must be 63 characters or less, beginning and ending with an alphanumeric character ([a-z0-9A-Z]) with dashes (-), underscores (_), dots (.), and alphanumerics between. The prefix is optional. If specified, the prefix must be a DNS subdomain: a series of DNS labels separated by dots (.), not longer than 253 characters in total, followed by a slash (/)" + -kubebuilder:validation:XValidation:rule=`self.all(key, size(self[key]) <= 63 && self[key].matches('^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$'))`, message="label value must be 63 characters or less (can be empty), consist of alphanumeric characters, dashes (-), underscores (_) or dots (.), and begin and end with an alphanumeric character" + maxProperties: 20 + type: object networking: default: clusterNetwork: diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HCPPodsLabels.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HCPPodsLabels.yaml deleted file mode 100644 index 547c4460d4..0000000000 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HCPPodsLabels.yaml +++ /dev/null @@ -1,4622 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - feature-gate.release.openshift.io/HCPPodsLabels: "true" - name: hostedclusters.hypershift.openshift.io -spec: - group: hypershift.openshift.io - names: - kind: HostedCluster - listKind: HostedClusterList - plural: hostedclusters - shortNames: - - hc - - hcs - singular: hostedcluster - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Version - jsonPath: .status.version.history[?(@.state=="Completed")].version - name: Version - type: string - - description: KubeConfig Secret - jsonPath: .status.kubeconfig.name - name: KubeConfig - type: string - - description: Progress - jsonPath: .status.version.history[?(@.state!="")].state - name: Progress - type: string - - description: Available - jsonPath: .status.conditions[?(@.type=="Available")].status - name: Available - type: string - - description: Progressing - jsonPath: .status.conditions[?(@.type=="Progressing")].status - name: Progressing - type: string - - description: Message - jsonPath: .status.conditions[?(@.type=="Available")].message - name: Message - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: |- - HostedCluster is the primary representation of a HyperShift cluster and encapsulates - the control plane and common data plane configuration. Creating a HostedCluster - results in a fully functional OpenShift control plane with no attached nodes. - To support workloads (e.g. pods), a HostedCluster may have one or more associated - NodePool resources. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec is the desired behavior of the HostedCluster. - properties: - additionalTrustBundle: - description: |- - additionalTrustBundle is a local reference to a ConfigMap that must have a "ca-bundle.crt" key - whose content must be a PEM-encoded X.509 certificate bundle that will be added to the hosted controlplane and nodes - If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. - This will be part of every payload generated by the controllers for any NodePool of the HostedCluster. - Changing this value will trigger a rollout for all existing NodePools in the cluster. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - auditWebhook: - description: |- - AuditWebhook contains metadata for configuring an audit webhook endpoint - for a cluster to process cluster audit events. It references a secret that - contains the webhook information for the audit webhook endpoint. It is a - secret because if the endpoint has mTLS the kubeconfig will contain client - keys. The kubeconfig needs to be stored in the secret with a secret key - name that corresponds to the constant AuditWebhookKubeconfigKey. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - autoscaling: - description: |- - autoscaling specifies auto-scaling behavior that applies to all NodePools - associated with this HostedCluster. - properties: - maxNodeProvisionTime: - description: |- - maxNodeProvisionTime is the maximum time to wait for node provisioning - before considering the provisioning to be unsuccessful, expressed as a Go - duration string. The default is 15 minutes. - pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$ - type: string - maxNodesTotal: - description: |- - maxNodesTotal is the maximum allowable number of nodes for the Autoscaler scale out to be operational. - The autoscaler will not grow the cluster beyond this number. - If omitted, the autoscaler will not have a maximum limit. - number. - format: int32 - minimum: 0 - type: integer - maxPodGracePeriod: - description: |- - maxPodGracePeriod is the maximum seconds to wait for graceful pod - termination before scaling down a NodePool. The default is 600 seconds. - format: int32 - minimum: 0 - type: integer - podPriorityThreshold: - description: |- - podPriorityThreshold enables users to schedule "best-effort" pods, which - shouldn't trigger autoscaler actions, but only run when there are spare - resources available. The default is -10. - - See the following for more details: - https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-cluster-autoscaler-work-with-pod-priority-and-preemption - format: int32 - type: integer - type: object - channel: - description: |- - channel is an identifier for explicitly requesting that a non-default set of updates be applied to this cluster. - If omitted no particular upgrades are suggested. - maxLength: 100 - minLength: 1 - type: string - clusterID: - description: |- - clusterID uniquely identifies this cluster. This is expected to be an RFC4122 UUID value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in hexadecimal digits). - As with a Kubernetes metadata.uid, this ID uniquely identifies this cluster in space and time. - This value identifies the cluster in metrics pushed to telemetry and metrics produced by the control plane operators. - If a value is not specified, a random clusterID will be generated and set by the controller. - Once set, this value is immutable. - maxLength: 36 - minLength: 36 - type: string - x-kubernetes-validations: - - message: clusterID must be an RFC4122 UUID value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx - in hexadecimal digits) - rule: self.matches('[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}') - - message: clusterID is immutable - rule: oldSelf == "" || self == oldSelf - configuration: - description: |- - Configuration specifies configuration for individual OCP components in the - cluster, represented as embedded resources that correspond to the openshift - configuration API. - properties: - apiServer: - description: |- - APIServer holds configuration (like serving certificates, client CA and CORS domains) - shared by all API servers in the system, among them especially kube-apiserver - and openshift-apiserver. - properties: - additionalCORSAllowedOrigins: - description: |- - additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the - API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth - server from JavaScript applications. - The values are regular expressions that correspond to the Golang regular expression language. - items: - type: string - type: array - audit: - default: - profile: Default - description: |- - audit specifies the settings for audit configuration to be applied to all OpenShift-provided - API servers in the cluster. - properties: - customRules: - description: |- - customRules specify profiles per group. These profile take precedence over the - top-level profile field if they apply. They are evaluation from top to bottom and - the first one that matches, applies. - items: - description: |- - AuditCustomRule describes a custom rule for an audit profile that takes precedence over - the top-level profile. - properties: - group: - description: group is a name of group a request - user must be member of in order to this profile - to apply. - minLength: 1 - type: string - profile: - description: |- - profile specifies the name of the desired audit policy configuration to be deployed to - all OpenShift-provided API servers in the cluster. - - The following profiles are provided: - - Default: the existing default policy. - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). - - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - If unset, the 'Default' profile is used as the default. - enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - required: - - group - - profile - type: object - type: array - x-kubernetes-list-map-keys: - - group - x-kubernetes-list-type: map - profile: - default: Default - description: |- - profile specifies the name of the desired top-level audit profile to be applied to all requests - sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, - openshift-apiserver and oauth-apiserver), with the exception of those requests that match - one or more of the customRules. - - The following profiles are provided: - - Default: default policy which means MetaData level logging with the exception of events - (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody - level). - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). - - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - Warning: It is not recommended to disable audit logging by using the `None` profile unless you - are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. - If you disable audit logging and a support situation arises, you might need to enable audit logging - and reproduce the issue in order to troubleshoot properly. - - If unset, the 'Default' profile is used as the default. - enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - type: object - clientCA: - description: |- - clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for - incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. - You usually only have to set this if you have your own PKI you wish to honor client certificates from. - The ConfigMap must exist in the openshift-config namespace and contain the following required fields: - - ConfigMap.Data["ca-bundle.crt"] - CA bundle. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - encryption: - description: encryption allows the configuration of encryption - of resources at the datastore layer. - properties: - type: - description: |- - type defines what encryption type should be used to encrypt resources at the datastore layer. - When this field is unset (i.e. when it is set to the empty string), identity is implied. - The behavior of unset can and will change over time. Even if encryption is enabled by default, - the meaning of unset may change to a different encryption type based on changes in best practices. - - When encryption is enabled, all sensitive resources shipped with the platform are encrypted. - This list of sensitive resources can and will change over time. The current authoritative list is: - - 1. secrets - 2. configmaps - 3. routes.route.openshift.io - 4. oauthaccesstokens.oauth.openshift.io - 5. oauthauthorizetokens.oauth.openshift.io - enum: - - "" - - identity - - aescbc - - aesgcm - type: string - type: object - servingCerts: - description: |- - servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates - will be used for serving secure traffic. - properties: - namedCertificates: - description: |- - namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. - If no named certificates are provided, or no named certificates match the server name as understood by a client, - the defaultServingCertificate will be used. - items: - description: APIServerNamedServingCert maps a server - DNS name, as understood by a client, to a certificate. - properties: - names: - description: |- - names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to - serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. - Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. - items: - type: string - type: array - servingCertificate: - description: |- - servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. - The secret must exist in the openshift-config namespace and contain the following required fields: - - Secret.Data["tls.key"] - TLS private key. - - Secret.Data["tls.crt"] - TLS certificate. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - type: array - type: object - tlsSecurityProfile: - description: |- - tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. - - If unset, a default (which may change between releases) is chosen. Note that only Old, - Intermediate and Custom profiles are currently supported, and the maximum available - minTLSVersion is VersionTLS12. - properties: - custom: - description: |- - custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: - - ciphers: - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 - nullable: true - properties: - ciphers: - description: |- - ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): - - ciphers: - - DES-CBC3-SHA - items: - type: string - type: array - x-kubernetes-list-type: atomic - minTLSVersion: - description: |- - minTLSVersion is used to specify the minimal version of the TLS protocol - that is negotiated during the TLS handshake. For example, to use TLS - versions 1.1, 1.2 and 1.3 (yaml): - - minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 - enum: - - VersionTLS10 - - VersionTLS11 - - VersionTLS12 - - VersionTLS13 - type: string - type: object - intermediate: - description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - - - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 - nullable: true - type: object - modern: - description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 - nullable: true - type: object - old: - description: |- - old is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - - - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - - DHE-RSA-CHACHA20-POLY1305 - - - ECDHE-ECDSA-AES128-SHA256 - - - ECDHE-RSA-AES128-SHA256 - - - ECDHE-ECDSA-AES128-SHA - - - ECDHE-RSA-AES128-SHA - - - ECDHE-ECDSA-AES256-SHA384 - - - ECDHE-RSA-AES256-SHA384 - - - ECDHE-ECDSA-AES256-SHA - - - ECDHE-RSA-AES256-SHA - - - DHE-RSA-AES128-SHA256 - - - DHE-RSA-AES256-SHA256 - - - AES128-GCM-SHA256 - - - AES256-GCM-SHA384 - - - AES128-SHA256 - - - AES256-SHA256 - - - AES128-SHA - - - AES256-SHA - - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 - nullable: true - type: object - type: - description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations - - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. - - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. - enum: - - Old - - Intermediate - - Modern - - Custom - type: string - type: object - type: object - authentication: - description: |- - Authentication specifies cluster-wide settings for authentication (like OAuth and - webhook token authenticators). - properties: - oauthMetadata: - description: |- - oauthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for an external OAuth server. - This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - If oauthMetadata.name is non-empty, this value has precedence - over any metadata reference stored in status. - The key "oauthMetadata" is used to locate the data. - If specified and the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - serviceAccountIssuer: - description: |- - serviceAccountIssuer is the identifier of the bound service account token - issuer. - The default is https://kubernetes.default.svc - WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the - previous issuer value. Instead, the tokens issued by previous service account issuer will continue to - be trusted for a time period chosen by the platform (currently set to 24h). - This time period is subject to change over time. - This allows internal components to transition to use new service account issuer without service distruption. - type: string - type: - description: |- - type identifies the cluster managed, user facing authentication mode in use. - Specifically, it manages the component that responds to login attempts. - The default is IntegratedOAuth. - type: string - webhookTokenAuthenticator: - description: |- - webhookTokenAuthenticator configures a remote token reviewer. - These remote authentication webhooks can be used to verify bearer tokens - via the tokenreviews.authentication.k8s.io REST API. This is required to - honor bearer tokens that are provisioned by an external authentication service. - - Can only be set if "Type" is set to "None". - properties: - kubeConfig: - description: |- - kubeConfig references a secret that contains kube config file data which - describes how to access the remote webhook service. - The namespace for the referenced secret is openshift-config. - - For further details, see: - - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - kubeConfig - type: object - webhookTokenAuthenticators: - description: webhookTokenAuthenticators is DEPRECATED, setting - it has no effect. - items: - description: |- - deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. - It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. - properties: - kubeConfig: - description: |- - kubeConfig contains kube config file data which describes how to access the remote webhook service. - For further details, see: - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - The namespace for this secret is determined by the point of use. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - featureGate: - description: FeatureGate holds cluster-wide information about - feature gates. - properties: - customNoUpgrade: - description: |- - customNoUpgrade allows the enabling or disabling of any feature. Turning this feature set on IS NOT SUPPORTED, CANNOT BE UNDONE, and PREVENTS UPGRADES. - Because of its nature, this setting cannot be validated. If you have any typos or accidentally apply invalid combinations - your cluster may fail in an unrecoverable way. featureSet must equal "CustomNoUpgrade" must be set to use this field. - nullable: true - properties: - disabled: - description: disabled is a list of all feature gates that - you want to force off - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - enabled: - description: enabled is a list of all feature gates that - you want to force on - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - type: object - featureSet: - description: |- - featureSet changes the list of features in the cluster. The default is empty. Be very careful adjusting this setting. - Turning on or off features may cause irreversible changes in your cluster which cannot be undone. - enum: - - CustomNoUpgrade - - DevPreviewNoUpgrade - - TechPreviewNoUpgrade - - "" - type: string - x-kubernetes-validations: - - message: CustomNoUpgrade may not be changed - rule: 'oldSelf == ''CustomNoUpgrade'' ? self == ''CustomNoUpgrade'' - : true' - - message: TechPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''TechPreviewNoUpgrade'' ? self == ''TechPreviewNoUpgrade'' - : true' - - message: DevPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''DevPreviewNoUpgrade'' ? self == ''DevPreviewNoUpgrade'' - : true' - type: object - image: - description: |- - Image governs policies related to imagestream imports and runtime configuration - for external registries. It allows cluster admins to configure which registries - OpenShift is allowed to import images from, extra CA trust bundles for external - registries, and policies to block or allow registry hostnames. - When exposing OpenShift's image registry to the public, this also lets cluster - admins specify the external hostname. - Changing this value will trigger a rollout for all existing NodePools in the cluster. - properties: - additionalTrustedCA: - description: |- - additionalTrustedCA is a reference to a ConfigMap containing additional CAs that - should be trusted during imagestream import, pod image pull, build image pull, and - imageregistry pullthrough. