From fe22f774f2c158b4d3393187e6d1b91215f66388 Mon Sep 17 00:00:00 2001 From: Andrej Krejcir Date: Fri, 1 Nov 2024 13:56:45 +0100 Subject: [PATCH] api: Update SSP API version to v1beta3 The new API version removes feature gates and unused parameters. It is directly compatible with the old version, so a conversion webhook is not needed. The stored version is still set to v1beta2, and ssp-operator watches this old version. In a next release we may switch to using the v1beta3 as stored version. Signed-off-by: Andrej Krejcir --- PROJECT | 14 + api/v1beta3/groupversion_info.go | 36 + api/v1beta3/ssp_types.go | 121 + api/v1beta3/zz_generated.deepcopy.go | 210 ++ config/crd/bases/ssp.kubevirt.io_ssps.yaml | 2211 +++++++++++++++++ config/samples/kustomization.yaml | 1 + config/samples/ssp_v1beta3_ssp.yaml | 10 + config/webhook/manifests.yaml | 22 +- data/crd/ssp.kubevirt.io_ssps.yaml | 2211 +++++++++++++++++ .../ssp-operator.clusterserviceversion.yaml | 42 +- hack/csv-generator.go | 4 +- internal/common/scheme.go | 3 + tests/tests_suite_test.go | 8 + tests/webhook_test.go | 112 +- .../api/v1beta3/groupversion_info.go | 36 + .../ssp-operator/api/v1beta3/ssp_types.go | 121 + .../api/v1beta3/zz_generated.deepcopy.go | 210 ++ vendor/modules.txt | 1 + webhooks/convert/convert.go | 70 + webhooks/ssp_webhook.go | 48 +- webhooks/ssp_webhook_test.go | 375 ++- 21 files changed, 5735 insertions(+), 131 deletions(-) create mode 100644 api/v1beta3/groupversion_info.go create mode 100644 api/v1beta3/ssp_types.go create mode 100644 api/v1beta3/zz_generated.deepcopy.go create mode 100644 config/samples/ssp_v1beta3_ssp.yaml create mode 100644 vendor/kubevirt.io/ssp-operator/api/v1beta3/groupversion_info.go create mode 100644 vendor/kubevirt.io/ssp-operator/api/v1beta3/ssp_types.go create mode 100644 vendor/kubevirt.io/ssp-operator/api/v1beta3/zz_generated.deepcopy.go create mode 100644 webhooks/convert/convert.go diff --git a/PROJECT b/PROJECT index 2c41f4bfa..2251fee9d 100644 --- a/PROJECT +++ b/PROJECT @@ -3,6 +3,20 @@ layout: go.kubebuilder.io/v3 projectName: ssp-operator repo: kubevirt.io/ssp-operator resources: +- api: + crdVersion: v1 + namespaced: true + controller: true + domain: kubevirt.io + group: ssp + kind: SSP + path: kubevirt.io/ssp-operator/api/v1beta3 + version: v1beta3 + webhooks: + # conversion: true + # defaulting: true + validation: true + webhookVersion: v1 - api: crdVersion: v1 namespaced: true diff --git a/api/v1beta3/groupversion_info.go b/api/v1beta3/groupversion_info.go new file mode 100644 index 000000000..131ba91cd --- /dev/null +++ b/api/v1beta3/groupversion_info.go @@ -0,0 +1,36 @@ +/* + + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Package v1beta3 contains API Schema definitions for the ssp v1beta3 API group +// +kubebuilder:object:generate=true +// +groupName=ssp.kubevirt.io +package v1beta3 + +import ( + "k8s.io/apimachinery/pkg/runtime/schema" + "sigs.k8s.io/controller-runtime/pkg/scheme" +) + +var ( + // GroupVersion is group version used to register these objects + GroupVersion = schema.GroupVersion{Group: "ssp.kubevirt.io", Version: "v1beta3"} + + // SchemeBuilder is used to add go types to the GroupVersionKind scheme + SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion} + + // AddToScheme adds the types in this group-version to the given scheme. + AddToScheme = SchemeBuilder.AddToScheme +) diff --git a/api/v1beta3/ssp_types.go b/api/v1beta3/ssp_types.go new file mode 100644 index 000000000..c2af6b9bb --- /dev/null +++ b/api/v1beta3/ssp_types.go @@ -0,0 +1,121 @@ +/* + + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1beta3 + +import ( + ocpv1 "github.com/openshift/api/config/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + cdiv1beta1 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1" + lifecycleapi "kubevirt.io/controller-lifecycle-operator-sdk/api" +) + +const ( + OperatorPausedAnnotation = "kubevirt.io/operator.paused" +) + +type TemplateValidator struct { + // Replicas is the number of replicas of the template validator pod + //+kubebuilder:validation:Minimum=0 + //+kubebuilder:default=2 + Replicas *int32 `json:"replicas,omitempty"` + + // Placement describes the node scheduling configuration + Placement *lifecycleapi.NodePlacement `json:"placement,omitempty"` +} + +type CommonTemplates struct { + // Namespace is the k8s namespace where CommonTemplates should be installed + //+kubebuilder:validation:MaxLength=63 + //+kubebuilder:validation:Pattern=^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + Namespace string `json:"namespace"` + + // DataImportCronTemplates defines a list of DataImportCrons managed by the SSP Operator. + DataImportCronTemplates []DataImportCronTemplate `json:"dataImportCronTemplates,omitempty"` +} + +// SSPSpec defines the desired state of SSP +type SSPSpec struct { + // TemplateValidator is configuration of the template validator operand + TemplateValidator *TemplateValidator `json:"templateValidator,omitempty"` + + // CommonTemplates is the configuration of the common templates operand + CommonTemplates CommonTemplates `json:"commonTemplates"` + + // TLSSecurityProfile is a configuration for the TLS. + TLSSecurityProfile *ocpv1.TLSSecurityProfile `json:"tlsSecurityProfile,omitempty"` + + // TokenGenerationService configures the service for generating tokens to access VNC for a VM. + TokenGenerationService *TokenGenerationService `json:"tokenGenerationService,omitempty"` +} + +// DataImportCronTemplate defines the template type for DataImportCrons. +// It requires metadata.name to be specified while leaving namespace as optional. +type DataImportCronTemplate struct { + metav1.ObjectMeta `json:"metadata,omitempty"` + + Spec cdiv1beta1.DataImportCronSpec `json:"spec"` +} + +// AsDataImportCron converts the DataImportCronTemplate to a cdiv1beta1.DataImportCron +func (t *DataImportCronTemplate) AsDataImportCron() cdiv1beta1.DataImportCron { + return cdiv1beta1.DataImportCron{ + ObjectMeta: t.ObjectMeta, + Spec: t.Spec, + } +} + +// TokenGenerationService configures the service for generating tokens to access VNC for a VM. +type TokenGenerationService struct { + Enabled bool `json:"enabled,omitempty"` +} + +// SSPStatus defines the observed state of SSP +type SSPStatus struct { + lifecycleapi.Status `json:",inline"` + + // Paused is true when the operator notices paused annotation. + Paused bool `json:"paused,omitempty"` + + // ObservedGeneration is the latest generation observed by the operator. + ObservedGeneration int64 `json:"observedGeneration,omitempty"` +} + +// +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:printcolumn:name="Phase",type="string",JSONPath=".status.phase" + +// SSP is the Schema for the ssps API +type SSP struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + Spec SSPSpec `json:"spec,omitempty"` + Status SSPStatus `json:"status,omitempty"` +} + +// +kubebuilder:object:root=true + +// SSPList contains a list of SSP +type SSPList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []SSP `json:"items"` +} + +func init() { + SchemeBuilder.Register(&SSP{}, &SSPList{}) +} diff --git a/api/v1beta3/zz_generated.deepcopy.go b/api/v1beta3/zz_generated.deepcopy.go new file mode 100644 index 000000000..b572d7c1f --- /dev/null +++ b/api/v1beta3/zz_generated.deepcopy.go @@ -0,0 +1,210 @@ +//go:build !ignore_autogenerated + +/* + + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by controller-gen. DO NOT EDIT. + +package v1beta3 + +import ( + "github.com/openshift/api/config/v1" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CommonTemplates) DeepCopyInto(out *CommonTemplates) { + *out = *in + if in.DataImportCronTemplates != nil { + in, out := &in.DataImportCronTemplates, &out.DataImportCronTemplates + *out = make([]DataImportCronTemplate, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CommonTemplates. +func (in *CommonTemplates) DeepCopy() *CommonTemplates { + if in == nil { + return nil + } + out := new(CommonTemplates) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *DataImportCronTemplate) DeepCopyInto(out *DataImportCronTemplate) { + *out = *in + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DataImportCronTemplate. +func (in *DataImportCronTemplate) DeepCopy() *DataImportCronTemplate { + if in == nil { + return nil + } + out := new(DataImportCronTemplate) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SSP) DeepCopyInto(out *SSP) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SSP. +func (in *SSP) DeepCopy() *SSP { + if in == nil { + return nil + } + out := new(SSP) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *SSP) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SSPList) DeepCopyInto(out *SSPList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]SSP, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SSPList. +func (in *SSPList) DeepCopy() *SSPList { + if in == nil { + return nil + } + out := new(SSPList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *SSPList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SSPSpec) DeepCopyInto(out *SSPSpec) { + *out = *in + if in.TemplateValidator != nil { + in, out := &in.TemplateValidator, &out.TemplateValidator + *out = new(TemplateValidator) + (*in).DeepCopyInto(*out) + } + in.CommonTemplates.DeepCopyInto(&out.CommonTemplates) + if in.TLSSecurityProfile != nil { + in, out := &in.TLSSecurityProfile, &out.TLSSecurityProfile + *out = new(v1.TLSSecurityProfile) + (*in).DeepCopyInto(*out) + } + if in.TokenGenerationService != nil { + in, out := &in.TokenGenerationService, &out.TokenGenerationService + *out = new(TokenGenerationService) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SSPSpec. +func (in *SSPSpec) DeepCopy() *SSPSpec { + if in == nil { + return nil + } + out := new(SSPSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SSPStatus) DeepCopyInto(out *SSPStatus) { + *out = *in + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SSPStatus. +func (in *SSPStatus) DeepCopy() *SSPStatus { + if in == nil { + return nil + } + out := new(SSPStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TemplateValidator) DeepCopyInto(out *TemplateValidator) { + *out = *in + if in.Replicas != nil { + in, out := &in.Replicas, &out.Replicas + *out = new(int32) + **out = **in + } + if in.Placement != nil { + in, out := &in.Placement, &out.Placement + *out = (*in).DeepCopy() + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TemplateValidator. +func (in *TemplateValidator) DeepCopy() *TemplateValidator { + if in == nil { + return nil + } + out := new(TemplateValidator) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TokenGenerationService) DeepCopyInto(out *TokenGenerationService) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenGenerationService. +func (in *TokenGenerationService) DeepCopy() *TokenGenerationService { + if in == nil { + return nil + } + out := new(TokenGenerationService) + in.DeepCopyInto(out) + return out +} diff --git a/config/crd/bases/ssp.kubevirt.io_ssps.yaml b/config/crd/bases/ssp.kubevirt.io_ssps.yaml index f4cfe1d83..3295aec69 100644 --- a/config/crd/bases/ssp.kubevirt.io_ssps.yaml +++ b/config/crd/bases/ssp.kubevirt.io_ssps.yaml @@ -2288,3 +2288,2214 @@ spec: storage: true subresources: status: {} + - additionalPrinterColumns: + - jsonPath: .status.phase + name: Phase + type: string + name: v1beta3 + schema: + openAPIV3Schema: + description: SSP is the Schema for the ssps API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: SSPSpec defines the desired state of SSP + properties: + commonTemplates: + description: CommonTemplates is the configuration of the common templates + operand + properties: + dataImportCronTemplates: + description: DataImportCronTemplates defines a list of DataImportCrons + managed by the SSP Operator. + items: + description: |- + DataImportCronTemplate defines the template type for DataImportCrons. + It requires metadata.name to be specified while leaving namespace as optional. + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + description: DataImportCronSpec defines specification for + DataImportCron + properties: + garbageCollect: + description: |- + GarbageCollect specifies whether old PVCs should be cleaned up after a new PVC is imported. + Options are currently "Outdated" and "Never", defaults to "Outdated". + type: string + importsToKeep: + description: Number of import PVCs to keep when garbage + collecting. Default is 3. + format: int32 + type: integer + managedDataSource: + description: |- + ManagedDataSource specifies the name of the corresponding DataSource this cron will manage. + DataSource has to be in the same namespace. + type: string + retentionPolicy: + description: RetentionPolicy specifies whether the created + DataVolumes and DataSources are retained when their + DataImportCron is deleted. Default is RatainAll. + type: string + schedule: + description: Schedule specifies in cron format when + and how often to look for new imports + type: string + template: + description: Template specifies template for the DVs + to be created + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + description: DataVolumeSpec defines the DataVolume + type specification + properties: + checkpoints: + description: Checkpoints is a list of DataVolumeCheckpoints, + representing stages in a multistage import. + items: + description: DataVolumeCheckpoint defines + a stage in a warm migration. + properties: + current: + description: Current is the identifier + of the snapshot created for this checkpoint. + type: string + previous: + description: Previous is the identifier + of the snapshot from the previous checkpoint. + type: string + required: + - current + - previous + type: object + type: array + contentType: + description: 'DataVolumeContentType options: + "kubevirt", "archive"' + enum: + - kubevirt + - archive + type: string + finalCheckpoint: + description: FinalCheckpoint indicates whether + the current DataVolumeCheckpoint is the final + checkpoint. + type: boolean + preallocation: + description: Preallocation controls whether + storage for DataVolumes should be allocated + in advance. + type: boolean + priorityClassName: + description: PriorityClassName for Importer, + Cloner and Uploader pod + type: string + pvc: + description: PVC is the PVC specification + properties: + accessModes: + description: |- + accessModes contains the desired access modes the volume should have. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + description: |- + dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external controller can support the specified data source, + it will create a new volume based on the contents of the specified data source. + When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not be copied to dataSource. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: |- + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a non-empty API group (non + core object) or a PersistentVolumeClaim object. + When this field is specified, volume binding will only succeed if the type of + the specified object matches some installed volume populator or dynamic + provisioner. + This field will replace the functionality of the dataSource field and as such + if both fields are non-empty, they must have the same value. For backwards + compatibility, when namespace isn't specified in dataSourceRef, + both fields (dataSource and dataSourceRef) will be set to the same + value automatically if one of them is empty and the other is non-empty. + When namespace is specified in dataSourceRef, + dataSource isn't set to the same value and must be empty. + There are three important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. + * While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + namespace: + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: |- + resources represents the minimum resources the volume should have. + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher than capacity recorded in the + status field of the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: selector is a label query over + volumes to consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: |- + storageClassName is the name of the StorageClass required by the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + type: string + volumeAttributesClassName: + description: |- + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. + If specified, the CSI driver will create or update the volume with the attributes defined + in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, + it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass + will be applied to the claim but it's not allowed to reset this field to empty string once it is set. + If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass + will be set by the persistentvolume controller if it exists. + If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be + set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource + exists. + More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ + (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + type: string + volumeMode: + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding