From 23cea444002703a04469f9172630155e547d1cf2 Mon Sep 17 00:00:00 2001 
From: David
Date: Mon, 6 Jan 2025 10:10:54 -0600
Subject: [PATCH] change OCL CRD deployment to v1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Squashed commit messages:

- MachineOSConfig: set ImageSecretObjectReference to optional
- Add v1 versions of OnClusterBuild APIs
- First step to GA'ing the currently v1alpha1 APIs. Don't add to payload manifests yet, and the featuregate is retained.
- Temporarily exclude v1 MOSC/MOSB from payload
- Update godoc and validation for MOSC/MOSB

Mostly fixups, with some minor changes to the v1alpha1 API:

- Removed Version and ConfigGeneration from MOSB as they were unused
- Updated relatedobjects list
- Changed all optional,omitempty structs to pointers
- Removed default for ImageBuilderType, but keeping default build arch to noarch as we don’t foresee changing that.
- Fixed RenderedImagePushspec validators to match description

Additional fixes for MOSC/MOSB

- Update from PodImageBuilder to JobImageBuilder, and add a MachineOSBuild reference to MachineOSConfig
- Failed and Interrupted will now cause MOSBuild conditions to be immutable
- Updated Arch enum to be PascalCase
- Updated relatedObject go doc based on suggestion
- Add validation for buildEnd > buildStart
- Removed conditions field from MOSConfig. The build object is supposed to reflect conditions instead, so this is not needed at this time
- Use dns1123 format check for all strings that match, and otherwise switch pattern checks to validation rules where appropriate
- Updated godocs a bit more for formatting

Additional MOSC/MOSB updates

Mostly fixes around validation and godocs. Added some additional test cases.

Further MOSC/MOSB updates

- Removed BuildOutputs and the CurrentImagePullSecret field (not really needed at this time, we’d prefer if the user would put any additional pull secrets into the cluster-wide object)
- Removed BuildInputs and lifted all fields to spec, removing:
  - ReleaseVersion
  - BaseOSImagePullSpec
  - BaseOSExtensionsImagePullSpec
  Which will be populated directly from the MCO instead. We will consider re-adding those if there is a need for on cluster pre-builds off new release images in the future.
- Renamed finalImagePushSpec to digestedImagePushSpec
- Switched MachineOSBuilderReference back to a union, and renamed the job object union member to just “job”
- Changed “desiredConfig” to “MachineConfig” for clarity
- Kept ObservedGeneration, but updated the validation, and will fix on the MCO side
- Removed duplicate arch types, and updated containerfiles to allow at most 1 per arch (minus noarch)

Re-add removed NodeDisruptionPolicy tests

These were added for the alpha API originally, but they seem to have been removed during a refactor of the tests. The current tests are a duplicate of bootimage tests.

MachineOSBuild: relax CEL for conditions

The builder defaults these conditions to false to start, and the current CEL prevents that changing.

Use CEL validations

Since the new format library is not available in 4.18, use similar validations to what we were doing for v1alpha1.
Signed-off-by: Urvashi
---
 hack/update-payload-crds.sh | 4 +-
 machineconfiguration/v1/register.go | 4 +
 .../OnClusterBuild.yaml | 351 +++++++++++++++
 .../OnClusterBuild.yaml | 112 +++++
 .../v1/types_machineosbuild.go | 217 ++++++++++
 .../v1/types_machineosconfig.go | 217 ++++++++++
 ...1_machineosbuilds-CustomNoUpgrade.crd.yaml | 404 ++++++++++++++++++
 ...chineosbuilds-DevPreviewNoUpgrade.crd.yaml | 404 ++++++++++++++++++
 ...hineosbuilds-TechPreviewNoUpgrade.crd.yaml | 404 ++++++++++++++++++
 ..._machineosconfigs-CustomNoUpgrade.crd.yaml | 352 +++++++++++++++
 ...hineosconfigs-DevPreviewNoUpgrade.crd.yaml | 352 +++++++++++++++
 ...ineosconfigs-TechPreviewNoUpgrade.crd.yaml | 352 +++++++++++++++
 .../v1/zz_generated.deepcopy.go | 371 ++++++++++++++++
 ..._generated.featuregated-crd-manifests.yaml | 66 +++
 .../OnClusterBuild.yaml | 404 ++++++++++++++++++
 .../OnClusterBuild.yaml | 352 +++++++++++++++
 .../v1/zz_generated.swagger_doc_generated.go | 169 ++++++++
 .../v1alpha1/types_machineosconfig.go | 2 +-
 .../NodeDisruptionPolicy.yaml | 321 +++++++++-----
 ...1_machineosbuilds-CustomNoUpgrade.crd.yaml | 266 ++++++++----
 ...chineosbuilds-DevPreviewNoUpgrade.crd.yaml | 266 ++++++++----
 ...hineosbuilds-TechPreviewNoUpgrade.crd.yaml | 266 ++++++++----
 ..._machineosconfigs-CustomNoUpgrade.crd.yaml | 386 +++++++++--------
 ...hineosconfigs-DevPreviewNoUpgrade.crd.yaml | 386 +++++++++--------
 ...ineosconfigs-TechPreviewNoUpgrade.crd.yaml | 386 +++++++++--------
 25 files changed, 5923 insertions(+), 891 deletions(-)
 create mode 100644 machineconfiguration/v1/tests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml
 create mode 100644 machineconfiguration/v1/tests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml
 create mode 100644 machineconfiguration/v1/types_machineosbuild.go
 create mode 100644 machineconfiguration/v1/types_machineosconfig.go
 create mode 100644
machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-CustomNoUpgrade.crd.yaml create mode 100644 machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-DevPreviewNoUpgrade.crd.yaml create mode 100644 machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-TechPreviewNoUpgrade.crd.yaml create mode 100644 machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml create mode 100644 machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml create mode 100644 machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml create mode 100644 machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml create mode 100644 machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml diff --git a/hack/update-payload-crds.sh b/hack/update-payload-crds.sh index 8146121a356..926b710c4c8 100755 --- a/hack/update-payload-crds.sh +++ b/hack/update-payload-crds.sh @@ -2,6 +2,7 @@ source "$(dirname "${BASH_SOURCE}")/lib/init.sh" +#TODO(jerzhang): once MOSC/MOSB graduates, update the v1 crds to include them crd_globs="\ authorization/v1/zz_generated.crd-manifests/*_config-operator_*.crd*yaml\ config/v1/zz_generated.crd-manifests/*_config-operator_*.crd*yaml\ 
@@ -22,7 +23,8 @@ crd_globs="\ config/v1/zz_generated.crd-manifests/0000_10_openshift-controller-manager_01_builds*.crd.yaml operator/v1/zz_generated.crd-manifests/0000_50_openshift-controller-manager_02_openshiftcontrollermanagers*.crd.yaml machineconfiguration/v1/zz_generated.crd-manifests/*.crd.yaml - machineconfiguration/v1alpha1/zz_generated.crd-manifests/*.crd.yaml + machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes*.crd.yaml + machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_pinnedimagesets*.crd.yaml operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations*.crd.yaml config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies*.crd.yaml config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies*.crd.yaml diff --git a/machineconfiguration/v1/register.go b/machineconfiguration/v1/register.go index bbafc28dea3..cddaa853015 100644 --- a/machineconfiguration/v1/register.go +++ b/machineconfiguration/v1/register.go @@ -34,6 +34,10 @@ func addKnownTypes(scheme *runtime.Scheme) error { &MachineConfigList{}, &MachineConfigPool{}, &MachineConfigPoolList{}, + &MachineOSConfig{}, + &MachineOSConfigList{}, + &MachineOSBuild{}, + &MachineOSBuildList{}, ) metav1.AddToGroupVersion(scheme, GroupVersion) diff --git a/machineconfiguration/v1/tests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml b/machineconfiguration/v1/tests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml new file mode 100644 index 00000000000..47e255ef74d --- /dev/null +++ b/machineconfiguration/v1/tests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml 
@@ -0,0 +1,351 @@ +apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this +name: "MachineOSBuild" +crdName: machineosbuilds.machineconfiguration.openshift.io +featureGate: OnClusterBuild +tests: + onCreate: + - name: Should be able to create a minimal MachineOSBuild + initial: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSBuild + metadata: + name: foobar + spec: + machineConfig: + name: rendered-worker-abcd + machineOSConfig: + name: worker + renderedImagePushSpec: quay.io/mco/renderedImage:latest + expected: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSBuild + metadata: + name: foobar + spec: + machineConfig: + name: rendered-worker-abcd + machineOSConfig: + name: worker + renderedImagePushSpec: quay.io/mco/renderedImage:latest + onUpdate: + - name: Job imagebuilder type must have job reference + initial: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSBuild + metadata: + name: foobar + spec: + machineConfig: + name: rendered-worker-abcd + machineOSConfig: + name: worker + renderedImagePushSpec: quay.io/mco/renderedImage:latest + status: + builder: + imageBuilderType: Job + job: + group: batch + resource: jobs + namespace: openshift-machine-config-operator + name: buildjob + updated: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSBuild + metadata: + name: foobar + spec: + machineConfig: + name: rendered-worker-abcd + machineOSConfig: + name: worker + renderedImagePushSpec: quay.io/mco/renderedImage:latest + status: + builder: + imageBuilderType: Job + expectedStatusError: "status.builder: Invalid value: \"object\": job is required when imageBuilderType is Job, and forbidden otherwise" + - name: Successfully set buildEnd + initial: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSBuild + metadata: + name: foobar + spec: + machineConfig: + name: rendered-worker-abcd + machineOSConfig: + name: worker + 
renderedImagePushSpec: quay.io/mco/renderedImage:latest + status: + builder: + imageBuilderType: Job + job: + group: batch + resource: jobs + namespace: openshift-machine-config-operator + name: buildjob + buildStart: 2024-11-28T10:00:00Z + updated: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSBuild + metadata: + name: foobar + spec: + machineConfig: + name: rendered-worker-abcd + machineOSConfig: + name: worker + renderedImagePushSpec: quay.io/mco/renderedImage:latest + status: + builder: + imageBuilderType: Job + job: + group: batch + resource: jobs + namespace: openshift-machine-config-operator + name: buildjob + buildStart: 2024-11-28T10:00:00Z + buildEnd: 2024-11-28T11:00:00Z + expected: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSBuild + metadata: + name: foobar + spec: + machineConfig: + name: rendered-worker-abcd + machineOSConfig: + name: worker + renderedImagePushSpec: quay.io/mco/renderedImage:latest + status: + builder: + imageBuilderType: Job + job: + group: batch + resource: jobs + namespace: openshift-machine-config-operator + name: buildjob + buildStart: 2024-11-28T10:00:00Z + buildEnd: 2024-11-28T11:00:00Z + - name: Fail on invalid buildEnd time + initial: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSBuild + metadata: + name: foobar + spec: + machineConfig: + name: rendered-worker-abcd + machineOSConfig: + name: worker + renderedImagePushSpec: quay.io/mco/renderedImage:latest + status: + builder: + imageBuilderType: Job + job: + group: batch + resource: jobs + namespace: openshift-machine-config-operator + name: buildjob + buildStart: 2024-11-28T10:00:00Z + updated: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSBuild + metadata: + name: foobar + spec: + machineConfig: + name: rendered-worker-abcd + machineOSConfig: + name: worker + renderedImagePushSpec: quay.io/mco/renderedImage:latest + status: + builder: + imageBuilderType: Job + job: + group: 
batch + resource: jobs + namespace: openshift-machine-config-operator + name: buildjob + buildStart: 2024-11-28T10:00:00Z + buildEnd: 2024-11-28T09:00:00Z + expectedStatusError: "status: Invalid value: \"object\": buildEnd must be after buildStart" + - name: Should be able to set a condition + initial: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSBuild + metadata: + name: foobar + spec: + machineConfig: + name: rendered-worker-abcd + machineOSConfig: + name: worker + renderedImagePushSpec: quay.io/mco/renderedImage:latest + status: + builder: + imageBuilderType: Job + job: + group: batch + resource: jobs + namespace: openshift-machine-config-operator + name: buildjob + conditions: + - type: Succeeded + status: "False" + reason: "Reason" + message: "Message" + lastTransitionTime: "2024-11-28T10:00:00Z" + updated: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSBuild + metadata: + name: foobar + spec: + machineConfig: + name: rendered-worker-abcd + machineOSConfig: + name: worker + renderedImagePushSpec: quay.io/mco/renderedImage:latest + status: + builder: + imageBuilderType: Job + job: + group: batch + resource: jobs + namespace: openshift-machine-config-operator + name: buildjob + conditions: + - type: Succeeded + status: "True" + reason: "Reason" + message: "Message" + lastTransitionTime: "2024-11-28T11:00:00Z" + expected: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSBuild + metadata: + name: foobar + spec: + machineConfig: + name: rendered-worker-abcd + machineOSConfig: + name: worker + renderedImagePushSpec: quay.io/mco/renderedImage:latest + status: + builder: + imageBuilderType: Job + job: + group: batch + resource: jobs + namespace: openshift-machine-config-operator + name: buildjob + conditions: + - type: Succeeded + status: "True" + reason: "Reason" + message: "Message" + lastTransitionTime: "2024-11-28T11:00:00Z" + - name: Failed builds cannot change status + initial: | + apiVersion: 
machineconfiguration.openshift.io/v1 + kind: MachineOSBuild + metadata: + name: foobar + spec: + machineConfig: + name: rendered-worker-abcd + machineOSConfig: + name: worker + renderedImagePushSpec: quay.io/mco/renderedImage:latest + status: + builder: + imageBuilderType: Job + job: + group: batch + resource: jobs + namespace: openshift-machine-config-operator + name: buildjob + conditions: + - type: Failed + status: "True" + reason: "Reason" + message: "Message" + lastTransitionTime: "2024-11-28T10:00:00Z" + updated: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSBuild + metadata: + name: foobar + spec: + machineConfig: + name: rendered-worker-abcd + machineOSConfig: + name: worker + renderedImagePushSpec: quay.io/mco/renderedImage:latest + status: + builder: + imageBuilderType: Job + job: + group: batch + resource: jobs + namespace: openshift-machine-config-operator + name: buildjob + conditions: + - type: Failed + status: "False" + reason: "Reason" + message: "Message" + lastTransitionTime: "2024-11-28T10:00:00Z" + expectedStatusError: "status.conditions: Invalid value: \"array\": once a Failed condition is set, conditions are immutable" + - name: Interrupted builds cannot change status + initial: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSBuild + metadata: + name: foobar + spec: + machineConfig: + name: rendered-worker-abcd + machineOSConfig: + name: worker + renderedImagePushSpec: quay.io/mco/renderedImage:latest + status: + builder: + imageBuilderType: Job + job: + group: batch + resource: jobs + namespace: openshift-machine-config-operator + name: buildjob + conditions: + - type: Interrupted + status: "True" + reason: "Reason" + message: "Message" + lastTransitionTime: "2024-11-28T10:00:00Z" + updated: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSBuild + metadata: + name: foobar + spec: + machineConfig: + name: rendered-worker-abcd + machineOSConfig: + name: worker + 
renderedImagePushSpec: quay.io/mco/renderedImage:latest + status: + builder: + imageBuilderType: Job + job: + group: batch + resource: jobs + namespace: openshift-machine-config-operator + name: buildjob + conditions: + - type: Succeeded + status: "True" + reason: "Reason" + message: "Message" + lastTransitionTime: "2024-11-28T10:00:00Z" + expectedStatusError: "status.conditions: Invalid value: \"array\": once an Interrupted condition is set, conditions are immutable" diff --git a/machineconfiguration/v1/tests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml b/machineconfiguration/v1/tests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml new file mode 100644 index 00000000000..d55a1d4dff6 --- /dev/null +++ b/machineconfiguration/v1/tests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml 
@@ -0,0 +1,112 @@ +apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this +name: "MachineOSConfig" +crdName: machineosconfigs.machineconfiguration.openshift.io +featureGate: OnClusterBuild +tests: + onCreate: + - name: Should be able to create a minimal MachineOSConfig + initial: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSConfig + metadata: + name: foobar + spec: + machineConfigPool: + name: worker + imageBuilder: + imageBuilderType: Job + baseImagePullSecret: + name: foo + renderedImagePushSecret: + name: foo + renderedImagePushSpec: quay.io/mco/renderedImg:latest + expected: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSConfig + metadata: + name: foobar + spec: + machineConfigPool: + name: worker + imageBuilder: + imageBuilderType: Job + baseImagePullSecret: + name: foo + renderedImagePushSecret: + name: foo + renderedImagePushSpec: quay.io/mco/renderedImg:latest + - name: Should be able to create a MachineOSConfig with a renderedImagePushSpec that contains a port + initial: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSConfig + metadata: + name: foobar + spec: + machineConfigPool: + name: worker + imageBuilder: + imageBuilderType: Job + baseImagePullSecret: + name: foo + renderedImagePushSecret: + name: foo + renderedImagePushSpec: registry.test.example.local:5000/test/custom-os-image:v0.1 + expected: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSConfig + metadata: + name: foobar + spec: + machineConfigPool: + name: worker + imageBuilder: + imageBuilderType: Job + baseImagePullSecret: + name: foo + renderedImagePushSecret: + name: foo + renderedImagePushSpec: registry.test.example.local:5000/test/custom-os-image:v0.1 + - name: Fail on invalid rendered image push spec + initial: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSConfig + metadata: + name: foobar + spec: + machineConfigPool: + name: worker 
+ imageBuilder: + imageBuilderType: Job + baseImagePullSecret: + name: foo + renderedImagePushSecret: + name: foo + renderedImagePushSpec: foo.bar + expectedError: "spec.renderedImagePushSpec: Invalid value: \"string\": the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme. Or it must be a valid .svc followed by a port, repository, image name, and tag." + - name: Allows for an empty pull secret + initial: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSConfig + metadata: + name: foobar + spec: + machineConfigPool: + name: worker + imageBuilder: + imageBuilderType: Job + renderedImagePushSecret: + name: foo + renderedImagePushSpec: quay.io/mco/renderedImg:latest + expected: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineOSConfig + metadata: + name: foobar + spec: + machineConfigPool: + name: worker + imageBuilder: + imageBuilderType: Job + renderedImagePushSecret: + name: foo + renderedImagePushSpec: quay.io/mco/renderedImg:latest diff --git a/machineconfiguration/v1/types_machineosbuild.go b/machineconfiguration/v1/types_machineosbuild.go new file mode 100644 index 00000000000..8765363b575 --- /dev/null +++ b/machineconfiguration/v1/types_machineosbuild.go 
@@ -0,0 +1,217 @@ +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// +genclient +// +genclient:nonNamespaced +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:object:root=true +// +kubebuilder:resource:path=machineosbuilds,scope=Cluster +// +kubebuilder:subresource:status +// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/2090 +// +openshift:enable:FeatureGate=OnClusterBuild +// +openshift:file-pattern=cvoRunLevel=0000_80,operatorName=machine-config,operatorOrdering=01 +// +kubebuilder:metadata:labels=openshift.io/operator-managed= +// +kubebuilder:printcolumn:name="Prepared",type="string",JSONPath=.status.conditions[?(@.type=="Prepared")].status +// +kubebuilder:printcolumn:name="Building",type="string",JSONPath=.status.conditions[?(@.type=="Building")].status +// +kubebuilder:printcolumn:name="Succeeded",type="string",JSONPath=.status.conditions[?(@.type=="Succeeded")].status +// +kubebuilder:printcolumn:name="Interrupted",type="string",JSONPath=.status.conditions[?(@.type=="Interrupted")].status +// +kubebuilder:printcolumn:name="Failed",type="string",JSONPath=.status.conditions[?(@.type=="Failed")].status +// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" + +// MachineOSBuild describes a build process managed and deployed by the MCO +// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). +// +openshift:compatibility-gen:level=1 +type MachineOSBuild struct { + metav1.TypeMeta `json:",inline"` + + // metadata is the standard object metadata. + // +optional + metav1.ObjectMeta `json:"metadata,omitempty"` + + // spec describes the configuration of the machine os build. + // It is immutable once set. 
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="machineOSBuildSpec is immutable once set" + // +required + Spec MachineOSBuildSpec `json:"spec"` + + // status describes the last observed state of this machine os build. + // +optional + Status MachineOSBuildStatus `json:"status,omitempty"` +} + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// MachineOSBuildList describes all of the Builds on the system +// +// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). +// +openshift:compatibility-gen:level=1 +type MachineOSBuildList struct { + metav1.TypeMeta `json:",inline"` + + // metadata is the standard list metadata. + // +optional + metav1.ListMeta `json:"metadata,omitempty"` + + // items contains a collection of MachineOSBuild resources. + // +optional + Items []MachineOSBuild `json:"items,omitempty"` +} + +// MachineOSBuildSpec describes information about a build process primarily populated from a MachineOSConfig object. +type MachineOSBuildSpec struct { + // machineConfig points to the rendered MachineConfig resource to be included in this image build. + // +required + MachineConfig MachineConfigReference `json:"machineConfig"` + // machineOSConfig references the MachineOSConfig resource that this image build extends. + // +required + MachineOSConfig MachineOSConfigReference `json:"machineOSConfig"` + // renderedImagePushSpec is set by the Machine Config Operator from the MachineOSConfig object this build is attached to. + // This field describes the location of the final image, which will be pushed by the build once complete. + // The format of the image push spec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:. + // The length of the push spec must be between 1 to 447 characters. 
+ // +required + RenderedImagePushSpec ImageTagFormat `json:"renderedImagePushSpec"` +} + +// MachineOSBuildStatus describes the state of a build and other helpful information. +// +kubebuilder:validation:XValidation:rule="has(self.buildEnd) ? has(self.buildStart) && timestamp(self.buildStart) < timestamp(self.buildEnd) : true",message="buildEnd must be after buildStart" +type MachineOSBuildStatus struct { + // conditions are state related conditions for the build. Valid types are: + // Prepared, Building, Failed, Interrupted, and Succeeded. + // Once a Build is marked as Failed, Interrupted or Succeeded, no future conditions can be set. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + // +kubebuilder:validation:MaxItems=8 + // +kubebuilder:validation:XValidation:rule="oldSelf.exists(x, x.type=='Failed' && x.status=='True') ? self==oldSelf : true",message="once a Failed condition is set, conditions are immutable" + // +kubebuilder:validation:XValidation:rule="oldSelf.exists(x, x.type=='Interrupted' && x.status=='True') ? self==oldSelf : true",message="once an Interrupted condition is set, conditions are immutable" + // +kubebuilder:validation:XValidation:rule="oldSelf.exists(x, x.type=='Succeeded' && x.status=='True') ? self==oldSelf : true",message="once an Succeeded condition is set, conditions are immutable" + // +optional + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` + // builder describes the image builder backend used for this build. + // +optional + Builder *MachineOSBuilderReference `json:"builder,omitempty"` + // relatedObjects is a list of references to ephemeral objects such as ConfigMaps or Secrets that are meant to be consumed while the build process runs. + // After a successful build or when this MachineOSBuild is deleted, these ephemeral objects will be removed. 
+ // In the event of a failed build, the objects will remain until the build is removed to allow for inspection. + // +kubebuilder:validation:MaxItems=10 + // +listType=map + // +listMapKey=name + // +listMapKey=resource + // +optional + RelatedObjects []ObjectReference `json:"relatedObjects,omitempty"` + // buildStart is the timestamp corresponding to the build controller initiating the build backend for this MachineOSBuild. + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="buildStart is immutable once set" + // +optional + BuildStart *metav1.Time `json:"buildStart,omitempty"` + // buildEnd is the timestamp corresponding to completion of the builder backend. + // When omitted the build has either not been started, or is in progress. + // It will be populated once the build completes, fails or is interrupted. + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="buildEnd is immutable once set" + // +optional + BuildEnd *metav1.Time `json:"buildEnd,omitempty"` + // digestedImagePushSpec describes the fully qualified push spec produced by this build. + // The format of the push spec is: host[:port][/namespace]/name@sha256:, + // where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + // The length of the whole spec must be between 1 to 447 characters. + // +optional + DigestedImagePushSpec ImageDigestFormat `json:"digestedImagePushSpec,omitempty"` +} + +// MachineOSBuilderReference describes which ImageBuilder backend to use for this build +// +union +// +kubebuilder:validation:XValidation:rule="has(self.imageBuilderType) && self.imageBuilderType == 'Job' ? has(self.job) : !has(self.job)",message="job is required when imageBuilderType is Job, and forbidden otherwise" +type MachineOSBuilderReference struct { + // imageBuilderType describes the type of image builder used to build this image. + // Valid values are Job only. 
+ // When set to Job, a pod based builder, using buildah, is launched to build the specified image. + // +unionDiscriminator + // +required + ImageBuilderType MachineOSImageBuilderType `json:"imageBuilderType"` + + // job is a reference to the job object that is managing the image build. + // This is required if the imageBuilderType is Job, and forbidden otherwise. + // +unionMember + // +optional + Job *ObjectReference `json:"job,omitempty"` +} + +// BuildProgess highlights some of the key phases of a build to be tracked in Conditions. +type BuildProgress string + +const ( + // prepared indicates that the build has finished preparing. A build is prepared + // by gathering the build inputs, validating them, and making sure we can do an update as specified. + MachineOSBuildPrepared BuildProgress = "Prepared" + // building indicates that the build has been kicked off with the specified image builder + MachineOSBuilding BuildProgress = "Building" + // failed indicates that during the build or preparation process, the build failed. + MachineOSBuildFailed BuildProgress = "Failed" + // interrupted indicates that the user stopped the build process by modifying part of the build config + MachineOSBuildInterrupted BuildProgress = "Interrupted" + // succeeded indicates that the build has completed and the image is ready to roll out. + MachineOSBuildSucceeded BuildProgress = "Succeeded" +) + +// Refers to the name of a rendered MachineConfig (e.g., "rendered-worker-ec40d2965ff81bce7cd7a7e82a680739", etc.): +// the build targets this MachineConfig, this is often used to tell us whether we need an update. +type MachineConfigReference struct { + // name is the name of the rendered MachineConfig object. + // This value should be between 10 and 253 characters, and must contain only lowercase + // alphanumeric characters, hyphens and periods, and should start and end with an alphanumeric character. 
+ // +kubebuilder:validation:MinLength:=10 + // +kubebuilder:validation:MaxLength:=253 + // +kubebuilder:validation:XValidation:rule=`self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$')`,message="a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character." + // +required + Name string `json:"name"` +} + +// ObjectReference contains enough information to let you inspect or modify the referred object. +type ObjectReference struct { + // group of the referent. + // The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + // Example: "", "apps", "build.openshift.io", etc. + // +kubebuilder:validation:MaxLength:=253 + // +kubebuilder:validation:XValidation:rule=`self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$')`,message="a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character." + // +required + Group string `json:"group"` + // resource of the referent. + // This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + // and should start with an alphabetic character and end with an alphanumeric character. + // Example: "deployments", "deploymentconfigs", "pods", etc. + // +required + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=63 + // +kubebuilder:validation:XValidation:rule=`self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$')`,message="a DNS-1035 label must consist of lower case alphanumeric characters or '-', start with an alphabetic character, and end with an alphanumeric character" + Resource string `json:"resource"` + // namespace of the referent. 
+ // This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + // and should start and end with an alphanumeric character. + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=63 + // +kubebuilder:validation:XValidation:rule=`self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$')`,message="the value must consist of only lowercase alphanumeric characters and hyphens" + // +optional + Namespace string `json:"namespace,omitempty"` + // name of the referent. + // The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=253 + // +kubebuilder:validation:XValidation:rule=`self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$')`,message="a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character." + // +required + Name string `json:"name"` +} + +// MachineOSConfigReference refers to the MachineOSConfig this build is based off of +type MachineOSConfigReference struct { + // name of the MachineOSConfig. + // The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=253 + // +kubebuilder:validation:XValidation:rule=`self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$')`,message="a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character." + // +required + Name string `json:"name"` +} diff --git a/machineconfiguration/v1/types_machineosconfig.go b/machineconfiguration/v1/types_machineosconfig.go new file mode 100644 index 00000000000..217e762ccce --- /dev/null 
+++ b/machineconfiguration/v1/types_machineosconfig.go 
@@ -0,0 +1,217 @@ +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// +genclient +// +genclient:nonNamespaced +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:object:root=true +// +kubebuilder:resource:path=machineosconfigs,scope=Cluster +// +kubebuilder:subresource:status +// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/2090 +// +openshift:enable:FeatureGate=OnClusterBuild +// +openshift:file-pattern=cvoRunLevel=0000_80,operatorName=machine-config,operatorOrdering=01 +// +kubebuilder:metadata:labels=openshift.io/operator-managed= + +// MachineOSConfig describes the configuration for a build process managed by the MCO +// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). +// +openshift:compatibility-gen:level=1 +type MachineOSConfig struct { + metav1.TypeMeta `json:",inline"` + + // metadata is the standard object metadata. + // +optional + metav1.ObjectMeta `json:"metadata,omitempty"` + + // spec describes the configuration of the machineosconfig + // +required + Spec MachineOSConfigSpec `json:"spec"` + + // status describes the status of the machineosconfig + // +optional + Status MachineOSConfigStatus `json:"status,omitempty"` +} + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// MachineOSConfigList describes all configurations for image builds on the system +// +// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). +// +openshift:compatibility-gen:level=1 +type MachineOSConfigList struct { + metav1.TypeMeta `json:",inline"` + + // metadata is the standard list metadata. + // +optional + metav1.ListMeta `json:"metadata,omitempty"` + + // items contains a collection of MachineOSConfig resources. 
+ // +optional + Items []MachineOSConfig `json:"items"` +} + +// MachineOSConfigSpec describes user-configurable options as well as information about a build process. +type MachineOSConfigSpec struct { + // machineConfigPool is the pool which the build is for. + // The Machine Config Operator will perform the build and roll out the built image to the specified pool. + // +required + MachineConfigPool MachineConfigPoolReference `json:"machineConfigPool"` + // imageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig. + // Currently supported type(s): Job + // +required + ImageBuilder MachineOSImageBuilder `json:"imageBuilder"` + // baseImagePullSecret is the secret used to pull the base image. + // Must live in the openshift-machine-config-operator namespace if provided. + // Defaults to using the cluster-wide pull secret if not specified. This is provided during install time of the cluster, and lives in the openshift-config namespace as a secret. + // +optional + BaseImagePullSecret *ImageSecretObjectReference `json:"baseImagePullSecret,omitempty"` + // renderedImagePushSecret is the secret used to connect to a user registry. + // The final image push and pull secrets should be separate and assume the principal of least privilege. + // The push secret with write privilege is only required to be present on the node hosting the MachineConfigController pod. + // The pull secret with read only privileges is required on all nodes. + // By separating the two secrets, the risk of write credentials becoming compromised is reduced. + // +required + RenderedImagePushSecret ImageSecretObjectReference `json:"renderedImagePushSecret"` + // renderedImagePushSpec describes the location of the final image. + // The MachineOSConfig object will use the in cluster image registry configuration. 
+ // If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf via the cluster image.config, ImageContentSourcePolicies, ImageDigestMirrorSet, or ImageTagMirrorSet objects. + // The format of the image push spec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:. + // The length of the push spec must be between 1 to 447 characters. + // +required + RenderedImagePushSpec ImageTagFormat `json:"renderedImagePushSpec"` + // containerFile describes the custom data the user has specified to build into the image. + // This is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. + // See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. + // This is a list indexed by architecture name (e.g. AMD64), and allows specifying one containerFile per arch, up to 4. + // +patchMergeKey=containerfileArch + // +patchStrategy=merge + // +listType=map + // +listMapKey=containerfileArch + // +kubebuilder:validation:MinItems=0 + // +kubebuilder:validation:MaxItems=4 + // +optional + Containerfile []MachineOSContainerfile `json:"containerFile" patchStrategy:"merge" patchMergeKey:"containerfileArch"` +} + +// MachineOSConfigStatus describes the status this config object and relates it to the builds associated with this MachineOSConfig +type MachineOSConfigStatus struct { + // conditions are state related conditions for the object. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + // +optional + // TODO(jerzhang): add godoc after conditions are finalized. Also consider adding printer columns. + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` + // observedGeneration represents the generation of the MachineOSConfig object observed by the Machine Config Operator's build controller. 
+ // +kubebuilder:validation:XValidation:rule="self >= oldSelf", message="observedGeneration must not move backwards" + // +kubebuilder:validation:Minimum=0 + // +optional + ObservedGeneration int64 `json:"observedGeneration,omitempty"` + // currentImagePullSpec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This includes the sha256 image digest. + // This is generated when the Machine Config Operator's build controller successfully completes the build, and is populated from the corresponding + // MachineOSBuild object's FinalImagePushSpec. This may change after completion in reaction to spec changes that would cause a new image build, + // but will not be removed. + // The format of the image pull spec is: host[:port][/namespace]/name@sha256:, + // where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + // The length of the whole spec must be between 1 to 447 characters. + // +optional + CurrentImagePullSpec ImageDigestFormat `json:"currentImagePullSpec,omitempty"` + // machineOSBuild is a reference to the MachineOSBuild object for this MachineOSConfig, which contains the status for the image build. + // +optional + MachineOSBuild *ObjectReference `json:"machineOSBuild,omitempty"` +} + +type MachineOSImageBuilder struct { + // imageBuilderType specifies the backend to be used to build the image. + // +kubebuilder:validation:Enum:=Job + // Valid options are: Job + // +required + ImageBuilderType MachineOSImageBuilderType `json:"imageBuilderType"` +} + +// MachineOSContainerfile contains all custom content the user wants built into the image +type MachineOSContainerfile struct { + // containerfileArch describes the architecture this containerfile is to be built for. + // This arch is optional. If the user does not specify an architecture, it is assumed + // that the content can be applied to all architectures, or in a single arch cluster: the only architecture. 
+ // +kubebuilder:validation:Enum:=ARM64;AMD64;PPC64LE;S390X;NoArch + // +kubebuilder:default:=NoArch + // +optional + ContainerfileArch ContainerfileArch `json:"containerfileArch,omitempty"` + // content is an embedded Containerfile/Dockerfile that defines the contents to be built into your image. + // See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. + // for example, this would add the tree package to your hosts: + // FROM configs AS final + // RUN rpm-ostree install tree && \ + // ostree container commit + // This is a required field and can have a maximum length of **4096** characters. + // +required + // +kubebuilder:validation:MaxLength=4096 + Content string `json:"content"` +} + +// +enum +type ContainerfileArch string + +const ( + // describes the arm64 architecture + Arm64 ContainerfileArch = "ARM64" + // describes the amd64 architecture + Amd64 ContainerfileArch = "AMD64" + // describes the ppc64le architecture + Ppc ContainerfileArch = "PPC64LE" + // describes the s390x architecture + S390 ContainerfileArch = "S390X" + // describes a containerfile that can be applied to any arch + NoArch ContainerfileArch = "NoArch" +) + +// Refers to the name of a MachineConfigPool (e.g., "worker", "infra", etc.): +// the MachineOSBuilder pod validates that the user has provided a valid pool +type MachineConfigPoolReference struct { + // name of the MachineConfigPool object. + // This value should be at most 253 characters, and must contain only lowercase + // alphanumeric characters, hyphens and periods, and should start and end with an alphanumeric character. + // +kubebuilder:validation:MaxLength:=253 + // +kubebuilder:validation:XValidation:rule=`self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$')`,message="a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character." 
+ // +required + Name string `json:"name"` +} + +// Refers to the name of an image registry push/pull secret needed in the build process. +type ImageSecretObjectReference struct { + // name is the name of the secret used to push or pull this MachineOSConfig object. + // Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + // This secret must be in the openshift-machine-config-operator namespace. + // +kubebuilder:validation:MaxLength:=253 + // +kubebuilder:validation:XValidation:rule=`self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$')`,message="a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character." + // +required + Name string `json:"name"` +} + +// ImageTagFormat is a type that conforms to the format host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:. +// The length of the field must be between 1 to 447 characters. +// +kubebuilder:validation:MinLength=1 +// +kubebuilder:validation:MaxLength=447 +// +kubebuilder:validation:XValidation:rule=`self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')`,message="the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme. Or it must be a valid .svc followed by a port, repository, image name, and tag." +type ImageTagFormat string + +// ImageDigestFormat is a type that conforms to the format host[:port][/namespace]/name@sha256:. +// The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. +// The length of the field must be between 1 to 447 characters. 
+// +kubebuilder:validation:MinLength=1 +// +kubebuilder:validation:MaxLength=447 +// +kubebuilder:validation:XValidation:rule=`(self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))`,message="the OCI Image reference must end with a valid '@sha256:' suffix, where '' is 64 characters long" +// +kubebuilder:validation:XValidation:rule=`(self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$'))`,message="the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme" +type ImageDigestFormat string + +// +enum +type MachineOSImageBuilderType string + +const ( + // describes that the machine-os-builder will use a Job to spin up a custom pod builder that uses buildah + JobBuilder MachineOSImageBuilderType = "Job" +) diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-CustomNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-CustomNoUpgrade.crd.yaml new file mode 100644 index 00000000000..6a1b93cac94 --- /dev/null +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-CustomNoUpgrade.crd.yaml 
@@ -0,0 +1,404 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2090 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: CustomNoUpgrade + labels: + openshift.io/operator-managed: "" + name: machineosbuilds.machineconfiguration.openshift.io +spec: + group: machineconfiguration.openshift.io + names: + kind: MachineOSBuild + listKind: MachineOSBuildList + plural: machineosbuilds + singular: machineosbuild + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Prepared")].status + name: Prepared + type: string + - jsonPath: .status.conditions[?(@.type=="Building")].status + name: Building + type: string + - jsonPath: .status.conditions[?(@.type=="Succeeded")].status + name: Succeeded + type: string + - jsonPath: .status.conditions[?(@.type=="Interrupted")].status + name: Interrupted + type: string + - jsonPath: .status.conditions[?(@.type=="Failed")].status + name: Failed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + MachineOSBuild describes a build process managed and deployed by the MCO + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec describes the configuration of the machine os build. + It is immutable once set. + properties: + machineConfig: + description: machineConfig points to the rendered MachineConfig resource + to be included in this image build. + properties: + name: + description: |- + name is the name of the rendered MachineConfig object. + This value should be between 10 and 253 characters, and must contain only lowercase + alphanumeric characters, hyphens and periods, and should start and end with an alphanumeric character. + maxLength: 253 + minLength: 10 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + required: + - name + type: object + machineOSConfig: + description: machineOSConfig references the MachineOSConfig resource + that this image build extends. + properties: + name: + description: |- + name of the MachineOSConfig. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. 
+ rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + required: + - name + type: object + renderedImagePushSpec: + description: |- + renderedImagePushSpec is set by the Machine Config Operator from the MachineOSConfig object this build is attached to. + This field describes the location of the final image, which will be pushed by the build once complete. + The format of the image push spec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:. + The length of the push spec must be between 1 to 447 characters. + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme. Or it must + be a valid .svc followed by a port, repository, image name, and + tag. + rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') + required: + - machineConfig + - machineOSConfig + - renderedImagePushSpec + type: object + x-kubernetes-validations: + - message: machineOSBuildSpec is immutable once set + rule: self == oldSelf + status: + description: status describes the last observed state of this machine + os build. + properties: + buildEnd: + description: |- + buildEnd is the timestamp corresponding to completion of the builder backend. + When omitted the build has either not been started, or is in progress. + It will be populated once the build completes, fails or is interrupted. + format: date-time + type: string + x-kubernetes-validations: + - message: buildEnd is immutable once set + rule: self == oldSelf + buildStart: + description: buildStart is the timestamp corresponding to the build + controller initiating the build backend for this MachineOSBuild. 
+ format: date-time + type: string + x-kubernetes-validations: + - message: buildStart is immutable once set + rule: self == oldSelf + builder: + description: builder describes the image builder backend used for + this build. + properties: + imageBuilderType: + description: |- + imageBuilderType describes the type of image builder used to build this image. + Valid values are Job only. + When set to Job, a pod based builder, using buildah, is launched to build the specified image. + type: string + job: + description: |- + job is a reference to the job object that is managing the image build. + This is required if the imageBuilderType is Job, and forbidden otherwise. + properties: + group: + description: |- + group of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + Example: "", "apps", "build.openshift.io", etc. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of + lower case alphanumeric characters, '-' or '.', and must + start and end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + name: + description: |- + name of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of + lower case alphanumeric characters, '-' or '.', and must + start and end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + namespace: + description: |- + namespace of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. 
+ maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + resource: + description: |- + resource of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start with an alphabetic character and end with an alphanumeric character. + Example: "deployments", "deploymentconfigs", "pods", etc. + maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a DNS-1035 label must consist of lower case alphanumeric + characters or '-', start with an alphabetic character, + and end with an alphanumeric character + rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$') + required: + - group + - name + - resource + type: object + required: + - imageBuilderType + type: object + x-kubernetes-validations: + - message: job is required when imageBuilderType is Job, and forbidden + otherwise + rule: 'has(self.imageBuilderType) && self.imageBuilderType == ''Job'' + ? has(self.job) : !has(self.job)' + conditions: + description: |- + conditions are state related conditions for the build. Valid types are: + Prepared, Building, Failed, Interrupted, and Succeeded. + Once a Build is marked as Failed, Interrupted or Succeeded, no future conditions can be set. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: once a Failed condition is set, conditions are immutable + rule: 'oldSelf.exists(x, x.type==''Failed'' && x.status==''True'') + ? self==oldSelf : true' + - message: once an Interrupted condition is set, conditions are immutable + rule: 'oldSelf.exists(x, x.type==''Interrupted'' && x.status==''True'') + ? self==oldSelf : true' + - message: once an Succeeded condition is set, conditions are immutable + rule: 'oldSelf.exists(x, x.type==''Succeeded'' && x.status==''True'') + ? 
self==oldSelf : true' + digestedImagePushSpec: + description: |- + digestedImagePushSpec describes the fully qualified push spec produced by this build. + The format of the push spec is: host[:port][/namespace]/name@sha256:, + where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + The length of the whole spec must be between 1 to 447 characters. + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + relatedObjects: + description: |- + relatedObjects is a list of references to ephemeral objects such as ConfigMaps or Secrets that are meant to be consumed while the build process runs. + After a successful build or when this MachineOSBuild is deleted, these ephemeral objects will be removed. + In the event of a failed build, the objects will remain until the build is removed to allow for inspection. + items: + description: ObjectReference contains enough information to let + you inspect or modify the referred object. + properties: + group: + description: |- + group of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + Example: "", "apps", "build.openshift.io", etc. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start + and end with an alphanumeric character. 
+ rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + name: + description: |- + name of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start + and end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + namespace: + description: |- + namespace of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. + maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + resource: + description: |- + resource of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start with an alphabetic character and end with an alphanumeric character. + Example: "deployments", "deploymentconfigs", "pods", etc. + maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a DNS-1035 label must consist of lower case alphanumeric + characters or '-', start with an alphabetic character, and + end with an alphanumeric character + rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$') + required: + - group + - name + - resource + type: object + maxItems: 10 + type: array + x-kubernetes-list-map-keys: + - name + - resource + x-kubernetes-list-type: map + type: object + x-kubernetes-validations: + - message: buildEnd must be after buildStart + rule: 'has(self.buildEnd) ? 
has(self.buildStart) && timestamp(self.buildStart) + < timestamp(self.buildEnd) : true' + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-DevPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-DevPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..4bba53e59bd --- /dev/null +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-DevPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,404 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2090 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: DevPreviewNoUpgrade + labels: + openshift.io/operator-managed: "" + name: machineosbuilds.machineconfiguration.openshift.io +spec: + group: machineconfiguration.openshift.io + names: + kind: MachineOSBuild + listKind: MachineOSBuildList + plural: machineosbuilds + singular: machineosbuild + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Prepared")].status + name: Prepared + type: string + - jsonPath: .status.conditions[?(@.type=="Building")].status + name: Building + type: string + - jsonPath: .status.conditions[?(@.type=="Succeeded")].status + name: Succeeded + type: string + - jsonPath: .status.conditions[?(@.type=="Interrupted")].status + name: Interrupted + type: string + - jsonPath: .status.conditions[?(@.type=="Failed")].status + name: Failed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + MachineOSBuild describes a build process managed and deployed by the MCO + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec describes the configuration of the machine os build. + It is immutable once set. + properties: + machineConfig: + description: machineConfig points to the rendered MachineConfig resource + to be included in this image build. + properties: + name: + description: |- + name is the name of the rendered MachineConfig object. + This value should be between 10 and 253 characters, and must contain only lowercase + alphanumeric characters, hyphens and periods, and should start and end with an alphanumeric character. + maxLength: 253 + minLength: 10 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + required: + - name + type: object + machineOSConfig: + description: machineOSConfig references the MachineOSConfig resource + that this image build extends. + properties: + name: + description: |- + name of the MachineOSConfig. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. 
+ rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + required: + - name + type: object + renderedImagePushSpec: + description: |- + renderedImagePushSpec is set by the Machine Config Operator from the MachineOSConfig object this build is attached to. + This field describes the location of the final image, which will be pushed by the build once complete. + The format of the image push spec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:. + The length of the push spec must be between 1 to 447 characters. + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme. Or it must + be a valid .svc followed by a port, repository, image name, and + tag. + rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') + required: + - machineConfig + - machineOSConfig + - renderedImagePushSpec + type: object + x-kubernetes-validations: + - message: machineOSBuildSpec is immutable once set + rule: self == oldSelf + status: + description: status describes the last observed state of this machine + os build. + properties: + buildEnd: + description: |- + buildEnd is the timestamp corresponding to completion of the builder backend. + When omitted the build has either not been started, or is in progress. + It will be populated once the build completes, fails or is interrupted. + format: date-time + type: string + x-kubernetes-validations: + - message: buildEnd is immutable once set + rule: self == oldSelf + buildStart: + description: buildStart is the timestamp corresponding to the build + controller initiating the build backend for this MachineOSBuild. 
+ format: date-time + type: string + x-kubernetes-validations: + - message: buildStart is immutable once set + rule: self == oldSelf + builder: + description: builder describes the image builder backend used for + this build. + properties: + imageBuilderType: + description: |- + imageBuilderType describes the type of image builder used to build this image. + Valid values are Job only. + When set to Job, a pod based builder, using buildah, is launched to build the specified image. + type: string + job: + description: |- + job is a reference to the job object that is managing the image build. + This is required if the imageBuilderType is Job, and forbidden otherwise. + properties: + group: + description: |- + group of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + Example: "", "apps", "build.openshift.io", etc. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of + lower case alphanumeric characters, '-' or '.', and must + start and end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + name: + description: |- + name of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of + lower case alphanumeric characters, '-' or '.', and must + start and end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + namespace: + description: |- + namespace of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. 
+ maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + resource: + description: |- + resource of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start with an alphabetic character and end with an alphanumeric character. + Example: "deployments", "deploymentconfigs", "pods", etc. + maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a DNS-1035 label must consist of lower case alphanumeric + characters or '-', start with an alphabetic character, + and end with an alphanumeric character + rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$') + required: + - group + - name + - resource + type: object + required: + - imageBuilderType + type: object + x-kubernetes-validations: + - message: job is required when imageBuilderType is Job, and forbidden + otherwise + rule: 'has(self.imageBuilderType) && self.imageBuilderType == ''Job'' + ? has(self.job) : !has(self.job)' + conditions: + description: |- + conditions are state related conditions for the build. Valid types are: + Prepared, Building, Failed, Interrupted, and Succeeded. + Once a Build is marked as Failed, Interrupted or Succeeded, no future conditions can be set. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: once a Failed condition is set, conditions are immutable + rule: 'oldSelf.exists(x, x.type==''Failed'' && x.status==''True'') + ? self==oldSelf : true' + - message: once an Interrupted condition is set, conditions are immutable + rule: 'oldSelf.exists(x, x.type==''Interrupted'' && x.status==''True'') + ? self==oldSelf : true' + - message: once an Succeeded condition is set, conditions are immutable + rule: 'oldSelf.exists(x, x.type==''Succeeded'' && x.status==''True'') + ? 
self==oldSelf : true' + digestedImagePushSpec: + description: |- + digestedImagePushSpec describes the fully qualified push spec produced by this build. + The format of the push spec is: host[:port][/namespace]/name@sha256:, + where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + The length of the whole spec must be between 1 to 447 characters. + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + relatedObjects: + description: |- + relatedObjects is a list of references to ephemeral objects such as ConfigMaps or Secrets that are meant to be consumed while the build process runs. + After a successful build or when this MachineOSBuild is deleted, these ephemeral objects will be removed. + In the event of a failed build, the objects will remain until the build is removed to allow for inspection. + items: + description: ObjectReference contains enough information to let + you inspect or modify the referred object. + properties: + group: + description: |- + group of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + Example: "", "apps", "build.openshift.io", etc. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start + and end with an alphanumeric character. 
+ rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + name: + description: |- + name of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start + and end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + namespace: + description: |- + namespace of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. + maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + resource: + description: |- + resource of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start with an alphabetic character and end with an alphanumeric character. + Example: "deployments", "deploymentconfigs", "pods", etc. + maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a DNS-1035 label must consist of lower case alphanumeric + characters or '-', start with an alphabetic character, and + end with an alphanumeric character + rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$') + required: + - group + - name + - resource + type: object + maxItems: 10 + type: array + x-kubernetes-list-map-keys: + - name + - resource + x-kubernetes-list-type: map + type: object + x-kubernetes-validations: + - message: buildEnd must be after buildStart + rule: 'has(self.buildEnd) ? 
has(self.buildStart) && timestamp(self.buildStart) + < timestamp(self.buildEnd) : true' + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-TechPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..835a837643d --- /dev/null +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosbuilds-TechPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,404 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2090 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + labels: + openshift.io/operator-managed: "" + name: machineosbuilds.machineconfiguration.openshift.io +spec: + group: machineconfiguration.openshift.io + names: + kind: MachineOSBuild + listKind: MachineOSBuildList + plural: machineosbuilds + singular: machineosbuild + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Prepared")].status + name: Prepared + type: string + - jsonPath: .status.conditions[?(@.type=="Building")].status + name: Building + type: string + - jsonPath: .status.conditions[?(@.type=="Succeeded")].status + name: Succeeded + type: string + - jsonPath: .status.conditions[?(@.type=="Interrupted")].status + name: Interrupted + type: string + - jsonPath: .status.conditions[?(@.type=="Failed")].status + name: Failed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + MachineOSBuild describes a build process managed and deployed by the MCO + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec describes the configuration of the machine os build. + It is immutable once set. + properties: + machineConfig: + description: machineConfig points to the rendered MachineConfig resource + to be included in this image build. + properties: + name: + description: |- + name is the name of the rendered MachineConfig object. + This value should be between 10 and 253 characters, and must contain only lowercase + alphanumeric characters, hyphens and periods, and should start and end with an alphanumeric character. + maxLength: 253 + minLength: 10 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + required: + - name + type: object + machineOSConfig: + description: machineOSConfig references the MachineOSConfig resource + that this image build extends. + properties: + name: + description: |- + name of the MachineOSConfig. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. 
+ rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + required: + - name + type: object + renderedImagePushSpec: + description: |- + renderedImagePushSpec is set by the Machine Config Operator from the MachineOSConfig object this build is attached to. + This field describes the location of the final image, which will be pushed by the build once complete. + The format of the image push spec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:. + The length of the push spec must be between 1 to 447 characters. + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme. Or it must + be a valid .svc followed by a port, repository, image name, and + tag. + rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') + required: + - machineConfig + - machineOSConfig + - renderedImagePushSpec + type: object + x-kubernetes-validations: + - message: machineOSBuildSpec is immutable once set + rule: self == oldSelf + status: + description: status describes the last observed state of this machine + os build. + properties: + buildEnd: + description: |- + buildEnd is the timestamp corresponding to completion of the builder backend. + When omitted the build has either not been started, or is in progress. + It will be populated once the build completes, fails or is interrupted. + format: date-time + type: string + x-kubernetes-validations: + - message: buildEnd is immutable once set + rule: self == oldSelf + buildStart: + description: buildStart is the timestamp corresponding to the build + controller initiating the build backend for this MachineOSBuild. 
+ format: date-time + type: string + x-kubernetes-validations: + - message: buildStart is immutable once set + rule: self == oldSelf + builder: + description: builder describes the image builder backend used for + this build. + properties: + imageBuilderType: + description: |- + imageBuilderType describes the type of image builder used to build this image. + Valid values are Job only. + When set to Job, a pod based builder, using buildah, is launched to build the specified image. + type: string + job: + description: |- + job is a reference to the job object that is managing the image build. + This is required if the imageBuilderType is Job, and forbidden otherwise. + properties: + group: + description: |- + group of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + Example: "", "apps", "build.openshift.io", etc. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of + lower case alphanumeric characters, '-' or '.', and must + start and end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + name: + description: |- + name of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of + lower case alphanumeric characters, '-' or '.', and must + start and end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + namespace: + description: |- + namespace of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. 
+ maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + resource: + description: |- + resource of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start with an alphabetic character and end with an alphanumeric character. + Example: "deployments", "deploymentconfigs", "pods", etc. + maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a DNS-1035 label must consist of lower case alphanumeric + characters or '-', start with an alphabetic character, + and end with an alphanumeric character + rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$') + required: + - group + - name + - resource + type: object + required: + - imageBuilderType + type: object + x-kubernetes-validations: + - message: job is required when imageBuilderType is Job, and forbidden + otherwise + rule: 'has(self.imageBuilderType) && self.imageBuilderType == ''Job'' + ? has(self.job) : !has(self.job)' + conditions: + description: |- + conditions are state related conditions for the build. Valid types are: + Prepared, Building, Failed, Interrupted, and Succeeded. + Once a Build is marked as Failed, Interrupted or Succeeded, no future conditions can be set. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: once a Failed condition is set, conditions are immutable + rule: 'oldSelf.exists(x, x.type==''Failed'' && x.status==''True'') + ? self==oldSelf : true' + - message: once an Interrupted condition is set, conditions are immutable + rule: 'oldSelf.exists(x, x.type==''Interrupted'' && x.status==''True'') + ? self==oldSelf : true' + - message: once an Succeeded condition is set, conditions are immutable + rule: 'oldSelf.exists(x, x.type==''Succeeded'' && x.status==''True'') + ? 
self==oldSelf : true' + digestedImagePushSpec: + description: |- + digestedImagePushSpec describes the fully qualified push spec produced by this build. + The format of the push spec is: host[:port][/namespace]/name@sha256:, + where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + The length of the whole spec must be between 1 to 447 characters. + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + relatedObjects: + description: |- + relatedObjects is a list of references to ephemeral objects such as ConfigMaps or Secrets that are meant to be consumed while the build process runs. + After a successful build or when this MachineOSBuild is deleted, these ephemeral objects will be removed. + In the event of a failed build, the objects will remain until the build is removed to allow for inspection. + items: + description: ObjectReference contains enough information to let + you inspect or modify the referred object. + properties: + group: + description: |- + group of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + Example: "", "apps", "build.openshift.io", etc. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start + and end with an alphanumeric character. 
+ rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + name: + description: |- + name of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start + and end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + namespace: + description: |- + namespace of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. + maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + resource: + description: |- + resource of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start with an alphabetic character and end with an alphanumeric character. + Example: "deployments", "deploymentconfigs", "pods", etc. + maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a DNS-1035 label must consist of lower case alphanumeric + characters or '-', start with an alphabetic character, and + end with an alphanumeric character + rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$') + required: + - group + - name + - resource + type: object + maxItems: 10 + type: array + x-kubernetes-list-map-keys: + - name + - resource + x-kubernetes-list-type: map + type: object + x-kubernetes-validations: + - message: buildEnd must be after buildStart + rule: 'has(self.buildEnd) ? 
has(self.buildStart) && timestamp(self.buildStart) + < timestamp(self.buildEnd) : true' + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml new file mode 100644 index 00000000000..ad8a259757d --- /dev/null +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml 
@@ -0,0 +1,352 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2090 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: CustomNoUpgrade + labels: + openshift.io/operator-managed: "" + name: machineosconfigs.machineconfiguration.openshift.io +spec: + group: machineconfiguration.openshift.io + names: + kind: MachineOSConfig + listKind: MachineOSConfigList + plural: machineosconfigs + singular: machineosconfig + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + MachineOSConfig describes the configuration for a build process managed by the MCO + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec describes the configuration of the machineosconfig + properties: + baseImagePullSecret: + description: |- + baseImagePullSecret is the secret used to pull the base image. + Must live in the openshift-machine-config-operator namespace if provided. 
+ Defaults to using the cluster-wide pull secret if not specified. This is provided during install time of the cluster, and lives in the openshift-config namespace as a secret. + properties: + name: + description: |- + name is the name of the secret used to push or pull this MachineOSConfig object. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This secret must be in the openshift-machine-config-operator namespace. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + required: + - name + type: object + containerFile: + description: |- + containerFile describes the custom data the user has specified to build into the image. + This is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. + See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. + This is a list indexed by architecture name (e.g. AMD64), and allows specifying one containerFile per arch, up to 4. + items: + description: MachineOSContainerfile contains all custom content + the user wants built into the image + properties: + containerfileArch: + default: NoArch + description: |- + containerfileArch describes the architecture this containerfile is to be built for. + This arch is optional. If the user does not specify an architecture, it is assumed + that the content can be applied to all architectures, or in a single arch cluster: the only architecture. + enum: + - ARM64 + - AMD64 + - PPC64LE + - S390X + - NoArch + type: string + content: + description: |- + content is an embedded Containerfile/Dockerfile that defines the contents to be built into your image. 
+ See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. + for example, this would add the tree package to your hosts: + FROM configs AS final + RUN rpm-ostree install tree && \ + ostree container commit + This is a required field and can have a maximum length of **4096** characters. + maxLength: 4096 + type: string + required: + - content + type: object + maxItems: 4 + minItems: 0 + type: array + x-kubernetes-list-map-keys: + - containerfileArch + x-kubernetes-list-type: map + imageBuilder: + description: |- + imageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig. + Currently supported type(s): Job + properties: + imageBuilderType: + description: |- + imageBuilderType specifies the backend to be used to build the image. + Valid options are: Job + enum: + - Job + type: string + required: + - imageBuilderType + type: object + machineConfigPool: + description: |- + machineConfigPool is the pool which the build is for. + The Machine Config Operator will perform the build and roll out the built image to the specified pool. + properties: + name: + description: |- + name of the MachineConfigPool object. + This value should be at most 253 characters, and must contain only lowercase + alphanumeric characters, hyphens and periods, and should start and end with an alphanumeric character. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + required: + - name + type: object + renderedImagePushSecret: + description: |- + renderedImagePushSecret is the secret used to connect to a user registry. + The final image push and pull secrets should be separate and assume the principal of least privilege. 
+ The push secret with write privilege is only required to be present on the node hosting the MachineConfigController pod. + The pull secret with read only privileges is required on all nodes. + By separating the two secrets, the risk of write credentials becoming compromised is reduced. + properties: + name: + description: |- + name is the name of the secret used to push or pull this MachineOSConfig object. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This secret must be in the openshift-machine-config-operator namespace. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + required: + - name + type: object + renderedImagePushSpec: + description: |- + renderedImagePushSpec describes the location of the final image. + The MachineOSConfig object will use the in cluster image registry configuration. + If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf via the cluster image.config, ImageContentSourcePolicies, ImageDigestMirrorSet, or ImageTagMirrorSet objects. + The format of the image push spec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:. + The length of the push spec must be between 1 to 447 characters. + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme. Or it must + be a valid .svc followed by a port, repository, image name, and + tag. 
+ rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') + required: + - imageBuilder + - machineConfigPool + - renderedImagePushSecret + - renderedImagePushSpec + type: object + status: + description: status describes the status of the machineosconfig + properties: + conditions: + description: conditions are state related conditions for the object. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + currentImagePullSpec: + description: |- + currentImagePullSpec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This includes the sha256 image digest. + This is generated when the Machine Config Operator's build controller successfully completes the build, and is populated from the corresponding + MachineOSBuild object's FinalImagePushSpec. This may change after completion in reaction to spec changes that would cause a new image build, + but will not be removed. + The format of the image pull spec is: host[:port][/namespace]/name@sha256:, + where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + The length of the whole spec must be between 1 to 447 characters. 
+ maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + machineOSBuild: + description: machineOSBuild is a reference to the MachineOSBuild object + for this MachineOSConfig, which contains the status for the image + build. + properties: + group: + description: |- + group of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + Example: "", "apps", "build.openshift.io", etc. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + name: + description: |- + name of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + namespace: + description: |- + namespace of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. 
+ maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + resource: + description: |- + resource of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start with an alphabetic character and end with an alphanumeric character. + Example: "deployments", "deploymentconfigs", "pods", etc. + maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a DNS-1035 label must consist of lower case alphanumeric + characters or '-', start with an alphabetic character, and + end with an alphanumeric character + rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$') + required: + - group + - name + - resource + type: object + observedGeneration: + description: observedGeneration represents the generation of the MachineOSConfig + object observed by the Machine Config Operator's build controller. + format: int64 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: observedGeneration must not move backwards + rule: self >= oldSelf + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..1c5a7a24d64 --- /dev/null +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml 
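Review bot: the `currentImagePullSpec` status validator in this hunk accepts a narrower repository path than the `renderedImagePushSpec` spec validator, so a push spec the API admits can yield a digested pull spec that the build controller cannot write back to status. The spec rule allows any number of path segments (`(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$`), while the status rule allows at most one (`/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$`); `{0,61}` and the trailing `*` in the status rule also admit an empty namespace segment (`host//name`) and an empty image name. Suggest deriving both from one path expression, e.g. reuse the spec's `(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+` for the part before `@` in the status rule. The same generated rule appears in the DevPreviewNoUpgrade and TechPreviewNoUpgrade copies of this CRD.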
@@ -0,0 +1,352 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2090 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: DevPreviewNoUpgrade + labels: + openshift.io/operator-managed: "" + name: machineosconfigs.machineconfiguration.openshift.io +spec: + group: machineconfiguration.openshift.io + names: + kind: MachineOSConfig + listKind: MachineOSConfigList + plural: machineosconfigs + singular: machineosconfig + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + MachineOSConfig describes the configuration for a build process managed by the MCO + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec describes the configuration of the machineosconfig + properties: + baseImagePullSecret: + description: |- + baseImagePullSecret is the secret used to pull the base image. + Must live in the openshift-machine-config-operator namespace if provided. 
+ Defaults to using the cluster-wide pull secret if not specified. This is provided during install time of the cluster, and lives in the openshift-config namespace as a secret. + properties: + name: + description: |- + name is the name of the secret used to push or pull this MachineOSConfig object. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This secret must be in the openshift-machine-config-operator namespace. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + required: + - name + type: object + containerFile: + description: |- + containerFile describes the custom data the user has specified to build into the image. + This is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. + See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. + This is a list indexed by architecture name (e.g. AMD64), and allows specifying one containerFile per arch, up to 4. + items: + description: MachineOSContainerfile contains all custom content + the user wants built into the image + properties: + containerfileArch: + default: NoArch + description: |- + containerfileArch describes the architecture this containerfile is to be built for. + This arch is optional. If the user does not specify an architecture, it is assumed + that the content can be applied to all architectures, or in a single arch cluster: the only architecture. + enum: + - ARM64 + - AMD64 + - PPC64LE + - S390X + - NoArch + type: string + content: + description: |- + content is an embedded Containerfile/Dockerfile that defines the contents to be built into your image. 
+ See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. + for example, this would add the tree package to your hosts: + FROM configs AS final + RUN rpm-ostree install tree && \ + ostree container commit + This is a required field and can have a maximum length of **4096** characters. + maxLength: 4096 + type: string + required: + - content + type: object + maxItems: 4 + minItems: 0 + type: array + x-kubernetes-list-map-keys: + - containerfileArch + x-kubernetes-list-type: map + imageBuilder: + description: |- + imageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig. + Currently supported type(s): Job + properties: + imageBuilderType: + description: |- + imageBuilderType specifies the backend to be used to build the image. + Valid options are: Job + enum: + - Job + type: string + required: + - imageBuilderType + type: object + machineConfigPool: + description: |- + machineConfigPool is the pool which the build is for. + The Machine Config Operator will perform the build and roll out the built image to the specified pool. + properties: + name: + description: |- + name of the MachineConfigPool object. + This value should be at most 253 characters, and must contain only lowercase + alphanumeric characters, hyphens and periods, and should start and end with an alphanumeric character. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + required: + - name + type: object + renderedImagePushSecret: + description: |- + renderedImagePushSecret is the secret used to connect to a user registry. + The final image push and pull secrets should be separate and assume the principal of least privilege. 
+ The push secret with write privilege is only required to be present on the node hosting the MachineConfigController pod. + The pull secret with read only privileges is required on all nodes. + By separating the two secrets, the risk of write credentials becoming compromised is reduced. + properties: + name: + description: |- + name is the name of the secret used to push or pull this MachineOSConfig object. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This secret must be in the openshift-machine-config-operator namespace. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + required: + - name + type: object + renderedImagePushSpec: + description: |- + renderedImagePushSpec describes the location of the final image. + The MachineOSConfig object will use the in cluster image registry configuration. + If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf via the cluster image.config, ImageContentSourcePolicies, ImageDigestMirrorSet, or ImageTagMirrorSet objects. + The format of the image push spec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:. + The length of the push spec must be between 1 to 447 characters. + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme. Or it must + be a valid .svc followed by a port, repository, image name, and + tag. 
+ rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') + required: + - imageBuilder + - machineConfigPool + - renderedImagePushSecret + - renderedImagePushSpec + type: object + status: + description: status describes the status of the machineosconfig + properties: + conditions: + description: conditions are state related conditions for the object. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + currentImagePullSpec: + description: |- + currentImagePullSpec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This includes the sha256 image digest. + This is generated when the Machine Config Operator's build controller successfully completes the build, and is populated from the corresponding + MachineOSBuild object's FinalImagePushSpec. This may change after completion in reaction to spec changes that would cause a new image build, + but will not be removed. + The format of the image pull spec is: host[:port][/namespace]/name@sha256:, + where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + The length of the whole spec must be between 1 to 447 characters. 
+ maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + machineOSBuild: + description: machineOSBuild is a reference to the MachineOSBuild object + for this MachineOSConfig, which contains the status for the image + build. + properties: + group: + description: |- + group of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + Example: "", "apps", "build.openshift.io", etc. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + name: + description: |- + name of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + namespace: + description: |- + namespace of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. 
+ maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + resource: + description: |- + resource of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start with an alphabetic character and end with an alphanumeric character. + Example: "deployments", "deploymentconfigs", "pods", etc. + maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a DNS-1035 label must consist of lower case alphanumeric + characters or '-', start with an alphabetic character, and + end with an alphanumeric character + rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$') + required: + - group + - name + - resource + type: object + observedGeneration: + description: observedGeneration represents the generation of the MachineOSConfig + object observed by the Machine Config Operator's build controller. + format: int64 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: observedGeneration must not move backwards + rule: self >= oldSelf + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..963d3fa22d4 --- /dev/null +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml 
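Review bot: several user-facing strings in this hunk have lost their placeholder token: the `currentImagePullSpec` message reads `suffix, where '' is 64 characters long`, its description ends `host[:port][/namespace]/name@sha256:,`, and the `renderedImagePushSpec` description reads `host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:.`. An angle-bracket token appears to have been dropped on the way into the generated manifest; spelling the placeholders out as plain words (`@sha256:DIGEST`, `name:TAG`) keeps the validation messages readable wherever they are rendered. Separately, the `name` description under `baseImagePullSecret` says `name is the name of the secret used to push or pull this MachineOSConfig object`, which is copied from the push secret; it should describe the secret used to pull the base image. Both issues are repeated in the CustomNoUpgrade and TechPreviewNoUpgrade copies.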
@@ -0,0 +1,352 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2090 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + labels: + openshift.io/operator-managed: "" + name: machineosconfigs.machineconfiguration.openshift.io +spec: + group: machineconfiguration.openshift.io + names: + kind: MachineOSConfig + listKind: MachineOSConfigList + plural: machineosconfigs + singular: machineosconfig + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + MachineOSConfig describes the configuration for a build process managed by the MCO + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec describes the configuration of the machineosconfig + properties: + baseImagePullSecret: + description: |- + baseImagePullSecret is the secret used to pull the base image. + Must live in the openshift-machine-config-operator namespace if provided. 
+ Defaults to using the cluster-wide pull secret if not specified. This is provided during install time of the cluster, and lives in the openshift-config namespace as a secret. + properties: + name: + description: |- + name is the name of the secret used to push or pull this MachineOSConfig object. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This secret must be in the openshift-machine-config-operator namespace. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + required: + - name + type: object + containerFile: + description: |- + containerFile describes the custom data the user has specified to build into the image. + This is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. + See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. + This is a list indexed by architecture name (e.g. AMD64), and allows specifying one containerFile per arch, up to 4. + items: + description: MachineOSContainerfile contains all custom content + the user wants built into the image + properties: + containerfileArch: + default: NoArch + description: |- + containerfileArch describes the architecture this containerfile is to be built for. + This arch is optional. If the user does not specify an architecture, it is assumed + that the content can be applied to all architectures, or in a single arch cluster: the only architecture. + enum: + - ARM64 + - AMD64 + - PPC64LE + - S390X + - NoArch + type: string + content: + description: |- + content is an embedded Containerfile/Dockerfile that defines the contents to be built into your image. 
+ See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. + for example, this would add the tree package to your hosts: + FROM configs AS final + RUN rpm-ostree install tree && \ + ostree container commit + This is a required field and can have a maximum length of **4096** characters. + maxLength: 4096 + type: string + required: + - content + type: object + maxItems: 4 + minItems: 0 + type: array + x-kubernetes-list-map-keys: + - containerfileArch + x-kubernetes-list-type: map + imageBuilder: + description: |- + imageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig. + Currently supported type(s): Job + properties: + imageBuilderType: + description: |- + imageBuilderType specifies the backend to be used to build the image. + Valid options are: Job + enum: + - Job + type: string + required: + - imageBuilderType + type: object + machineConfigPool: + description: |- + machineConfigPool is the pool which the build is for. + The Machine Config Operator will perform the build and roll out the built image to the specified pool. + properties: + name: + description: |- + name of the MachineConfigPool object. + This value should be at most 253 characters, and must contain only lowercase + alphanumeric characters, hyphens and periods, and should start and end with an alphanumeric character. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + required: + - name + type: object + renderedImagePushSecret: + description: |- + renderedImagePushSecret is the secret used to connect to a user registry. + The final image push and pull secrets should be separate and assume the principal of least privilege. 
+ The push secret with write privilege is only required to be present on the node hosting the MachineConfigController pod. + The pull secret with read only privileges is required on all nodes. + By separating the two secrets, the risk of write credentials becoming compromised is reduced. + properties: + name: + description: |- + name is the name of the secret used to push or pull this MachineOSConfig object. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This secret must be in the openshift-machine-config-operator namespace. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + required: + - name + type: object + renderedImagePushSpec: + description: |- + renderedImagePushSpec describes the location of the final image. + The MachineOSConfig object will use the in cluster image registry configuration. + If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf via the cluster image.config, ImageContentSourcePolicies, ImageDigestMirrorSet, or ImageTagMirrorSet objects. + The format of the image push spec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:. + The length of the push spec must be between 1 to 447 characters. + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme. Or it must + be a valid .svc followed by a port, repository, image name, and + tag. 
+ rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') + required: + - imageBuilder + - machineConfigPool + - renderedImagePushSecret + - renderedImagePushSpec + type: object + status: + description: status describes the status of the machineosconfig + properties: + conditions: + description: conditions are state related conditions for the object. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + currentImagePullSpec: + description: |- + currentImagePullSpec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This includes the sha256 image digest. + This is generated when the Machine Config Operator's build controller successfully completes the build, and is populated from the corresponding + MachineOSBuild object's FinalImagePushSpec. This may change after completion in reaction to spec changes that would cause a new image build, + but will not be removed. + The format of the image pull spec is: host[:port][/namespace]/name@sha256:, + where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + The length of the whole spec must be between 1 to 447 characters. 
+ maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + machineOSBuild: + description: machineOSBuild is a reference to the MachineOSBuild object + for this MachineOSConfig, which contains the status for the image + build. + properties: + group: + description: |- + group of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + Example: "", "apps", "build.openshift.io", etc. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + name: + description: |- + name of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + namespace: + description: |- + namespace of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. 
+ maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + resource: + description: |- + resource of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start with an alphabetic character and end with an alphanumeric character. + Example: "deployments", "deploymentconfigs", "pods", etc. + maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a DNS-1035 label must consist of lower case alphanumeric + characters or '-', start with an alphabetic character, and + end with an alphanumeric character + rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$') + required: + - group + - name + - resource + type: object + observedGeneration: + description: observedGeneration represents the generation of the MachineOSConfig + object observed by the Machine Config Operator's build controller. + format: int64 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: observedGeneration must not move backwards + rule: self >= oldSelf + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/machineconfiguration/v1/zz_generated.deepcopy.go b/machineconfiguration/v1/zz_generated.deepcopy.go index 9ad13130fe3..94f9acbd5ad 100644 --- a/machineconfiguration/v1/zz_generated.deepcopy.go +++ b/machineconfiguration/v1/zz_generated.deepcopy.go 
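Review bot: the two image-reference validators in the MachineOSConfig schema above disagree on how many path components a repository may have. spec.renderedImagePushSpec accepts `(/[a-zA-Z0-9-_]{1,61})*` before the image name, so a push spec such as `registry.example.com:5000/team/sub/os-image:latest` is admitted, but status.currentImagePullSpec only allows one optional component, `/([a-zA-Z0-9-_]{0,61}/)?`, so the digested form of that same image would be rejected when the build controller writes it back to status. Either restrict the push-spec rule to a single namespace or give the pull-spec rule the same repetition; the pull-spec rule also accepts an empty image name (`[a-zA-Z0-9-_.]*?`) and an empty namespace component (`{0,61}`). Two doc fixes in the same hunk: the currentImagePullSpec godoc still says it is populated from the MachineOSBuild's FinalImagePushSpec, but that field is digestedImagePushSpec in this patch; and renderedImagePushSecret.name reads "the secret used to push or pull this MachineOSConfig object", while the parent doc says this is specifically the write-privileged secret used to push the rendered image, so say that.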
@@ -431,6 +431,22 @@ func (in *ImageRegistryBundle) DeepCopy() *ImageRegistryBundle { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImageSecretObjectReference) DeepCopyInto(out *ImageSecretObjectReference) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageSecretObjectReference. +func (in *ImageSecretObjectReference) DeepCopy() *ImageSecretObjectReference { + if in == nil { + return nil + } + out := new(ImageSecretObjectReference) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *KubeletConfig) DeepCopyInto(out *KubeletConfig) { *out = *in @@ -711,6 +727,22 @@ func (in *MachineConfigPoolList) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MachineConfigPoolReference) DeepCopyInto(out *MachineConfigPoolReference) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineConfigPoolReference. +func (in *MachineConfigPoolReference) DeepCopy() *MachineConfigPoolReference { + if in == nil { + return nil + } + out := new(MachineConfigPoolReference) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MachineConfigPoolSpec) DeepCopyInto(out *MachineConfigPoolSpec) { *out = *in 
@@ -806,6 +838,22 @@ func (in *MachineConfigPoolStatusConfiguration) DeepCopy() *MachineConfigPoolSta return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MachineConfigReference) DeepCopyInto(out *MachineConfigReference) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineConfigReference. +func (in *MachineConfigReference) DeepCopy() *MachineConfigReference { + if in == nil { + return nil + } + out := new(MachineConfigReference) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MachineConfigSpec) DeepCopyInto(out *MachineConfigSpec) { *out = *in 
@@ -833,6 +881,313 @@ func (in *MachineConfigSpec) DeepCopy() *MachineConfigSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MachineOSBuild) DeepCopyInto(out *MachineOSBuild) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineOSBuild. +func (in *MachineOSBuild) DeepCopy() *MachineOSBuild { + if in == nil { + return nil + } + out := new(MachineOSBuild) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *MachineOSBuild) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MachineOSBuildList) DeepCopyInto(out *MachineOSBuildList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]MachineOSBuild, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineOSBuildList. +func (in *MachineOSBuildList) DeepCopy() *MachineOSBuildList { + if in == nil { + return nil + } + out := new(MachineOSBuildList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
+func (in *MachineOSBuildList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MachineOSBuildSpec) DeepCopyInto(out *MachineOSBuildSpec) { + *out = *in + out.MachineConfig = in.MachineConfig + out.MachineOSConfig = in.MachineOSConfig + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineOSBuildSpec. +func (in *MachineOSBuildSpec) DeepCopy() *MachineOSBuildSpec { + if in == nil { + return nil + } + out := new(MachineOSBuildSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MachineOSBuildStatus) DeepCopyInto(out *MachineOSBuildStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]metav1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Builder != nil { + in, out := &in.Builder, &out.Builder + *out = new(MachineOSBuilderReference) + (*in).DeepCopyInto(*out) + } + if in.RelatedObjects != nil { + in, out := &in.RelatedObjects, &out.RelatedObjects + *out = make([]ObjectReference, len(*in)) + copy(*out, *in) + } + if in.BuildStart != nil { + in, out := &in.BuildStart, &out.BuildStart + *out = (*in).DeepCopy() + } + if in.BuildEnd != nil { + in, out := &in.BuildEnd, &out.BuildEnd + *out = (*in).DeepCopy() + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineOSBuildStatus. +func (in *MachineOSBuildStatus) DeepCopy() *MachineOSBuildStatus { + if in == nil { + return nil + } + out := new(MachineOSBuildStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil. +func (in *MachineOSBuilderReference) DeepCopyInto(out *MachineOSBuilderReference) { + *out = *in + if in.Job != nil { + in, out := &in.Job, &out.Job + *out = new(ObjectReference) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineOSBuilderReference. +func (in *MachineOSBuilderReference) DeepCopy() *MachineOSBuilderReference { + if in == nil { + return nil + } + out := new(MachineOSBuilderReference) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MachineOSConfig) DeepCopyInto(out *MachineOSConfig) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineOSConfig. +func (in *MachineOSConfig) DeepCopy() *MachineOSConfig { + if in == nil { + return nil + } + out := new(MachineOSConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *MachineOSConfig) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MachineOSConfigList) DeepCopyInto(out *MachineOSConfigList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]MachineOSConfig, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineOSConfigList. 
+func (in *MachineOSConfigList) DeepCopy() *MachineOSConfigList { + if in == nil { + return nil + } + out := new(MachineOSConfigList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *MachineOSConfigList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MachineOSConfigReference) DeepCopyInto(out *MachineOSConfigReference) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineOSConfigReference. +func (in *MachineOSConfigReference) DeepCopy() *MachineOSConfigReference { + if in == nil { + return nil + } + out := new(MachineOSConfigReference) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MachineOSConfigSpec) DeepCopyInto(out *MachineOSConfigSpec) { + *out = *in + out.MachineConfigPool = in.MachineConfigPool + out.ImageBuilder = in.ImageBuilder + if in.BaseImagePullSecret != nil { + in, out := &in.BaseImagePullSecret, &out.BaseImagePullSecret + *out = new(ImageSecretObjectReference) + **out = **in + } + out.RenderedImagePushSecret = in.RenderedImagePushSecret + if in.Containerfile != nil { + in, out := &in.Containerfile, &out.Containerfile + *out = make([]MachineOSContainerfile, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineOSConfigSpec. 
+func (in *MachineOSConfigSpec) DeepCopy() *MachineOSConfigSpec { + if in == nil { + return nil + } + out := new(MachineOSConfigSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MachineOSConfigStatus) DeepCopyInto(out *MachineOSConfigStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]metav1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.MachineOSBuild != nil { + in, out := &in.MachineOSBuild, &out.MachineOSBuild + *out = new(ObjectReference) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineOSConfigStatus. +func (in *MachineOSConfigStatus) DeepCopy() *MachineOSConfigStatus { + if in == nil { + return nil + } + out := new(MachineOSConfigStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MachineOSContainerfile) DeepCopyInto(out *MachineOSContainerfile) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineOSContainerfile. +func (in *MachineOSContainerfile) DeepCopy() *MachineOSContainerfile { + if in == nil { + return nil + } + out := new(MachineOSContainerfile) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MachineOSImageBuilder) DeepCopyInto(out *MachineOSImageBuilder) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineOSImageBuilder. 
+func (in *MachineOSImageBuilder) DeepCopy() *MachineOSImageBuilder { + if in == nil { + return nil + } + out := new(MachineOSImageBuilder) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *NetworkInfo) DeepCopyInto(out *NetworkInfo) { *out = *in @@ -854,6 +1209,22 @@ func (in *NetworkInfo) DeepCopy() *NetworkInfo { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ObjectReference) DeepCopyInto(out *ObjectReference) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectReference. +func (in *ObjectReference) DeepCopy() *ObjectReference { + if in == nil { + return nil + } + out := new(ObjectReference) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PinnedImageSetRef) DeepCopyInto(out *PinnedImageSetRef) { *out = *in diff --git a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml index 96dff59f312..a882f463236 100644 --- a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml 
@@ -170,3 +170,69 @@ machineconfigpools.machineconfiguration.openshift.io: TopLevelFeatureGates: [] Version: v1 +machineosbuilds.machineconfiguration.openshift.io: + Annotations: {} + ApprovedPRNumber: https://github.com/openshift/api/pull/2090 + CRDName: machineosbuilds.machineconfiguration.openshift.io + Capability: "" + Category: "" + FeatureGates: + - OnClusterBuild + FilenameOperatorName: machine-config + FilenameOperatorOrdering: "01" + FilenameRunLevel: "0000_80" + GroupName: machineconfiguration.openshift.io + HasStatus: true + KindName: MachineOSBuild + Labels: + openshift.io/operator-managed: "" + PluralName: machineosbuilds + PrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Prepared")].status + name: Prepared + type: string + - jsonPath: .status.conditions[?(@.type=="Building")].status + name: Building + type: string + - jsonPath: .status.conditions[?(@.type=="Succeeded")].status + name: Succeeded + type: string + - jsonPath: .status.conditions[?(@.type=="Interrupted")].status + name: Interrupted + type: string + - jsonPath: .status.conditions[?(@.type=="Failed")].status + name: Failed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + Scope: Cluster + ShortNames: null + TopLevelFeatureGates: + - OnClusterBuild + Version: v1 + +machineosconfigs.machineconfiguration.openshift.io: + Annotations: {} + ApprovedPRNumber: https://github.com/openshift/api/pull/2090 + CRDName: machineosconfigs.machineconfiguration.openshift.io + Capability: "" + Category: "" + FeatureGates: + - OnClusterBuild + FilenameOperatorName: machine-config + FilenameOperatorOrdering: "01" + FilenameRunLevel: "0000_80" + GroupName: machineconfiguration.openshift.io + HasStatus: true + KindName: MachineOSConfig + Labels: + openshift.io/operator-managed: "" + PluralName: machineosconfigs + PrinterColumns: [] + Scope: Cluster + ShortNames: null + TopLevelFeatureGates: + - OnClusterBuild + Version: v1 + 
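Review bot: machineosconfigs is registered with `PrinterColumns: []` while machineosbuilds gets six columns, so `oc get machineosconfigs` will show only NAME and AGE. Consider adding `.spec.machineConfigPool.name` and `.status.currentImagePullSpec`, both defined in the v1 schema in this patch, so an operator can see which pool a config targets and whether a digested image exists without describing every object. The rest is consistent with the commit message: both entries carry OnClusterBuild in FeatureGates and TopLevelFeatureGates (gate retained), HasStatus is true for both (matching the `status: {}` subresource), and Scope is Cluster, which is why the ObjectReference namespace fields in the schemas are optional.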
diff --git a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml new file mode 100644 index 00000000000..7aaaedd5f1b --- /dev/null +++ b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosbuilds.machineconfiguration.openshift.io/OnClusterBuild.yaml 
@@ -0,0 +1,404 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2090 + api.openshift.io/filename-cvo-runlevel: "0000_80" + api.openshift.io/filename-operator: machine-config + api.openshift.io/filename-ordering: "01" + feature-gate.release.openshift.io/OnClusterBuild: "true" + labels: + openshift.io/operator-managed: "" + name: machineosbuilds.machineconfiguration.openshift.io +spec: + group: machineconfiguration.openshift.io + names: + kind: MachineOSBuild + listKind: MachineOSBuildList + plural: machineosbuilds + singular: machineosbuild + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Prepared")].status + name: Prepared + type: string + - jsonPath: .status.conditions[?(@.type=="Building")].status + name: Building + type: string + - jsonPath: .status.conditions[?(@.type=="Succeeded")].status + name: Succeeded + type: string + - jsonPath: .status.conditions[?(@.type=="Interrupted")].status + name: Interrupted + type: string + - jsonPath: .status.conditions[?(@.type=="Failed")].status + name: Failed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + MachineOSBuild describes a build process managed and deployed by the MCO + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. 
+ Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec describes the configuration of the machine os build. + It is immutable once set. + properties: + machineConfig: + description: machineConfig points to the rendered MachineConfig resource + to be included in this image build. + properties: + name: + description: |- + name is the name of the rendered MachineConfig object. + This value should be between 10 and 253 characters, and must contain only lowercase + alphanumeric characters, hyphens and periods, and should start and end with an alphanumeric character. + maxLength: 253 + minLength: 10 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + required: + - name + type: object + machineOSConfig: + description: machineOSConfig references the MachineOSConfig resource + that this image build extends. + properties: + name: + description: |- + name of the MachineOSConfig. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. 
+ rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + required: + - name + type: object + renderedImagePushSpec: + description: |- + renderedImagePushSpec is set by the Machine Config Operator from the MachineOSConfig object this build is attached to. + This field describes the location of the final image, which will be pushed by the build once complete. + The format of the image push spec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:. + The length of the push spec must be between 1 to 447 characters. + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme. Or it must + be a valid .svc followed by a port, repository, image name, and + tag. + rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') + required: + - machineConfig + - machineOSConfig + - renderedImagePushSpec + type: object + x-kubernetes-validations: + - message: machineOSBuildSpec is immutable once set + rule: self == oldSelf + status: + description: status describes the last observed state of this machine + os build. + properties: + buildEnd: + description: |- + buildEnd is the timestamp corresponding to completion of the builder backend. + When omitted the build has either not been started, or is in progress. + It will be populated once the build completes, fails or is interrupted. + format: date-time + type: string + x-kubernetes-validations: + - message: buildEnd is immutable once set + rule: self == oldSelf + buildStart: + description: buildStart is the timestamp corresponding to the build + controller initiating the build backend for this MachineOSBuild. 
+ format: date-time + type: string + x-kubernetes-validations: + - message: buildStart is immutable once set + rule: self == oldSelf + builder: + description: builder describes the image builder backend used for + this build. + properties: + imageBuilderType: + description: |- + imageBuilderType describes the type of image builder used to build this image. + Valid values are Job only. + When set to Job, a pod based builder, using buildah, is launched to build the specified image. + type: string + job: + description: |- + job is a reference to the job object that is managing the image build. + This is required if the imageBuilderType is Job, and forbidden otherwise. + properties: + group: + description: |- + group of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + Example: "", "apps", "build.openshift.io", etc. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of + lower case alphanumeric characters, '-' or '.', and must + start and end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + name: + description: |- + name of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of + lower case alphanumeric characters, '-' or '.', and must + start and end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + namespace: + description: |- + namespace of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. 
+ maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + resource: + description: |- + resource of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start with an alphabetic character and end with an alphanumeric character. + Example: "deployments", "deploymentconfigs", "pods", etc. + maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a DNS-1035 label must consist of lower case alphanumeric + characters or '-', start with an alphabetic character, + and end with an alphanumeric character + rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$') + required: + - group + - name + - resource + type: object + required: + - imageBuilderType + type: object + x-kubernetes-validations: + - message: job is required when imageBuilderType is Job, and forbidden + otherwise + rule: 'has(self.imageBuilderType) && self.imageBuilderType == ''Job'' + ? has(self.job) : !has(self.job)' + conditions: + description: |- + conditions are state related conditions for the build. Valid types are: + Prepared, Building, Failed, Interrupted, and Succeeded. + Once a Build is marked as Failed, Interrupted or Succeeded, no future conditions can be set. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: once a Failed condition is set, conditions are immutable + rule: 'oldSelf.exists(x, x.type==''Failed'' && x.status==''True'') + ? self==oldSelf : true' + - message: once an Interrupted condition is set, conditions are immutable + rule: 'oldSelf.exists(x, x.type==''Interrupted'' && x.status==''True'') + ? self==oldSelf : true' + - message: once an Succeeded condition is set, conditions are immutable + rule: 'oldSelf.exists(x, x.type==''Succeeded'' && x.status==''True'') + ? 
self==oldSelf : true' + digestedImagePushSpec: + description: |- + digestedImagePushSpec describes the fully qualified push spec produced by this build. + The format of the push spec is: host[:port][/namespace]/name@sha256:, + where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + The length of the whole spec must be between 1 to 447 characters. + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + relatedObjects: + description: |- + relatedObjects is a list of references to ephemeral objects such as ConfigMaps or Secrets that are meant to be consumed while the build process runs. + After a successful build or when this MachineOSBuild is deleted, these ephemeral objects will be removed. + In the event of a failed build, the objects will remain until the build is removed to allow for inspection. + items: + description: ObjectReference contains enough information to let + you inspect or modify the referred object. + properties: + group: + description: |- + group of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + Example: "", "apps", "build.openshift.io", etc. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start + and end with an alphanumeric character. 
+ rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + name: + description: |- + name of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start + and end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + namespace: + description: |- + namespace of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. + maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + resource: + description: |- + resource of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start with an alphabetic character and end with an alphanumeric character. + Example: "deployments", "deploymentconfigs", "pods", etc. + maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a DNS-1035 label must consist of lower case alphanumeric + characters or '-', start with an alphabetic character, and + end with an alphanumeric character + rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$') + required: + - group + - name + - resource + type: object + maxItems: 10 + type: array + x-kubernetes-list-map-keys: + - name + - resource + x-kubernetes-list-type: map + type: object + x-kubernetes-validations: + - message: buildEnd must be after buildStart + rule: 'has(self.buildEnd) ? 
has(self.buildStart) && timestamp(self.buildStart) + < timestamp(self.buildEnd) : true' + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml new file mode 100644 index 00000000000..89645783564 --- /dev/null +++ b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/machineosconfigs.machineconfiguration.openshift.io/OnClusterBuild.yaml 
@@ -0,0 +1,352 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2090 + api.openshift.io/filename-cvo-runlevel: "0000_80" + api.openshift.io/filename-operator: machine-config + api.openshift.io/filename-ordering: "01" + feature-gate.release.openshift.io/OnClusterBuild: "true" + labels: + openshift.io/operator-managed: "" + name: machineosconfigs.machineconfiguration.openshift.io +spec: + group: machineconfiguration.openshift.io + names: + kind: MachineOSConfig + listKind: MachineOSConfigList + plural: machineosconfigs + singular: machineosconfig + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + MachineOSConfig describes the configuration for a build process managed by the MCO + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec describes the configuration of the machineosconfig + properties: + baseImagePullSecret: + description: |- + baseImagePullSecret is the secret used to pull the base image. + Must live in the openshift-machine-config-operator namespace if provided. 
+ Defaults to using the cluster-wide pull secret if not specified. This is provided during install time of the cluster, and lives in the openshift-config namespace as a secret. + properties: + name: + description: |- + name is the name of the secret used to push or pull this MachineOSConfig object. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This secret must be in the openshift-machine-config-operator namespace. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + required: + - name + type: object + containerFile: + description: |- + containerFile describes the custom data the user has specified to build into the image. + This is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. + See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. + This is a list indexed by architecture name (e.g. AMD64), and allows specifying one containerFile per arch, up to 4. + items: + description: MachineOSContainerfile contains all custom content + the user wants built into the image + properties: + containerfileArch: + default: NoArch + description: |- + containerfileArch describes the architecture this containerfile is to be built for. + This arch is optional. If the user does not specify an architecture, it is assumed + that the content can be applied to all architectures, or in a single arch cluster: the only architecture. + enum: + - ARM64 + - AMD64 + - PPC64LE + - S390X + - NoArch + type: string + content: + description: |- + content is an embedded Containerfile/Dockerfile that defines the contents to be built into your image. 
+ See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. + for example, this would add the tree package to your hosts: + FROM configs AS final + RUN rpm-ostree install tree && \ + ostree container commit + This is a required field and can have a maximum length of **4096** characters. + maxLength: 4096 + type: string + required: + - content + type: object + maxItems: 4 + minItems: 0 + type: array + x-kubernetes-list-map-keys: + - containerfileArch + x-kubernetes-list-type: map + imageBuilder: + description: |- + imageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig. + Currently supported type(s): Job + properties: + imageBuilderType: + description: |- + imageBuilderType specifies the backend to be used to build the image. + Valid options are: Job + enum: + - Job + type: string + required: + - imageBuilderType + type: object + machineConfigPool: + description: |- + machineConfigPool is the pool which the build is for. + The Machine Config Operator will perform the build and roll out the built image to the specified pool. + properties: + name: + description: |- + name of the MachineConfigPool object. + This value should be at most 253 characters, and must contain only lowercase + alphanumeric characters, hyphens and periods, and should start and end with an alphanumeric character. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + required: + - name + type: object + renderedImagePushSecret: + description: |- + renderedImagePushSecret is the secret used to connect to a user registry. + The final image push and pull secrets should be separate and assume the principal of least privilege. 
+ The push secret with write privilege is only required to be present on the node hosting the MachineConfigController pod. + The pull secret with read only privileges is required on all nodes. + By separating the two secrets, the risk of write credentials becoming compromised is reduced. + properties: + name: + description: |- + name is the name of the secret used to push or pull this MachineOSConfig object. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This secret must be in the openshift-machine-config-operator namespace. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + required: + - name + type: object + renderedImagePushSpec: + description: |- + renderedImagePushSpec describes the location of the final image. + The MachineOSConfig object will use the in cluster image registry configuration. + If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf via the cluster image.config, ImageContentSourcePolicies, ImageDigestMirrorSet, or ImageTagMirrorSet objects. + The format of the image push spec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:. + The length of the push spec must be between 1 to 447 characters. + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme. Or it must + be a valid .svc followed by a port, repository, image name, and + tag. 
+ rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') + required: + - imageBuilder + - machineConfigPool + - renderedImagePushSecret + - renderedImagePushSpec + type: object + status: + description: status describes the status of the machineosconfig + properties: + conditions: + description: conditions are state related conditions for the object. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + currentImagePullSpec: + description: |- + currentImagePullSpec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This includes the sha256 image digest. + This is generated when the Machine Config Operator's build controller successfully completes the build, and is populated from the corresponding + MachineOSBuild object's FinalImagePushSpec. This may change after completion in reaction to spec changes that would cause a new image build, + but will not be removed. + The format of the image pull spec is: host[:port][/namespace]/name@sha256:, + where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + The length of the whole spec must be between 1 to 447 characters. 
+ maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image reference must end with a valid '@sha256:' + suffix, where '' is 64 characters long + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + machineOSBuild: + description: machineOSBuild is a reference to the MachineOSBuild object + for this MachineOSConfig, which contains the status for the image + build. + properties: + group: + description: |- + group of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + Example: "", "apps", "build.openshift.io", etc. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + name: + description: |- + name of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + namespace: + description: |- + namespace of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. 
+ maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + resource: + description: |- + resource of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start with an alphabetic character and end with an alphanumeric character. + Example: "deployments", "deploymentconfigs", "pods", etc. + maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a DNS-1035 label must consist of lower case alphanumeric + characters or '-', start with an alphabetic character, and + end with an alphanumeric character + rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$') + required: + - group + - name + - resource + type: object + observedGeneration: + description: observedGeneration represents the generation of the MachineOSConfig + object observed by the Machine Config Operator's build controller. + format: int64 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: observedGeneration must not move backwards + rule: self >= oldSelf + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/machineconfiguration/v1/zz_generated.swagger_doc_generated.go b/machineconfiguration/v1/zz_generated.swagger_doc_generated.go index 29a3a2a902b..2a125cfab43 100644 --- a/machineconfiguration/v1/zz_generated.swagger_doc_generated.go +++ b/machineconfiguration/v1/zz_generated.swagger_doc_generated.go 
@@ -359,4 +359,173 @@ func (PoolSynchronizerStatus) SwaggerDoc() map[string]string { return map_PoolSynchronizerStatus } +var map_MachineConfigReference = map[string]string{ + "": "Refers to the name of a rendered MachineConfig (e.g., \"rendered-worker-ec40d2965ff81bce7cd7a7e82a680739\", etc.): the build targets this MachineConfig, this is often used to tell us whether we need an update.", + "name": "name is the name of the rendered MachineConfig object. This value should be between 10 and 253 characters, and must contain only lowercase alphanumeric characters, hyphens and periods, and should start and end with an alphanumeric character.", +} + +func (MachineConfigReference) SwaggerDoc() map[string]string { + return map_MachineConfigReference +} + +var map_MachineOSBuild = map[string]string{ + "": "MachineOSBuild describes a build process managed and deployed by the MCO Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "metadata": "metadata is the standard object metadata.", + "spec": "spec describes the configuration of the machine os build. 
It is immutable once set.", + "status": "status describes the last observed state of this machine os build.", +} + +func (MachineOSBuild) SwaggerDoc() map[string]string { + return map_MachineOSBuild +} + +var map_MachineOSBuildList = map[string]string{ + "": "MachineOSBuildList describes all of the Builds on the system\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "metadata": "metadata is the standard list metadata.", + "items": "items contains a collection of MachineOSBuild resources.", +} + +func (MachineOSBuildList) SwaggerDoc() map[string]string { + return map_MachineOSBuildList +} + +var map_MachineOSBuildSpec = map[string]string{ + "": "MachineOSBuildSpec describes information about a build process primarily populated from a MachineOSConfig object.", + "machineConfig": "machineConfig points to the rendered MachineConfig resource to be included in this image build.", + "machineOSConfig": "machineOSConfig references the MachineOSConfig resource that this image build extends.", + "renderedImagePushSpec": "renderedImagePushSpec is set by the Machine Config Operator from the MachineOSConfig object this build is attached to. This field describes the location of the final image, which will be pushed by the build once complete. The format of the image push spec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:. The length of the push spec must be between 1 to 447 characters.", +} + +func (MachineOSBuildSpec) SwaggerDoc() map[string]string { + return map_MachineOSBuildSpec +} + +var map_MachineOSBuildStatus = map[string]string{ + "": "MachineOSBuildStatus describes the state of a build and other helpful information.", + "conditions": "conditions are state related conditions for the build. Valid types are: Prepared, Building, Failed, Interrupted, and Succeeded. 
Once a Build is marked as Failed, Interrupted or Succeeded, no future conditions can be set.", + "builder": "builder describes the image builder backend used for this build.", + "relatedObjects": "relatedObjects is a list of references to ephemeral objects such as ConfigMaps or Secrets that are meant to be consumed while the build process runs. After a successful build or when this MachineOSBuild is deleted, these ephemeral objects will be removed. In the event of a failed build, the objects will remain until the build is removed to allow for inspection.", + "buildStart": "buildStart is the timestamp corresponding to the build controller initiating the build backend for this MachineOSBuild.", + "buildEnd": "buildEnd is the timestamp corresponding to completion of the builder backend. When omitted the build has either not been started, or is in progress. It will be populated once the build completes, fails or is interrupted.", + "digestedImagePushSpec": "digestedImagePushSpec describes the fully qualified push spec produced by this build. The format of the push spec is: host[:port][/namespace]/name@sha256:, where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. The length of the whole spec must be between 1 to 447 characters.", +} + +func (MachineOSBuildStatus) SwaggerDoc() map[string]string { + return map_MachineOSBuildStatus +} + +var map_MachineOSBuilderReference = map[string]string{ + "": "MachineOSBuilderReference describes which ImageBuilder backend to use for this build", + "imageBuilderType": "imageBuilderType describes the type of image builder used to build this image. Valid values are Job only. When set to Job, a pod based builder, using buildah, is launched to build the specified image.", + "job": "job is a reference to the job object that is managing the image build. 
This is required if the imageBuilderType is Job, and forbidden otherwise.", +} + +func (MachineOSBuilderReference) SwaggerDoc() map[string]string { + return map_MachineOSBuilderReference +} + +var map_MachineOSConfigReference = map[string]string{ + "": "MachineOSConfigReference refers to the MachineOSConfig this build is based off of", + "name": "name of the MachineOSConfig. The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character.", +} + +func (MachineOSConfigReference) SwaggerDoc() map[string]string { + return map_MachineOSConfigReference +} + +var map_ObjectReference = map[string]string{ + "": "ObjectReference contains enough information to let you inspect or modify the referred object.", + "group": "group of the referent. The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. Example: \"\", \"apps\", \"build.openshift.io\", etc.", + "resource": "resource of the referent. This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, and should start with an alphabetic character and end with an alphanumeric character. Example: \"deployments\", \"deploymentconfigs\", \"pods\", etc.", + "namespace": "namespace of the referent. This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, and should start and end with an alphanumeric character.", + "name": "name of the referent. The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character.", +} + +func (ObjectReference) SwaggerDoc() map[string]string { + return map_ObjectReference +} + +var map_ImageSecretObjectReference = map[string]string{ + "": "Refers to the name of an image registry push/pull secret needed in the build process.", + "name": "name is the name of the secret used to push or pull this MachineOSConfig object. 
Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. This secret must be in the openshift-machine-config-operator namespace.", +} + +func (ImageSecretObjectReference) SwaggerDoc() map[string]string { + return map_ImageSecretObjectReference +} + +var map_MachineConfigPoolReference = map[string]string{ + "": "Refers to the name of a MachineConfigPool (e.g., \"worker\", \"infra\", etc.): the MachineOSBuilder pod validates that the user has provided a valid pool", + "name": "name of the MachineConfigPool object. This value should be at most 253 characters, and must contain only lowercase alphanumeric characters, hyphens and periods, and should start and end with an alphanumeric character.", +} + +func (MachineConfigPoolReference) SwaggerDoc() map[string]string { + return map_MachineConfigPoolReference +} + +var map_MachineOSConfig = map[string]string{ + "": "MachineOSConfig describes the configuration for a build process managed by the MCO Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "metadata": "metadata is the standard object metadata.", + "spec": "spec describes the configuration of the machineosconfig", + "status": "status describes the status of the machineosconfig", +} + +func (MachineOSConfig) SwaggerDoc() map[string]string { + return map_MachineOSConfig +} + +var map_MachineOSConfigList = map[string]string{ + "": "MachineOSConfigList describes all configurations for image builds on the system\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "metadata": "metadata is the standard list metadata.", + "items": "items contains a collection of MachineOSConfig resources.", +} + +func (MachineOSConfigList) SwaggerDoc() map[string]string { + return map_MachineOSConfigList +} + +var map_MachineOSConfigSpec = map[string]string{ + "": 
"MachineOSConfigSpec describes user-configurable options as well as information about a build process.", + "machineConfigPool": "machineConfigPool is the pool which the build is for. The Machine Config Operator will perform the build and roll out the built image to the specified pool.", + "imageBuilder": "imageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig. Currently supported type(s): Job", + "baseImagePullSecret": "baseImagePullSecret is the secret used to pull the base image. Must live in the openshift-machine-config-operator namespace if provided. Defaults to using the cluster-wide pull secret if not specified. This is provided during install time of the cluster, and lives in the openshift-config namespace as a secret.", + "renderedImagePushSecret": "renderedImagePushSecret is the secret used to connect to a user registry. The final image push and pull secrets should be separate and assume the principal of least privilege. The push secret with write privilege is only required to be present on the node hosting the MachineConfigController pod. The pull secret with read only privileges is required on all nodes. By separating the two secrets, the risk of write credentials becoming compromised is reduced.", + "renderedImagePushSpec": "renderedImagePushSpec describes the location of the final image. The MachineOSConfig object will use the in cluster image registry configuration. If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf via the cluster image.config, ImageContentSourcePolicies, ImageDigestMirrorSet, or ImageTagMirrorSet objects. The format of the image push spec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:. The length of the push spec must be between 1 to 447 characters.", + "containerFile": "containerFile describes the custom data the user has specified to build into the image. 
This is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. This is a list indexed by architecture name (e.g. AMD64), and allows specifying one containerFile per arch, up to 4.", +} + +func (MachineOSConfigSpec) SwaggerDoc() map[string]string { + return map_MachineOSConfigSpec +} + +var map_MachineOSConfigStatus = map[string]string{ + "": "MachineOSConfigStatus describes the status this config object and relates it to the builds associated with this MachineOSConfig", + "conditions": "conditions are state related conditions for the object.", + "observedGeneration": "observedGeneration represents the generation of the MachineOSConfig object observed by the Machine Config Operator's build controller.", + "currentImagePullSpec": "currentImagePullSpec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This includes the sha256 image digest. This is generated when the Machine Config Operator's build controller successfully completes the build, and is populated from the corresponding MachineOSBuild object's FinalImagePushSpec. This may change after completion in reaction to spec changes that would cause a new image build, but will not be removed. The format of the image pull spec is: host[:port][/namespace]/name@sha256:, where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. 
The length of the whole spec must be between 1 to 447 characters.", + "machineOSBuild": "machineOSBuild is a reference to the MachineOSBuild object for this MachineOSConfig, which contains the status for the image build.", +} + +func (MachineOSConfigStatus) SwaggerDoc() map[string]string { + return map_MachineOSConfigStatus +} + +var map_MachineOSContainerfile = map[string]string{ + "": "MachineOSContainerfile contains all custom content the user wants built into the image", + "containerfileArch": "containerfileArch describes the architecture this containerfile is to be built for. This arch is optional. If the user does not specify an architecture, it is assumed that the content can be applied to all architectures, or in a single arch cluster: the only architecture.", + "content": "content is an embedded Containerfile/Dockerfile that defines the contents to be built into your image. See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. for example, this would add the tree package to your hosts:\n FROM configs AS final\n RUN rpm-ostree install tree && \\n ostree container commit\nThis is a required field and can have a maximum length of **4096** characters.", +} + +func (MachineOSContainerfile) SwaggerDoc() map[string]string { + return map_MachineOSContainerfile +} + +var map_MachineOSImageBuilder = map[string]string{ + "imageBuilderType": "imageBuilderType specifies the backend to be used to build the image. Valid options are: Job", +} + +func (MachineOSImageBuilder) SwaggerDoc() map[string]string { + return map_MachineOSImageBuilder +} + // AUTO-GENERATED FUNCTIONS END HERE diff --git a/machineconfiguration/v1alpha1/types_machineosconfig.go b/machineconfiguration/v1alpha1/types_machineosconfig.go index 35863517a54..9a11f8d0807 100644 --- a/machineconfiguration/v1alpha1/types_machineosconfig.go +++ b/machineconfiguration/v1alpha1/types_machineosconfig.go 
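Review bot: the `currentImagePullSpec` godoc in this swagger hunk still says the value "is populated from the corresponding MachineOSBuild object's FinalImagePushSpec", but that MachineOSBuild field is renamed to `digestedImagePushSpec` in the CRD hunks later in this patch; update the sentence so the generated docs do not point at a field that no longer exists. Two smaller doc nits in the same hunk: the MachineOSConfig type description runs "managed by the MCO Compatibility level 1: ..." with no separator, whereas MachineOSConfigList carries the `\n\n` before "Compatibility level 1", so the MachineOSConfig godoc needs an empty comment line before the compatibility marker; and the Containerfile example in MachineOSContainerfile.content renders as `RUN rpm-ostree install tree && \\n ostree container commit`, which is a literal backslash followed by the letter n rather than a line continuation and a newline, so check how that line of the source comment is escaped compared with the `\n` separators around it.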
@@ -105,7 +105,7 @@ type BuildInputs struct { BaseOSImagePullspec string `json:"baseOSImagePullspec,omitempty"` // baseImagePullSecret is the secret used to pull the base image. // must live in the openshift-machine-config-operator namespace - // +kubebuilder:validation:Required + // +required BaseImagePullSecret ImageSecretObjectReference `json:"baseImagePullSecret"` // machineOSImageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig // +kubebuilder:validation:Required diff --git a/operator/v1/tests/machineconfigurations.operator.openshift.io/NodeDisruptionPolicy.yaml b/operator/v1/tests/machineconfigurations.operator.openshift.io/NodeDisruptionPolicy.yaml index fe6c45a81f7..0616fea62f3 100644 --- a/operator/v1/tests/machineconfigurations.operator.openshift.io/NodeDisruptionPolicy.yaml +++ b/operator/v1/tests/machineconfigurations.operator.openshift.io/NodeDisruptionPolicy.yaml 
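Review bot: this v1alpha1 hunk switches BaseImagePullSecret from `// +kubebuilder:validation:Required` to `// +required`, but the machineOSImageBuilder field directly below it, visible in the trailing context, still carries `// +kubebuilder:validation:Required`. Mixing the two markers in one struct reads as if the fields were treated differently; either convert the sibling marker in the same change or leave this file on the kubebuilder form, and say in the commit message why a v1alpha1 marker is touched at all in a patch whose stated purpose is the v1 CRDs.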
@@ -5,115 +5,212 @@ featureGates: - NodeDisruptionPolicy tests: onCreate: - - name: Should be able to create a minimal MachineConfiguration - initial: | - apiVersion: operator.openshift.io/v1 - kind: MachineConfiguration - spec: {} # No spec is required for a MachineConfiguration - expected: | - apiVersion: operator.openshift.io/v1 - kind: MachineConfiguration - spec: - logLevel: Normal - operatorLogLevel: Normal - - name: Should be able to create an empty ManagedBootImages configuration knob - initial: | - apiVersion: operator.openshift.io/v1 - kind: MachineConfiguration - spec: - managedBootImages: - machineManagers: [] - expected: | - apiVersion: operator.openshift.io/v1 - kind: MachineConfiguration - spec: - logLevel: Normal - operatorLogLevel: Normal - managedBootImages: - machineManagers: [] - - name: Should be able to create a ManagedBootImages configuration knob that opts in all MachineSets - initial: | - apiVersion: operator.openshift.io/v1 - kind: MachineConfiguration - spec: - managedBootImages: - machineManagers: - - resource: machinesets - apiGroup: machine.openshift.io - selection: - mode: All - expected: | - apiVersion: operator.openshift.io/v1 - kind: MachineConfiguration - spec: - logLevel: Normal - operatorLogLevel: Normal - managedBootImages: - machineManagers: - - resource: machinesets - apiGroup: machine.openshift.io - selection: - mode: All - - name: Should be able to create a ManagedBootImages configuration knob that opts in MachineSets in partial mode - initial: | - apiVersion: operator.openshift.io/v1 - kind: MachineConfiguration - spec: - managedBootImages: - machineManagers: - - resource: machinesets - apiGroup: machine.openshift.io - selection: - mode: Partial - partial: - machineResourceSelector: - matchLabels: {} - expected: | - apiVersion: operator.openshift.io/v1 - kind: MachineConfiguration - spec: - logLevel: Normal - operatorLogLevel: Normal - managedBootImages: - machineManagers: - - resource: machinesets - apiGroup: 
machine.openshift.io - selection: - mode: Partial - partial: - machineResourceSelector: - matchLabels: {} - - name: Should not be able to add partial field if machineManager.selection.mode is not set to Partial - initial: | - apiVersion: operator.openshift.io/v1 - kind: MachineConfiguration - spec: - managedBootImages: - machineManagers: - - resource: machinesets - apiGroup: machine.openshift.io - selection: - mode: All - partial: - machineResourceSelector: - matchLabels: {} - expectedError: "Partial is required when type is partial, and forbidden otherwise" - - name: Only one unique pair of resource/apigroup is allowed in machineManagers - initial: | - apiVersion: operator.openshift.io/v1 - kind: MachineConfiguration - spec: - managedBootImages: - machineManagers: - - resource: machinesets - apiGroup: machine.openshift.io - selection: - mode: Partial - partial: - machineResourceSelector: - matchLabels: {} - - resource: machinesets - apiGroup: machine.openshift.io - selection: - mode: All - expectedError: "spec.managedBootImages.machineManagers[1]: Duplicate value: map[string]interface {}{\"apiGroup\":\"machine.openshift.io\", \"resource\":\"machinesets\"}" + - name: Should be able to create a valid node disruption policy + initial: | + apiVersion: operator.openshift.io/v1 + kind: MachineConfiguration + spec: + nodeDisruptionPolicy: + files: + - path: "/etc/my-file" + actions: + - type: DaemonReload + - type: Reload + reload: + serviceName: my.service + units: + - name: "my.service" + actions: + - type: Restart + restart: + serviceName: my-other.service + sshkey: + actions: + - type: None + expected: | + apiVersion: operator.openshift.io/v1 + kind: MachineConfiguration + spec: + logLevel: Normal + operatorLogLevel: Normal + nodeDisruptionPolicy: + files: + - path: "/etc/my-file" + actions: + - type: DaemonReload + - type: Reload + reload: + serviceName: my.service + units: + - name: "my.service" + actions: + - type: Restart + restart: + serviceName: 
my-other.service + sshkey: + actions: + - type: None + - name: Should be able to define a node disruption policy with multiple entries of the same type + initial: | + apiVersion: operator.openshift.io/v1 + kind: MachineConfiguration + spec: + nodeDisruptionPolicy: + files: + - path: "/etc/my-file" + actions: + - type: DaemonReload + - type: Reload + reload: + serviceName: my.service + - path: "/etc/my-other-file" + actions: + - type: Drain + - type: Restart + restart: + serviceName: my.service + expected: | + apiVersion: operator.openshift.io/v1 + kind: MachineConfiguration + spec: + logLevel: Normal + operatorLogLevel: Normal + nodeDisruptionPolicy: + files: + - path: "/etc/my-file" + actions: + - type: DaemonReload + - type: Reload + reload: + serviceName: my.service + - path: "/etc/my-other-file" + actions: + - type: Drain + - type: Restart + restart: + serviceName: my.service + - name: Node disruption policies with duplicate file entries should fail + initial: | + apiVersion: operator.openshift.io/v1 + kind: MachineConfiguration + spec: + nodeDisruptionPolicy: + files: + - path: "/etc/my-file" + actions: + - type: DaemonReload + - type: Reload + reload: + serviceName: my.service + - path: "/etc/my-file" + actions: + - type: Drain + - type: Reload + reload: + serviceName: my.service + expectedError: "spec.nodeDisruptionPolicy.files[1]: Duplicate value: map[string]interface {}{\"path\":\"/etc/my-file\"}" + - name: Node disruption policies that specify a reload action should fail if you don't specify the reload field + initial: | + apiVersion: operator.openshift.io/v1 + kind: MachineConfiguration + spec: + nodeDisruptionPolicy: + files: + - path: "/etc/my-file" + actions: + - type: DaemonReload + - type: Reload + expectedError: "reload is required when type is Reload, and forbidden otherwise" + - name: Node disruption policies that specify a reboot action should not allow other actions in the list + initial: | + apiVersion: operator.openshift.io/v1 + kind: 
MachineConfiguration + spec: + nodeDisruptionPolicy: + files: + - path: "/etc/my-file" + actions: + - type: Reboot + - type: DaemonReload + expectedError: "Reboot action can only be specified standalone, as it will override any other actions" + - name: Node disruption policies should use service name(s) which have a valid name prefix. + initial: | + apiVersion: operator.openshift.io/v1 + kind: MachineConfiguration + spec: + nodeDisruptionPolicy: + files: + - path: "/etc/my-file" + actions: + - type: DaemonReload + - type: Reload + reload: + serviceName: .service + expectedError: "Invalid ${NAME} in service name. Expected format is ${NAME}${SERVICETYPE}, where {NAME} must be atleast 1 character long and can only consist of alphabets, digits, \":\", \"-\", \"_\", \".\", and \"\\\"" + - name: Node disruption policies should use service name(s) which have a valid name suffix. + initial: | + apiVersion: operator.openshift.io/v1 + kind: MachineConfiguration + spec: + nodeDisruptionPolicy: + files: + - path: "/etc/my-file" + actions: + - type: DaemonReload + - type: Reload + reload: + serviceName: service + expectedError: "Invalid ${SERVICETYPE} in service name. Expected format is ${NAME}${SERVICETYPE}, where ${SERVICETYPE} must be one of \".service\", \".socket\", \".device\", \".mount\", \".automount\", \".swap\", \".target\", \".path\", \".timer\",\".snapshot\", \".slice\" or \".scope\"." + - name: Node disruption policies should use service name(s) which have a valid name suffix. + initial: | + apiVersion: operator.openshift.io/v1 + kind: MachineConfiguration + spec: + nodeDisruptionPolicy: + files: + - path: "/etc/my-file" + actions: + - type: DaemonReload + - type: Reload + reload: + serviceName: serv.ice + expectedError: "Invalid ${SERVICETYPE} in service name. 
Expected format is ${NAME}${SERVICETYPE}, where ${SERVICETYPE} must be one of \".service\", \".socket\", \".device\", \".mount\", \".automount\", \".swap\", \".target\", \".path\", \".timer\",\".snapshot\", \".slice\" or \".scope\"." + - name: Should be able to define a node disruption policy that has a service name which has multiple permitted special characters + initial: | + apiVersion: operator.openshift.io/v1 + kind: MachineConfiguration + spec: + nodeDisruptionPolicy: + files: + - path: "/etc/my-file" + actions: + - type: DaemonReload + - type: Reload + reload: + serviceName: a:b_c-d\.e.swap + - path: "/etc/my-other-file" + actions: + - type: Drain + - type: Restart + restart: + serviceName: a.b.c.d.e.snapshot + expected: | + apiVersion: operator.openshift.io/v1 + kind: MachineConfiguration + spec: + logLevel: Normal + operatorLogLevel: Normal + nodeDisruptionPolicy: + files: + - path: "/etc/my-file" + actions: + - type: DaemonReload + - type: Reload + reload: + serviceName: a:b_c-d\.e.swap + - path: "/etc/my-other-file" + actions: + - type: Drain + - type: Restart + restart: + serviceName: a.b.c.d.e.snapshot diff --git a/payload-manifests/crds/0000_80_machine-config_01_machineosbuilds-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_machineosbuilds-CustomNoUpgrade.crd.yaml index aee396dfe32..6a1b93cac94 100644 --- a/payload-manifests/crds/0000_80_machine-config_01_machineosbuilds-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_80_machine-config_01_machineosbuilds-CustomNoUpgrade.crd.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/1773 + api-approved.openshift.io: https://github.com/openshift/api/pull/2090 api.openshift.io/merged-by-featuregates: "true" include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" 
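Review bot: in the NodeDisruptionPolicy.yaml hunk above, two test cases carry the identical name "Node disruption policies should use service name(s) which have a valid name suffix." (one with `serviceName: service`, the other with `serviceName: serv.ice`), so a failure report cannot tell them apart; rename the second to say what it covers, for example that a suffix which is not a known unit type is rejected. The hunk also deletes every ManagedBootImages case in this file (the minimal object, the empty machineManagers knob, the All and Partial selection modes, the partial-without-Partial-mode error and the duplicate resource/apiGroup error); the commit message says these duplicate bootimage tests, so confirm that each of those six cases, in particular the "Duplicate value" check on machineManagers, exists in the bootimage test file before this is merged. Separately, the expected error text "must be atleast 1 character long" and the missing space in `\".timer\",\".snapshot\"` are copied verbatim from the CRD message, so fixing them means changing the source marker and regenerating, not editing this test file.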
@@ -35,12 +35,15 @@ spec: - jsonPath: .status.conditions[?(@.type=="Failed")].status name: Failed type: string - name: v1alpha1 + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 schema: openAPIV3Schema: description: |- MachineOSBuild describes a build process managed and deployed by the MCO - Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). properties: apiVersion: description: |- 
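Review bot: this hunk replaces the only `versions` entry in the CustomNoUpgrade MachineOSBuild CRD (`- name: v1alpha1` becomes `+ name: v1`) rather than adding v1 alongside it, so a cluster that already holds v1alpha1 MachineOSBuild objects under the feature gate has no served version left for them, and the apiserver rejects a CRD update that drops a version still recorded in status.storedVersions; state in the PR how existing alpha objects are handled (removed before the upgrade, or a served-but-not-storage v1alpha1 entry kept for one release), or say explicitly that they are expected to be discarded. The added Age printer column (`jsonPath: .metadata.creationTimestamp`, `type: date`) and the switch of the description to compatibility level 1 are consistent with the version bump.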
@@ -60,132 +63,178 @@ spec: metadata: type: object spec: - description: spec describes the configuration of the machine os build + description: |- + spec describes the configuration of the machine os build. + It is immutable once set. properties: - configGeneration: - description: configGeneration tracks which version of MachineOSConfig - this build is based off of - format: int64 - minimum: 1 - type: integer - desiredConfig: - description: desiredConfig is the desired config we want to build - an image for. + machineConfig: + description: machineConfig points to the rendered MachineConfig resource + to be included in this image build. properties: name: - description: name is the name of the rendered MachineConfig object. + description: |- + name is the name of the rendered MachineConfig object. + This value should be between 10 and 253 characters, and must contain only lowercase + alphanumeric characters, hyphens and periods, and should start and end with an alphanumeric character. maxLength: 253 - pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ + minLength: 10 type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') required: - name type: object machineOSConfig: - description: machineOSConfig is the config object which the build - is based off of + description: machineOSConfig references the MachineOSConfig resource + that this image build extends. properties: name: - description: name of the MachineOSConfig + description: |- + name of the MachineOSConfig. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. 
+ maxLength: 253 + minLength: 1 type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') required: - name type: object - renderedImagePushspec: + renderedImagePushSpec: description: |- - renderedImagePushspec is set from the MachineOSConfig - The format of the image pullspec is: - host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name: + renderedImagePushSpec is set by the Machine Config Operator from the MachineOSConfig object this build is attached to. + This field describes the location of the final image, which will be pushed by the build once complete. + The format of the image push spec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:. + The length of the push spec must be between 1 to 447 characters. maxLength: 447 minLength: 1 type: string x-kubernetes-validations: - - message: the OCI Image reference must end with a valid :, where - '' is 64 characters long and '' is any valid string Or - it must be a valid .svc followed by a port, repository, image - name, and tag. - rule: ((self.split(':').size() == 2 && self.split(':')[1].matches('^([a-zA-Z0-9-./:])+$')) - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) - message: the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme. Or it must be a valid .svc followed by a port, repository, image name, and tag. 
- rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) - version: - description: version tracks the newest MachineOSBuild for each MachineOSConfig - format: int64 - minimum: 1 - type: integer + rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') required: - - configGeneration - - desiredConfig + - machineConfig - machineOSConfig - - renderedImagePushspec - - version + - renderedImagePushSpec type: object x-kubernetes-validations: - message: machineOSBuildSpec is immutable once set rule: self == oldSelf status: - description: status describes the lst observed state of this machine os - build + description: status describes the last observed state of this machine + os build. properties: buildEnd: - description: buildEnd describes when the build ended. + description: |- + buildEnd is the timestamp corresponding to completion of the builder backend. + When omitted the build has either not been started, or is in progress. + It will be populated once the build completes, fails or is interrupted. format: date-time type: string x-kubernetes-validations: - message: buildEnd is immutable once set rule: self == oldSelf buildStart: - description: buildStart describes when the build started. + description: buildStart is the timestamp corresponding to the build + controller initiating the build backend for this MachineOSBuild. format: date-time type: string x-kubernetes-validations: - message: buildStart is immutable once set rule: self == oldSelf - builderReference: - description: ImageBuilderType describes the image builder set in the - MachineOSConfig + builder: + description: builder describes the image builder backend used for + this build. 
properties: - buildPod: - description: relatedObjects is a list of objects that are related - to the build process. + imageBuilderType: + description: |- + imageBuilderType describes the type of image builder used to build this image. + Valid values are Job only. + When set to Job, a pod based builder, using buildah, is launched to build the specified image. + type: string + job: + description: |- + job is a reference to the job object that is managing the image build. + This is required if the imageBuilderType is Job, and forbidden otherwise. properties: group: - description: group of the referent. + description: |- + group of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + Example: "", "apps", "build.openshift.io", etc. + maxLength: 253 type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of + lower case alphanumeric characters, '-' or '.', and must + start and end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') name: - description: name of the referent. + description: |- + name of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 + minLength: 1 type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of + lower case alphanumeric characters, '-' or '.', and must + start and end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') namespace: - description: namespace of the referent. + description: |- + namespace of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. 
+ maxLength: 63 + minLength: 1 type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') resource: - description: resource of the referent. + description: |- + resource of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start with an alphabetic character and end with an alphanumeric character. + Example: "deployments", "deploymentconfigs", "pods", etc. + maxLength: 63 + minLength: 1 type: string + x-kubernetes-validations: + - message: a DNS-1035 label must consist of lower case alphanumeric + characters or '-', start with an alphabetic character, + and end with an alphanumeric character + rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$') required: - group - name - resource type: object - imageBuilderType: - description: ImageBuilderType describes the image builder set - in the MachineOSConfig - type: string required: - imageBuilderType type: object x-kubernetes-validations: - - message: buildPod is required when imageBuilderType is PodImageBuilder, - and forbidden otherwise - rule: 'has(self.imageBuilderType) && self.imageBuilderType == ''PodImageBuilder'' - ? true : !has(self.buildPod)' + - message: job is required when imageBuilderType is Job, and forbidden + otherwise + rule: 'has(self.imageBuilderType) && self.imageBuilderType == ''Job'' + ? has(self.job) : !has(self.job)' conditions: description: |- conditions are state related conditions for the build. Valid types are: - Prepared, Building, Failed, Interrupted, and Succeeded - once a Build is marked as Failed, no future conditions can be set. This is enforced by the MCO. + Prepared, Building, Failed, Interrupted, and Succeeded. + Once a Build is marked as Failed, Interrupted or Succeeded, no future conditions can be set. 
items: description: Condition contains details for one aspect of the current state of this API Resource. 
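Review bot: in this spec/status hunk the `group` field under `status.builder.job` lists `Example: "", "apps", "build.openshift.io"` and sits in the `required` list, yet its CEL rule `self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$')` needs at least one character, so the empty core group the description advertises is rejected; either make the rule `self == '' || self.matches(...)` or drop the empty string from the example (the same combination is repeated for `relatedObjects[].group` in the next hunk). Three more points in this hunk: `builder.imageBuilderType` is documented as "Valid values are Job only" but is a plain `type: string` with no `enum`, and the builder-level rule `self.imageBuilderType == 'Job' ? has(self.job) : !has(self.job)` then admits any other string with no job reference at all, so add the enum; the `renderedImagePushSpec` description says `svc_name.namespace.svc[:port]` with the port optional, whereas the second alternative of the rule, `'^[^.]+\\.[^.]+\\.svc:\\d+\\/...'`, makes the port mandatory, and the first alternative requires a dotted hostname (`([a-zA-Z0-9-]+\\.)+`), which rejects an undotted internal registry host, so align the description with the rule or relax the rule; and `machineConfig.name` gains `minLength: 10` with no reason given, so the description should say why a rendered MachineConfig name cannot be shorter.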
@@ -240,47 +289,112 @@ spec: - status - type type: object + maxItems: 8 type: array x-kubernetes-list-map-keys: - type x-kubernetes-list-type: map - finalImagePullspec: - description: finalImagePushSpec describes the fully qualified pushspec - produced by this build that the final image can be. Must be in sha - format. + x-kubernetes-validations: + - message: once a Failed condition is set, conditions are immutable + rule: 'oldSelf.exists(x, x.type==''Failed'' && x.status==''True'') + ? self==oldSelf : true' + - message: once an Interrupted condition is set, conditions are immutable + rule: 'oldSelf.exists(x, x.type==''Interrupted'' && x.status==''True'') + ? self==oldSelf : true' + - message: once an Succeeded condition is set, conditions are immutable + rule: 'oldSelf.exists(x, x.type==''Succeeded'' && x.status==''True'') + ? self==oldSelf : true' + digestedImagePushSpec: + description: |- + digestedImagePushSpec describes the fully qualified push spec produced by this build. + The format of the push spec is: host[:port][/namespace]/name@sha256:, + where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + The length of the whole spec must be between 1 to 447 characters. + maxLength: 447 + minLength: 1 type: string x-kubernetes-validations: - message: the OCI Image reference must end with a valid '@sha256:' suffix, where '' is 64 characters long - rule: ((self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))) + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) relatedObjects: - description: relatedObjects is a list of objects that are related - to the build process. 
+ description: |- + relatedObjects is a list of references to ephemeral objects such as ConfigMaps or Secrets that are meant to be consumed while the build process runs. + After a successful build or when this MachineOSBuild is deleted, these ephemeral objects will be removed. + In the event of a failed build, the objects will remain until the build is removed to allow for inspection. items: description: ObjectReference contains enough information to let you inspect or modify the referred object. properties: group: - description: group of the referent. + description: |- + group of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + Example: "", "apps", "build.openshift.io", etc. + maxLength: 253 type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start + and end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') name: - description: name of the referent. + description: |- + name of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 + minLength: 1 type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start + and end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') namespace: - description: namespace of the referent. + description: |- + namespace of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. 
+ maxLength: 63 + minLength: 1 type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') resource: - description: resource of the referent. + description: |- + resource of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start with an alphabetic character and end with an alphanumeric character. + Example: "deployments", "deploymentconfigs", "pods", etc. + maxLength: 63 + minLength: 1 type: string + x-kubernetes-validations: + - message: a DNS-1035 label must consist of lower case alphanumeric + characters or '-', start with an alphabetic character, and + end with an alphanumeric character + rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$') required: - group - name - resource type: object + maxItems: 10 type: array - required: - - buildStart + x-kubernetes-list-map-keys: + - name + - resource + x-kubernetes-list-type: map type: object + x-kubernetes-validations: + - message: buildEnd must be after buildStart + rule: 'has(self.buildEnd) ? has(self.buildStart) && timestamp(self.buildStart) + < timestamp(self.buildEnd) : true' required: - spec type: object diff --git a/payload-manifests/crds/0000_80_machine-config_01_machineosbuilds-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_machineosbuilds-DevPreviewNoUpgrade.crd.yaml index 4cf5f001636..4bba53e59bd 100644 --- a/payload-manifests/crds/0000_80_machine-config_01_machineosbuilds-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_80_machine-config_01_machineosbuilds-DevPreviewNoUpgrade.crd.yaml 
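Review bot: the second `digestedImagePushSpec` rule in this hunk, `self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')`, permits at most one namespace segment, while the `renderedImagePushSpec` rule in the preceding hunk accepts any number (`(/[a-zA-Z0-9-_]{1,61})*`), so a build configured to push to host/org/team/name:tag passes spec validation and then fails status validation when the MCO writes host/org/team/name@sha256:...; use one repository pattern for both fields. Also in this hunk: the message "once an Succeeded condition is set" should read "once a Succeeded condition is set"; `relatedObjects` becomes a map keyed on `name` and `resource` only, so two referenced objects with the same name and resource in different namespaces or groups are rejected as duplicates, which should either be documented in the description or fixed by adding `namespace` to `x-kubernetes-list-map-keys`; and the digest message "must end with a valid '@sha256:' suffix, where '' is 64 characters long" has lost its placeholder between the quotes, so spell out that the part after `sha256:` is the 64-character hex digest.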
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/1773 + api-approved.openshift.io: https://github.com/openshift/api/pull/2090 api.openshift.io/merged-by-featuregates: "true" include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" @@ -35,12 +35,15 @@ spec: - jsonPath: .status.conditions[?(@.type=="Failed")].status name: Failed type: string - name: v1alpha1 + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 schema: openAPIV3Schema: description: |- MachineOSBuild describes a build process managed and deployed by the MCO - Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). properties: apiVersion: description: |- 
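Review bot: the DevPreviewNoUpgrade manifest hunks here are the same edits as the CustomNoUpgrade ones earlier in the patch (annotation bumped to pull/2090, `v1alpha1` replaced by `v1`, Age column added, compatibility level 1), which is expected for generated featureset copies; the point for review is that any change requested on either manifest (validation rules, descriptions, enums) has to be made in the Go types these files are generated from and regenerated, never patched into one of the two YAML files, otherwise the featuresets drift apart. Dropping the sole v1alpha1 version entry without a migration note is a concern for this file as well.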
@@ -60,132 +63,178 @@ spec: metadata: type: object spec: - description: spec describes the configuration of the machine os build + description: |- + spec describes the configuration of the machine os build. + It is immutable once set. properties: - configGeneration: - description: configGeneration tracks which version of MachineOSConfig - this build is based off of - format: int64 - minimum: 1 - type: integer - desiredConfig: - description: desiredConfig is the desired config we want to build - an image for. + machineConfig: + description: machineConfig points to the rendered MachineConfig resource + to be included in this image build. properties: name: - description: name is the name of the rendered MachineConfig object. + description: |- + name is the name of the rendered MachineConfig object. + This value should be between 10 and 253 characters, and must contain only lowercase + alphanumeric characters, hyphens and periods, and should start and end with an alphanumeric character. maxLength: 253 - pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ + minLength: 10 type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') required: - name type: object machineOSConfig: - description: machineOSConfig is the config object which the build - is based off of + description: machineOSConfig references the MachineOSConfig resource + that this image build extends. properties: name: - description: name of the MachineOSConfig + description: |- + name of the MachineOSConfig. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. 
+ maxLength: 253 + minLength: 1 type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') required: - name type: object - renderedImagePushspec: + renderedImagePushSpec: description: |- - renderedImagePushspec is set from the MachineOSConfig - The format of the image pullspec is: - host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name: + renderedImagePushSpec is set by the Machine Config Operator from the MachineOSConfig object this build is attached to. + This field describes the location of the final image, which will be pushed by the build once complete. + The format of the image push spec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:. + The length of the push spec must be between 1 to 447 characters. maxLength: 447 minLength: 1 type: string x-kubernetes-validations: - - message: the OCI Image reference must end with a valid :, where - '' is 64 characters long and '' is any valid string Or - it must be a valid .svc followed by a port, repository, image - name, and tag. - rule: ((self.split(':').size() == 2 && self.split(':')[1].matches('^([a-zA-Z0-9-./:])+$')) - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) - message: the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme. Or it must be a valid .svc followed by a port, repository, image name, and tag. 
- rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) - version: - description: version tracks the newest MachineOSBuild for each MachineOSConfig - format: int64 - minimum: 1 - type: integer + rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') required: - - configGeneration - - desiredConfig + - machineConfig - machineOSConfig - - renderedImagePushspec - - version + - renderedImagePushSpec type: object x-kubernetes-validations: - message: machineOSBuildSpec is immutable once set rule: self == oldSelf status: - description: status describes the lst observed state of this machine os - build + description: status describes the last observed state of this machine + os build. properties: buildEnd: - description: buildEnd describes when the build ended. + description: |- + buildEnd is the timestamp corresponding to completion of the builder backend. + When omitted the build has either not been started, or is in progress. + It will be populated once the build completes, fails or is interrupted. format: date-time type: string x-kubernetes-validations: - message: buildEnd is immutable once set rule: self == oldSelf buildStart: - description: buildStart describes when the build started. + description: buildStart is the timestamp corresponding to the build + controller initiating the build backend for this MachineOSBuild. format: date-time type: string x-kubernetes-validations: - message: buildStart is immutable once set rule: self == oldSelf - builderReference: - description: ImageBuilderType describes the image builder set in the - MachineOSConfig + builder: + description: builder describes the image builder backend used for + this build. 
properties: - buildPod: - description: relatedObjects is a list of objects that are related - to the build process. + imageBuilderType: + description: |- + imageBuilderType describes the type of image builder used to build this image. + Valid values are Job only. + When set to Job, a pod based builder, using buildah, is launched to build the specified image. + type: string + job: + description: |- + job is a reference to the job object that is managing the image build. + This is required if the imageBuilderType is Job, and forbidden otherwise. properties: group: - description: group of the referent. + description: |- + group of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + Example: "", "apps", "build.openshift.io", etc. + maxLength: 253 type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of + lower case alphanumeric characters, '-' or '.', and must + start and end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') name: - description: name of the referent. + description: |- + name of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 + minLength: 1 type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of + lower case alphanumeric characters, '-' or '.', and must + start and end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') namespace: - description: namespace of the referent. + description: |- + namespace of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. 
+ maxLength: 63 + minLength: 1 type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') resource: - description: resource of the referent. + description: |- + resource of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start with an alphabetic character and end with an alphanumeric character. + Example: "deployments", "deploymentconfigs", "pods", etc. + maxLength: 63 + minLength: 1 type: string + x-kubernetes-validations: + - message: a DNS-1035 label must consist of lower case alphanumeric + characters or '-', start with an alphabetic character, + and end with an alphanumeric character + rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$') required: - group - name - resource type: object - imageBuilderType: - description: ImageBuilderType describes the image builder set - in the MachineOSConfig - type: string required: - imageBuilderType type: object x-kubernetes-validations: - - message: buildPod is required when imageBuilderType is PodImageBuilder, - and forbidden otherwise - rule: 'has(self.imageBuilderType) && self.imageBuilderType == ''PodImageBuilder'' - ? true : !has(self.buildPod)' + - message: job is required when imageBuilderType is Job, and forbidden + otherwise + rule: 'has(self.imageBuilderType) && self.imageBuilderType == ''Job'' + ? has(self.job) : !has(self.job)' conditions: description: |- conditions are state related conditions for the build. Valid types are: - Prepared, Building, Failed, Interrupted, and Succeeded - once a Build is marked as Failed, no future conditions can be set. This is enforced by the MCO. + Prepared, Building, Failed, Interrupted, and Succeeded. + Once a Build is marked as Failed, Interrupted or Succeeded, no future conditions can be set. 
items: description: Condition contains details for one aspect of the current state of this API Resource. 
@@ -240,47 +289,112 @@ spec: - status - type type: object + maxItems: 8 type: array x-kubernetes-list-map-keys: - type x-kubernetes-list-type: map - finalImagePullspec: - description: finalImagePushSpec describes the fully qualified pushspec - produced by this build that the final image can be. Must be in sha - format. + x-kubernetes-validations: + - message: once a Failed condition is set, conditions are immutable + rule: 'oldSelf.exists(x, x.type==''Failed'' && x.status==''True'') + ? self==oldSelf : true' + - message: once an Interrupted condition is set, conditions are immutable + rule: 'oldSelf.exists(x, x.type==''Interrupted'' && x.status==''True'') + ? self==oldSelf : true' + - message: once an Succeeded condition is set, conditions are immutable + rule: 'oldSelf.exists(x, x.type==''Succeeded'' && x.status==''True'') + ? self==oldSelf : true' + digestedImagePushSpec: + description: |- + digestedImagePushSpec describes the fully qualified push spec produced by this build. + The format of the push spec is: host[:port][/namespace]/name@sha256:, + where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + The length of the whole spec must be between 1 to 447 characters. + maxLength: 447 + minLength: 1 type: string x-kubernetes-validations: - message: the OCI Image reference must end with a valid '@sha256:' suffix, where '' is 64 characters long - rule: ((self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))) + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) relatedObjects: - description: relatedObjects is a list of objects that are related - to the build process. 
+ description: |- + relatedObjects is a list of references to ephemeral objects such as ConfigMaps or Secrets that are meant to be consumed while the build process runs. + After a successful build or when this MachineOSBuild is deleted, these ephemeral objects will be removed. + In the event of a failed build, the objects will remain until the build is removed to allow for inspection. items: description: ObjectReference contains enough information to let you inspect or modify the referred object. properties: group: - description: group of the referent. + description: |- + group of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + Example: "", "apps", "build.openshift.io", etc. + maxLength: 253 type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start + and end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') name: - description: name of the referent. + description: |- + name of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 + minLength: 1 type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start + and end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') namespace: - description: namespace of the referent. + description: |- + namespace of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. 
+ maxLength: 63 + minLength: 1 type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') resource: - description: resource of the referent. + description: |- + resource of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start with an alphabetic character and end with an alphanumeric character. + Example: "deployments", "deploymentconfigs", "pods", etc. + maxLength: 63 + minLength: 1 type: string + x-kubernetes-validations: + - message: a DNS-1035 label must consist of lower case alphanumeric + characters or '-', start with an alphabetic character, and + end with an alphanumeric character + rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$') required: - group - name - resource type: object + maxItems: 10 type: array - required: - - buildStart + x-kubernetes-list-map-keys: + - name + - resource + x-kubernetes-list-type: map type: object + x-kubernetes-validations: + - message: buildEnd must be after buildStart + rule: 'has(self.buildEnd) ? has(self.buildStart) && timestamp(self.buildStart) + < timestamp(self.buildEnd) : true' required: - spec type: object diff --git a/payload-manifests/crds/0000_80_machine-config_01_machineosbuilds-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_machineosbuilds-TechPreviewNoUpgrade.crd.yaml index 0e2fe374f10..835a837643d 100644 --- a/payload-manifests/crds/0000_80_machine-config_01_machineosbuilds-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_80_machine-config_01_machineosbuilds-TechPreviewNoUpgrade.crd.yaml 
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/1773 + api-approved.openshift.io: https://github.com/openshift/api/pull/2090 api.openshift.io/merged-by-featuregates: "true" include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" @@ -35,12 +35,15 @@ spec: - jsonPath: .status.conditions[?(@.type=="Failed")].status name: Failed type: string - name: v1alpha1 + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 schema: openAPIV3Schema: description: |- MachineOSBuild describes a build process managed and deployed by the MCO - Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). properties: apiVersion: description: |- 
@@ -60,132 +63,178 @@ spec: metadata: type: object spec: - description: spec describes the configuration of the machine os build + description: |- + spec describes the configuration of the machine os build. + It is immutable once set. properties: - configGeneration: - description: configGeneration tracks which version of MachineOSConfig - this build is based off of - format: int64 - minimum: 1 - type: integer - desiredConfig: - description: desiredConfig is the desired config we want to build - an image for. + machineConfig: + description: machineConfig points to the rendered MachineConfig resource + to be included in this image build. properties: name: - description: name is the name of the rendered MachineConfig object. + description: |- + name is the name of the rendered MachineConfig object. + This value should be between 10 and 253 characters, and must contain only lowercase + alphanumeric characters, hyphens and periods, and should start and end with an alphanumeric character. maxLength: 253 - pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ + minLength: 10 type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') required: - name type: object machineOSConfig: - description: machineOSConfig is the config object which the build - is based off of + description: machineOSConfig references the MachineOSConfig resource + that this image build extends. properties: name: - description: name of the MachineOSConfig + description: |- + name of the MachineOSConfig. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. 
+ maxLength: 253 + minLength: 1 type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') required: - name type: object - renderedImagePushspec: + renderedImagePushSpec: description: |- - renderedImagePushspec is set from the MachineOSConfig - The format of the image pullspec is: - host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name: + renderedImagePushSpec is set by the Machine Config Operator from the MachineOSConfig object this build is attached to. + This field describes the location of the final image, which will be pushed by the build once complete. + The format of the image push spec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:. + The length of the push spec must be between 1 to 447 characters. maxLength: 447 minLength: 1 type: string x-kubernetes-validations: - - message: the OCI Image reference must end with a valid :, where - '' is 64 characters long and '' is any valid string Or - it must be a valid .svc followed by a port, repository, image - name, and tag. - rule: ((self.split(':').size() == 2 && self.split(':')[1].matches('^([a-zA-Z0-9-./:])+$')) - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) - message: the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme. Or it must be a valid .svc followed by a port, repository, image name, and tag. 
- rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) - version: - description: version tracks the newest MachineOSBuild for each MachineOSConfig - format: int64 - minimum: 1 - type: integer + rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') required: - - configGeneration - - desiredConfig + - machineConfig - machineOSConfig - - renderedImagePushspec - - version + - renderedImagePushSpec type: object x-kubernetes-validations: - message: machineOSBuildSpec is immutable once set rule: self == oldSelf status: - description: status describes the lst observed state of this machine os - build + description: status describes the last observed state of this machine + os build. properties: buildEnd: - description: buildEnd describes when the build ended. + description: |- + buildEnd is the timestamp corresponding to completion of the builder backend. + When omitted the build has either not been started, or is in progress. + It will be populated once the build completes, fails or is interrupted. format: date-time type: string x-kubernetes-validations: - message: buildEnd is immutable once set rule: self == oldSelf buildStart: - description: buildStart describes when the build started. + description: buildStart is the timestamp corresponding to the build + controller initiating the build backend for this MachineOSBuild. format: date-time type: string x-kubernetes-validations: - message: buildStart is immutable once set rule: self == oldSelf - builderReference: - description: ImageBuilderType describes the image builder set in the - MachineOSConfig + builder: + description: builder describes the image builder backend used for + this build. 
properties: - buildPod: - description: relatedObjects is a list of objects that are related - to the build process. + imageBuilderType: + description: |- + imageBuilderType describes the type of image builder used to build this image. + Valid values are Job only. + When set to Job, a pod based builder, using buildah, is launched to build the specified image. + type: string + job: + description: |- + job is a reference to the job object that is managing the image build. + This is required if the imageBuilderType is Job, and forbidden otherwise. properties: group: - description: group of the referent. + description: |- + group of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + Example: "", "apps", "build.openshift.io", etc. + maxLength: 253 type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of + lower case alphanumeric characters, '-' or '.', and must + start and end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') name: - description: name of the referent. + description: |- + name of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 + minLength: 1 type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of + lower case alphanumeric characters, '-' or '.', and must + start and end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') namespace: - description: namespace of the referent. + description: |- + namespace of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. 
+ maxLength: 63 + minLength: 1 type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') resource: - description: resource of the referent. + description: |- + resource of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start with an alphabetic character and end with an alphanumeric character. + Example: "deployments", "deploymentconfigs", "pods", etc. + maxLength: 63 + minLength: 1 type: string + x-kubernetes-validations: + - message: a DNS-1035 label must consist of lower case alphanumeric + characters or '-', start with an alphabetic character, + and end with an alphanumeric character + rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$') required: - group - name - resource type: object - imageBuilderType: - description: ImageBuilderType describes the image builder set - in the MachineOSConfig - type: string required: - imageBuilderType type: object x-kubernetes-validations: - - message: buildPod is required when imageBuilderType is PodImageBuilder, - and forbidden otherwise - rule: 'has(self.imageBuilderType) && self.imageBuilderType == ''PodImageBuilder'' - ? true : !has(self.buildPod)' + - message: job is required when imageBuilderType is Job, and forbidden + otherwise + rule: 'has(self.imageBuilderType) && self.imageBuilderType == ''Job'' + ? has(self.job) : !has(self.job)' conditions: description: |- conditions are state related conditions for the build. Valid types are: - Prepared, Building, Failed, Interrupted, and Succeeded - once a Build is marked as Failed, no future conditions can be set. This is enforced by the MCO. + Prepared, Building, Failed, Interrupted, and Succeeded. + Once a Build is marked as Failed, Interrupted or Succeeded, no future conditions can be set. 
items: description: Condition contains details for one aspect of the current state of this API Resource. 
@@ -240,47 +289,112 @@ spec: - status - type type: object + maxItems: 8 type: array x-kubernetes-list-map-keys: - type x-kubernetes-list-type: map - finalImagePullspec: - description: finalImagePushSpec describes the fully qualified pushspec - produced by this build that the final image can be. Must be in sha - format. + x-kubernetes-validations: + - message: once a Failed condition is set, conditions are immutable + rule: 'oldSelf.exists(x, x.type==''Failed'' && x.status==''True'') + ? self==oldSelf : true' + - message: once an Interrupted condition is set, conditions are immutable + rule: 'oldSelf.exists(x, x.type==''Interrupted'' && x.status==''True'') + ? self==oldSelf : true' + - message: once an Succeeded condition is set, conditions are immutable + rule: 'oldSelf.exists(x, x.type==''Succeeded'' && x.status==''True'') + ? self==oldSelf : true' + digestedImagePushSpec: + description: |- + digestedImagePushSpec describes the fully qualified push spec produced by this build. + The format of the push spec is: host[:port][/namespace]/name@sha256:, + where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + The length of the whole spec must be between 1 to 447 characters. + maxLength: 447 + minLength: 1 type: string x-kubernetes-validations: - message: the OCI Image reference must end with a valid '@sha256:' suffix, where '' is 64 characters long - rule: ((self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))) + rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme + rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) relatedObjects: - description: relatedObjects is a list of objects that are related - to the build process. 
+ description: |- + relatedObjects is a list of references to ephemeral objects such as ConfigMaps or Secrets that are meant to be consumed while the build process runs. + After a successful build or when this MachineOSBuild is deleted, these ephemeral objects will be removed. + In the event of a failed build, the objects will remain until the build is removed to allow for inspection. items: description: ObjectReference contains enough information to let you inspect or modify the referred object. properties: group: - description: group of the referent. + description: |- + group of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + Example: "", "apps", "build.openshift.io", etc. + maxLength: 253 type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start + and end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') name: - description: name of the referent. + description: |- + name of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 + minLength: 1 type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start + and end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') namespace: - description: namespace of the referent. + description: |- + namespace of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. 
+ maxLength: 63 + minLength: 1 type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') resource: - description: resource of the referent. + description: |- + resource of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start with an alphabetic character and end with an alphanumeric character. + Example: "deployments", "deploymentconfigs", "pods", etc. + maxLength: 63 + minLength: 1 type: string + x-kubernetes-validations: + - message: a DNS-1035 label must consist of lower case alphanumeric + characters or '-', start with an alphabetic character, and + end with an alphanumeric character + rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$') required: - group - name - resource type: object + maxItems: 10 type: array - required: - - buildStart + x-kubernetes-list-map-keys: + - name + - resource + x-kubernetes-list-type: map type: object + x-kubernetes-validations: + - message: buildEnd must be after buildStart + rule: 'has(self.buildEnd) ? has(self.buildStart) && timestamp(self.buildStart) + < timestamp(self.buildEnd) : true' required: - spec type: object diff --git a/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml index aadee09ccc7..ad8a259757d 100644 --- a/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-CustomNoUpgrade.crd.yaml 
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/1773 + api-approved.openshift.io: https://github.com/openshift/api/pull/2090 api.openshift.io/merged-by-featuregates: "true" include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" @@ -19,12 +19,12 @@ spec: singular: machineosconfig scope: Cluster versions: - - name: v1alpha1 + - name: v1 schema: openAPIV3Schema: description: |- MachineOSConfig describes the configuration for a build process managed by the MCO - Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). properties: apiVersion: description: |- 
@@ -46,202 +46,156 @@ spec: spec: description: spec describes the configuration of the machineosconfig properties: - buildInputs: - description: buildInputs is where user input options for the build - live + baseImagePullSecret: + description: |- + baseImagePullSecret is the secret used to pull the base image. + Must live in the openshift-machine-config-operator namespace if provided. + Defaults to using the cluster-wide pull secret if not specified. This is provided during install time of the cluster, and lives in the openshift-config namespace as a secret. properties: - baseImagePullSecret: - description: |- - baseImagePullSecret is the secret used to pull the base image. - must live in the openshift-machine-config-operator namespace - properties: - name: - description: |- - name is the name of the secret used to push or pull this MachineOSConfig object. - this secret must be in the openshift-machine-config-operator namespace. - type: string - required: - - name - type: object - baseOSExtensionsImagePullspec: - description: |- - baseOSExtensionsImagePullspec is the base Extensions image used in the build process - the MachineOSConfig object will use the in cluster image registry configuration. - if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. 
- The format of the image pullspec is: - host[:port][/namespace]/name@sha256: - maxLength: 447 - minLength: 1 - type: string - x-kubernetes-validations: - - message: the OCI Image reference must end with a valid '@sha256:' - suffix, where '' is 64 characters long - rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) - - message: the OCI Image name should follow the host[:port][/namespace]/name - format, resembling a valid URL without the scheme - rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) - baseOSImagePullspec: + name: description: |- - baseOSImagePullspec is the base OSImage we use to build our custom image. - the MachineOSConfig object will use the in cluster image registry configuration. - if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. - The format of the image pullspec is: - host[:port][/namespace]/name@sha256: - maxLength: 447 - minLength: 1 + name is the name of the secret used to push or pull this MachineOSConfig object. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This secret must be in the openshift-machine-config-operator namespace. + maxLength: 253 type: string x-kubernetes-validations: - - message: the OCI Image reference must end with a valid '@sha256:' - suffix, where '' is 64 characters long - rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) - - message: the OCI Image name should follow the host[:port][/namespace]/name - format, resembling a valid URL without the scheme - rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) - containerFile: - description: |- - containerFile describes the custom data the user has specified to build into the image. 
- this is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. - items: - description: MachineOSContainerfile contains all custom content - the user wants built into the image - properties: - containerfileArch: - default: noarch - description: |- - containerfileArch describes the architecture this containerfile is to be built for - this arch is optional. If the user does not specify an architecture, it is assumed - that the content can be applied to all architectures, or in a single arch cluster: the only architecture. - enum: - - arm64 - - amd64 - - ppc64le - - s390x - - aarch64 - - x86_64 - - noarch - type: string - content: - description: content is the custom content to be built - type: string - required: - - content - type: object - maxItems: 7 - minItems: 0 - type: array - x-kubernetes-list-map-keys: - - containerfileArch - x-kubernetes-list-type: map - imageBuilder: - description: machineOSImageBuilder describes which image builder - will be used in each build triggered by this MachineOSConfig - properties: - imageBuilderType: - default: PodImageBuilder - description: |- - imageBuilderType specifies the backend to be used to build the image. - Valid options are: PodImageBuilder - enum: - - PodImageBuilder - type: string - required: - - imageBuilderType - type: object - releaseVersion: - description: |- - releaseVersion is associated with the base OS Image. This is the version of Openshift that the Base Image is associated with. - This field is populated from the machine-config-osimageurl configmap in the openshift-machine-config-operator namespace. - It will come in the format: 4.16.0-0.nightly-2024-04-03-065948 or any valid release. The MachineOSBuilder populates this field and validates that this is a valid stream. - This is used as a label in the dockerfile that builds the OS image. 
- type: string - renderedImagePushSecret: - description: |- - renderedImagePushSecret is the secret used to connect to a user registry. - the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, - that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, - that only gives someone to pull images from the image repository. It's basically the principle of least permissions. - this push secret will be used only by the MachineConfigController pod to push the image to the final destination. Not all nodes will need to push this image, most of them - will only need to pull the image in order to use it. - properties: - name: - description: |- - name is the name of the secret used to push or pull this MachineOSConfig object. - this secret must be in the openshift-machine-config-operator namespace. - type: string - required: - - name - type: object - renderedImagePushspec: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + required: + - name + type: object + containerFile: + description: |- + containerFile describes the custom data the user has specified to build into the image. + This is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. + See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. + This is a list indexed by architecture name (e.g. AMD64), and allows specifying one containerFile per arch, up to 4. 
+ items: + description: MachineOSContainerfile contains all custom content + the user wants built into the image + properties: + containerfileArch: + default: NoArch + description: |- + containerfileArch describes the architecture this containerfile is to be built for. + This arch is optional. If the user does not specify an architecture, it is assumed + that the content can be applied to all architectures, or in a single arch cluster: the only architecture. + enum: + - ARM64 + - AMD64 + - PPC64LE + - S390X + - NoArch + type: string + content: + description: |- + content is an embedded Containerfile/Dockerfile that defines the contents to be built into your image. + See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. + for example, this would add the tree package to your hosts: + FROM configs AS final + RUN rpm-ostree install tree && \ + ostree container commit + This is a required field and can have a maximum length of **4096** characters. + maxLength: 4096 + type: string + required: + - content + type: object + maxItems: 4 + minItems: 0 + type: array + x-kubernetes-list-map-keys: + - containerfileArch + x-kubernetes-list-type: map + imageBuilder: + description: |- + imageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig. + Currently supported type(s): Job + properties: + imageBuilderType: description: |- - renderedImagePushspec describes the location of the final image. - the MachineOSConfig object will use the in cluster image registry configuration. - if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. - The format of the image pushspec is: - host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name: - maxLength: 447 - minLength: 1 + imageBuilderType specifies the backend to be used to build the image. 
+ Valid options are: Job + enum: + - Job type: string - x-kubernetes-validations: - - message: the OCI Image reference must end with a valid :, - where '' is 64 characters long and '' is any - valid string Or it must be a valid .svc followed by a port, - repository, image name, and tag. - rule: ((self.split(':').size() == 2 && self.split(':')[1].matches('^([a-zA-Z0-9-./:])+$')) - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) - - message: the OCI Image name should follow the host[:port][/namespace]/name - format, resembling a valid URL without the scheme. Or it must - be a valid .svc followed by a port, repository, image name, - and tag. - rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) required: - - baseImagePullSecret - - imageBuilder - - renderedImagePushSecret - - renderedImagePushspec + - imageBuilderType type: object - buildOutputs: - description: buildOutputs is where user input options for the build - live + machineConfigPool: + description: |- + machineConfigPool is the pool which the build is for. + The Machine Config Operator will perform the build and roll out the built image to the specified pool. properties: - currentImagePullSecret: + name: description: |- - currentImagePullSecret is the secret used to pull the final produced image. - must live in the openshift-machine-config-operator namespace - the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, - that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, - that only gives someone to pull images from the image repository. It's basically the principle of least permissions. - this pull secret will be used on all nodes in the pool. 
These nodes will need to pull the final OS image and boot into it using rpm-ostree or bootc. - properties: - name: - description: |- - name is the name of the secret used to push or pull this MachineOSConfig object. - this secret must be in the openshift-machine-config-operator namespace. - type: string - required: - - name - type: object + name of the MachineConfigPool object. + This value should be at most 253 characters, and must contain only lowercase + alphanumeric characters, hyphens and periods, and should start and end with an alphanumeric character. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + required: + - name type: object - machineConfigPool: - description: machineConfigPool is the pool which the build is for + renderedImagePushSecret: + description: |- + renderedImagePushSecret is the secret used to connect to a user registry. + The final image push and pull secrets should be separate and assume the principal of least privilege. + The push secret with write privilege is only required to be present on the node hosting the MachineConfigController pod. + The pull secret with read only privileges is required on all nodes. + By separating the two secrets, the risk of write credentials becoming compromised is reduced. properties: name: - description: name of the MachineConfigPool object. + description: |- + name is the name of the secret used to push or pull this MachineOSConfig object. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This secret must be in the openshift-machine-config-operator namespace. 
maxLength: 253 - pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') required: - name type: object + renderedImagePushSpec: + description: |- + renderedImagePushSpec describes the location of the final image. + The MachineOSConfig object will use the in cluster image registry configuration. + If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf via the cluster image.config, ImageContentSourcePolicies, ImageDigestMirrorSet, or ImageTagMirrorSet objects. + The format of the image push spec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:. + The length of the push spec must be between 1 to 447 characters. + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme. Or it must + be a valid .svc followed by a port, repository, image name, and + tag. + rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') required: - - buildInputs + - imageBuilder - machineConfigPool + - renderedImagePushSecret + - renderedImagePushSpec type: object status: description: status describes the status of the machineosconfig properties: conditions: - description: conditions are state related conditions for the config. + description: conditions are state related conditions for the object. 
items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -300,10 +254,15 @@ spec: x-kubernetes-list-map-keys: - type x-kubernetes-list-type: map - currentImagePullspec: - description: currentImagePullspec is the fully qualified image pull - spec used by the MCO to pull down the new OSImage. This must include - sha256. + currentImagePullSpec: + description: |- + currentImagePullSpec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This includes the sha256 image digest. + This is generated when the Machine Config Operator's build controller successfully completes the build, and is populated from the corresponding + MachineOSBuild object's FinalImagePushSpec. This may change after completion in reaction to spec changes that would cause a new image build, + but will not be removed. + The format of the image pull spec is: host[:port][/namespace]/name@sha256:, + where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + The length of the whole spec must be between 1 to 447 characters. maxLength: 447 minLength: 1 type: string 
@@ -314,14 +273,75 @@ spec: - message: the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + machineOSBuild: + description: machineOSBuild is a reference to the MachineOSBuild object + for this MachineOSConfig, which contains the status for the image + build. + properties: + group: + description: |- + group of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + Example: "", "apps", "build.openshift.io", etc. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + name: + description: |- + name of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + namespace: + description: |- + namespace of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. 
+ maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + resource: + description: |- + resource of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start with an alphabetic character and end with an alphanumeric character. + Example: "deployments", "deploymentconfigs", "pods", etc. + maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a DNS-1035 label must consist of lower case alphanumeric + characters or '-', start with an alphabetic character, and + end with an alphanumeric character + rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$') + required: + - group + - name + - resource + type: object observedGeneration: - description: |- - observedGeneration represents the generation observed by the controller. - this field is updated when the user changes the configuration in BuildSettings or the MCP this object is associated with. + description: observedGeneration represents the generation of the MachineOSConfig + object observed by the Machine Config Operator's build controller. format: int64 + minimum: 0 type: integer - required: - - observedGeneration + x-kubernetes-validations: + - message: observedGeneration must not move backwards + rule: self >= oldSelf type: object required: - spec diff --git a/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml index e2560073c6e..1c5a7a24d64 100644 --- a/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-DevPreviewNoUpgrade.crd.yaml 
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/1773 + api-approved.openshift.io: https://github.com/openshift/api/pull/2090 api.openshift.io/merged-by-featuregates: "true" include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" @@ -19,12 +19,12 @@ spec: singular: machineosconfig scope: Cluster versions: - - name: v1alpha1 + - name: v1 schema: openAPIV3Schema: description: |- MachineOSConfig describes the configuration for a build process managed by the MCO - Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). properties: apiVersion: description: |- 
@@ -46,202 +46,156 @@ spec: spec: description: spec describes the configuration of the machineosconfig properties: - buildInputs: - description: buildInputs is where user input options for the build - live + baseImagePullSecret: + description: |- + baseImagePullSecret is the secret used to pull the base image. + Must live in the openshift-machine-config-operator namespace if provided. + Defaults to using the cluster-wide pull secret if not specified. This is provided during install time of the cluster, and lives in the openshift-config namespace as a secret. properties: - baseImagePullSecret: - description: |- - baseImagePullSecret is the secret used to pull the base image. - must live in the openshift-machine-config-operator namespace - properties: - name: - description: |- - name is the name of the secret used to push or pull this MachineOSConfig object. - this secret must be in the openshift-machine-config-operator namespace. - type: string - required: - - name - type: object - baseOSExtensionsImagePullspec: - description: |- - baseOSExtensionsImagePullspec is the base Extensions image used in the build process - the MachineOSConfig object will use the in cluster image registry configuration. - if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. 
- The format of the image pullspec is: - host[:port][/namespace]/name@sha256: - maxLength: 447 - minLength: 1 - type: string - x-kubernetes-validations: - - message: the OCI Image reference must end with a valid '@sha256:' - suffix, where '' is 64 characters long - rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) - - message: the OCI Image name should follow the host[:port][/namespace]/name - format, resembling a valid URL without the scheme - rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) - baseOSImagePullspec: + name: description: |- - baseOSImagePullspec is the base OSImage we use to build our custom image. - the MachineOSConfig object will use the in cluster image registry configuration. - if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. - The format of the image pullspec is: - host[:port][/namespace]/name@sha256: - maxLength: 447 - minLength: 1 + name is the name of the secret used to push or pull this MachineOSConfig object. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This secret must be in the openshift-machine-config-operator namespace. + maxLength: 253 type: string x-kubernetes-validations: - - message: the OCI Image reference must end with a valid '@sha256:' - suffix, where '' is 64 characters long - rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) - - message: the OCI Image name should follow the host[:port][/namespace]/name - format, resembling a valid URL without the scheme - rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) - containerFile: - description: |- - containerFile describes the custom data the user has specified to build into the image. 
- this is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. - items: - description: MachineOSContainerfile contains all custom content - the user wants built into the image - properties: - containerfileArch: - default: noarch - description: |- - containerfileArch describes the architecture this containerfile is to be built for - this arch is optional. If the user does not specify an architecture, it is assumed - that the content can be applied to all architectures, or in a single arch cluster: the only architecture. - enum: - - arm64 - - amd64 - - ppc64le - - s390x - - aarch64 - - x86_64 - - noarch - type: string - content: - description: content is the custom content to be built - type: string - required: - - content - type: object - maxItems: 7 - minItems: 0 - type: array - x-kubernetes-list-map-keys: - - containerfileArch - x-kubernetes-list-type: map - imageBuilder: - description: machineOSImageBuilder describes which image builder - will be used in each build triggered by this MachineOSConfig - properties: - imageBuilderType: - default: PodImageBuilder - description: |- - imageBuilderType specifies the backend to be used to build the image. - Valid options are: PodImageBuilder - enum: - - PodImageBuilder - type: string - required: - - imageBuilderType - type: object - releaseVersion: - description: |- - releaseVersion is associated with the base OS Image. This is the version of Openshift that the Base Image is associated with. - This field is populated from the machine-config-osimageurl configmap in the openshift-machine-config-operator namespace. - It will come in the format: 4.16.0-0.nightly-2024-04-03-065948 or any valid release. The MachineOSBuilder populates this field and validates that this is a valid stream. - This is used as a label in the dockerfile that builds the OS image. 
- type: string - renderedImagePushSecret: - description: |- - renderedImagePushSecret is the secret used to connect to a user registry. - the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, - that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, - that only gives someone to pull images from the image repository. It's basically the principle of least permissions. - this push secret will be used only by the MachineConfigController pod to push the image to the final destination. Not all nodes will need to push this image, most of them - will only need to pull the image in order to use it. - properties: - name: - description: |- - name is the name of the secret used to push or pull this MachineOSConfig object. - this secret must be in the openshift-machine-config-operator namespace. - type: string - required: - - name - type: object - renderedImagePushspec: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + required: + - name + type: object + containerFile: + description: |- + containerFile describes the custom data the user has specified to build into the image. + This is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. + See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. + This is a list indexed by architecture name (e.g. AMD64), and allows specifying one containerFile per arch, up to 4. 
+ items: + description: MachineOSContainerfile contains all custom content + the user wants built into the image + properties: + containerfileArch: + default: NoArch + description: |- + containerfileArch describes the architecture this containerfile is to be built for. + This arch is optional. If the user does not specify an architecture, it is assumed + that the content can be applied to all architectures, or in a single arch cluster: the only architecture. + enum: + - ARM64 + - AMD64 + - PPC64LE + - S390X + - NoArch + type: string + content: + description: |- + content is an embedded Containerfile/Dockerfile that defines the contents to be built into your image. + See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. + for example, this would add the tree package to your hosts: + FROM configs AS final + RUN rpm-ostree install tree && \ + ostree container commit + This is a required field and can have a maximum length of **4096** characters. + maxLength: 4096 + type: string + required: + - content + type: object + maxItems: 4 + minItems: 0 + type: array + x-kubernetes-list-map-keys: + - containerfileArch + x-kubernetes-list-type: map + imageBuilder: + description: |- + imageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig. + Currently supported type(s): Job + properties: + imageBuilderType: description: |- - renderedImagePushspec describes the location of the final image. - the MachineOSConfig object will use the in cluster image registry configuration. - if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. - The format of the image pushspec is: - host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name: - maxLength: 447 - minLength: 1 + imageBuilderType specifies the backend to be used to build the image. 
+ Valid options are: Job + enum: + - Job type: string - x-kubernetes-validations: - - message: the OCI Image reference must end with a valid :, - where '' is 64 characters long and '' is any - valid string Or it must be a valid .svc followed by a port, - repository, image name, and tag. - rule: ((self.split(':').size() == 2 && self.split(':')[1].matches('^([a-zA-Z0-9-./:])+$')) - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) - - message: the OCI Image name should follow the host[:port][/namespace]/name - format, resembling a valid URL without the scheme. Or it must - be a valid .svc followed by a port, repository, image name, - and tag. - rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) required: - - baseImagePullSecret - - imageBuilder - - renderedImagePushSecret - - renderedImagePushspec + - imageBuilderType type: object - buildOutputs: - description: buildOutputs is where user input options for the build - live + machineConfigPool: + description: |- + machineConfigPool is the pool which the build is for. + The Machine Config Operator will perform the build and roll out the built image to the specified pool. properties: - currentImagePullSecret: + name: description: |- - currentImagePullSecret is the secret used to pull the final produced image. - must live in the openshift-machine-config-operator namespace - the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, - that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, - that only gives someone to pull images from the image repository. It's basically the principle of least permissions. - this pull secret will be used on all nodes in the pool. 
These nodes will need to pull the final OS image and boot into it using rpm-ostree or bootc. - properties: - name: - description: |- - name is the name of the secret used to push or pull this MachineOSConfig object. - this secret must be in the openshift-machine-config-operator namespace. - type: string - required: - - name - type: object + name of the MachineConfigPool object. + This value should be at most 253 characters, and must contain only lowercase + alphanumeric characters, hyphens and periods, and should start and end with an alphanumeric character. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + required: + - name type: object - machineConfigPool: - description: machineConfigPool is the pool which the build is for + renderedImagePushSecret: + description: |- + renderedImagePushSecret is the secret used to connect to a user registry. + The final image push and pull secrets should be separate and assume the principal of least privilege. + The push secret with write privilege is only required to be present on the node hosting the MachineConfigController pod. + The pull secret with read only privileges is required on all nodes. + By separating the two secrets, the risk of write credentials becoming compromised is reduced. properties: name: - description: name of the MachineConfigPool object. + description: |- + name is the name of the secret used to push or pull this MachineOSConfig object. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This secret must be in the openshift-machine-config-operator namespace. 
maxLength: 253 - pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') required: - name type: object + renderedImagePushSpec: + description: |- + renderedImagePushSpec describes the location of the final image. + The MachineOSConfig object will use the in cluster image registry configuration. + If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf via the cluster image.config, ImageContentSourcePolicies, ImageDigestMirrorSet, or ImageTagMirrorSet objects. + The format of the image push spec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:. + The length of the push spec must be between 1 to 447 characters. + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme. Or it must + be a valid .svc followed by a port, repository, image name, and + tag. + rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') required: - - buildInputs + - imageBuilder - machineConfigPool + - renderedImagePushSecret + - renderedImagePushSpec type: object status: description: status describes the status of the machineosconfig properties: conditions: - description: conditions are state related conditions for the config. + description: conditions are state related conditions for the object. 
items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -300,10 +254,15 @@ spec: x-kubernetes-list-map-keys: - type x-kubernetes-list-type: map - currentImagePullspec: - description: currentImagePullspec is the fully qualified image pull - spec used by the MCO to pull down the new OSImage. This must include - sha256. + currentImagePullSpec: + description: |- + currentImagePullSpec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This includes the sha256 image digest. + This is generated when the Machine Config Operator's build controller successfully completes the build, and is populated from the corresponding + MachineOSBuild object's FinalImagePushSpec. This may change after completion in reaction to spec changes that would cause a new image build, + but will not be removed. + The format of the image pull spec is: host[:port][/namespace]/name@sha256:, + where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + The length of the whole spec must be between 1 to 447 characters. maxLength: 447 minLength: 1 type: string 
@@ -314,14 +273,75 @@ spec: - message: the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + machineOSBuild: + description: machineOSBuild is a reference to the MachineOSBuild object + for this MachineOSConfig, which contains the status for the image + build. + properties: + group: + description: |- + group of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + Example: "", "apps", "build.openshift.io", etc. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + name: + description: |- + name of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + namespace: + description: |- + namespace of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. 
+ maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + resource: + description: |- + resource of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start with an alphabetic character and end with an alphanumeric character. + Example: "deployments", "deploymentconfigs", "pods", etc. + maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a DNS-1035 label must consist of lower case alphanumeric + characters or '-', start with an alphabetic character, and + end with an alphanumeric character + rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$') + required: + - group + - name + - resource + type: object observedGeneration: - description: |- - observedGeneration represents the generation observed by the controller. - this field is updated when the user changes the configuration in BuildSettings or the MCP this object is associated with. + description: observedGeneration represents the generation of the MachineOSConfig + object observed by the Machine Config Operator's build controller. format: int64 + minimum: 0 type: integer - required: - - observedGeneration + x-kubernetes-validations: + - message: observedGeneration must not move backwards + rule: self >= oldSelf type: object required: - spec diff --git a/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml index 95fcd5c5672..963d3fa22d4 100644 --- a/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml 
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/1773 + api-approved.openshift.io: https://github.com/openshift/api/pull/2090 api.openshift.io/merged-by-featuregates: "true" include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" @@ -19,12 +19,12 @@ spec: singular: machineosconfig scope: Cluster versions: - - name: v1alpha1 + - name: v1 schema: openAPIV3Schema: description: |- MachineOSConfig describes the configuration for a build process managed by the MCO - Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). properties: apiVersion: description: |- 
@@ -46,202 +46,156 @@ spec: spec: description: spec describes the configuration of the machineosconfig properties: - buildInputs: - description: buildInputs is where user input options for the build - live + baseImagePullSecret: + description: |- + baseImagePullSecret is the secret used to pull the base image. + Must live in the openshift-machine-config-operator namespace if provided. + Defaults to using the cluster-wide pull secret if not specified. This is provided during install time of the cluster, and lives in the openshift-config namespace as a secret. properties: - baseImagePullSecret: - description: |- - baseImagePullSecret is the secret used to pull the base image. - must live in the openshift-machine-config-operator namespace - properties: - name: - description: |- - name is the name of the secret used to push or pull this MachineOSConfig object. - this secret must be in the openshift-machine-config-operator namespace. - type: string - required: - - name - type: object - baseOSExtensionsImagePullspec: - description: |- - baseOSExtensionsImagePullspec is the base Extensions image used in the build process - the MachineOSConfig object will use the in cluster image registry configuration. - if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. 
- The format of the image pullspec is: - host[:port][/namespace]/name@sha256: - maxLength: 447 - minLength: 1 - type: string - x-kubernetes-validations: - - message: the OCI Image reference must end with a valid '@sha256:' - suffix, where '' is 64 characters long - rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) - - message: the OCI Image name should follow the host[:port][/namespace]/name - format, resembling a valid URL without the scheme - rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) - baseOSImagePullspec: + name: description: |- - baseOSImagePullspec is the base OSImage we use to build our custom image. - the MachineOSConfig object will use the in cluster image registry configuration. - if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. - The format of the image pullspec is: - host[:port][/namespace]/name@sha256: - maxLength: 447 - minLength: 1 + name is the name of the secret used to push or pull this MachineOSConfig object. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This secret must be in the openshift-machine-config-operator namespace. + maxLength: 253 type: string x-kubernetes-validations: - - message: the OCI Image reference must end with a valid '@sha256:' - suffix, where '' is 64 characters long - rule: (self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$')) - - message: the OCI Image name should follow the host[:port][/namespace]/name - format, resembling a valid URL without the scheme - rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) - containerFile: - description: |- - containerFile describes the custom data the user has specified to build into the image. 
- this is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. - items: - description: MachineOSContainerfile contains all custom content - the user wants built into the image - properties: - containerfileArch: - default: noarch - description: |- - containerfileArch describes the architecture this containerfile is to be built for - this arch is optional. If the user does not specify an architecture, it is assumed - that the content can be applied to all architectures, or in a single arch cluster: the only architecture. - enum: - - arm64 - - amd64 - - ppc64le - - s390x - - aarch64 - - x86_64 - - noarch - type: string - content: - description: content is the custom content to be built - type: string - required: - - content - type: object - maxItems: 7 - minItems: 0 - type: array - x-kubernetes-list-map-keys: - - containerfileArch - x-kubernetes-list-type: map - imageBuilder: - description: machineOSImageBuilder describes which image builder - will be used in each build triggered by this MachineOSConfig - properties: - imageBuilderType: - default: PodImageBuilder - description: |- - imageBuilderType specifies the backend to be used to build the image. - Valid options are: PodImageBuilder - enum: - - PodImageBuilder - type: string - required: - - imageBuilderType - type: object - releaseVersion: - description: |- - releaseVersion is associated with the base OS Image. This is the version of Openshift that the Base Image is associated with. - This field is populated from the machine-config-osimageurl configmap in the openshift-machine-config-operator namespace. - It will come in the format: 4.16.0-0.nightly-2024-04-03-065948 or any valid release. The MachineOSBuilder populates this field and validates that this is a valid stream. - This is used as a label in the dockerfile that builds the OS image. 
- type: string - renderedImagePushSecret: - description: |- - renderedImagePushSecret is the secret used to connect to a user registry. - the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, - that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, - that only gives someone to pull images from the image repository. It's basically the principle of least permissions. - this push secret will be used only by the MachineConfigController pod to push the image to the final destination. Not all nodes will need to push this image, most of them - will only need to pull the image in order to use it. - properties: - name: - description: |- - name is the name of the secret used to push or pull this MachineOSConfig object. - this secret must be in the openshift-machine-config-operator namespace. - type: string - required: - - name - type: object - renderedImagePushspec: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + required: + - name + type: object + containerFile: + description: |- + containerFile describes the custom data the user has specified to build into the image. + This is also commonly called a Dockerfile and you can treat it as such. The content is the content of your Dockerfile. + See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. + This is a list indexed by architecture name (e.g. AMD64), and allows specifying one containerFile per arch, up to 4. 
+ items: + description: MachineOSContainerfile contains all custom content + the user wants built into the image + properties: + containerfileArch: + default: NoArch + description: |- + containerfileArch describes the architecture this containerfile is to be built for. + This arch is optional. If the user does not specify an architecture, it is assumed + that the content can be applied to all architectures, or in a single arch cluster: the only architecture. + enum: + - ARM64 + - AMD64 + - PPC64LE + - S390X + - NoArch + type: string + content: + description: |- + content is an embedded Containerfile/Dockerfile that defines the contents to be built into your image. + See https://github.com/containers/common/blob/main/docs/Containerfile.5.md for the spec reference. + for example, this would add the tree package to your hosts: + FROM configs AS final + RUN rpm-ostree install tree && \ + ostree container commit + This is a required field and can have a maximum length of **4096** characters. + maxLength: 4096 + type: string + required: + - content + type: object + maxItems: 4 + minItems: 0 + type: array + x-kubernetes-list-map-keys: + - containerfileArch + x-kubernetes-list-type: map + imageBuilder: + description: |- + imageBuilder describes which image builder will be used in each build triggered by this MachineOSConfig. + Currently supported type(s): Job + properties: + imageBuilderType: description: |- - renderedImagePushspec describes the location of the final image. - the MachineOSConfig object will use the in cluster image registry configuration. - if you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf. - The format of the image pushspec is: - host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name: - maxLength: 447 - minLength: 1 + imageBuilderType specifies the backend to be used to build the image. 
+ Valid options are: Job + enum: + - Job type: string - x-kubernetes-validations: - - message: the OCI Image reference must end with a valid :, - where '' is 64 characters long and '' is any - valid string Or it must be a valid .svc followed by a port, - repository, image name, and tag. - rule: ((self.split(':').size() == 2 && self.split(':')[1].matches('^([a-zA-Z0-9-./:])+$')) - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) - - message: the OCI Image name should follow the host[:port][/namespace]/name - format, resembling a valid URL without the scheme. Or it must - be a valid .svc followed by a port, repository, image name, - and tag. - rule: ((self.split(':').size() == 2 && self.split(':')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) - || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$')) required: - - baseImagePullSecret - - imageBuilder - - renderedImagePushSecret - - renderedImagePushspec + - imageBuilderType type: object - buildOutputs: - description: buildOutputs is where user input options for the build - live + machineConfigPool: + description: |- + machineConfigPool is the pool which the build is for. + The Machine Config Operator will perform the build and roll out the built image to the specified pool. properties: - currentImagePullSecret: + name: description: |- - currentImagePullSecret is the secret used to pull the final produced image. - must live in the openshift-machine-config-operator namespace - the final image push and pull secrets should be separate for security concerns. If the final image push secret is somehow exfiltrated, - that gives someone the power to push images to the image repository. By comparison, if the final image pull secret gets exfiltrated, - that only gives someone to pull images from the image repository. It's basically the principle of least permissions. - this pull secret will be used on all nodes in the pool. 
These nodes will need to pull the final OS image and boot into it using rpm-ostree or bootc. - properties: - name: - description: |- - name is the name of the secret used to push or pull this MachineOSConfig object. - this secret must be in the openshift-machine-config-operator namespace. - type: string - required: - - name - type: object + name of the MachineConfigPool object. + This value should be at most 253 characters, and must contain only lowercase + alphanumeric characters, hyphens and periods, and should start and end with an alphanumeric character. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + required: + - name type: object - machineConfigPool: - description: machineConfigPool is the pool which the build is for + renderedImagePushSecret: + description: |- + renderedImagePushSecret is the secret used to connect to a user registry. + The final image push and pull secrets should be separate and assume the principal of least privilege. + The push secret with write privilege is only required to be present on the node hosting the MachineConfigController pod. + The pull secret with read only privileges is required on all nodes. + By separating the two secrets, the risk of write credentials becoming compromised is reduced. properties: name: - description: name of the MachineConfigPool object. + description: |- + name is the name of the secret used to push or pull this MachineOSConfig object. + Must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character. + This secret must be in the openshift-machine-config-operator namespace. 
maxLength: 253 - pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') required: - name type: object + renderedImagePushSpec: + description: |- + renderedImagePushSpec describes the location of the final image. + The MachineOSConfig object will use the in cluster image registry configuration. + If you wish to use a mirror or any other settings specific to registries.conf, please specify those in the cluster wide registries.conf via the cluster image.config, ImageContentSourcePolicies, ImageDigestMirrorSet, or ImageTagMirrorSet objects. + The format of the image push spec is: host[:port][/namespace]/name: or svc_name.namespace.svc[:port]/repository/name:. + The length of the push spec must be between 1 to 447 characters. + maxLength: 447 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the OCI Image name should follow the host[:port][/namespace]/name + format, resembling a valid URL without the scheme. Or it must + be a valid .svc followed by a port, repository, image name, and + tag. + rule: self.matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?(/[a-zA-Z0-9-_]{1,61})*/[a-zA-Z0-9-_.]+:[a-zA-Z0-9._-]+$') + || self.matches('^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$') required: - - buildInputs + - imageBuilder - machineConfigPool + - renderedImagePushSecret + - renderedImagePushSpec type: object status: description: status describes the status of the machineosconfig properties: conditions: - description: conditions are state related conditions for the config. + description: conditions are state related conditions for the object. 
items: description: Condition contains details for one aspect of the current state of this API Resource. @@ -300,10 +254,15 @@ spec: x-kubernetes-list-map-keys: - type x-kubernetes-list-type: map - currentImagePullspec: - description: currentImagePullspec is the fully qualified image pull - spec used by the MCO to pull down the new OSImage. This must include - sha256. + currentImagePullSpec: + description: |- + currentImagePullSpec is the fully qualified image pull spec used by the MCO to pull down the new OSImage. This includes the sha256 image digest. + This is generated when the Machine Config Operator's build controller successfully completes the build, and is populated from the corresponding + MachineOSBuild object's FinalImagePushSpec. This may change after completion in reaction to spec changes that would cause a new image build, + but will not be removed. + The format of the image pull spec is: host[:port][/namespace]/name@sha256:, + where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. + The length of the whole spec must be between 1 to 447 characters. maxLength: 447 minLength: 1 type: string 
@@ -314,14 +273,75 @@ spec: - message: the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$')) + machineOSBuild: + description: machineOSBuild is a reference to the MachineOSBuild object + for this MachineOSConfig, which contains the status for the image + build. + properties: + group: + description: |- + group of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + Example: "", "apps", "build.openshift.io", etc. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + name: + description: |- + name of the referent. + The name must contain only lowercase alphanumeric characters, '-' or '.' and start/end with an alphanumeric character. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a lowercase RFC 1123 subdomain must consist of lower + case alphanumeric characters, '-' or '.', and must start and + end with an alphanumeric character. + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$') + namespace: + description: |- + namespace of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start and end with an alphanumeric character. 
+ maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: the value must consist of only lowercase alphanumeric + characters and hyphens + rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + resource: + description: |- + resource of the referent. + This value should consist of at most 63 characters, and of only lowercase alphanumeric characters and hyphens, + and should start with an alphabetic character and end with an alphanumeric character. + Example: "deployments", "deploymentconfigs", "pods", etc. + maxLength: 63 + minLength: 1 + type: string + x-kubernetes-validations: + - message: a DNS-1035 label must consist of lower case alphanumeric + characters or '-', start with an alphabetic character, and + end with an alphanumeric character + rule: self.matches('^[a-z]([-a-z0-9]*[a-z0-9])?$') + required: + - group + - name + - resource + type: object observedGeneration: - description: |- - observedGeneration represents the generation observed by the controller. - this field is updated when the user changes the configuration in BuildSettings or the MCP this object is associated with. + description: observedGeneration represents the generation of the MachineOSConfig + object observed by the Machine Config Operator's build controller. format: int64 + minimum: 0 type: integer - required: - - observedGeneration + x-kubernetes-validations: + - message: observedGeneration must not move backwards + rule: self >= oldSelf type: object required: - spec
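Review bot: in hunk @@ -46,202 +46,156 @@ (present in both machineosconfigs CRD manifests), the renderedImagePushSpec CEL rule and its description disagree on the port: the second alternative `^[^.]+\\.[^.]+\\.svc:\\d+\\/[^\\/]+\\/[^\\/]+:[^\\/]+$` makes `:port` mandatory, while the description advertises `svc_name.namespace.svc[:port]/repository/name:` with the port optional. Either make it optional in the rule, e.g. `\\.svc(:\\d+)?\\/`, or drop the brackets from the description so users are not told a form the validator rejects. Two smaller points in the same hunk: containerFile is keyed by containerfileArch with maxItems 4, but nothing stops a NoArch entry from being listed alongside AMD64/ARM64 entries, and the description does not say which one wins; if NoArch is meant to be exclusive, a list-level rule such as `!self.exists(c, c.containerfileArch == 'NoArch') || self.size() == 1` would enforce it. Also, the renderedImagePushSecret description reads "assume the principal of least privilege" (should be "principle"), and the `**4096**` markdown in the content description will render literally in `kubectl explain`.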
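Review bot: in hunk @@ -300,10 +254,15 @@ (both manifests), the currentImagePullSpec description's format string ends in a bare colon, `host[:port][/namespace]/name@sha256:`, so the digest that the next sentence constrains ("where the digest must be 64 characters long") never appears in the rendered text; the tag in the renderedImagePushSpec formats (`.../name:` and `.../repository/name:`) is missing the same way. Whatever placeholder stood there did not survive into the manifest; spelling it out in plain words (for example `@sha256:DIGEST`, `name:TAG`) keeps the generated description readable.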
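Review bot: in hunk @@ -314,14 +273,75 @@ (both manifests), the machineOSBuild.group description lists `""` as a valid example, but the CEL rule `self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$')` requires at least one character, so an explicitly set `group: ""` fails validation with a misleading "RFC 1123 subdomain" message. Either guard the rule with `self == "" || self.matches(...)` or drop the empty example and add `minLength: 1` so the schema and the doc agree. In the same hunk, `namespace` is the only referent field left out of `required` without the description saying when it is expected to be set; one sentence on whether the referenced MachineOSBuild is namespaced would help. Finally, observedGeneration is now optional and guarded by `self >= oldSelf`; transition rules are only evaluated when both old and new values are present, so a writer that clears the field and re-sets a lower value bypasses the check. If the field must never go backwards, keep it required (or state in the description that the controller never clears it).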
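Review bot: in hunk @@ -19,12 +19,12 @@ of 0000_80_machine-config_01_machineosconfigs-TechPreviewNoUpgrade.crd.yaml, the schema description now promises "Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases", yet this is still the TechPreviewNoUpgrade manifest. Confirm that the level-1 guarantee is intended to apply while the API stays behind the feature gate, or keep the gated manifest's wording consistent with its gating so consumers do not read a stability promise the gate does not give.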