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - allowedRegistriesForImport: - description: |- - allowedRegistriesForImport limits the container image registries that normal users may import - images from. Set this list to the registries that you trust to contain valid Docker - images and that you want applications to be able to import from. Users with - permission to create Images or ImageStreamMappings via the API are not affected by - this policy - typically only administrators or system integrations will have those - permissions. - items: - description: |- - RegistryLocation contains a location of the registry specified by the registry domain - name. The domain name might include wildcards, like '*' or '??'. - properties: - domainName: - description: |- - domainName specifies a domain name for the registry - In case the registry use non-standard (80 or 443) port, the port should be included - in the domain name as well. - type: string - insecure: - description: |- - insecure indicates whether the registry is secure (https) or insecure (http) - By default (if not specified) the registry is assumed as secure. - type: boolean - type: object - type: array - x-kubernetes-list-type: atomic - externalRegistryHostnames: - description: |- - externalRegistryHostnames provides the hostnames for the default external image - registry. The external hostname should be set only when the image registry - is exposed externally. The first value is used in 'publicDockerImageRepository' - field in ImageStreams. The value must be in "hostname[:port]" format. - items: - type: string - type: array - x-kubernetes-list-type: atomic - registrySources: - description: |- - registrySources contains configuration that determines how the container runtime - should treat individual registries when accessing images for builds+pods. (e.g. - whether or not to allow insecure access). It does not contain configuration for the - internal cluster registry. - properties: - allowedRegistries: - description: |- - allowedRegistries are the only registries permitted for image pull and push actions. All other registries are denied. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - blockedRegistries: - description: |- - blockedRegistries cannot be used for image pull and push actions. All other registries are permitted. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - containerRuntimeSearchRegistries: - description: |- - containerRuntimeSearchRegistries are registries that will be searched when pulling images that do not have fully qualified - domains in their pull specs. Registries will be searched in the order provided in the list. - Note: this search list only works with the container runtime, i.e CRI-O. Will NOT work with builds or imagestream imports. - format: hostname - items: - type: string - minItems: 1 - type: array - x-kubernetes-list-type: set - insecureRegistries: - description: insecureRegistries are registries which do - not have a valid TLS certificates or only support HTTP - connections. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - type: object - ingress: - description: |- - Ingress holds cluster-wide information about ingress, including the default ingress domain - used for routes. - properties: - appsDomain: - description: |- - appsDomain is an optional domain to use instead of the one specified - in the domain field when a Route is created without specifying an explicit - host. If appsDomain is nonempty, this value is used to generate default - host values for Route. Unlike domain, appsDomain may be modified after - installation. - This assumes a new ingresscontroller has been setup with a wildcard - certificate. - type: string - componentRoutes: - description: |- - componentRoutes is an optional list of routes that are managed by OpenShift components - that a cluster-admin is able to configure the hostname and serving certificate for. - The namespace and name of each route in this list should match an existing entry in the - status.componentRoutes list. - - To determine the set of configurable Routes, look at namespace and name of entries in the - .status.componentRoutes list, where participating operators write the status of - configurable routes. - items: - description: ComponentRouteSpec allows for configuration - of a route's hostname and serving certificate. - properties: - hostname: - description: hostname is the hostname that should be - used by the route. - pattern: ^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z\p{L}]){2,63})$|^(([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})[\.]){0,}([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})$ - type: string - name: - description: |- - name is the logical name of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. - maxLength: 256 - minLength: 1 - type: string - namespace: - description: |- - namespace is the namespace of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - servingCertKeyPairSecret: - description: |- - servingCertKeyPairSecret is a reference to a secret of type `kubernetes.io/tls` in the openshift-config namespace. - The serving cert/key pair must match and will be used by the operator to fulfill the intent of serving with this name. - If the custom hostname uses the default routing suffix of the cluster, - the Secret specification for a serving certificate will not be needed. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - hostname - - name - - namespace - type: object - type: array - x-kubernetes-list-map-keys: - - namespace - - name - x-kubernetes-list-type: map - domain: - description: |- - domain is used to generate a default host name for a route when the - route's host name is empty. The generated host name will follow this - pattern: "..". - - It is also used as the default wildcard domain suffix for ingress. The - default ingresscontroller domain will follow this pattern: "*.". - - Once set, changing domain is not currently supported. - type: string - loadBalancer: - description: |- - loadBalancer contains the load balancer details in general which are not only specific to the underlying infrastructure - provider of the current cluster and are required for Ingress Controller to work on OpenShift. - properties: - platform: - description: |- - platform holds configuration specific to the underlying - infrastructure provider for the ingress load balancers. - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - properties: - aws: - description: aws contains settings specific to the - Amazon Web Services infrastructure provider. - properties: - type: - description: |- - type allows user to set a load balancer type. - When this field is set the default ingresscontroller will get created using the specified LBType. - If this field is not set then the default ingress controller of LBType Classic will be created. - Valid values are: - - * "Classic": A Classic Load Balancer that makes routing decisions at either - the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See - the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb - - * "NLB": A Network Load Balancer that makes routing decisions at the - transport layer (TCP/SSL). See the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb - enum: - - NLB - - Classic - type: string - required: - - type - type: object - type: - description: |- - type is the underlying infrastructure provider for the cluster. - Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", - "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS", - "AlibabaCloud", "Nutanix" and "None". Individual components may not support all platforms, - and must handle unrecognized platforms as None if they do not support that platform. - enum: - - "" - - AWS - - Azure - - BareMetal - - GCP - - Libvirt - - OpenStack - - None - - VSphere - - oVirt - - IBMCloud - - KubeVirt - - EquinixMetal - - PowerVS - - AlibabaCloud - - Nutanix - - External - type: string - type: object - type: object - requiredHSTSPolicies: - description: |- - requiredHSTSPolicies specifies HSTS policies that are required to be set on newly created or updated routes - matching the domainPattern/s and namespaceSelector/s that are specified in the policy. - Each requiredHSTSPolicy must have at least a domainPattern and a maxAge to validate a route HSTS Policy route - annotation, and affect route admission. - - A candidate route is checked for HSTS Policies if it has the HSTS Policy route annotation: - "haproxy.router.openshift.io/hsts_header" - E.g. haproxy.router.openshift.io/hsts_header: max-age=31536000;preload;includeSubDomains - - - For each candidate route, if it matches a requiredHSTSPolicy domainPattern and optional namespaceSelector, - then the maxAge, preloadPolicy, and includeSubdomainsPolicy must be valid to be admitted. Otherwise, the route - is rejected. - - The first match, by domainPattern and optional namespaceSelector, in the ordering of the RequiredHSTSPolicies - determines the route's admission status. - - If the candidate route doesn't match any requiredHSTSPolicy domainPattern and optional namespaceSelector, - then it may use any HSTS Policy annotation. - - The HSTS policy configuration may be changed after routes have already been created. An update to a previously - admitted route may then fail if the updated route does not conform to the updated HSTS policy configuration. - However, changing the HSTS policy configuration will not cause a route that is already admitted to stop working. - - Note that if there are no RequiredHSTSPolicies, any HSTS Policy annotation on the route is valid. - items: - properties: - domainPatterns: - description: |- - domainPatterns is a list of domains for which the desired HSTS annotations are required. - If domainPatterns is specified and a route is created with a spec.host matching one of the domains, - the route must specify the HSTS Policy components described in the matching RequiredHSTSPolicy. - - The use of wildcards is allowed like this: *.foo.com matches everything under foo.com. - foo.com only matches foo.com, so to cover foo.com and everything under it, you must specify *both*. - items: - type: string - minItems: 1 - type: array - includeSubDomainsPolicy: - description: |- - includeSubDomainsPolicy means the HSTS Policy should apply to any subdomains of the host's - domain name. Thus, for the host bar.foo.com, if includeSubDomainsPolicy was set to RequireIncludeSubDomains: - - the host app.bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host foo.com would NOT inherit the HSTS Policy of bar.foo.com - - the host def.foo.com would NOT inherit the HSTS Policy of bar.foo.com - enum: - - RequireIncludeSubDomains - - RequireNoIncludeSubDomains - - NoOpinion - type: string - maxAge: - description: |- - maxAge is the delta time range in seconds during which hosts are regarded as HSTS hosts. - If set to 0, it negates the effect, and hosts are removed as HSTS hosts. - If set to 0 and includeSubdomains is specified, all subdomains of the host are also removed as HSTS hosts. - maxAge is a time-to-live value, and if this policy is not refreshed on a client, the HSTS - policy will eventually expire on that client. - properties: - largestMaxAge: - description: |- - The largest allowed value (in seconds) of the RequiredHSTSPolicy max-age - This value can be left unspecified, in which case no upper limit is enforced. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - smallestMaxAge: - description: |- - The smallest allowed value (in seconds) of the RequiredHSTSPolicy max-age - Setting max-age=0 allows the deletion of an existing HSTS header from a host. This is a necessary - tool for administrators to quickly correct mistakes. - This value can be left unspecified, in which case no lower limit is enforced. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - type: object - namespaceSelector: - description: |- - namespaceSelector specifies a label selector such that the policy applies only to those routes that - are in namespaces with labels that match the selector, and are in one of the DomainPatterns. - Defaults to the empty LabelSelector, which matches everything. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - preloadPolicy: - description: |- - preloadPolicy directs the client to include hosts in its host preload list so that - it never needs to do an initial load to get the HSTS header (note that this is not defined - in RFC 6797 and is therefore client implementation-dependent). - enum: - - RequirePreload - - RequireNoPreload - - NoOpinion - type: string - required: - - domainPatterns - type: object - type: array - type: object - network: - description: |- - Network holds cluster-wide information about the network. It is used to configure the desired network configuration, such as: IP address pools for services/pod IPs, network plugin, etc. - Please view network.spec for an explanation on what applies when configuring this resource. - properties: - clusterNetwork: - description: |- - IP address pool to use for pod IPs. - This field is immutable after installation. - items: - description: |- - ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs - are allocated. - properties: - cidr: - description: The complete block for pod IPs. - type: string - hostPrefix: - description: |- - The size (prefix) of block to allocate to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - minimum: 0 - type: integer - type: object - type: array - x-kubernetes-list-type: atomic - externalIP: - description: |- - externalIP defines configuration for controllers that - affect Service.ExternalIP. If nil, then ExternalIP is - not allowed to be set. - properties: - autoAssignCIDRs: - description: |- - autoAssignCIDRs is a list of CIDRs from which to automatically assign - Service.ExternalIP. These are assigned when the service is of type - LoadBalancer. In general, this is only useful for bare-metal clusters. - In Openshift 3.x, this was misleadingly called "IngressIPs". - Automatically assigned External IPs are not affected by any - ExternalIPPolicy rules. - Currently, only one entry may be provided. - items: - type: string - type: array - x-kubernetes-list-type: atomic - policy: - description: |- - policy is a set of restrictions applied to the ExternalIP field. - If nil or empty, then ExternalIP is not allowed to be set. - properties: - allowedCIDRs: - description: allowedCIDRs is the list of allowed CIDRs. - items: - type: string - type: array - x-kubernetes-list-type: atomic - rejectedCIDRs: - description: |- - rejectedCIDRs is the list of disallowed CIDRs. These take precedence - over allowedCIDRs. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - type: object - networkType: - description: |- - NetworkType is the plugin that is to be deployed (e.g. OVNKubernetes). - This should match a value that the cluster-network-operator understands, - or else no networking will be installed. - Currently supported values are: - - OVNKubernetes - This field is immutable after installation. - type: string - serviceNetwork: - description: |- - IP address pool for services. - Currently, we only support a single entry here. - This field is immutable after installation. - items: - type: string - type: array - x-kubernetes-list-type: atomic - serviceNodePortRange: - description: |- - The port range allowed for Services of type NodePort. - If not specified, the default of 30000-32767 will be used. - Such Services without a NodePort specified will have one - automatically allocated from this range. - This parameter can be updated after the cluster is - installed. - pattern: ^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])-([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - type: object - oauth: - description: |- - OAuth holds cluster-wide information about OAuth. - It is used to configure the integrated OAuth server. - This configuration is only honored when the top level Authentication config has type set to IntegratedOAuth. - properties: - identityProviders: - description: |- - identityProviders is an ordered list of ways for a user to identify themselves. - When this list is empty, no identities are provisioned for users. - items: - description: IdentityProvider provides identities for users - authenticating using credentials - properties: - basicAuth: - description: basicAuth contains configuration options - for the BasicAuth IdP - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - github: - description: github enables user authentication using - GitHub credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - This can only be configured when hostname is set to a non-empty value. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostname: - description: |- - hostname is the optional domain (e.g. "mycompany.com") for use with a hosted instance of - GitHub Enterprise. - It must match the GitHub Enterprise settings value configured at /setup/settings#hostname. - type: string - organizations: - description: organizations optionally restricts - which organizations are allowed to log in - items: - type: string - type: array - teams: - description: teams optionally restricts which teams - are allowed to log in. Format is /. - items: - type: string - type: array - type: object - gitlab: - description: gitlab enables user authentication using - GitLab credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the oauth server base URL - type: string - type: object - google: - description: google enables user authentication using - Google credentials - properties: - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostedDomain: - description: hostedDomain is the optional Google - App domain (e.g. "mycompany.com") to restrict - logins to - type: string - type: object - htpasswd: - description: htpasswd enables user authentication using - an HTPasswd file to validate credentials - properties: - fileData: - description: |- - fileData is a required reference to a secret by name containing the data to use as the htpasswd file. - The key "htpasswd" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - If the specified htpasswd data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - keystone: - description: keystone enables user authentication using - keystone password credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - domainName: - description: domainName is required for keystone - v3 - type: string - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - ldap: - description: ldap enables user authentication using - LDAP credentials - properties: - attributes: - description: attributes maps LDAP attributes to - identities - properties: - email: - description: |- - email is the list of attributes whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - id: - description: |- - id is the list of attributes whose values should be used as the user ID. Required. - First non-empty attribute is used. At least one attribute is required. If none of the listed - attribute have a value, authentication fails. - LDAP standard identity attribute is "dn" - items: - type: string - type: array - name: - description: |- - name is the list of attributes whose values should be used as the display name. Optional. - If unspecified, no display name is set for the identity - LDAP standard display name attribute is "cn" - items: - type: string - type: array - preferredUsername: - description: |- - preferredUsername is the list of attributes whose values should be used as the preferred username. - LDAP standard login attribute is "uid" - items: - type: string - type: array - type: object - bindDN: - description: bindDN is an optional DN to bind with - during the search phase. - type: string - bindPassword: - description: |- - bindPassword is an optional reference to a secret by name - containing a password to bind with during the search phase. - The key "bindPassword" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - insecure: - description: |- - insecure, if true, indicates the connection should not use TLS - WARNING: Should not be set to `true` with the URL scheme "ldaps://" as "ldaps://" URLs always - attempt to connect using TLS, even when `insecure` is set to `true` - When `true`, "ldap://" URLS connect insecurely. When `false`, "ldap://" URLs are upgraded to - a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830. - type: boolean - url: - description: |- - url is an RFC 2255 URL which specifies the LDAP search parameters to use. - The syntax of the URL is: - ldap://host:port/basedn?attribute?scope?filter - type: string - type: object - mappingMethod: - description: |- - mappingMethod determines how identities from this provider are mapped to users - Defaults to "claim" - type: string - name: - description: |- - name is used to qualify the identities returned by this provider. - - It MUST be unique and not shared by any other identity provider used - - It MUST be a valid path segment: name cannot equal "." or ".." or contain "/" or "%" or ":" - Ref: https://godoc.org/github.com/openshift/origin/pkg/user/apis/user/validation#ValidateIdentityProviderName - type: string - openID: - description: openID enables user authentication using - OpenID credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - claims: - description: claims mappings - properties: - email: - description: |- - email is the list of claims whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - groups: - description: |- - groups is the list of claims value of which should be used to synchronize groups - from the OIDC provider to OpenShift for the user. - If multiple claims are specified, the first one with a non-empty value is used. - items: - description: |- - OpenIDClaim represents a claim retrieved from an OpenID provider's tokens or userInfo - responses - minLength: 1 - type: string - type: array - x-kubernetes-list-type: atomic - name: - description: |- - name is the list of claims whose values should be used as the display name. Optional. - If unspecified, no display name is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - preferredUsername: - description: |- - preferredUsername is the list of claims whose values should be used as the preferred username. - If unspecified, the preferred username is determined from the value of the sub claim - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - extraAuthorizeParameters: - additionalProperties: - type: string - description: extraAuthorizeParameters are any custom - parameters to add to the authorize request. - type: object - extraScopes: - description: extraScopes are any scopes to request - in addition to the standard "openid" scope. - items: - type: string - type: array - issuer: - description: |- - issuer is the URL that the OpenID Provider asserts as its Issuer Identifier. - It must use the https scheme with no query or fragment component. - type: string - type: object - requestHeader: - description: requestHeader enables user authentication - using request header credentials - properties: - ca: - description: |- - ca is a required reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - Specifically, it allows verification of incoming requests to prevent header spoofing. - The key "ca.crt" is used to locate the data. - If the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - challengeURL: - description: |- - challengeURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect WWW-Authenticate challenges will be - redirected here. - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when challenge is set to true. - type: string - clientCommonNames: - description: |- - clientCommonNames is an optional list of common names to require a match from. If empty, any - client certificate validated against the clientCA bundle is considered authoritative. - items: - type: string - type: array - emailHeaders: - description: emailHeaders is the set of headers - to check for the email address - items: - type: string - type: array - headers: - description: headers is the set of headers to check - for identity information - items: - type: string - type: array - loginURL: - description: |- - loginURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect interactive logins will be redirected here - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when login is set to true. - type: string - nameHeaders: - description: nameHeaders is the set of headers to - check for the display name - items: - type: string - type: array - preferredUsernameHeaders: - description: preferredUsernameHeaders is the set - of headers to check for the preferred username - items: - type: string - type: array - type: object - type: - description: type identifies the identity provider type - for this entry. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - templates: - description: templates allow you to customize pages like the - login page. - properties: - error: - description: |- - error is the name of a secret that specifies a go template to use to render error pages - during the authentication or grant flow. - The key "errors.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default error page is used. - If the specified template is not valid, the default error page is used. - If unspecified, the default error page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - login: - description: |- - login is the name of a secret that specifies a go template to use to render the login page. - The key "login.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default login page is used. - If the specified template is not valid, the default login page is used. - If unspecified, the default login page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - providerSelection: - description: |- - providerSelection is the name of a secret that specifies a go template to use to render - the provider selection page. - The key "providers.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default provider selection page is used. - If the specified template is not valid, the default provider selection page is used. - If unspecified, the default provider selection page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - tokenConfig: - description: tokenConfig contains options for authorization - and access tokens - properties: - accessTokenInactivityTimeout: - description: |- - accessTokenInactivityTimeout defines the token inactivity timeout - for tokens granted by any client. - The value represents the maximum amount of time that can occur between - consecutive uses of the token. Tokens become invalid if they are not - used within this temporal window. The user will need to acquire a new - token to regain access once a token times out. Takes valid time - duration string such as "5m", "1.5h" or "2h45m". The minimum allowed - value for duration is 300s (5 minutes). If the timeout is configured - per client, then that value takes precedence. If the timeout value is - not specified and the client does not override the value, then tokens - are valid until their lifetime. - - WARNING: existing tokens' timeout will not be affected (lowered) by changing this value - type: string - accessTokenInactivityTimeoutSeconds: - description: 'accessTokenInactivityTimeoutSeconds - DEPRECATED: - setting this field has no effect.' - format: int32 - type: integer - accessTokenMaxAgeSeconds: - description: accessTokenMaxAgeSeconds defines the maximum - age of access tokens - format: int32 - type: integer - type: object - type: object - x-kubernetes-validations: - - message: spec.configuration.oauth.tokenConfig.accessTokenInactivityTimeout - minimum acceptable token timeout value is 300 seconds - rule: '!has(self.tokenConfig) || !has(self.tokenConfig.accessTokenInactivityTimeout) - || duration(self.tokenConfig.accessTokenInactivityTimeout).getSeconds() - >= 300' - operatorhub: - description: |- - OperatorHub specifies the configuration for the Operator Lifecycle Manager in the HostedCluster. This is only configured at deployment time but the controller are not reconcilling over it. - The OperatorHub configuration will be constantly reconciled if catalog placement is management, but only on cluster creation otherwise. - properties: - disableAllDefaultSources: - description: |- - disableAllDefaultSources allows you to disable all the default hub - sources. If this is true, a specific entry in sources can be used to - enable a default source. If this is false, a specific entry in - sources can be used to disable or enable a default source. - type: boolean - sources: - description: |- - sources is the list of default hub sources and their configuration. - If the list is empty, it implies that the default hub sources are - enabled on the cluster unless disableAllDefaultSources is true. - If disableAllDefaultSources is true and sources is not empty, - the configuration present in sources will take precedence. The list of - default hub sources and their current state will always be reflected in - the status block. - items: - description: HubSource is used to specify the hub source - and its configuration - properties: - disabled: - description: disabled is used to disable a default hub - source on cluster - type: boolean - name: - description: name is the name of one of the default - hub sources - maxLength: 253 - minLength: 1 - type: string - type: object - type: array - type: object - proxy: - description: ProxySpec contains cluster proxy creation configuration. - properties: - httpProxy: - description: httpProxy is the URL of the proxy for HTTP requests. Empty - means unset and will not result in an env var. - type: string - httpsProxy: - description: httpsProxy is the URL of the proxy for HTTPS - requests. Empty means unset and will not result in an env - var. - type: string - noProxy: - description: |- - noProxy is a comma-separated list of hostnames and/or CIDRs and/or IPs for which the proxy should not be used. - Empty means unset and will not result in an env var. - type: string - readinessEndpoints: - description: readinessEndpoints is a list of endpoints used - to verify readiness of the proxy. - items: - type: string - type: array - trustedCA: - description: |- - trustedCA is a reference to a ConfigMap containing a CA certificate bundle. - The trustedCA field should only be consumed by a proxy validator. The - validator is responsible for reading the certificate bundle from the required - key "ca-bundle.crt", merging it with the system default trust bundle, - and writing the merged trust bundle to a ConfigMap named "trusted-ca-bundle" - in the "openshift-config-managed" namespace. Clients that expect to make - proxy connections must use the trusted-ca-bundle for all HTTPS requests to - the proxy, and may use the trusted-ca-bundle for non-proxy HTTPS requests as - well. - - The namespace for the ConfigMap referenced by trustedCA is - "openshift-config". Here is an example ConfigMap (in yaml): - - apiVersion: v1 - kind: ConfigMap - metadata: - name: user-ca-bundle - namespace: openshift-config - data: - ca-bundle.crt: | - -----BEGIN CERTIFICATE----- - Custom CA certificate bundle. - -----END CERTIFICATE----- - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - type: object - scheduler: - description: |- - Scheduler holds cluster-wide config information to run the Kubernetes Scheduler - and influence its placement decisions. The canonical name for this config is `cluster`. - properties: - defaultNodeSelector: - description: |- - defaultNodeSelector helps set the cluster-wide default node selector to - restrict pod placement to specific nodes. This is applied to the pods - created in all namespaces and creates an intersection with any existing - nodeSelectors already set on a pod, additionally constraining that pod's selector. - For example, - defaultNodeSelector: "type=user-node,region=east" would set nodeSelector - field in pod spec to "type=user-node,region=east" to all pods created - in all namespaces. Namespaces having project-wide node selectors won't be - impacted even if this field is set. This adds an annotation section to - the namespace. - For example, if a new namespace is created with - node-selector='type=user-node,region=east', - the annotation openshift.io/node-selector: type=user-node,region=east - gets added to the project. When the openshift.io/node-selector annotation - is set on the project the value is used in preference to the value we are setting - for defaultNodeSelector field. - For instance, - openshift.io/node-selector: "type=user-node,region=west" means - that the default of "type=user-node,region=east" set in defaultNodeSelector - would not be applied. - type: string - mastersSchedulable: - description: |- - MastersSchedulable allows masters nodes to be schedulable. When this flag is - turned on, all the master nodes in the cluster will be made schedulable, - so that workload pods can run on them. The default value for this field is false, - meaning none of the master nodes are schedulable. - Important Note: Once the workload pods start running on the master nodes, - extreme care must be taken to ensure that cluster-critical control plane components - are not impacted. - Please turn on this field after doing due diligence. - type: boolean - policy: - description: |- - DEPRECATED: the scheduler Policy API has been deprecated and will be removed in a future release. - policy is a reference to a ConfigMap containing scheduler policy which has - user specified predicates and priorities. If this ConfigMap is not available - scheduler will default to use DefaultAlgorithmProvider. - The namespace for this configmap is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - profile: - description: |- - profile sets which scheduling profile should be set in order to configure scheduling - decisions for new pods. - - Valid values are "LowNodeUtilization", "HighNodeUtilization", "NoScoring" - Defaults to "LowNodeUtilization" - enum: - - "" - - LowNodeUtilization - - HighNodeUtilization - - NoScoring - type: string - type: object - type: object - controlPlaneRelease: - description: |- - controlPlaneRelease is like spec.release but only for the components running on the management cluster. - This excludes any operand which will land in the hosted cluster data plane. - It is useful when you need to apply patch management side like a CVE, transparently for the hosted cluster. - Version input for this field is free, no validation is performed against spec.release or maximum and minimum is performed. - If defined, it will dicate the version of the components running management side, while spec.release will dictate the version of the components landing in the hosted cluster data plane. - If not defined, spec.release is used for both. - Changing this field will trigger a rollout of the control plane. - The behavior of the rollout will be driven by the ControllerAvailabilityPolicy and InfrastructureAvailabilityPolicy for PDBs and maxUnavailable and surce policies. - properties: - image: - description: |- - Image is the image pullspec of an OCP release payload image. - See https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags for a list of available images. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: Image must start with a word character (letters, digits, - or underscores) and contain no white spaces - rule: self.matches('^(\\w+\\S+)$') - required: - - image - type: object - controllerAvailabilityPolicy: - default: HighlyAvailable - description: |- - controllerAvailabilityPolicy specifies the availability policy applied to critical control plane components like the Kube API Server. - Possible values are HighlyAvailable and SingleReplica. The default value is HighlyAvailable. - enum: - - HighlyAvailable - - SingleReplica - type: string - dns: - description: dns specifies the DNS configuration for the hosted cluster - ingress. - properties: - baseDomain: - description: |- - baseDomain is the base domain of the hosted cluster. - It will be used to configure ingress in the hosted cluster through the subdomain baseDomainPrefix.baseDomain. - If baseDomainPrefix is omitted, the hostedCluster.name will be used as the subdomain. - Once set, this field is immutable. - When the value is the empty string "", the controller might default to a value depending on the platform. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: baseDomain must be a valid domain name (e.g., example, - example.com, sub.example.com) - rule: self == "" || self.matches('^(?:(?:[a-zA-Z0-9-]+\\.)+[a-zA-Z]{2,}|[a-zA-Z0-9-]+)$') - - message: baseDomain is immutable - rule: oldSelf == "" || self == oldSelf - baseDomainPrefix: - description: |- - baseDomainPrefix is the base domain prefix for the hosted cluster ingress. - It will be used to configure ingress in the hosted cluster through the subdomain baseDomainPrefix.baseDomain. - If baseDomainPrefix is omitted, the hostedCluster.name will be used as the subdomain. - Set baseDomainPrefix to an empty string "", if you don't want a prefix at all (not even hostedCluster.name) to be prepended to baseDomain. - This field is immutable. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: baseDomainPrefix must be a valid domain name (e.g., - example, example.com, sub.example.com) - rule: self == "" || self.matches('^(?:(?:[a-zA-Z0-9-]+\\.)+[a-zA-Z]{2,}|[a-zA-Z0-9-]+)$') - - message: baseDomainPrefix is immutable - rule: self == oldSelf - privateZoneID: - description: |- - privateZoneID is the Hosted Zone ID where all the DNS records that are only available internally to the cluster exist. - This field is optional and mainly leveraged in cloud environments where the DNS records for the .baseDomain are created by controllers in this zone. - Once set, this value is immutable. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: privateZoneID is immutable - rule: oldSelf == "" || self == oldSelf - publicZoneID: - description: |- - publicZoneID is the Hosted Zone ID where all the DNS records that are publicly accessible to the internet exist. - This field is optional and mainly leveraged in cloud environments where the DNS records for the .baseDomain are created by controllers in this zone. - Once set, this value is immutable. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: publicZoneID is immutable - rule: oldSelf == "" || self == oldSelf - required: - - baseDomain - type: object - etcd: - default: - managed: - storage: - persistentVolume: - size: 8Gi - type: PersistentVolume - managementType: Managed - description: |- - etcd specifies configuration for the control plane etcd cluster. The - default managementType is Managed. Once set, the managementType cannot be - changed. - properties: - managed: - description: managed specifies the behavior of an etcd cluster - managed by HyperShift. - properties: - storage: - description: storage specifies how etcd data is persisted. - properties: - persistentVolume: - description: |- - persistentVolume is the configuration for PersistentVolume etcd storage. - With this implementation, a PersistentVolume will be allocated for every - etcd member (either 1 or 3 depending on the HostedCluster control plane - availability configuration). - properties: - size: - anyOf: - - type: integer - - type: string - default: 8Gi - description: |- - size is the minimum size of the data volume for each etcd member. - Default is 8Gi. - This field is immutable - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - x-kubernetes-validations: - - message: Etcd PV storage size is immutable - rule: self == oldSelf - storageClassName: - description: |- - storageClassName is the StorageClass of the data volume for each etcd member. - See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1. - type: string - x-kubernetes-validations: - - message: storageClassName is immutable - rule: self == oldSelf - type: object - restoreSnapshotURL: - description: |- - restoreSnapshotURL allows an optional URL to be provided where - an etcd snapshot can be downloaded, for example a pre-signed URL - referencing a storage service. - This snapshot will be restored on initial startup, only when the etcd PV - is empty. - items: - type: string - type: array - x-kubernetes-validations: - - message: RestoreSnapshotURL shouldn't contain more than - 1 entry - rule: self.size() <= 1 - type: - description: |- - type is the kind of persistent storage implementation to use for etcd. - Only PersistentVolume is supported at the moment. - enum: - - PersistentVolume - type: string - required: - - type - type: object - required: - - storage - type: object - managementType: - description: |- - managementType defines how the etcd cluster is managed. - This can be either Managed or Unmanaged. - This field is immutable. - enum: - - Managed - - Unmanaged - type: string - x-kubernetes-validations: - - message: managementType is immutable - rule: self == oldSelf - unmanaged: - description: |- - unmanaged specifies configuration which enables the control plane to - integrate with an externally managed etcd cluster. - properties: - endpoint: - description: |- - endpoint is the full etcd cluster client endpoint URL. For example: - - https://etcd-client:2379 - - If the URL uses an HTTPS scheme, the TLS field is required. - pattern: ^https:// - type: string - tls: - description: tls specifies TLS configuration for HTTPS etcd - client endpoints. - properties: - clientSecret: - description: |- - ClientSecret refers to a secret for client mTLS authentication with the etcd cluster. It - may have the following key/value pairs: - - etcd-client-ca.crt: Certificate Authority value - etcd-client.crt: Client certificate value - etcd-client.key: Client certificate key value - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - clientSecret - type: object - required: - - endpoint - - tls - type: object - required: - - managementType - type: object - x-kubernetes-validations: - - message: Only managed configuration must be set when managementType - is Managed - rule: 'self.managementType == ''Managed'' ? has(self.managed) : - !has(self.managed)' - - message: Only unmanaged configuration must be set when managementType - is Unmanaged - rule: 'self.managementType == ''Unmanaged'' ? has(self.unmanaged) - : !has(self.unmanaged)' - fips: - description: |- - fips indicates whether this cluster's nodes will be running in FIPS mode. - If set to true, the control plane's ignition server will be configured to - expect that nodes joining the cluster will be FIPS-enabled. - type: boolean - x-kubernetes-validations: - - message: fips is immutable - rule: self == oldSelf - imageContentSources: - description: |- - imageContentSources specifies image mirrors that can be used by cluster - nodes to pull content. - When imageContentSources is set, the controllers will generate a machineConfig. - This MachineConfig will be part of every payload generated by the controllers for any NodePool of the HostedCluster. - Changing this value will trigger a rollout for all existing NodePools in the cluster. - items: - description: |- - ImageContentSource specifies image mirrors that can be used by cluster nodes - to pull content. For cluster workloads, if a container image registry host of - the pullspec matches Source then one of the Mirrors are substituted as hosts - in the pullspec and tried in order to fetch the image. - properties: - mirrors: - description: Mirrors are one or more repositories that may also - contain the same images. - items: - type: string - type: array - source: - description: |- - Source is the repository that users refer to, e.g. in image pull - specifications. - type: string - required: - - source - type: object - type: array - infraID: - description: |- - infraID is a globally unique identifier for the cluster. - It must consist of lowercase alphanumeric characters and hyphens ('-') only, and start and end with an alphanumeric character. - It must be no more than 253 characters in length. - This identifier will be used to associate various cloud resources with the HostedCluster and its associated NodePools. - infraID is used to compute and tag created resources with "kubernetes.io/cluster/"+hcluster.Spec.InfraID which has contractual meaning for the cloud provider implementations. - If a value is not specified, a random infraID will be generated and set by the controller. - Once set, this value is immutable. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: infraID must consist of lowercase alphanumeric characters - or '-', start and end with an alphanumeric character, and be between - 1 and 253 characters - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') - - message: infraID is immutable - rule: oldSelf == "" || self == oldSelf - infrastructureAvailabilityPolicy: - default: SingleReplica - description: |- - infrastructureAvailabilityPolicy specifies the availability policy applied to infrastructure services which run on the hosted cluster data plane like the ingress controller and image registry controller. - Possible values are HighlyAvailable and SingleReplica. The default value is SingleReplica. - enum: - - HighlyAvailable - - SingleReplica - type: string - issuerURL: - default: https://kubernetes.default.svc - description: |- - issuerURL is an OIDC issuer URL which will be used as the issuer in all - ServiceAccount tokens generated by the control plane API server via --service-account-issuer kube api server flag. - https://k8s-docs.netlify.app/en/docs/reference/command-line-tools-reference/kube-apiserver/ - https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection - The default value is kubernetes.default.svc, which only works for in-cluster - validation. - If the platform is AWS and this value is set, the controller will update an s3 object with the appropriate OIDC documents (using the serviceAccountSigningKey info) into that issuerURL. - The expectation is for this s3 url to be backed by an OIDC provider in the AWS IAM. - type: string - x-kubernetes-validations: - - message: issuerURL is immutable - rule: self == oldSelf - - message: issuerURL must be a valid absolute URL - rule: isURL(self) - labels: - additionalProperties: - type: string - description: |- - labels when specified, define what custom labels are added to the hcp pods. - Changing this day 2 will cause a rollout of all hcp pods. - Duplicate keys are not supported. If duplicate keys are defined, only the last key/value pair is preserved. - Valid values are those in https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set - - -kubebuilder:validation:XValidation:rule=`self.all(key, size(key) <= 317 && key.matches('^(([A-Za-z0-9]+(\\.[A-Za-z0-9]+)?)*[A-Za-z0-9]\\/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$'))`, message="label key must have two segments: an optional prefix and name, separated by a slash (/). The name segment is required and must be 63 characters or less, beginning and ending with an alphanumeric character ([a-z0-9A-Z]) with dashes (-), underscores (_), dots (.), and alphanumerics between. The prefix is optional. If specified, the prefix must be a DNS subdomain: a series of DNS labels separated by dots (.), not longer than 253 characters in total, followed by a slash (/)" - -kubebuilder:validation:XValidation:rule=`self.all(key, size(self[key]) <= 63 && self[key].matches('^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$'))`, message="label value must be 63 characters or less (can be empty), consist of alphanumeric characters, dashes (-), underscores (_) or dots (.), and begin and end with an alphanumeric character" - maxProperties: 20 - type: object - networking: - default: - clusterNetwork: - - cidr: 10.132.0.0/14 - networkType: OVNKubernetes - serviceNetwork: - - cidr: 172.31.0.0/16 - description: |- - networking specifies network configuration for the hosted cluster. - Defaults to OVNKubernetes with a cluster network of cidr: "10.132.0.0/14" and a service network of cidr: "172.31.0.0/16". - properties: - apiServer: - description: |- - apiServer contains advanced network settings for the API server that affect - how the APIServer is exposed inside a hosted cluster node. - properties: - advertiseAddress: - description: |- - advertiseAddress is the address that pods within the nodes will use to talk to the API - server. This is an address associated with the loopback adapter of each - node. If not specified, the controller will take default values. - The default values will be set as 172.20.0.1 or fd00::1. - This value is immutable. - type: string - x-kubernetes-validations: - - message: advertiseAddress is immutable - rule: self == oldSelf - allowedCIDRBlocks: - description: |- - allowedCIDRBlocks is an allow list of CIDR blocks that can access the APIServer - If not specified, traffic is allowed from all addresses. - This depends on underlying support by the cloud provider for Service LoadBalancerSourceRanges - items: - pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$ - type: string - type: array - port: - description: |- - port is the port at which the APIServer is exposed inside a node. Other - pods using host networking cannot listen on this port. - If omitted 6443 is used. - This is useful to choose a port other than the default one which might interfere with customer environments e.g. https://github.com/openshift/hypershift/pull/356. - Setting this to 443 is possible only for backward compatibility reasons and it's discouraged. - Doing so, it would result in the controller overriding the KAS endpoint in the guest cluster having a discrepancy with the KAS Pod and potentially causing temporarily network failures. - This value is immutable. - format: int32 - type: integer - x-kubernetes-validations: - - message: port is immutable - rule: self == oldSelf - type: object - clusterNetwork: - default: - - cidr: 10.132.0.0/14 - description: |- - clusterNetwork is the list of IP address pools for pods. - Defaults to cidr: "10.132.0.0/14". - Currently only one entry is supported. - This field is immutable. - items: - description: |- - ClusterNetworkEntry is a single IP address block for pod IP blocks. IP blocks - are allocated with size 2^HostSubnetLength. - properties: - cidr: - description: cidr is the IP block address pool. - maxLength: 43 - type: string - x-kubernetes-validations: - - message: cidr must be a valid IPv4 or IPv6 CIDR notation - (e.g., 192.168.1.0/24 or 2001:db8::/64) - rule: self.matches('^((\\d{1,3}\\.){3}\\d{1,3}/\\d{1,2})$') - || self.matches('^([0-9a-fA-F]{0,4}:){2,7}([0-9a-fA-F]{0,4})?/[0-9]{1,3}$') - hostPrefix: - description: |- - hostPrefix is the prefix size to allocate to each node from the CIDR. - For example, 24 would allocate 2^(32-24)=2^8=256 addresses to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - type: integer - required: - - cidr - type: object - maxItems: 2 - minItems: 1 - type: array - x-kubernetes-validations: - - message: clusterNetwork is immutable and cannot be modified - once set. - rule: self == oldSelf - machineNetwork: - description: |- - machineNetwork is the list of IP address pools for machines. - This might be used among other things to generate appropriate networking security groups in some clouds providers. - Currently only one entry or two for dual stack is supported. - This field is immutable. - items: - description: MachineNetworkEntry is a single IP address block - for node IP blocks. - properties: - cidr: - description: CIDR is the IP block address pool for machines - within the cluster. - maxLength: 43 - type: string - x-kubernetes-validations: - - message: cidr must be a valid IPv4 or IPv6 CIDR notation - (e.g., 192.168.1.0/24 or 2001:db8::/64) - rule: self.matches('^((\\d{1,3}\\.){3}\\d{1,3}/\\d{1,2})$') - || self.matches('^([0-9a-fA-F]{0,4}:){2,7}([0-9a-fA-F]{0,4})?/[0-9]{1,3}$') - required: - - cidr - type: object - maxItems: 2 - minItems: 1 - type: array - x-kubernetes-validations: - - message: machineNetwork is immutable and cannot be modified - once set. - rule: self == oldSelf - networkType: - default: OVNKubernetes - description: |- - networkType specifies the SDN provider used for cluster networking. - Defaults to OVNKubernetes. - This field is required and immutable. - kubebuilder:validation:XValidation:rule="self == oldSelf", message="networkType is immutable" - enum: - - OpenShiftSDN - - Calico - - OVNKubernetes - - Other - type: string - serviceNetwork: - default: - - cidr: 172.31.0.0/16 - description: |- - serviceNetwork is the list of IP address pools for services. - Defaults to cidr: "172.31.0.0/16". - Currently only one entry is supported. - This field is immutable. - items: - description: ServiceNetworkEntry is a single IP address block - for the service network. - properties: - cidr: - description: cidr is the IP block address pool for services - within the cluster in CIDR format (e.g., 192.168.1.0/24 - or 2001:0db8::/64) - maxLength: 43 - type: string - x-kubernetes-validations: - - message: cidr must be a valid IPv4 or IPv6 CIDR notation - (e.g., 192.168.1.0/24 or 2001:db8::/64) - rule: self.matches('^((\\d{1,3}\\.){3}\\d{1,3}/\\d{1,2})$') - || self.matches('^([0-9a-fA-F]{0,4}:){2,7}([0-9a-fA-F]{0,4})?/[0-9]{1,3}$') - required: - - cidr - type: object - maxItems: 2 - minItems: 1 - type: array - x-kubernetes-validations: - - message: serviceNetwork is immutable and cannot be modified - once set. - rule: self == oldSelf - type: object - nodeSelector: - additionalProperties: - type: string - description: |- - NodeSelector when specified, is propagated to all control plane Deployments and Stateful sets running management side. - It must be satisfied by the management Nodes for the pods to be scheduled. Otherwise the HostedCluster will enter a degraded state. - Changes to this field will propagate to existing Deployments and StatefulSets. - type: object - x-kubernetes-validations: - - message: nodeSelector map can have at most 20 entries - rule: size(self) <= 20 - olmCatalogPlacement: - default: management - description: |- - OLMCatalogPlacement specifies the placement of OLM catalog components. By default, - this is set to management and OLM catalog components are deployed onto the management - cluster. If set to guest, the OLM catalog components will be deployed onto the guest - cluster. - enum: - - management - - guest - type: string - x-kubernetes-validations: - - message: OLMCatalogPlacement is immutable - rule: self == oldSelf - pausedUntil: - description: |- - pausedUntil is a field that can be used to pause reconciliation on the HostedCluster controller, resulting in any change to the HostedCluster being ignored. - Either a date can be provided in RFC3339 format or a boolean as in 'true', 'false', 'True', 'False'. If a date is - provided: reconciliation is paused on the resource until that date. If the boolean true is - provided: reconciliation is paused on the resource until the field is removed. - maxLength: 35 - minLength: 4 - type: string - x-kubernetes-validations: - - message: PausedUntil must be a date in RFC3339 format or 'True', - 'true', 'False' or 'false' - rule: self.matches('^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}.*$') - || self in ['true', 'false', 'True', 'False'] - platform: - description: |- - platform specifies the underlying infrastructure provider for the cluster - and is used to configure platform specific behavior. - properties: - agent: - description: Agent specifies configuration for agent-based installations. - properties: - agentNamespace: - description: AgentNamespace is the namespace where to search - for Agents for this cluster - type: string - required: - - agentNamespace - type: object - aws: - description: AWS specifies configuration for clusters running - on Amazon Web Services. - properties: - additionalAllowedPrincipals: - description: |- - AdditionalAllowedPrincipals specifies a list of additional allowed principal ARNs - to be added to the hosted control plane's VPC Endpoint Service to enable additional - VPC Endpoint connection requests to be automatically accepted. - See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html - for more details around VPC Endpoint Service allowed principals. - items: - type: string - type: array - cloudProviderConfig: - description: |- - CloudProviderConfig specifies AWS networking configuration for the control - plane. - This is mainly used for cloud provider controller config: - https://github.com/kubernetes/kubernetes/blob/f5be5052e3d0808abb904aebd3218fe4a5c2dd82/staging/src/k8s.io/legacy-cloud-providers/aws/aws.go#L1347-L1364 - properties: - subnet: - description: Subnet is the subnet to use for control plane - cloud resources. - properties: - filters: - description: |- - Filters is a set of key/value pairs used to identify a resource - They are applied according to the rules defined by the AWS API: - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html - items: - description: Filter is a filter used to identify - an AWS resource - properties: - name: - description: Name of the filter. Filter names - are case-sensitive. - type: string - values: - description: Values includes one or more filter - values. Filter values are case-sensitive. - items: - type: string - type: array - required: - - name - - values - type: object - type: array - id: - description: ID of resource - type: string - type: object - vpc: - description: VPC is the VPC to use for control plane cloud - resources. - type: string - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. - type: string - required: - - vpc - type: object - endpointAccess: - default: Public - description: |- - EndpointAccess specifies the publishing scope of cluster endpoints. The - default is Public. - enum: - - Public - - PublicAndPrivate - - Private - type: string - multiArch: - default: false - description: |- - MultiArch specifies whether the Hosted Cluster will be expected to support NodePools with different - CPU architectures, i.e., supporting arm64 NodePools and supporting amd64 NodePools on the same Hosted Cluster. - Deprecated: This field is no longer used. The HyperShift Operator now performs multi-arch validations - automatically despite the platform type. The HyperShift Operator will set HostedCluster.Status.PayloadArch based - on the HostedCluster release image. This field is used by the NodePool controller to validate the - NodePool.Spec.Arch is supported. - type: boolean - region: - description: |- - Region is the AWS region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot AMI for a given release. - type: string - resourceTags: - description: |- - ResourceTags is a list of additional tags to apply to AWS resources created - for the cluster. See - https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for - information on tagging AWS resources. AWS supports a maximum of 50 tags per - resource. OpenShift reserves 25 tags for its use, leaving 25 tags available - for the user. - items: - description: AWSResourceTag is a tag to apply to AWS resources - created for the cluster. - properties: - key: - description: Key is the key of the tag. - maxLength: 128 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - value: - description: |- - Value is the value of the tag. - - Some AWS service do not support empty values. Since tags are added to - resources in many services, the length of the tag value must meet the - requirements of all services. - maxLength: 256 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - required: - - key - - value - type: object - maxItems: 25 - type: array - rolesRef: - description: |- - RolesRef contains references to various AWS IAM roles required to enable - integrations such as OIDC. - properties: - controlPlaneOperatorARN: - description: "ControlPlaneOperatorARN is an ARN value - referencing a role appropriate for the Control Plane - Operator.\n\nThe following is an example of a valid - policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"arn:aws:route53:::%s\"\n\t\t}\n\t]\n}" - type: string - imageRegistryARN: - description: "ImageRegistryARN is an ARN value referencing - a role appropriate for the Image Registry Operator.\n\nThe - following is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"s3:CreateBucket\",\n\t\t\t\t\"s3:DeleteBucket\",\n\t\t\t\t\"s3:PutBucketTagging\",\n\t\t\t\t\"s3:GetBucketTagging\",\n\t\t\t\t\"s3:PutBucketPublicAccessBlock\",\n\t\t\t\t\"s3:GetBucketPublicAccessBlock\",\n\t\t\t\t\"s3:PutEncryptionConfiguration\",\n\t\t\t\t\"s3:GetEncryptionConfiguration\",\n\t\t\t\t\"s3:PutLifecycleConfiguration\",\n\t\t\t\t\"s3:GetLifecycleConfiguration\",\n\t\t\t\t\"s3:GetBucketLocation\",\n\t\t\t\t\"s3:ListBucket\",\n\t\t\t\t\"s3:GetObject\",\n\t\t\t\t\"s3:PutObject\",\n\t\t\t\t\"s3:DeleteObject\",\n\t\t\t\t\"s3:ListBucketMultipartUploads\",\n\t\t\t\t\"s3:AbortMultipartUpload\",\n\t\t\t\t\"s3:ListMultipartUploadParts\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - ingressARN: - description: "The referenced role must have a trust relationship - that allows it to be assumed via web identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ .ProviderName - }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nIngressARN - is an ARN value referencing a role appropriate for the - Ingress Operator.\n\nThe following is an example of - a valid policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"elasticloadbalancing:DescribeLoadBalancers\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"route53:ListHostedZones\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - [\n\t\t\t\t\"arn:aws:route53:::PUBLIC_ZONE_ID\",\n\t\t\t\t\"arn:aws:route53:::PRIVATE_ZONE_ID\"\n\t\t\t]\n\t\t}\n\t]\n}" - type: string - kubeCloudControllerARN: - description: |- - KubeCloudControllerARN is an ARN value referencing a role appropriate for the KCM/KCC. - Source: https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies - - The following is an example of a valid policy document: - - { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInstances", - "ec2:DescribeImages", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes", - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:CreateVolume", - "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume", - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress", - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", - "elasticloadbalancing:DescribeListeners", - "elasticloadbalancing:DescribeLoadBalancerPolicies", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:DescribeTargetHealth", - "elasticloadbalancing:ModifyListener", - "elasticloadbalancing:ModifyTargetGroup", - "elasticloadbalancing:RegisterTargets", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", - "iam:CreateServiceLinkedRole", - "kms:DescribeKey" - ], - "Resource": [ - "*" - ], - "Effect": "Allow" - } - ] - } - type: string - networkARN: - description: "NetworkARN is an ARN value referencing a - role appropriate for the Network Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:DescribeInstances\",\n - \ \"ec2:DescribeInstanceStatus\",\n \"ec2:DescribeInstanceTypes\",\n - \ \"ec2:UnassignPrivateIpAddresses\",\n \"ec2:AssignPrivateIpAddresses\",\n - \ \"ec2:UnassignIpv6Addresses\",\n \"ec2:AssignIpv6Addresses\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeNetworkInterfaces\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - nodePoolManagementARN: - description: "NodePoolManagementARN is an ARN value referencing - a role appropriate for the CAPI Controller.\n\nThe following - is an example of a valid policy document:\n\n{\n \"Version\": - \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": - [\n \"ec2:AssociateRouteTable\",\n \"ec2:AttachInternetGateway\",\n - \ \"ec2:AuthorizeSecurityGroupIngress\",\n \"ec2:CreateInternetGateway\",\n - \ \"ec2:CreateNatGateway\",\n \"ec2:CreateRoute\",\n - \ \"ec2:CreateRouteTable\",\n \"ec2:CreateSecurityGroup\",\n - \ \"ec2:CreateSubnet\",\n \"ec2:CreateTags\",\n - \ \"ec2:DeleteInternetGateway\",\n \"ec2:DeleteNatGateway\",\n - \ \"ec2:DeleteRouteTable\",\n \"ec2:DeleteSecurityGroup\",\n - \ \"ec2:DeleteSubnet\",\n \"ec2:DeleteTags\",\n - \ \"ec2:DescribeAccountAttributes\",\n \"ec2:DescribeAddresses\",\n - \ \"ec2:DescribeAvailabilityZones\",\n \"ec2:DescribeImages\",\n - \ \"ec2:DescribeInstances\",\n \"ec2:DescribeInternetGateways\",\n - \ \"ec2:DescribeNatGateways\",\n \"ec2:DescribeNetworkInterfaces\",\n - \ \"ec2:DescribeNetworkInterfaceAttribute\",\n - \ \"ec2:DescribeRouteTables\",\n \"ec2:DescribeSecurityGroups\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeVpcs\",\n - \ \"ec2:DescribeVpcAttribute\",\n \"ec2:DescribeVolumes\",\n - \ \"ec2:DetachInternetGateway\",\n \"ec2:DisassociateRouteTable\",\n - \ \"ec2:DisassociateAddress\",\n \"ec2:ModifyInstanceAttribute\",\n - \ \"ec2:ModifyNetworkInterfaceAttribute\",\n \"ec2:ModifySubnetAttribute\",\n - \ \"ec2:RevokeSecurityGroupIngress\",\n \"ec2:RunInstances\",\n - \ \"ec2:TerminateInstances\",\n \"tag:GetResources\",\n - \ \"ec2:CreateLaunchTemplate\",\n \"ec2:CreateLaunchTemplateVersion\",\n - \ \"ec2:DescribeLaunchTemplates\",\n \"ec2:DescribeLaunchTemplateVersions\",\n - \ \"ec2:DeleteLaunchTemplate\",\n \"ec2:DeleteLaunchTemplateVersions\"\n - \ ],\n \"Resource\": [\n \"*\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n {\n \"Condition\": - {\n \"StringLike\": {\n \"iam:AWSServiceName\": - \"elasticloadbalancing.amazonaws.com\"\n }\n },\n - \ \"Action\": [\n \"iam:CreateServiceLinkedRole\"\n - \ ],\n \"Resource\": [\n \"arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing\"\n - \ ],\n \"Effect\": \"Allow\"\n },\n {\n \"Action\": - [\n \"iam:PassRole\"\n ],\n \"Resource\": - [\n \"arn:*:iam::*:role/*-worker-role\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n\t {\n\t \t\"Effect\": - \"Allow\",\n\t \t\"Action\": [\n\t \t\t\"kms:Decrypt\",\n\t - \ \t\t\"kms:ReEncrypt\",\n\t \t\t\"kms:GenerateDataKeyWithoutPlainText\",\n\t - \ \t\t\"kms:DescribeKey\"\n\t \t],\n\t \t\"Resource\": - \"*\"\n\t },\n\t {\n\t \t\"Effect\": \"Allow\",\n\t - \ \t\"Action\": [\n\t \t\t\"kms:CreateGrant\"\n\t \t],\n\t - \ \t\"Resource\": \"*\",\n\t \t\"Condition\": {\n\t - \ \t\t\"Bool\": {\n\t \t\t\t\"kms:GrantIsForAWSResource\": - true\n\t \t\t}\n\t \t}\n\t }\n ]\n}" - type: string - storageARN: - description: "StorageARN is an ARN value referencing a - role appropriate for the Storage Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:AttachVolume\",\n\t\t\t\t\"ec2:CreateSnapshot\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"ec2:CreateVolume\",\n\t\t\t\t\"ec2:DeleteSnapshot\",\n\t\t\t\t\"ec2:DeleteTags\",\n\t\t\t\t\"ec2:DeleteVolume\",\n\t\t\t\t\"ec2:DescribeInstances\",\n\t\t\t\t\"ec2:DescribeSnapshots\",\n\t\t\t\t\"ec2:DescribeTags\",\n\t\t\t\t\"ec2:DescribeVolumes\",\n\t\t\t\t\"ec2:DescribeVolumesModifications\",\n\t\t\t\t\"ec2:DetachVolume\",\n\t\t\t\t\"ec2:ModifyVolume\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - required: - - controlPlaneOperatorARN - - imageRegistryARN - - ingressARN - - kubeCloudControllerARN - - networkARN - - nodePoolManagementARN - - storageARN - type: object - serviceEndpoints: - description: |- - ServiceEndpoints specifies optional custom endpoints which will override - the default service endpoint of specific AWS Services. - - There must be only one ServiceEndpoint for a given service name. - items: - description: |- - AWSServiceEndpoint stores the configuration for services to - override existing defaults of AWS Services. - properties: - name: - description: |- - Name is the name of the AWS service. - This must be provided and cannot be empty. - type: string - url: - description: |- - URL is fully qualified URI with scheme https, that overrides the default generated - endpoint for a client. - This must be provided and cannot be empty. - pattern: ^https:// - type: string - required: - - name - - url - type: object - type: array - sharedVPC: - description: |- - SharedVPC contains fields that must be specified if the HostedCluster must use a VPC that is - created in a different AWS account and is shared with the AWS account where the HostedCluster - will be created. - properties: - localZoneID: - description: |- - LocalZoneID is the ID of the route53 hosted zone for [cluster-name].hypershift.local that is - associated with the HostedCluster's VPC and exists in the VPC owner account. - maxLength: 32 - type: string - rolesRef: - description: |- - RolesRef contains references to roles in the VPC owner account that enable a - HostedCluster on a shared VPC. - properties: - controlPlaneARN: - description: "ControlPlaneARN is an ARN value referencing - the role in the VPC owner account that allows\nthe - control plane operator in the cluster account to - create and manage a VPC endpoint, its\ncorresponding - Security Group, and DNS records in the hypershift - local hosted zone.\n\nThe referenced role must have - a trust relationship that allows it to be assumed - by the\ncontrol plane operator role in the VPC creator - account.\nExample:\n{\n\t \"Version\": \"2012-10-17\",\n\t - \"Statement\": [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t - \t\t\"Effect\": \"Allow\",\n\t \t\t\"Principal\": - {\n\t \t\t\t\"AWS\": \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-control-plane-operator\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - ingressARN: - description: "IngressARN is an ARN value referencing - the role in the VPC owner account that allows the\ningress - operator in the cluster account to create and manage - records in the private DNS\nhosted zone.\n\nThe - referenced role must have a trust relationship that - allows it to be assumed by the\ningress operator - role in the VPC creator account.\nExample:\n{\n\t - \"Version\": \"2012-10-17\",\n\t \"Statement\": - [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t \t\t\"Effect\": - \"Allow\",\n\t \t\t\"Principal\": {\n\t \t\t\t\"AWS\": - \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-openshift-ingress\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n(Based on https://docs.openshift.com/rosa/rosa_install_access_delete_clusters/rosa-shared-vpc-config.html#rosa-sharing-vpc-dns-and-roles_rosa-shared-vpc-config)\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"route53:ListHostedZonesByName\",\n\t\t\t\t\"route53:ChangeTagsForResource\",\n\t\t\t\t\"route53:GetAccountLimit\",\n\t\t\t\t\"route53:GetChange\",\n\t\t\t\t\"route53:GetHostedZone\",\n\t\t\t\t\"route53:ListTagsForResource\",\n\t\t\t\t\"route53:UpdateHostedZoneComment\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"tag:UntagResources\"\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - required: - - controlPlaneARN - - ingressARN - type: object - required: - - localZoneID - - rolesRef - type: object - required: - - region - - rolesRef - type: object - azure: - description: Azure defines azure specific settings - properties: - cloud: - default: AzurePublicCloud - description: 'Cloud is the cloud environment identifier, valid - values could be found here: https://github.com/Azure/go-autorest/blob/4c0e21ca2bbb3251fe7853e6f9df6397f53dd419/autorest/azure/environments.go#L33' - enum: - - AzurePublicCloud - - AzureUSGovernmentCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureStackCloud - type: string - location: - description: |- - Location is the Azure region in where all the cloud infrastructure resources will be created. - - Example: eastus - type: string - x-kubernetes-validations: - - message: Location is immutable - rule: self == oldSelf - resourceGroup: - default: default - description: |- - ResourceGroupName is the name of an existing resource group where all cloud resources created by the Hosted - Cluster are to be placed. The resource group is expected to exist under the same subscription as SubscriptionID. - - In ARO HCP, this will be the managed resource group where customer cloud resources will be created. - - Resource group naming requirements can be found here: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ResourceGroup.Name/. - - Example: if your resource group ID is /subscriptions//resourceGroups/, your - ResourceGroupName is . - pattern: ^[a-zA-Z0-9_()\-\.]{1,89}[a-zA-Z0-9_()\-]$ - type: string - x-kubernetes-validations: - - message: ResourceGroupName is immutable - rule: self == oldSelf - securityGroupID: - description: |- - SecurityGroupID is the ID of an existing security group on the SubnetID. This field is provided as part of the - configuration for the Azure cloud provider, aka Azure cloud controller manager (CCM). This security group is - expected to exist under the same subscription as SubscriptionID. - type: string - x-kubernetes-validations: - - message: SecurityGroupID is immutable - rule: self == oldSelf - subnetID: - description: |- - subnetID is the subnet ID of an existing subnet where the nodes in the nodepool will be created. This can be a - different subnet than the one listed in the HostedCluster, HostedCluster.Spec.Platform.Azure.SubnetID, but must - exist in the same network, HostedCluster.Spec.Platform.Azure.VnetID, and must exist under the same subscription ID, - HostedCluster.Spec.Platform.Azure.SubscriptionID. - subnetID is immutable once set. - The subnetID should be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}`. - The subscriptionId in the encryptionSetID must be a valid UUID. It should be 5 groups of hyphen separated hexadecimal characters in the form 8-4-4-4-12. - The resourceGroupName should be between 1 and 90 characters, consisting only of alphanumeric characters, hyphens, underscores, periods and parenthesis and must not end with a period (.) character. - The vnetName should be between 2 and 64 characters, consisting only of alphanumeric characters, hyphens, underscores and periods and must not end with either a period (.) or hyphen (-) character. - The subnetName should be between 1 and 80 characters, consisting only of alphanumeric characters, hyphens and underscores and must start with an alphanumeric character and must not end with a period (.) or hyphen (-) character. - maxLength: 355 - minLength: 1 - type: string - x-kubernetes-validations: - - message: encryptionSetID must be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}` - rule: size(self.split('/')) == 11 && self.matches('^/subscriptions/.*/resourceGroups/.*/providers/Microsoft.Network/virtualNetworks/.*/subnets/.*$') - - message: The resourceGroupName should be between 1 and 90 - characters, consisting only of alphanumeric characters, - hyphens, underscores, periods and parenthesis - rule: self.split('/')[4].matches('[a-zA-Z0-9-_\\(\\)\\.]{1,90}') - - message: the resourceGroupName in the subnetID must not - end with a period (.) character - rule: '!self.split(''/'')[4].endsWith(''.'')' - - message: The vnetName should be between 2 and 64 characters, - consisting only of alphanumeric characters, hyphens, underscores - and periods - rule: self.split('/')[8].matches('[a-zA-Z0-9-_\\.]{2,64}') - - message: the vnetName in the subnetID must not end with - either a period (.) or hyphen (-) character - rule: '!self.split(''/'')[8].endsWith(''.'') && !self.split(''/'')[8].endsWith(''-'')' - - message: The subnetName should be between 1 and 80 characters, - consisting only of alphanumeric characters, hyphens and - underscores and must start with an alphanumeric character - rule: self.split('/')[10].matches('[a-zA-Z0-9][a-zA-Z0-9-_\\.]{0,79}') - - message: the subnetName in the subnetID must not end with - a period (.) or hyphen (-) character - rule: '!self.split(''/'')[10].endsWith(''.'') && !self.split(''/'')[10].endsWith(''-'')' - - message: SubnetID is immutable - rule: self == oldSelf - subscriptionID: - description: SubscriptionID is a unique identifier for an - Azure subscription used to manage resources. - type: string - x-kubernetes-validations: - - message: SubscriptionID is immutable - rule: self == oldSelf - tenantID: - description: tenantID is a unique identifier for the tenant - where Azure resources will be created and managed in. - type: string - vnetID: - description: |- - VnetID is the ID of an existing VNET to use in creating VMs. The VNET can exist in a different resource group - other than the one specified in ResourceGroupName, but it must exist under the same subscription as - SubscriptionID. - - In ARO HCP, this will be the ID of the customer provided VNET. - - Example: /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks/ - type: string - x-kubernetes-validations: - - message: VnetID is immutable - rule: self == oldSelf - required: - - location - - resourceGroup - - securityGroupID - - subnetID - - subscriptionID - - tenantID - - vnetID - type: object - ibmcloud: - description: IBMCloud defines IBMCloud specific settings for components - properties: - providerType: - description: ProviderType is a specific supported infrastructure - provider within IBM Cloud. - type: string - type: object - kubevirt: - description: KubeVirt defines KubeVirt specific settings for cluster - components. - properties: - baseDomainPassthrough: - description: |- - BaseDomainPassthrough toggles whether or not an automatically - generated base domain for the guest cluster should be used that - is a subdomain of the management cluster's *.apps DNS. - - For the KubeVirt platform, the basedomain can be autogenerated using - the *.apps domain of the management/infra hosting cluster - This makes the guest cluster's base domain a subdomain of the - hypershift infra/mgmt cluster's base domain. - - Example: - Infra/Mgmt cluster's DNS - Base: example.com - Cluster: mgmt-cluster.example.com - Apps: *.apps.mgmt-cluster.example.com - KubeVirt Guest cluster's DNS - Base: apps.mgmt-cluster.example.com - Cluster: guest.apps.mgmt-cluster.example.com - Apps: *.apps.guest.apps.mgmt-cluster.example.com - - This is possible using OCP wildcard routes - type: boolean - x-kubernetes-validations: - - message: baseDomainPassthrough is immutable - rule: self == oldSelf - credentials: - description: |- - Credentials defines the client credentials used when creating KubeVirt virtual machines. - Defining credentials is only necessary when the KubeVirt virtual machines are being placed - on a cluster separate from the one hosting the Hosted Control Plane components. - - The default behavior when Credentials is not defined is for the KubeVirt VMs to be placed on - the same cluster and namespace as the Hosted Control Plane. - properties: - infraKubeConfigSecret: - description: |- - InfraKubeConfigSecret is a reference to a secret that contains the kubeconfig for the external infra cluster - that will be used to host the KubeVirt virtual machines for this cluster. - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - x-kubernetes-validations: - - message: infraKubeConfigSecret is immutable - rule: self == oldSelf - infraNamespace: - description: |- - InfraNamespace defines the namespace on the external infra cluster that is used to host the KubeVirt - virtual machines. This namespace must already exist before creating the HostedCluster and the kubeconfig - referenced in the InfraKubeConfigSecret must have access to manage the required resources within this - namespace. - type: string - x-kubernetes-validations: - - message: infraNamespace is immutable - rule: self == oldSelf - required: - - infraKubeConfigSecret - - infraNamespace - type: object - generateID: - description: |- - GenerateID is used to uniquely apply a name suffix to resources associated with - kubevirt infrastructure resources - maxLength: 11 - type: string - x-kubernetes-validations: - - message: Kubevirt GenerateID is immutable once set - rule: self == oldSelf - storageDriver: - description: |- - StorageDriver defines how the KubeVirt CSI driver exposes StorageClasses on - the infra cluster (hosting the VMs) to the guest cluster. - properties: - manual: - description: |- - Manual is used to explicitly define how the infra storageclasses are - mapped to guest storageclasses - properties: - storageClassMapping: - description: |- - StorageClassMapping maps StorageClasses on the infra cluster hosting - the KubeVirt VMs to StorageClasses that are made available within the - Guest Cluster. - - NOTE: It is possible that not all capabilities of an infra cluster's - storageclass will be present for the corresponding guest clusters storageclass. - items: - properties: - group: - description: Group contains which group this - mapping belongs to. - type: string - guestStorageClassName: - description: |- - GuestStorageClassName is the name that the corresponding storageclass will - be called within the guest cluster - type: string - infraStorageClassName: - description: |- - InfraStorageClassName is the name of the infra cluster storage class that - will be exposed to the guest. - type: string - required: - - guestStorageClassName - - infraStorageClassName - type: object - type: array - x-kubernetes-validations: - - message: storageClassMapping is immutable - rule: self == oldSelf - volumeSnapshotClassMapping: - items: - properties: - group: - description: Group contains which group this - mapping belongs to. - type: string - guestVolumeSnapshotClassName: - description: |- - GuestVolumeSnapshotClassName is the name that the corresponding volumeSnapshotClass will - be called within the guest cluster - type: string - infraVolumeSnapshotClassName: - description: |- - InfraStorageClassName is the name of the infra cluster volume snapshot class that - will be exposed to the guest. - type: string - required: - - guestVolumeSnapshotClassName - - infraVolumeSnapshotClassName - type: object - type: array - x-kubernetes-validations: - - message: volumeSnapshotClassMapping is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver.Manual is immutable - rule: self == oldSelf - type: - default: Default - description: Type represents the type of kubevirt csi - driver configuration to use - enum: - - None - - Default - - Manual - type: string - x-kubernetes-validations: - - message: storageDriver.Type is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: Kubevirt GenerateID is required once set - rule: '!has(oldSelf.generateID) || has(self.generateID)' - powervs: - description: |- - PowerVS specifies configuration for clusters running on IBMCloud Power VS Service. - This field is immutable. Once set, It can't be changed. - properties: - accountID: - description: |- - AccountID is the IBMCloud account id. - This field is immutable. Once set, It can't be changed. - type: string - cisInstanceCRN: - description: |- - CISInstanceCRN is the IBMCloud CIS Service Instance's Cloud Resource Name - This field is immutable. Once set, It can't be changed. - pattern: '^crn:' - type: string - imageRegistryOperatorCloudCreds: - description: |- - ImageRegistryOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for image registry operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - ingressOperatorCloudCreds: - description: |- - IngressOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for ingress operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - kubeCloudControllerCreds: - description: | - KubeCloudControllerCreds is a reference to a secret containing cloud - credentials with permissions matching the cloud controller policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - nodePoolManagementCreds: - description: | - NodePoolManagementCreds is a reference to a secret containing cloud - credentials with permissions matching the node pool management policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - region: - description: |- - Region is the IBMCloud region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot image for a given release. - This field is immutable. Once set, It can't be changed. - type: string - resourceGroup: - description: |- - ResourceGroup is the IBMCloud Resource Group in which the cluster resides. - This field is immutable. Once set, It can't be changed. - type: string - serviceInstanceID: - description: |- - ServiceInstance is the reference to the Power VS service on which the server instance(VM) will be created. - Power VS service is a container for all Power VS instances at a specific geographic region. - serviceInstance can be created via IBM Cloud catalog or CLI. - ServiceInstanceID is the unique identifier that can be obtained from IBM Cloud UI or IBM Cloud cli. - - More detail about Power VS service instance. - https://cloud.ibm.com/docs/power-iaas?topic=power-iaas-creating-power-virtual-server - - This field is immutable. Once set, It can't be changed. - type: string - storageOperatorCloudCreds: - description: |- - StorageOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for storage operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - subnet: - description: |- - Subnet is the subnet to use for control plane cloud resources. - This field is immutable. Once set, It can't be changed. - properties: - id: - description: ID of resource - type: string - name: - description: Name of resource - type: string - type: object - vpc: - description: |- - VPC specifies IBM Cloud PowerVS Load Balancing configuration for the control - plane. - This field is immutable. Once set, It can't be changed. - properties: - name: - description: |- - Name for VPC to used for all the service load balancer. - This field is immutable. Once set, It can't be changed. - type: string - region: - description: |- - Region is the IBMCloud region in which VPC gets created, this VPC used for all the ingress traffic - into the OCP cluster. - This field is immutable. Once set, It can't be changed. - type: string - subnet: - description: |- - Subnet is the subnet to use for load balancer. - This field is immutable. Once set, It can't be changed. - type: string - zone: - description: |- - Zone is the availability zone where load balancer cloud resources are - created. - This field is immutable. Once set, It can't be changed. - type: string - required: - - name - - region - type: object - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. - This field is immutable. Once set, It can't be changed. - type: string - required: - - accountID - - cisInstanceCRN - - imageRegistryOperatorCloudCreds - - ingressOperatorCloudCreds - - kubeCloudControllerCreds - - nodePoolManagementCreds - - region - - resourceGroup - - serviceInstanceID - - storageOperatorCloudCreds - - subnet - - vpc - - zone - type: object - type: - description: Type is the type of infrastructure provider for the - cluster. - type: string - x-kubernetes-validations: - - message: Type is immutable - rule: self == oldSelf - required: - - type - type: object - pullSecret: - description: |- - pullSecret is a local reference to a Secret that must have a ".dockerconfigjson" key whose content must be a valid Openshift pull secret JSON. - If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. - This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster - and it will be injected into the container runtime of all NodePools. - Changing this value will trigger a rollout for all existing NodePools in the cluster. - Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - release: - description: |- - release specifies the desired OCP release payload for all the hosted cluster components. - This includes those components running management side like the Kube API Server and the CVO but also the operands which land in the hosted cluster data plane like the ingress controller, ovn agents, etc. - The maximum and minimum supported release versions are determined by the running Hypersfhit Operator. - Attempting to use an unsupported version will result in the HostedCluster being degraded and the validateReleaseImage condition being false. - Attempting to use a release with a skew against a NodePool release bigger than N-2 for the y-stream will result in leaving the NodePool in an unsupported state. - Changing this field will trigger a rollout of the control plane components. - The behavior of the rollout will be driven by the ControllerAvailabilityPolicy and InfrastructureAvailabilityPolicy for PDBs and maxUnavailable and surce policies. - properties: - image: - description: |- - Image is the image pullspec of an OCP release payload image. - See https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags for a list of available images. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: Image must start with a word character (letters, digits, - or underscores) and contain no white spaces - rule: self.matches('^(\\w+\\S+)$') - required: - - image - type: object - secretEncryption: - description: |- - secretEncryption specifies a Kubernetes secret encryption strategy for the - control plane. - properties: - aescbc: - description: AESCBC defines metadata about the AESCBC secret encryption - strategy - properties: - activeKey: - description: ActiveKey defines the active key used to encrypt - new secrets - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - activeKey - type: object - kms: - description: KMS defines metadata about the kms secret encryption - strategy - properties: - aws: - description: AWS defines metadata about the configuration - of the AWS KMS Secret Encryption provider - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - auth: - description: Auth defines metadata about the management - of credentials used to interact with AWS KMS - properties: - awsKms: - description: "The referenced role must have a trust - relationship that allows it to be assumed via web - identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ - .ProviderName }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nAWSKMSARN - is an ARN value referencing a role appropriate for - managing the auth via the AWS KMS key.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n \t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"kms:Encrypt\",\n\t\t\t\t\"kms:Decrypt\",\n\t\t\t\t\"kms:ReEncrypt*\",\n\t\t\t\t\"kms:GenerateDataKey*\",\n\t\t\t\t\"kms:DescribeKey\"\n\t\t\t],\n\t\t\t\"Resource\": - %q\n\t\t}\n\t]\n}" - type: string - required: - - awsKms - type: object - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - region: - description: Region contains the AWS region - type: string - required: - - activeKey - - auth - - region - type: object - azure: - description: Azure defines metadata about the configuration - of the Azure KMS Secret Encryption provider using Azure - key vault - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - required: - - activeKey - type: object - ibmcloud: - description: IBMCloud defines metadata for the IBM Cloud KMS - encryption strategy - properties: - auth: - description: Auth defines metadata for how authentication - is done with IBM Cloud KMS - properties: - managed: - description: |- - Managed defines metadata around the service to service authentication strategy for the IBM Cloud - KMS system (all provider managed). - type: object - type: - description: Type defines the IBM Cloud KMS authentication - strategy - enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: Unmanaged defines the auth metadata the - customer provides to interact with IBM Cloud KMS - properties: - credentials: - description: |- - Credentials should reference a secret with a key field of IBMCloudIAMAPIKeySecretKey that contains a apikey to - call IBM Cloud KMS APIs - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - credentials - type: object - required: - - type - type: object - keyList: - description: KeyList defines the list of keys used for - data encryption - items: - description: IBMCloudKMSKeyEntry defines metadata for - an IBM Cloud KMS encryption key - properties: - correlationID: - description: CorrelationID is an identifier used - to track all api call usage from hypershift - type: string - crkID: - description: CRKID is the customer rook key id - type: string - instanceID: - description: InstanceID is the id for the key protect - instance - type: string - keyVersion: - description: |- - KeyVersion is a unique number associated with the key. The number increments whenever a new - key is enabled for data encryption. - type: integer - url: - description: URL is the url to call key protect - apis over - pattern: ^https:// - type: string - required: - - correlationID - - crkID - - instanceID - - keyVersion - - url - type: object - type: array - region: - description: Region is the IBM Cloud region - type: string - required: - - auth - - keyList - - region - type: object - provider: - description: Provider defines the KMS provider - enum: - - IBMCloud - - AWS - - Azure - type: string - required: - - provider - type: object - type: - description: Type defines the type of kube secret encryption being - used - enum: - - kms - - aescbc - type: string - required: - - type - type: object - serviceAccountSigningKey: - description: |- - serviceAccountSigningKey is a local reference to a secret that must have a "key" key whose content must be the private key - used by the service account token issuer. - If not specified, a service account signing key will - be generated automatically for the cluster. - When specifying a service account signing key, an IssuerURL must also be specified. - If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - services: - description: |- - services specifies how individual control plane services endpoints are published for consumption. - This requires APIServer;OAuthServer;Konnectivity;Ignition. - This field is immutable for all platforms but IBMCloud. - Max is 6 to account for OIDC;OVNSbDb for backward compatibility though they are no-op. - - -kubebuilder:validation:XValidation:rule="self.all(s, !(s.service == 'APIServer' && s.servicePublishingStrategy.type == 'Route') || has(s.servicePublishingStrategy.route.hostname))",message="If serviceType is 'APIServer' and publishing strategy is 'Route', then hostname must be set" - -kubebuilder:validation:XValidation:rule="['APIServer', 'OAuthServer', 'Konnectivity', 'Ignition'].all(requiredType, self.exists(s, s.service == requiredType))",message="Services list must contain at least 'APIServer', 'OAuthServer', 'Konnectivity', and 'Ignition' service types" - -kubebuilder:validation:XValidation:rule="self.filter(s, s.servicePublishingStrategy.type == 'Route' && has(s.servicePublishingStrategy.route) && has(s.servicePublishingStrategy.route.hostname)).all(x, self.filter(y, y.servicePublishingStrategy.type == 'Route' && (has(y.servicePublishingStrategy.route) && has(y.servicePublishingStrategy.route.hostname) && y.servicePublishingStrategy.route.hostname == x.servicePublishingStrategy.route.hostname)).size() <= 1)",message="Each route publishingStrategy 'hostname' must be unique within the Services list." - -kubebuilder:validation:XValidation:rule="self.filter(s, s.servicePublishingStrategy.type == 'NodePort' && has(s.servicePublishingStrategy.nodePort) && has(s.servicePublishingStrategy.nodePort.address) && has(s.servicePublishingStrategy.nodePort.port)).all(x, self.filter(y, y.servicePublishingStrategy.type == 'NodePort' && (has(y.servicePublishingStrategy.nodePort) && has(y.servicePublishingStrategy.nodePort.address) && y.servicePublishingStrategy.nodePort.address == x.servicePublishingStrategy.nodePort.address && has(y.servicePublishingStrategy.nodePort.port) && y.servicePublishingStrategy.nodePort.port == x.servicePublishingStrategy.nodePort.port )).size() <= 1)",message="Each nodePort publishingStrategy 'nodePort' and 'hostname' must be unique within the Services list." - items: - description: |- - ServicePublishingStrategyMapping specifies how individual control plane services endpoints are published for consumption. - This includes APIServer;OAuthServer;Konnectivity;Ignition. - If a given service is not present in this list, it will be exposed publicly by default. - properties: - service: - description: |- - service identifies the type of service being published. - It can be APIServer;OAuthServer;Konnectivity;Ignition - OVNSbDb;OIDC are no-op and kept for backward compatibility. - This field is immutable. - enum: - - APIServer - - OAuthServer - - OIDC - - Konnectivity - - Ignition - - OVNSbDb - type: string - servicePublishingStrategy: - description: servicePublishingStrategy specifies how to publish - a service endpoint. - properties: - loadBalancer: - description: loadBalancer configures exposing a service - using a dedicated LoadBalancer. - properties: - hostname: - description: |- - hostname is the name of the DNS record that will be created pointing to the LoadBalancer and passed through to consumers of the service. - If omitted, the value will be inferred from the corev1.Service Load balancer type .status. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: hostname must be a valid domain name (e.g., - example.com) - rule: self.matches('^(?:[a-zA-Z0-9-]+\\.)+[a-zA-Z]{2,}$') - type: object - nodePort: - description: nodePort configures exposing a service using - a NodePort. - properties: - address: - description: address is the host/ip that the NodePort - service is exposed over. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: address must be a valid hostname, IPv4, or - IPv6 address - rule: isIP(self) || self.matches('^(([a-zA-Z0-9][-a-zA-Z0-9]*\\.)+[a-zA-Z]{2,}|localhost)$') - || self.matches('^((\\d{1,3}\\.){3}\\d{1,3})$') - || self.matches('^([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}$') - port: - description: |- - port is the port of the NodePort service. If <=0, the port is dynamically - assigned when the service is created. - format: int32 - type: integer - required: - - address - type: object - route: - description: |- - route configures exposing a service using a Route through and an ingress controller behind a cloud Load Balancer. - The specifics of the setup are platform dependent. - properties: - hostname: - description: |- - Hostname is the name of the DNS record that will be created pointing to the Route and passed through to consumers of the service. - If omitted, the value will be inferred from management ingress.Spec.Domain. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: hostname must be a valid domain name (e.g., - example.com) - rule: self.matches('^(?:[a-zA-Z0-9-]+\\.)+[a-zA-Z]{2,}$') - type: object - type: - description: |- - type is the publishing strategy used for the service. - It can be LoadBalancer;NodePort;Route;None;S3 - enum: - - LoadBalancer - - NodePort - - Route - - None - - S3 - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: nodePort is required when type is NodePort, and forbidden - otherwise - rule: 'self.type == ''NodePort'' ? has(self.nodePort) : !has(self.nodePort)' - - message: only route is allowed when type is Route, and forbidden - otherwise - rule: 'self.type == ''Route'' ? !has(self.nodePort) && !has(self.loadBalancer) - : !has(self.route)' - - message: only loadBalancer is required when type is LoadBalancer, - and forbidden otherwise - rule: 'self.type == ''LoadBalancer'' ? !has(self.nodePort) - && !has(self.route) : !has(self.loadBalancer)' - - message: None does not allowed any configuration for loadBalancer, - nodePort, or route - rule: 'self.type == ''None'' ? !has(self.nodePort) && !has(self.route) - && !has(self.loadBalancer) : true' - - message: S3 does not allowed any configuration for loadBalancer, - nodePort, or route - rule: 'self.type == ''S3'' ? !has(self.nodePort) && !has(self.route) - && !has(self.loadBalancer) : true' - required: - - service - - servicePublishingStrategy - type: object - maxItems: 6 - minItems: 4 - type: array - sshKey: - description: |- - sshKey is a local reference to a Secret that must have a "id_rsa.pub" key whose content must be the public part of 1..N SSH keys. - If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. - When sshKey is set, the controllers will generate a machineConfig with the sshAuthorizedKeys https://coreos.github.io/ignition/configuration-v3_2/ populated with this value. - This MachineConfig will be part of every payload generated by the controllers for any NodePool of the HostedCluster. - Changing this value will trigger a rollout for all existing NodePools in the cluster. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - tolerations: - description: Tolerations when specified, define what custom tolerations - are added to the hcp pods. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - updateService: - description: |- - updateService may be used to specify the preferred upstream update service. - If omitted we will use the appropriate update service for the cluster and region. - This is used by the control plane operator to determine and signal the appropriate available upgrades in the hostedCluster.status. - type: string - x-kubernetes-validations: - - message: updateService must be a valid absolute URL - rule: isURL(self) - required: - - etcd - - networking - - platform - - pullSecret - - release - - services - type: object - x-kubernetes-validations: - - message: Services is immutable. Changes might result in unpredictable - and disruptive behavior. - rule: 'self.platform.type != "IBMCloud" ? self.services == oldSelf.services - : true' - - message: Azure platform requires APIServer Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "APIServer" && s.servicePublishingStrategy.type == "Route" && s.servicePublishingStrategy.route.hostname - != "") : true' - - message: Azure platform requires OAuthServer Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "OAuthServer" && s.servicePublishingStrategy.type == "Route" && - s.servicePublishingStrategy.route.hostname != "") : true' - - message: Azure platform requires Konnectivity Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "Konnectivity" && s.servicePublishingStrategy.type == "Route" && - s.servicePublishingStrategy.route.hostname != "") : true' - - message: Azure platform requires Ignition Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "Ignition" && s.servicePublishingStrategy.type == "Route" && s.servicePublishingStrategy.route.hostname - != "") : true' - - message: If serviceAccountSigningKey is set, issuerURL must be set - rule: has(self.issuerURL) || !has(self.serviceAccountSigningKey) - - message: CIDR ranges in machineNetwork, clusterNetwork, and serviceNetwork - must be unique and non-overlapping - rule: (self.platform.type == "IBMCloud" || !has(self.networking.machineNetwork) - && self.networking.clusterNetwork.all(c, self.networking.serviceNetwork.all(s, - c.cidr != s.cidr)) || (has(self.networking.machineNetwork) && (self.networking.machineNetwork.all(m, - self.networking.clusterNetwork.all(c, m.cidr != c.cidr)) && self.networking.machineNetwork.all(m, - self.networking.serviceNetwork.all(s, m.cidr != s.cidr)) && self.networking.clusterNetwork.all(c, - self.networking.serviceNetwork.all(s, c.cidr != s.cidr))))) - status: - description: Status is the latest observed status of the HostedCluster. - properties: - conditions: - description: |- - Conditions represents the latest available observations of a control - plane's current state. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controlPlaneEndpoint: - description: |- - ControlPlaneEndpoint contains the endpoint information by which - external clients can access the control plane. This is populated - after the infrastructure is ready. - properties: - host: - description: Host is the hostname on which the API server is serving. - type: string - port: - description: Port is the port on which the API server is serving. - format: int32 - type: integer - required: - - host - - port - type: object - ignitionEndpoint: - description: |- - IgnitionEndpoint is the endpoint injected in the ign config userdata. - It exposes the config for instances to become kubernetes nodes. - type: string - kubeadminPassword: - description: |- - KubeadminPassword is a reference to the secret that contains the initial - kubeadmin user password for the guest cluster. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - kubeconfig: - description: |- - KubeConfig is a reference to the secret containing the default kubeconfig - for the cluster. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - oauthCallbackURLTemplate: - description: |- - OAuthCallbackURLTemplate contains a template for the URL to use as a callback - for identity providers. The [identity-provider-name] placeholder must be replaced - with the name of an identity provider defined on the HostedCluster. - This is populated after the infrastructure is ready. - type: string - payloadArch: - description: |- - payloadArch represents the CPU architecture type of the HostedCluster.Spec.Release.Image. The valid values are: - Multi, ARM64, AMD64, S390X, or PPC64LE. - enum: - - Multi - - ARM64 - - AMD64 - - PPC64LE - - S390X - type: string - platform: - description: Platform contains platform-specific status of the HostedCluster - properties: - aws: - description: AWSPlatformStatus contains status specific to the - AWS platform - properties: - defaultWorkerSecurityGroupID: - description: |- - DefaultWorkerSecurityGroupID is the ID of a security group created by - the control plane operator. It is always added to worker machines in - addition to any security groups specified in the NodePool. - type: string - type: object - type: object - version: - description: |- - Version is the status of the release version applied to the - HostedCluster. - properties: - availableUpdates: - description: |- - availableUpdates contains updates recommended for this - cluster. Updates which appear in conditionalUpdates but not in - availableUpdates may expose this cluster to known issues. This list - may be empty if no updates are recommended, if the update service - is unavailable, or if an invalid channel has been specified. - items: - description: Release represents an OpenShift release image and - associated metadata. - properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - nullable: true - type: array - conditionalUpdates: - description: |- - conditionalUpdates contains the list of updates that may be - recommended for this cluster if it meets specific required - conditions. Consumers interested in the set of updates that are - actually recommended for this cluster should use - availableUpdates. This list may be empty if no updates are - recommended, if the update service is unavailable, or if an empty - or invalid channel has been specified. - items: - description: |- - ConditionalUpdate represents an update which is recommended to some - clusters on the version the current cluster is reconciling, but which - may not be recommended for the current cluster. - properties: - conditions: - description: |- - conditions represents the observations of the conditional update's - current status. Known types are: - * Recommended, for whether the update is recommended for the current cluster. - items: - description: Condition contains details for one aspect - of the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, - False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in - foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - release: - description: release is the target of the update. - properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - risks: - description: |- - risks represents the range of issues associated with - updating to the target release. The cluster-version - operator will evaluate all entries, and only recommend the - update if there is at least one entry and all entries - recommend the update. - items: - description: |- - ConditionalUpdateRisk represents a reason and cluster-state - for not recommending a conditional update. - properties: - matchingRules: - description: |- - matchingRules is a slice of conditions for deciding which - clusters match the risk and which do not. The slice is - ordered by decreasing precedence. The cluster-version - operator will walk the slice in order, and stop after the - first it can successfully evaluate. If no condition can be - successfully evaluated, the update will not be recommended. - items: - description: |- - ClusterCondition is a union of typed cluster conditions. The 'type' - property determines which of the type-specific properties are relevant. - When evaluated on a cluster, the condition may match, not match, or - fail to evaluate. - properties: - promql: - description: promQL represents a cluster condition - based on PromQL. - properties: - promql: - description: |- - PromQL is a PromQL query classifying clusters. This query - query should return a 1 in the match case and a 0 in the - does-not-match case. Queries which return no time - series, or which return values besides 0 or 1, are - evaluation failures. - type: string - required: - - promql - type: object - type: - description: |- - type represents the cluster-condition type. This defines - the members and semantics of any additional properties. - enum: - - Always - - PromQL - type: string - required: - - type - type: object - minItems: 1 - type: array - x-kubernetes-list-type: atomic - message: - description: |- - message provides additional information about the risk of - updating, in the event that matchingRules match the cluster - state. This is only to be consumed by humans. It may - contain Line Feed characters (U+000A), which should be - rendered as new lines. - minLength: 1 - type: string - name: - description: |- - name is the CamelCase reason for not recommending a - conditional update, in the event that matchingRules match the - cluster state. - minLength: 1 - type: string - url: - description: url contains information about this risk. - format: uri - minLength: 1 - type: string - required: - - matchingRules - - message - - name - - url - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - required: - - release - - risks - type: object - type: array - x-kubernetes-list-type: atomic - desired: - description: |- - desired is the version that the cluster is reconciling towards. - If the cluster is not yet fully initialized desired will be set - with the information available, which may be an image or a tag. - properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - history: - description: |- - history contains a list of the most recent versions applied to the cluster. - This value may be empty during cluster startup, and then will be updated - when a new update is being applied. The newest update is first in the - list and it is ordered by recency. Updates in the history have state - Completed if the rollout completed - if an update was failing or halfway - applied the state will be Partial. Only a limited amount of update history - is preserved. - items: - description: UpdateHistory is a single attempted update to the - cluster. - properties: - acceptedRisks: - description: |- - acceptedRisks records risks which were accepted to initiate the update. - For example, it may menition an Upgradeable=False or missing signature - that was overriden via desiredUpdate.force, or an update that was - initiated despite not being in the availableUpdates set of recommended - update targets. - type: string - completionTime: - description: |- - completionTime, if set, is when the update was fully applied. The update - that is currently being applied will have a null completion time. - Completion time will always be set for entries that are not the current - update (usually to the started time of the next update). - format: date-time - nullable: true - type: string - image: - description: |- - image is a container image location that contains the update. This value - is always populated. - type: string - startedTime: - description: startedTime is the time at which the update - was started. - format: date-time - type: string - state: - description: |- - state reflects whether the update was fully applied. The Partial state - indicates the update is not fully applied, while the Completed state - indicates the update was successfully rolled out at least once (all - parts of the update successfully applied). - type: string - verified: - description: |- - verified indicates whether the provided update was properly verified - before it was installed. If this is false the cluster may not be trusted. - Verified does not cover upgradeable checks that depend on the cluster - state at the time when the update target was accepted. - type: boolean - version: - description: |- - version is a semantic version identifying the update version. If the - requested image does not define a version, or if a failure occurs - retrieving the image, this value may be empty. - type: string - required: - - completionTime - - image - - startedTime - - state - - verified - type: object - type: array - observedGeneration: - description: |- - observedGeneration reports which version of the spec is being synced. - If this value is not equal to metadata.generation, then the desired - and conditions fields may represent a previous version. - format: int64 - type: integer - required: - - availableUpdates - - desired - - observedGeneration - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml index 748918d043..51d5e554fd 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml @@ -2372,6 +2372,19 @@ spec: rule: self == oldSelf - message: issuerURL must be a valid absolute URL rule: isURL(self) + labels: + additionalProperties: + type: string + description: |- + labels when specified, define what custom labels are added to the hcp pods. + Changing this day 2 will cause a rollout of all hcp pods. + Duplicate keys are not supported. If duplicate keys are defined, only the last key/value pair is preserved. + Valid values are those in https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set + + -kubebuilder:validation:XValidation:rule=`self.all(key, size(key) <= 317 && key.matches('^(([A-Za-z0-9]+(\\.[A-Za-z0-9]+)?)*[A-Za-z0-9]\\/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$'))`, message="label key must have two segments: an optional prefix and name, separated by a slash (/). The name segment is required and must be 63 characters or less, beginning and ending with an alphanumeric character ([a-z0-9A-Z]) with dashes (-), underscores (_), dots (.), and alphanumerics between. The prefix is optional. If specified, the prefix must be a DNS subdomain: a series of DNS labels separated by dots (.), not longer than 253 characters in total, followed by a slash (/)" + -kubebuilder:validation:XValidation:rule=`self.all(key, size(self[key]) <= 63 && self[key].matches('^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$'))`, message="label value must be 63 characters or less (can be empty), consist of alphanumeric characters, dashes (-), underscores (_) or dots (.), and begin and end with an alphanumeric character" + maxProperties: 20 + type: object networking: default: clusterNetwork: diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/NetworkDiagnosticsConfig.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/NetworkDiagnosticsConfig.yaml index 9496b67521..92fe9e3993 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/NetworkDiagnosticsConfig.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/NetworkDiagnosticsConfig.yaml @@ -2506,6 +2506,19 @@ spec: rule: self == oldSelf - message: issuerURL must be a valid absolute URL rule: isURL(self) + labels: + additionalProperties: + type: string + description: |- + labels when specified, define what custom labels are added to the hcp pods. + Changing this day 2 will cause a rollout of all hcp pods. + Duplicate keys are not supported. If duplicate keys are defined, only the last key/value pair is preserved. + Valid values are those in https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set + + -kubebuilder:validation:XValidation:rule=`self.all(key, size(key) <= 317 && key.matches('^(([A-Za-z0-9]+(\\.[A-Za-z0-9]+)?)*[A-Za-z0-9]\\/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$'))`, message="label key must have two segments: an optional prefix and name, separated by a slash (/). The name segment is required and must be 63 characters or less, beginning and ending with an alphanumeric character ([a-z0-9A-Z]) with dashes (-), underscores (_), dots (.), and alphanumerics between. The prefix is optional. If specified, the prefix must be a DNS subdomain: a series of DNS labels separated by dots (.), not longer than 253 characters in total, followed by a slash (/)" + -kubebuilder:validation:XValidation:rule=`self.all(key, size(self[key]) <= 63 && self[key].matches('^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$'))`, message="label value must be 63 characters or less (can be empty), consist of alphanumeric characters, dashes (-), underscores (_) or dots (.), and begin and end with an alphanumeric character" + maxProperties: 20 + type: object networking: default: clusterNetwork: diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml index bdc3e53daa..5d0a926ee9 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml @@ -2354,6 +2354,19 @@ spec: rule: self == oldSelf - message: issuerURL must be a valid absolute URL rule: isURL(self) + labels: + additionalProperties: + type: string + description: |- + labels when specified, define what custom labels are added to the hcp pods. + Changing this day 2 will cause a rollout of all hcp pods. + Duplicate keys are not supported. If duplicate keys are defined, only the last key/value pair is preserved. + Valid values are those in https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set + + -kubebuilder:validation:XValidation:rule=`self.all(key, size(key) <= 317 && key.matches('^(([A-Za-z0-9]+(\\.[A-Za-z0-9]+)?)*[A-Za-z0-9]\\/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$'))`, message="label key must have two segments: an optional prefix and name, separated by a slash (/). The name segment is required and must be 63 characters or less, beginning and ending with an alphanumeric character ([a-z0-9A-Z]) with dashes (-), underscores (_), dots (.), and alphanumerics between. The prefix is optional. If specified, the prefix must be a DNS subdomain: a series of DNS labels separated by dots (.), not longer than 253 characters in total, followed by a slash (/)" + -kubebuilder:validation:XValidation:rule=`self.all(key, size(self[key]) <= 63 && self[key].matches('^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$'))`, message="label value must be 63 characters or less (can be empty), consist of alphanumeric characters, dashes (-), underscores (_) or dots (.), and begin and end with an alphanumeric character" + maxProperties: 20 + type: object networking: default: clusterNetwork: diff --git a/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Default.crd.yaml b/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Default.crd.yaml index b4371760b4..c0cd7eb715 100644 --- a/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Default.crd.yaml +++ b/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Default.crd.yaml @@ -2772,6 +2772,19 @@ spec: rule: self == oldSelf - message: issuerURL must be a valid absolute URL rule: isURL(self) + labels: + additionalProperties: + type: string + description: |- + labels when specified, define what custom labels are added to the hcp pods. + Changing this day 2 will cause a rollout of all hcp pods. + Duplicate keys are not supported. If duplicate keys are defined, only the last key/value pair is preserved. + Valid values are those in https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set + + -kubebuilder:validation:XValidation:rule=`self.all(key, size(key) <= 317 && key.matches('^(([A-Za-z0-9]+(\\.[A-Za-z0-9]+)?)*[A-Za-z0-9]\\/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$'))`, message="label key must have two segments: an optional prefix and name, separated by a slash (/). The name segment is required and must be 63 characters or less, beginning and ending with an alphanumeric character ([a-z0-9A-Z]) with dashes (-), underscores (_), dots (.), and alphanumerics between. The prefix is optional. If specified, the prefix must be a DNS subdomain: a series of DNS labels separated by dots (.), not longer than 253 characters in total, followed by a slash (/)" + -kubebuilder:validation:XValidation:rule=`self.all(key, size(self[key]) <= 63 && self[key].matches('^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$'))`, message="label value must be 63 characters or less (can be empty), consist of alphanumeric characters, dashes (-), underscores (_) or dots (.), and begin and end with an alphanumeric character" + maxProperties: 20 + type: object networking: default: clusterNetwork: diff --git a/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/hostedcluster_types.go b/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/hostedcluster_types.go index c541d9639b..07cb74271c 100644 --- a/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/hostedcluster_types.go +++ b/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/hostedcluster_types.go @@ -632,7 +632,6 @@ type HostedClusterSpec struct { // TODO: key/value validations break cost budget for <=4.17. We should figure why and enable it back. // +kubebuilder:validation:MaxProperties=20 // +optional - // +openshift:enable:FeatureGate=HCPPodsLabels Labels map[string]string `json:"labels,omitempty"` } diff --git a/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests.yaml index d7d9b8cdde..2d4e3a6cec 100644 --- a/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests.yaml @@ -99,7 +99,6 @@ hostedclusters.hypershift.openshift.io: - AutoNodeKarpenter - DynamicResourceAllocation - ExternalOIDC - - HCPPodsLabels - ImageStreamImportMode - NetworkDiagnosticsConfig - OpenStack From ea67dbf81c2a3045e8370f0a1d532c948f6f99fd Mon Sep 17 00:00:00 2001 From: Mulham Raee Date: Tue, 4 Feb 2025 18:13:16 +0100 Subject: [PATCH 3/3] Add Labels validation test to TestOnCreateAPIUX --- test/e2e/create_cluster_test.go | 124 +++++++++++++++++--------------- 1 file changed, 68 insertions(+), 56 deletions(-) diff --git a/test/e2e/create_cluster_test.go b/test/e2e/create_cluster_test.go index 817454d0fa..d497a0b89a 100644 --- a/test/e2e/create_cluster_test.go +++ b/test/e2e/create_cluster_test.go @@ -171,62 +171,74 @@ func TestOnCreateAPIUX(t *testing.T) { }, }, }, - // TODO: enable this test when the API validation is enabled. The validation is currently disabled because it breaks cost budget, - // { - // name: "when Labels contain invalid entries it should fail", - // file: "hostedcluster-base.yaml", - // validations: []struct { - // name string - // mutateInput func(*hyperv1.HostedCluster) - // expectedErrorSubstring string - // }{ - // { - // name: "when label key is empty it should fail", - // mutateInput: func(hc *hyperv1.HostedCluster) { - // hc.Spec.Labels = map[string]string{ - // "": "test-value", - // } - // }, - // expectedErrorSubstring: "label key must have two segments: an optional prefix and name, separated by a slash (/). The name segment is required and must be 63 characters or less, beginning and ending with an alphanumeric character ([a-z0-9A-Z]) with dashes (-), underscores (_), dots (.), and alphanumerics between. The prefix is optional. If specified, the prefix must be a DNS subdomain: a series of DNS labels separated by dots (.), not longer than 253 characters in total, followed by a slash (/)", - // }, - // { - // name: "when label key contains invalid prefix it should fail", - // mutateInput: func(hc *hyperv1.HostedCluster) { - // hc.Spec.Labels = map[string]string{ - // "invalid-prefix/name": "test-value", - // } - // }, - // expectedErrorSubstring: "label key must have two segments: an optional prefix and name, separated by a slash (/). The name segment is required and must be 63 characters or less, beginning and ending with an alphanumeric character ([a-z0-9A-Z]) with dashes (-), underscores (_), dots (.), and alphanumerics between. The prefix is optional. If specified, the prefix must be a DNS subdomain: a series of DNS labels separated by dots (.), not longer than 253 characters in total, followed by a slash (/)", - // }, - // { - // name: "when label key has valid prefix but empty name it should fail", - // mutateInput: func(hc *hyperv1.HostedCluster) { - // hc.Spec.Labels = map[string]string{ - // "valid.prefix.domain/": "test-value", - // } - // }, - // expectedErrorSubstring: "label key must have two segments: an optional prefix and name, separated by a slash (/). The name segment is required and must be 63 characters or less, beginning and ending with an alphanumeric character ([a-z0-9A-Z]) with dashes (-), underscores (_), dots (.), and alphanumerics between. The prefix is optional. If specified, the prefix must be a DNS subdomain: a series of DNS labels separated by dots (.), not longer than 253 characters in total, followed by a slash (/)", - // }, - // { - // name: "when label value is not valid it should fail", - // mutateInput: func(hc *hyperv1.HostedCluster) { - // hc.Spec.Labels = map[string]string{ - // "test-key": "@", - // } - // }, - // expectedErrorSubstring: "label value must be 63 characters or less (can be empty), consist of alphanumeric characters, dashes (-), underscores (_) or dots (.), and begin and end with an alphanumeric character", - // }, - // { - // name: "when label key and value are valid it should pass", - // mutateInput: func(hc *hyperv1.HostedCluster) { - // hc.Spec.Labels = map[string]string{ - // "valid.prefix.domain/test-name": "test-value", - // } - // }, - // expectedErrorSubstring: "", - // }, - // }, - // }, + { + name: "when Labels contain invalid entries it should fail", + file: "hostedcluster-base.yaml", + validations: []struct { + name string + mutateInput func(*hyperv1.HostedCluster) + expectedErrorSubstring string + }{ + { + name: "when labels have more than 20 entries it should fail", + mutateInput: func(hc *hyperv1.HostedCluster) { + labels := map[string]string{} + for i := 0; i < 25; i++ { + key := fmt.Sprintf("test%d", i) + labels[key] = key + } + hc.Spec.Labels = labels + }, + expectedErrorSubstring: "must have at most 20 items", + }, + // TODO: enable this test when the API validation is enabled. The validation is currently disabled because it breaks cost budget + // { + // name: "when label key is empty it should fail", + // mutateInput: func(hc *hyperv1.HostedCluster) { + // hc.Spec.Labels = map[string]string{ + // "": "test-value", + // } + // }, + // expectedErrorSubstring: "label key must have two segments: an optional prefix and name, separated by a slash (/). The name segment is required and must be 63 characters or less, beginning and ending with an alphanumeric character ([a-z0-9A-Z]) with dashes (-), underscores (_), dots (.), and alphanumerics between. The prefix is optional. If specified, the prefix must be a DNS subdomain: a series of DNS labels separated by dots (.), not longer than 253 characters in total, followed by a slash (/)", + // }, + // { + // name: "when label key contains invalid prefix it should fail", + // mutateInput: func(hc *hyperv1.HostedCluster) { + // hc.Spec.Labels = map[string]string{ + // "invalid-prefix/name": "test-value", + // } + // }, + // expectedErrorSubstring: "label key must have two segments: an optional prefix and name, separated by a slash (/). The name segment is required and must be 63 characters or less, beginning and ending with an alphanumeric character ([a-z0-9A-Z]) with dashes (-), underscores (_), dots (.), and alphanumerics between. The prefix is optional. If specified, the prefix must be a DNS subdomain: a series of DNS labels separated by dots (.), not longer than 253 characters in total, followed by a slash (/)", + // }, + // { + // name: "when label key has valid prefix but empty name it should fail", + // mutateInput: func(hc *hyperv1.HostedCluster) { + // hc.Spec.Labels = map[string]string{ + // "valid.prefix.domain/": "test-value", + // } + // }, + // expectedErrorSubstring: "label key must have two segments: an optional prefix and name, separated by a slash (/). The name segment is required and must be 63 characters or less, beginning and ending with an alphanumeric character ([a-z0-9A-Z]) with dashes (-), underscores (_), dots (.), and alphanumerics between. The prefix is optional. If specified, the prefix must be a DNS subdomain: a series of DNS labels separated by dots (.), not longer than 253 characters in total, followed by a slash (/)", + // }, + // { + // name: "when label value is not valid it should fail", + // mutateInput: func(hc *hyperv1.HostedCluster) { + // hc.Spec.Labels = map[string]string{ + // "test-key": "@", + // } + // }, + // expectedErrorSubstring: "label value must be 63 characters or less (can be empty), consist of alphanumeric characters, dashes (-), underscores (_) or dots (.), and begin and end with an alphanumeric character", + // }, + // { + // name: "when label key and value are valid it should pass", + // mutateInput: func(hc *hyperv1.HostedCluster) { + // hc.Spec.Labels = map[string]string{ + // "valid.prefix.domain/test-name": "test-value", + // } + // }, + // expectedErrorSubstring: "", + // }, + }, + }, { name: "when updateService is not a valid url it should fail", file: "hostedcluster-base.yaml",