reference + to the PersistentVolume backing this claim. + type: string + type: object + source: + description: Source is the src of the data for + the requested DataVolume + properties: + blank: + description: DataVolumeBlankImage provides + the parameters to create a new raw blank + image for the PVC + type: object + gcs: + description: DataVolumeSourceGCS provides + the parameters to create a Data Volume + from an GCS source + properties: + secretRef: + description: SecretRef provides the + secret reference needed to access + the GCS source + type: string + url: + description: URL is the url of the GCS + source + type: string + required: + - url + type: object + http: + description: DataVolumeSourceHTTP can be + either an http or https endpoint, with + an optional basic auth user name and password, + and an optional configmap containing additional + CAs + properties: + certConfigMap: + description: CertConfigMap is a configmap + reference, containing a Certificate + Authority(CA) public key, and a base64 + encoded pem certificate + type: string + extraHeaders: + description: ExtraHeaders is a list + of strings containing extra headers + to include with HTTP transfer requests + items: + type: string + type: array + secretExtraHeaders: + description: SecretExtraHeaders is a + list of Secret references, each containing + an extra HTTP header that may include + sensitive information + items: + type: string + type: array + secretRef: + description: SecretRef A Secret reference, + the secret should contain accessKeyId + (user name) base64 encoded, and secretKey + (password) also base64 encoded + type: string + url: + description: URL is the URL of the http(s) + endpoint + type: string + required: + - url + type: object + imageio: + description: DataVolumeSourceImageIO provides + the parameters to create a Data Volume + from an imageio source + properties: + certConfigMap: + description: CertConfigMap provides + a reference to the CA cert + type: string + diskId: + description: DiskID provides id of a + disk to be imported + type: string + secretRef: + description: SecretRef provides the + secret reference needed to access + the ovirt-engine + type: string + url: + description: URL is the URL of the ovirt-engine + type: string + required: + - diskId + - url + type: object + pvc: + description: DataVolumeSourcePVC provides + the parameters to create a Data Volume + from an existing PVC + properties: + name: + description: The name of the source + PVC + type: string + namespace: + description: The namespace of the source + PVC + type: string + required: + - name + - namespace + type: object + registry: + description: DataVolumeSourceRegistry provides + the parameters to create a Data Volume + from an registry source + properties: + certConfigMap: + description: CertConfigMap provides + a reference to the Registry certs + type: string + imageStream: + description: ImageStream is the name + of image stream for import + type: string + pullMethod: + description: PullMethod can be either + "pod" (default import), or "node" + (node docker cache based import) + type: string + secretRef: + description: SecretRef provides the + secret reference needed to access + the Registry source + type: string + url: + description: 'URL is the url of the + registry source (starting with the + scheme: docker, oci-archive)' + type: string + type: object + s3: + description: DataVolumeSourceS3 provides + the parameters to create a Data Volume + from an S3 source + properties: + certConfigMap: + description: CertConfigMap is a configmap + reference, containing a Certificate + Authority(CA) public key, and a base64 + encoded pem certificate + type: string + secretRef: + description: SecretRef provides the + secret reference needed to access + the S3 source + type: string + url: + description: URL is the url of the S3 + source + type: string + required: + - url + type: object + snapshot: + description: DataVolumeSourceSnapshot provides + the parameters to create a Data Volume + from an existing VolumeSnapshot + properties: + name: + description: The name of the source + VolumeSnapshot + type: string + namespace: + description: The namespace of the source + VolumeSnapshot + type: string + required: + - name + - namespace + type: object + upload: + description: DataVolumeSourceUpload provides + the parameters to create a Data Volume + by uploading the source + type: object + vddk: + description: DataVolumeSourceVDDK provides + the parameters to create a Data Volume + from a Vmware source + properties: + backingFile: + description: BackingFile is the path + to the virtual hard disk to migrate + from vCenter/ESXi + type: string + initImageURL: + description: InitImageURL is an optional + URL to an image containing an extracted + VDDK library, overrides v2v-vmware + config map + type: string + secretRef: + description: SecretRef provides a reference + to a secret containing the username + and password needed to access the + vCenter or ESXi host + type: string + thumbprint: + description: Thumbprint is the certificate + thumbprint of the vCenter or ESXi + host + type: string + url: + description: URL is the URL of the vCenter + or ESXi host with the VM to migrate + type: string + uuid: + description: UUID is the UUID of the + virtual machine that the backing file + is attached to in vCenter/ESXi + type: string + type: object + type: object + sourceRef: + description: SourceRef is an indirect reference + to the source of data for the requested DataVolume + properties: + kind: + description: The kind of the source reference, + currently only "DataSource" is supported + type: string + name: + description: The name of the source reference + type: string + namespace: + description: The namespace of the source + reference, defaults to the DataVolume + namespace + type: string + required: + - kind + - name + type: object + storage: + description: Storage is the requested storage + specification + properties: + accessModes: + description: |- + AccessModes contains the desired access modes the volume should have. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + dataSource: + description: |- + This field can be used to specify either: * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) * An existing PVC (PersistentVolumeClaim) * An existing custom resource that implements data population (Alpha) In order to use custom resource types that implement data population, the AnyVolumeDataSource feature gate must be enabled. If the provisioner or an external controller can support the specified data source, it will create a new volume based on the contents of the specified data source. + If the AnyVolumeDataSource feature gate is enabled, this field will always have the same contents as the DataSourceRef field. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: |- + Specifies the object from which to populate the volume with data, if a non-empty volume is desired. This may be any local object from a non-empty API group (non core object) or a PersistentVolumeClaim object. When this field is specified, volume binding will only succeed if the type of the specified object matches some installed volume populator or dynamic provisioner. + This field will replace the functionality of the DataSource field and as such if both fields are non-empty, they must have the same value. For backwards compatibility, both fields (DataSource and DataSourceRef) will be set to the same value automatically if one of them is empty and the other is non-empty. + There are two important differences between DataSource and DataSourceRef: + * While DataSource only allows two specific types of objects, DataSourceRef allows any non-core object, as well as PersistentVolumeClaim objects. + * While DataSource ignores disallowed values (dropping them), DataSourceRef preserves all values, and generates an error if a disallowed value is specified. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + namespace: + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: |- + Resources represents the minimum resources the volume should have. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references + one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: A label query over volumes + to consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: |- + Name of the StorageClass required by the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + type: string + volumeMode: + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. + type: string + volumeName: + description: VolumeName is the binding reference + to the PersistentVolume backing this claim. + type: string + type: object + type: object + status: + description: DataVolumeStatus contains the current + status of the DataVolume + properties: + claimName: + description: ClaimName is the name of the underlying + PVC used by the DataVolume. + type: string + conditions: + items: + description: DataVolumeCondition represents + the state of a data volume condition. + properties: + lastHeartbeatTime: + format: date-time + type: string + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + description: DataVolumeConditionType is + the string representation of known condition + types + type: string + required: + - status + - type + type: object + type: array + phase: + description: Phase is the current phase of the + data volume + type: string + progress: + description: DataVolumeProgress is the current + progress of the DataVolume transfer operation. + Value between 0 and 100 inclusive, N/A if + not available + type: string + restartCount: + description: RestartCount is the number of times + the pod populating the DataVolume has restarted + format: int32 + type: integer + type: object + required: + - spec + type: object + required: + - managedDataSource + - schedule + - template + type: object + required: + - spec + type: object + type: array + namespace: + description: Namespace is the k8s namespace where CommonTemplates + should be installed + maxLength: 63 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - namespace + type: object + templateValidator: + description: TemplateValidator is configuration of the template validator + operand + properties: + placement: + description: Placement describes the node scheduling configuration + properties: + affinity: + description: |- + affinity enables pod affinity/anti-affinity placement expanding the types of constraints + that can be expressed with nodeSelector. + affinity is going to be applied to the relevant kind of pods in parallel with nodeSelector + See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in the + range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, + etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: |- + nodeSelector is the node selector applied to the relevant kind of pods + It specifies a map of key-value pairs: for the pod to be eligible to run on a node, + the node must have each of the indicated key-value pairs as labels + (it can have additional labels as well). + See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + type: object + tolerations: + description: |- + tolerations is a list of tolerations applied to the relevant kind of pods + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ for more info. + These are additional tolerations other than default ones. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + type: object + replicas: + default: 2 + description: Replicas is the number of replicas of the template + validator pod + format: int32 + minimum: 0 + type: integer + type: object + tlsSecurityProfile: + description: TLSSecurityProfile is a configuration for the TLS. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. An example custom profile + looks like this: + + + ciphers: + + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + + - ECDHE-RSA-CHACHA20-POLY1305 + + + - ECDHE-RSA-AES128-GCM-SHA256 + + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + + minTLSVersion: VersionTLS11 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + + minTLSVersion: VersionTLS11 + + + NOTE: currently the highest minTLSVersion allowed is VersionTLS12 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS security profile based on: + + + https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + + + and looks like this (yaml): + + + ciphers: + + + - TLS_AES_128_GCM_SHA256 + + + - TLS_AES_256_GCM_SHA384 + + + - TLS_CHACHA20_POLY1305_SHA256 + + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + + - ECDHE-RSA-AES128-GCM-SHA256 + + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + + - ECDHE-RSA-AES256-GCM-SHA384 + + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + + - ECDHE-RSA-CHACHA20-POLY1305 + + + - DHE-RSA-AES128-GCM-SHA256 + + + - DHE-RSA-AES256-GCM-SHA384 + + + minTLSVersion: VersionTLS12 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile based on: + + + https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility + + + and looks like this (yaml): + + + ciphers: + + + - TLS_AES_128_GCM_SHA256 + + + - TLS_AES_256_GCM_SHA384 + + + - TLS_CHACHA20_POLY1305_SHA256 + + + minTLSVersion: VersionTLS13 + nullable: true + type: object + old: + description: |- + old is a TLS security profile based on: + + + https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility + + + and looks like this (yaml): + + + ciphers: + + + - TLS_AES_128_GCM_SHA256 + + + - TLS_AES_256_GCM_SHA384 + + + - TLS_CHACHA20_POLY1305_SHA256 + + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + + - ECDHE-RSA-AES128-GCM-SHA256 + + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + + - ECDHE-RSA-AES256-GCM-SHA384 + + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + + - ECDHE-RSA-CHACHA20-POLY1305 + + + - DHE-RSA-AES128-GCM-SHA256 + + + - DHE-RSA-AES256-GCM-SHA384 + + + - DHE-RSA-CHACHA20-POLY1305 + + + - ECDHE-ECDSA-AES128-SHA256 + + + - ECDHE-RSA-AES128-SHA256 + + + - ECDHE-ECDSA-AES128-SHA + + + - ECDHE-RSA-AES128-SHA + + + - ECDHE-ECDSA-AES256-SHA384 + + + - ECDHE-RSA-AES256-SHA384 + + + - ECDHE-ECDSA-AES256-SHA + + + - ECDHE-RSA-AES256-SHA + + + - DHE-RSA-AES128-SHA256 + + + - DHE-RSA-AES256-SHA256 + + + - AES128-GCM-SHA256 + + + - AES256-GCM-SHA384 + + + - AES128-SHA256 + + + - AES256-SHA256 + + + - AES128-SHA + + + - AES256-SHA + + + - DES-CBC3-SHA + + + minTLSVersion: VersionTLS10 + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides + the ability to specify individual TLS security profile parameters. + Old, Intermediate and Modern are TLS security profiles based on: + + + https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + + + The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers + are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be + reduced. + + + Note that the Modern profile is currently not supported because it is not + yet well adopted by common software libraries. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + tokenGenerationService: + description: TokenGenerationService configures the service for generating + tokens to access VNC for a VM. + properties: + enabled: + type: boolean + type: object + required: + - commonTemplates + type: object + status: + description: SSPStatus defines the observed state of SSP + properties: + conditions: + description: A list of current conditions of the resource + items: + description: |- + Condition represents the state of the operator's + reconciliation functionality. + properties: + lastHeartbeatTime: + format: date-time + type: string + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + description: ConditionType is the state of the operator's reconciliation + functionality. + type: string + required: + - status + - type + type: object + type: array + observedGeneration: + description: ObservedGeneration is the latest generation observed + by the operator. + format: int64 + type: integer + observedVersion: + description: The observed version of the resource + type: string + operatorVersion: + description: The version of the resource as defined by the operator + type: string + paused: + description: Paused is true when the operator notices paused annotation. + type: boolean + phase: + description: Phase is the current phase of the deployment + type: string + targetVersion: + description: The desired version of the resource + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} diff --git a/config/samples/kustomization.yaml b/config/samples/kustomization.yaml index db771cb95..aa76002fa 100644 --- a/config/samples/kustomization.yaml +++ b/config/samples/kustomization.yaml @@ -1,4 +1,5 @@ ## Append samples you want in your CSV to this file as resources ## resources: - ssp_v1beta2_ssp.yaml +- ssp_v1beta3_ssp.yaml # +kubebuilder:scaffold:manifestskustomizesamples diff --git a/config/samples/ssp_v1beta3_ssp.yaml b/config/samples/ssp_v1beta3_ssp.yaml new file mode 100644 index 000000000..d937d94cb --- /dev/null +++ b/config/samples/ssp_v1beta3_ssp.yaml @@ -0,0 +1,10 @@ +apiVersion: ssp.kubevirt.io/v1beta3 +kind: SSP +metadata: + name: ssp-sample + namespace: kubevirt +spec: + commonTemplates: + namespace: kubevirt + templateValidator: + replicas: 2 diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml index 534888a58..0d0e58494 100644 --- a/config/webhook/manifests.yaml +++ b/config/webhook/manifests.yaml @@ -12,7 +12,7 @@ webhooks: namespace: system path: /validate-ssp-kubevirt-io-v1beta2-ssp failurePolicy: Fail - name: validation.ssp.kubevirt.io + name: validation.v1beta2.ssp.kubevirt.io rules: - apiGroups: - ssp.kubevirt.io @@ -24,3 +24,23 @@ webhooks: resources: - ssps sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: webhook-service + namespace: system + path: /validate-ssp-kubevirt-io-v1beta3-ssp + failurePolicy: Fail + name: validation.v1beta3.ssp.kubevirt.io + rules: + - apiGroups: + - ssp.kubevirt.io + apiVersions: + - v1beta3 + operations: + - CREATE + - UPDATE + resources: + - ssps + sideEffects: None diff --git a/data/crd/ssp.kubevirt.io_ssps.yaml b/data/crd/ssp.kubevirt.io_ssps.yaml index 8e7abcabd..f8dbf8449 100644 --- a/data/crd/ssp.kubevirt.io_ssps.yaml +++ b/data/crd/ssp.kubevirt.io_ssps.yaml @@ -2290,6 +2290,2217 @@ spec: storage: true subresources: status: {} + - additionalPrinterColumns: + - jsonPath: .status.phase + name: Phase + type: string + name: v1beta3 + schema: + openAPIV3Schema: + description: SSP is the Schema for the ssps API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: SSPSpec defines the desired state of SSP + properties: + commonTemplates: + description: CommonTemplates is the configuration of the common templates + operand + properties: + dataImportCronTemplates: + description: DataImportCronTemplates defines a list of DataImportCrons + managed by the SSP Operator. + items: + description: |- + DataImportCronTemplate defines the template type for DataImportCrons. + It requires metadata.name to be specified while leaving namespace as optional. + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + description: DataImportCronSpec defines specification for + DataImportCron + properties: + garbageCollect: + description: |- + GarbageCollect specifies whether old PVCs should be cleaned up after a new PVC is imported. + Options are currently "Outdated" and "Never", defaults to "Outdated". + type: string + importsToKeep: + description: Number of import PVCs to keep when garbage + collecting. Default is 3. + format: int32 + type: integer + managedDataSource: + description: |- + ManagedDataSource specifies the name of the corresponding DataSource this cron will manage. + DataSource has to be in the same namespace. + type: string + retentionPolicy: + description: RetentionPolicy specifies whether the created + DataVolumes and DataSources are retained when their + DataImportCron is deleted. Default is RatainAll. + type: string + schedule: + description: Schedule specifies in cron format when + and how often to look for new imports + type: string + template: + description: Template specifies template for the DVs + to be created + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + description: DataVolumeSpec defines the DataVolume + type specification + properties: + checkpoints: + description: Checkpoints is a list of DataVolumeCheckpoints, + representing stages in a multistage import. + items: + description: DataVolumeCheckpoint defines + a stage in a warm migration. + properties: + current: + description: Current is the identifier + of the snapshot created for this checkpoint. + type: string + previous: + description: Previous is the identifier + of the snapshot from the previous checkpoint. + type: string + required: + - current + - previous + type: object + type: array + contentType: + description: 'DataVolumeContentType options: + "kubevirt", "archive"' + enum: + - kubevirt + - archive + type: string + finalCheckpoint: + description: FinalCheckpoint indicates whether + the current DataVolumeCheckpoint is the final + checkpoint. + type: boolean + preallocation: + description: Preallocation controls whether + storage for DataVolumes should be allocated + in advance. + type: boolean + priorityClassName: + description: PriorityClassName for Importer, + Cloner and Uploader pod + type: string + pvc: + description: PVC is the PVC specification + properties: + accessModes: + description: |- + accessModes contains the desired access modes the volume should have. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + description: |- + dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external controller can support the specified data source, + it will create a new volume based on the contents of the specified data source. + When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not be copied to dataSource. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: |- + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a non-empty API group (non + core object) or a PersistentVolumeClaim object. + When this field is specified, volume binding will only succeed if the type of + the specified object matches some installed volume populator or dynamic + provisioner. + This field will replace the functionality of the dataSource field and as such + if both fields are non-empty, they must have the same value. For backwards + compatibility, when namespace isn't specified in dataSourceRef, + both fields (dataSource and dataSourceRef) will be set to the same + value automatically if one of them is empty and the other is non-empty. + When namespace is specified in dataSourceRef, + dataSource isn't set to the same value and must be empty. + There are three important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. + * While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + namespace: + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: |- + resources represents the minimum resources the volume should have. + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher than capacity recorded in the + status field of the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: selector is a label query over + volumes to consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: |- + storageClassName is the name of the StorageClass required by the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + type: string + volumeAttributesClassName: + description: |- + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. + If specified, the CSI driver will create or update the volume with the attributes defined + in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, + it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass + will be applied to the claim but it's not allowed to reset this field to empty string once it is set. + If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass + will be set by the persistentvolume controller if it exists. + If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be + set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource + exists. + More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ + (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + type: string + volumeMode: + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding reference + to the PersistentVolume backing this claim. + type: string + type: object + source: + description: Source is the src of the data for + the requested DataVolume + properties: + blank: + description: DataVolumeBlankImage provides + the parameters to create a new raw blank + image for the PVC + type: object + gcs: + description: DataVolumeSourceGCS provides + the parameters to create a Data Volume + from an GCS source + properties: + secretRef: + description: SecretRef provides the + secret reference needed to access + the GCS source + type: string + url: + description: URL is the url of the GCS + source + type: string + required: + - url + type: object + http: + description: DataVolumeSourceHTTP can be + either an http or https endpoint, with + an optional basic auth user name and password, + and an optional configmap containing additional + CAs + properties: + certConfigMap: + description: CertConfigMap is a configmap + reference, containing a Certificate + Authority(CA) public key, and a base64 + encoded pem certificate + type: string + extraHeaders: + description: ExtraHeaders is a list + of strings containing extra headers + to include with HTTP transfer requests + items: + type: string + type: array + secretExtraHeaders: + description: SecretExtraHeaders is a + list of Secret references, each containing + an extra HTTP header that may include + sensitive information + items: + type: string + type: array + secretRef: + description: SecretRef A Secret reference, + the secret should contain accessKeyId + (user name) base64 encoded, and secretKey + (password) also base64 encoded + type: string + url: + description: URL is the URL of the http(s) + endpoint + type: string + required: + - url + type: object + imageio: + description: DataVolumeSourceImageIO provides + the parameters to create a Data Volume + from an imageio source + properties: + certConfigMap: + description: CertConfigMap provides + a reference to the CA cert + type: string + diskId: + description: DiskID provides id of a + disk to be imported + type: string + secretRef: + description: SecretRef provides the + secret reference needed to access + the ovirt-engine + type: string + url: + description: URL is the URL of the ovirt-engine + type: string + required: + - diskId + - url + type: object + pvc: + description: DataVolumeSourcePVC provides + the parameters to create a Data Volume + from an existing PVC + properties: + name: + description: The name of the source + PVC + type: string + namespace: + description: The namespace of the source + PVC + type: string + required: + - name + - namespace + type: object + registry: + description: DataVolumeSourceRegistry provides + the parameters to create a Data Volume + from an registry source + properties: + certConfigMap: + description: CertConfigMap provides + a reference to the Registry certs + type: string + imageStream: + description: ImageStream is the name + of image stream for import + type: string + pullMethod: + description: PullMethod can be either + "pod" (default import), or "node" + (node docker cache based import) + type: string + secretRef: + description: SecretRef provides the + secret reference needed to access + the Registry source + type: string + url: + description: 'URL is the url of the + registry source (starting with the + scheme: docker, oci-archive)' + type: string + type: object + s3: + description: DataVolumeSourceS3 provides + the parameters to create a Data Volume + from an S3 source + properties: + certConfigMap: + description: CertConfigMap is a configmap + reference, containing a Certificate + Authority(CA) public key, and a base64 + encoded pem certificate + type: string + secretRef: + description: SecretRef provides the + secret reference needed to access + the S3 source + type: string + url: + description: URL is the url of the S3 + source + type: string + required: + - url + type: object + snapshot: + description: DataVolumeSourceSnapshot provides + the parameters to create a Data Volume + from an existing VolumeSnapshot + properties: + name: + description: The name of the source + VolumeSnapshot + type: string + namespace: + description: The namespace of the source + VolumeSnapshot + type: string + required: + - name + - namespace + type: object + upload: + description: DataVolumeSourceUpload provides + the parameters to create a Data Volume + by uploading the source + type: object + vddk: + description: DataVolumeSourceVDDK provides + the parameters to create a Data Volume + from a Vmware source + properties: + backingFile: + description: BackingFile is the path + to the virtual hard disk to migrate + from vCenter/ESXi + type: string + initImageURL: + description: InitImageURL is an optional + URL to an image containing an extracted + VDDK library, overrides v2v-vmware + config map + type: string + secretRef: + description: SecretRef provides a reference + to a secret containing the username + and password needed to access the + vCenter or ESXi host + type: string + thumbprint: + description: Thumbprint is the certificate + thumbprint of the vCenter or ESXi + host + type: string + url: + description: URL is the URL of the vCenter + or ESXi host with the VM to migrate + type: string + uuid: + description: UUID is the UUID of the + virtual machine that the backing file + is attached to in vCenter/ESXi + type: string + type: object + type: object + sourceRef: + description: SourceRef is an indirect reference + to the source of data for the requested DataVolume + properties: + kind: + description: The kind of the source reference, + currently only "DataSource" is supported + type: string + name: + description: The name of the source reference + type: string + namespace: + description: The namespace of the source + reference, defaults to the DataVolume + namespace + type: string + required: + - kind + - name + type: object + storage: + description: Storage is the requested storage + specification + properties: + accessModes: + description: |- + AccessModes contains the desired access modes the volume should have. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + dataSource: + description: |- + This field can be used to specify either: * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) * An existing PVC (PersistentVolumeClaim) * An existing custom resource that implements data population (Alpha) In order to use custom resource types that implement data population, the AnyVolumeDataSource feature gate must be enabled. If the provisioner or an external controller can support the specified data source, it will create a new volume based on the contents of the specified data source. + If the AnyVolumeDataSource feature gate is enabled, this field will always have the same contents as the DataSourceRef field. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: |- + Specifies the object from which to populate the volume with data, if a non-empty volume is desired. This may be any local object from a non-empty API group (non core object) or a PersistentVolumeClaim object. When this field is specified, volume binding will only succeed if the type of the specified object matches some installed volume populator or dynamic provisioner. + This field will replace the functionality of the DataSource field and as such if both fields are non-empty, they must have the same value. For backwards compatibility, both fields (DataSource and DataSourceRef) will be set to the same value automatically if one of them is empty and the other is non-empty. + There are two important differences between DataSource and DataSourceRef: + * While DataSource only allows two specific types of objects, DataSourceRef allows any non-core object, as well as PersistentVolumeClaim objects. + * While DataSource ignores disallowed values (dropping them), DataSourceRef preserves all values, and generates an error if a disallowed value is specified. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + namespace: + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: |- + Resources represents the minimum resources the volume should have. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references + one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: A label query over volumes + to consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: |- + Name of the StorageClass required by the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + type: string + volumeMode: + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. + type: string + volumeName: + description: VolumeName is the binding reference + to the PersistentVolume backing this claim. + type: string + type: object + type: object + status: + description: DataVolumeStatus contains the current + status of the DataVolume + properties: + claimName: + description: ClaimName is the name of the underlying + PVC used by the DataVolume. + type: string + conditions: + items: + description: DataVolumeCondition represents + the state of a data volume condition. + properties: + lastHeartbeatTime: + format: date-time + type: string + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + description: DataVolumeConditionType is + the string representation of known condition + types + type: string + required: + - status + - type + type: object + type: array + phase: + description: Phase is the current phase of the + data volume + type: string + progress: + description: DataVolumeProgress is the current + progress of the DataVolume transfer operation. + Value between 0 and 100 inclusive, N/A if + not available + type: string + restartCount: + description: RestartCount is the number of times + the pod populating the DataVolume has restarted + format: int32 + type: integer + type: object + required: + - spec + type: object + required: + - managedDataSource + - schedule + - template + type: object + required: + - spec + type: object + type: array + namespace: + description: Namespace is the k8s namespace where CommonTemplates + should be installed + maxLength: 63 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - namespace + type: object + templateValidator: + description: TemplateValidator is configuration of the template validator + operand + properties: + placement: + description: Placement describes the node scheduling configuration + properties: + affinity: + description: |- + affinity enables pod affinity/anti-affinity placement expanding the types of constraints + that can be expressed with nodeSelector. + affinity is going to be applied to the relevant kind of pods in parallel with nodeSelector + See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in the + range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, + etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: |- + nodeSelector is the node selector applied to the relevant kind of pods + It specifies a map of key-value pairs: for the pod to be eligible to run on a node, + the node must have each of the indicated key-value pairs as labels + (it can have additional labels as well). + See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + type: object + tolerations: + description: |- + tolerations is a list of tolerations applied to the relevant kind of pods + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ for more info. + These are additional tolerations other than default ones. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + type: object + replicas: + default: 2 + description: Replicas is the number of replicas of the template + validator pod + format: int32 + minimum: 0 + type: integer + type: object + tlsSecurityProfile: + description: TLSSecurityProfile is a configuration for the TLS. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. An example custom profile + looks like this: + + + ciphers: + + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + + - ECDHE-RSA-CHACHA20-POLY1305 + + + - ECDHE-RSA-AES128-GCM-SHA256 + + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + + minTLSVersion: VersionTLS11 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + + minTLSVersion: VersionTLS11 + + + NOTE: currently the highest minTLSVersion allowed is VersionTLS12 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS security profile based on: + + + https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + + + and looks like this (yaml): + + + ciphers: + + + - TLS_AES_128_GCM_SHA256 + + + - TLS_AES_256_GCM_SHA384 + + + - TLS_CHACHA20_POLY1305_SHA256 + + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + + - ECDHE-RSA-AES128-GCM-SHA256 + + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + + - ECDHE-RSA-AES256-GCM-SHA384 + + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + + - ECDHE-RSA-CHACHA20-POLY1305 + + + - DHE-RSA-AES128-GCM-SHA256 + + + - DHE-RSA-AES256-GCM-SHA384 + + + minTLSVersion: VersionTLS12 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile based on: + + + https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility + + + and looks like this (yaml): + + + ciphers: + + + - TLS_AES_128_GCM_SHA256 + + + - TLS_AES_256_GCM_SHA384 + + + - TLS_CHACHA20_POLY1305_SHA256 + + + minTLSVersion: VersionTLS13 + nullable: true + type: object + old: + description: |- + old is a TLS security profile based on: + + + https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility + + + and looks like this (yaml): + + + ciphers: + + + - TLS_AES_128_GCM_SHA256 + + + - TLS_AES_256_GCM_SHA384 + + + - TLS_CHACHA20_POLY1305_SHA256 + + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + + - ECDHE-RSA-AES128-GCM-SHA256 + + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + + - ECDHE-RSA-AES256-GCM-SHA384 + + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + + - ECDHE-RSA-CHACHA20-POLY1305 + + + - DHE-RSA-AES128-GCM-SHA256 + + + - DHE-RSA-AES256-GCM-SHA384 + + + - DHE-RSA-CHACHA20-POLY1305 + + + - ECDHE-ECDSA-AES128-SHA256 + + + - ECDHE-RSA-AES128-SHA256 + + + - ECDHE-ECDSA-AES128-SHA + + + - ECDHE-RSA-AES128-SHA + + + - ECDHE-ECDSA-AES256-SHA384 + + + - ECDHE-RSA-AES256-SHA384 + + + - ECDHE-ECDSA-AES256-SHA + + + - ECDHE-RSA-AES256-SHA + + + - DHE-RSA-AES128-SHA256 + + + - DHE-RSA-AES256-SHA256 + + + - AES128-GCM-SHA256 + + + - AES256-GCM-SHA384 + + + - AES128-SHA256 + + + - AES256-SHA256 + + + - AES128-SHA + + + - AES256-SHA + + + - DES-CBC3-SHA + + + minTLSVersion: VersionTLS10 + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides + the ability to specify individual TLS security profile parameters. + Old, Intermediate and Modern are TLS security profiles based on: + + + https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + + + The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers + are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be + reduced. + + + Note that the Modern profile is currently not supported because it is not + yet well adopted by common software libraries. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + tokenGenerationService: + description: TokenGenerationService configures the service for generating + tokens to access VNC for a VM. + properties: + enabled: + type: boolean + type: object + required: + - commonTemplates + type: object + status: + description: SSPStatus defines the observed state of SSP + properties: + conditions: + description: A list of current conditions of the resource + items: + description: |- + Condition represents the state of the operator's + reconciliation functionality. + properties: + lastHeartbeatTime: + format: date-time + type: string + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + description: ConditionType is the state of the operator's reconciliation + functionality. + type: string + required: + - status + - type + type: object + type: array + observedGeneration: + description: ObservedGeneration is the latest generation observed + by the operator. + format: int64 + type: integer + observedVersion: + description: The observed version of the resource + type: string + operatorVersion: + description: The version of the resource as defined by the operator + type: string + paused: + description: Paused is true when the operator notices paused annotation. + type: boolean + phase: + description: Phase is the current phase of the deployment + type: string + targetVersion: + description: The desired version of the resource + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} status: acceptedNames: kind: "" diff --git a/data/olm-catalog/ssp-operator.clusterserviceversion.yaml b/data/olm-catalog/ssp-operator.clusterserviceversion.yaml index 00cb3305d..e2d3bcb8a 100644 --- a/data/olm-catalog/ssp-operator.clusterserviceversion.yaml +++ b/data/olm-catalog/ssp-operator.clusterserviceversion.yaml @@ -23,6 +23,22 @@ metadata: "replicas": 2 } } + }, + { + "apiVersion": "ssp.kubevirt.io/v1beta3", + "kind": "SSP", + "metadata": { + "name": "ssp-sample", + "namespace": "kubevirt" + }, + "spec": { + "commonTemplates": { + "namespace": "kubevirt" + }, + "templateValidator": { + "replicas": 2 + } + } } ] capabilities: Basic Install @@ -44,6 +60,9 @@ spec: kind: SSP name: ssps.ssp.kubevirt.io version: v1beta2 + - kind: SSP + name: ssps.ssp.kubevirt.io + version: v1beta3 description: Operator that deploys and controls additional KubeVirt resources displayName: ssp-operator icon: @@ -622,12 +641,11 @@ spec: containerPort: 9443 deploymentName: ssp-operator failurePolicy: Fail - generateName: validation.ssp.kubevirt.io + generateName: validation.v1beta2.ssp.kubevirt.io rules: - apiGroups: - ssp.kubevirt.io apiVersions: - - v1beta1 - v1beta2 operations: - CREATE @@ -638,3 +656,23 @@ spec: targetPort: 9443 type: ValidatingAdmissionWebhook webhookPath: /validate-ssp-kubevirt-io-v1beta2-ssp + - admissionReviewVersions: + - v1 + containerPort: 9443 + deploymentName: ssp-operator + failurePolicy: Fail + generateName: validation.v1beta3.ssp.kubevirt.io + rules: + - apiGroups: + - ssp.kubevirt.io + apiVersions: + - v1beta3 + operations: + - CREATE + - UPDATE + resources: + - ssps + sideEffects: None + targetPort: 9443 + type: ValidatingAdmissionWebhook + webhookPath: /validate-ssp-kubevirt-io-v1beta3-ssp diff --git a/hack/csv-generator.go b/hack/csv-generator.go index 7bf549ed4..8166e9223 100644 --- a/hack/csv-generator.go +++ b/hack/csv-generator.go @@ -222,7 +222,9 @@ func replaceVariables(flags generatorFlags, csv *csvv1.ClusterServiceVersion) er } if flags.webhookPort > 0 { - csv.Spec.WebhookDefinitions[0].ContainerPort = flags.webhookPort + for i := range csv.Spec.WebhookDefinitions { + csv.Spec.WebhookDefinitions[i].ContainerPort = flags.webhookPort + } } return nil diff --git a/internal/common/scheme.go b/internal/common/scheme.go index dd1fdac76..59f47ed5c 100644 --- a/internal/common/scheme.go +++ b/internal/common/scheme.go @@ -12,7 +12,9 @@ import ( kubevirtv1 "kubevirt.io/api/core/v1" instancetypev1alpha2 "kubevirt.io/api/instancetype/v1alpha2" instancetypev1beta1 "kubevirt.io/api/instancetype/v1beta1" + sspv1beta2 "kubevirt.io/ssp-operator/api/v1beta2" + sspv1beta3 "kubevirt.io/ssp-operator/api/v1beta3" ) var ( @@ -25,6 +27,7 @@ func init() { utilruntime.Must(extv1.AddToScheme(Scheme)) utilruntime.Must(internalmeta.AddToScheme(Scheme)) utilruntime.Must(sspv1beta2.AddToScheme(Scheme)) + utilruntime.Must(sspv1beta3.AddToScheme(Scheme)) utilruntime.Must(osconfv1.Install(Scheme)) utilruntime.Must(instancetypev1alpha2.AddToScheme(Scheme)) utilruntime.Must(instancetypev1beta1.AddToScheme(Scheme)) diff --git a/tests/tests_suite_test.go b/tests/tests_suite_test.go index d528f9b0a..ffeac3d41 100644 --- a/tests/tests_suite_test.go +++ b/tests/tests_suite_test.go @@ -42,6 +42,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/client/config" sspv1beta2 "kubevirt.io/ssp-operator/api/v1beta2" + sspv1beta3 "kubevirt.io/ssp-operator/api/v1beta3" "kubevirt.io/ssp-operator/internal/common" "kubevirt.io/ssp-operator/tests/env" ) @@ -469,6 +470,13 @@ func getSsp() *sspv1beta2.SSP { return foundSsp } +func getSspV1Beta3() *sspv1beta3.SSP { + key := client.ObjectKey{Name: strategy.GetName(), Namespace: strategy.GetNamespace()} + foundSsp := &sspv1beta3.SSP{} + Expect(apiClient.Get(ctx, key, foundSsp)).ToNot(HaveOccurred()) + return foundSsp +} + func getTemplateValidatorDeployment() *apps.Deployment { key := client.ObjectKey{Name: "virt-template-validator", Namespace: strategy.GetNamespace()} deployment := &apps.Deployment{} diff --git a/tests/webhook_test.go b/tests/webhook_test.go index e160e29a8..2d2c8ec8e 100644 --- a/tests/webhook_test.go +++ b/tests/webhook_test.go @@ -6,14 +6,16 @@ import ( . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" + corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "kubevirt.io/controller-lifecycle-operator-sdk/api" "sigs.k8s.io/controller-runtime/pkg/client" - "kubevirt.io/controller-lifecycle-operator-sdk/api" sspv1beta2 "kubevirt.io/ssp-operator/api/v1beta2" + sspv1beta3 "kubevirt.io/ssp-operator/api/v1beta3" ) // Placement API tests variables @@ -69,7 +71,7 @@ var _ = Describe("Validation webhook", func() { }) Context("creation", func() { - It("[test_id:5242] should fail to create a second SSP CR", func() { + It("[test_id:5242] should fail to create a second v1beta2.SSP CR", func() { foundSsp := getSsp() ssp2 := foundSsp.DeepCopy() ssp2.ObjectMeta = v1.ObjectMeta{ @@ -89,15 +91,38 @@ var _ = Describe("Validation webhook", func() { ))) }) + It("[test_id:TODO] should fail to create a second v1beta3.SSP CR", func() { + foundSsp := getSspV1Beta3() + ssp2 := foundSsp.DeepCopy() + ssp2.ObjectMeta = v1.ObjectMeta{ + Name: "test-ssp2", + Namespace: foundSsp.GetNamespace(), + } + + err := apiClient.Create(ctx, ssp2, client.DryRunAll) + if err == nil { + Fail("Second SSP resource created.") + return + } + Expect(err.Error()).To(ContainSubstring(fmt.Sprintf( + "creation failed, an SSP CR already exists in namespace %v: %v", + foundSsp.Namespace, + foundSsp.Name, + ))) + }) + Context("removed existing SSP CR", func() { var ( - newSsp *sspv1beta2.SSP + newSspV1Beta2 *sspv1beta2.SSP + newSspV1Beta3 *sspv1beta3.SSP ) BeforeEach(func() { strategy.SkipSspUpdateTestsIfNeeded() foundSsp := getSsp() + newSspV1Beta3 = getSspV1Beta3() + Expect(apiClient.Delete(ctx, foundSsp)).ToNot(HaveOccurred()) waitForDeletion(client.ObjectKey{Name: foundSsp.GetName(), Namespace: foundSsp.GetNamespace()}, &sspv1beta2.SSP{}) @@ -106,7 +131,7 @@ var _ = Describe("Validation webhook", func() { Namespace: foundSsp.GetNamespace(), } - newSsp = foundSsp + newSspV1Beta2 = foundSsp }) AfterEach(func() { @@ -115,39 +140,61 @@ var _ = Describe("Validation webhook", func() { Context("Placement API validation", func() { It("[test_id:5988]should succeed with valid template-validator placement fields", func() { - newSsp.Spec.TemplateValidator = &sspv1beta2.TemplateValidator{ + newSspV1Beta2.Spec.TemplateValidator = &sspv1beta2.TemplateValidator{ + Placement: &placementAPIValidationValidPlacement, + } + + Expect(apiClient.Create(ctx, newSspV1Beta2, client.DryRunAll)).ToNot(HaveOccurred(), + "failed to create SSP CR with valid template-validator placement fields") + }) + + It("[test_id:TODO] [v1beta3] should succeed with valid template-validator placement fields", func() { + newSspV1Beta3.Spec.TemplateValidator = &sspv1beta3.TemplateValidator{ Placement: &placementAPIValidationValidPlacement, } - Expect(apiClient.Create(ctx, newSsp, client.DryRunAll)).ToNot(HaveOccurred(), + Expect(apiClient.Create(ctx, newSspV1Beta3, client.DryRunAll)).ToNot(HaveOccurred(), "failed to create SSP CR with valid template-validator placement fields") }) It("[test_id:5987]should fail with invalid template-validator placement fields", func() { - newSsp.Spec.TemplateValidator = &sspv1beta2.TemplateValidator{ + newSspV1Beta2.Spec.TemplateValidator = &sspv1beta2.TemplateValidator{ Placement: &placementAPIValidationInvalidPlacement, } - Expect(apiClient.Create(ctx, newSsp, client.DryRunAll)).To(HaveOccurred(), + Expect(apiClient.Create(ctx, newSspV1Beta2, client.DryRunAll)).To(HaveOccurred(), + "created SSP CR with invalid template-validator placement fields") + }) + + It("[test_id:5987] [v1beat3] should fail with invalid template-validator placement fields", func() { + newSspV1Beta3.Spec.TemplateValidator = &sspv1beta3.TemplateValidator{ + Placement: &placementAPIValidationInvalidPlacement, + } + + Expect(apiClient.Create(ctx, newSspV1Beta3, client.DryRunAll)).To(HaveOccurred(), "created SSP CR with invalid template-validator placement fields") }) }) It("[test_id:TODO] should fail when DataImportCronTemplate does not have a name", func() { - newSsp.Spec.CommonTemplates.DataImportCronTemplates = []sspv1beta2.DataImportCronTemplate{{ + newSspV1Beta2.Spec.CommonTemplates.DataImportCronTemplates = []sspv1beta2.DataImportCronTemplate{{ + ObjectMeta: metav1.ObjectMeta{Name: ""}, + }} + err := apiClient.Create(ctx, newSspV1Beta2, client.DryRunAll) + Expect(err).To(MatchError(ContainSubstring("missing name in DataImportCronTemplate"))) + }) + + It("[test_id:TODO] [v1beta3] should fail when DataImportCronTemplate does not have a name", func() { + newSspV1Beta3.Spec.CommonTemplates.DataImportCronTemplates = []sspv1beta3.DataImportCronTemplate{{ ObjectMeta: metav1.ObjectMeta{Name: ""}, }} - err := apiClient.Create(ctx, newSsp, client.DryRunAll) + err := apiClient.Create(ctx, newSspV1Beta3, client.DryRunAll) Expect(err).To(MatchError(ContainSubstring("missing name in DataImportCronTemplate"))) }) }) }) Context("update", func() { - var ( - foundSsp *sspv1beta2.SSP - ) - BeforeEach(func() { strategy.SkipSspUpdateTestsIfNeeded() }) @@ -159,7 +206,7 @@ var _ = Describe("Validation webhook", func() { Context("Placement API validation", func() { It("[test_id:5990]should succeed with valid template-validator placement fields", func() { Eventually(func() error { - foundSsp = getSsp() + foundSsp := getSsp() foundSsp.Spec.TemplateValidator = &sspv1beta2.TemplateValidator{ Placement: &placementAPIValidationValidPlacement, } @@ -167,9 +214,19 @@ var _ = Describe("Validation webhook", func() { }, 20*time.Second, time.Second).ShouldNot(HaveOccurred(), "failed to update SSP CR with valid template-validator placement fields") }) + It("[test_id:5990] [v1beta3] should succeed with valid template-validator placement fields", func() { + Eventually(func() error { + foundSsp := getSspV1Beta3() + foundSsp.Spec.TemplateValidator = &sspv1beta3.TemplateValidator{ + Placement: &placementAPIValidationValidPlacement, + } + return apiClient.Update(ctx, foundSsp, client.DryRunAll) + }, 20*time.Second, time.Second).ShouldNot(HaveOccurred(), "failed to update SSP CR with valid template-validator placement fields") + }) + It("[test_id:5989]should fail with invalid template-validator placement fields", func() { Eventually(func() v1.StatusReason { - foundSsp = getSsp() + foundSsp := getSsp() foundSsp.Spec.TemplateValidator = &sspv1beta2.TemplateValidator{ Placement: &placementAPIValidationInvalidPlacement, } @@ -177,16 +234,37 @@ var _ = Describe("Validation webhook", func() { return errors.ReasonForError(err) }, 20*time.Second, time.Second).Should(Equal(metav1.StatusReasonInvalid), "SSP CR updated with invalid template-validator placement fields") }) + + It("[test_id:5989] [v1beta3] should fail with invalid template-validator placement fields", func() { + Eventually(func() v1.StatusReason { + foundSsp := getSspV1Beta3() + foundSsp.Spec.TemplateValidator = &sspv1beta3.TemplateValidator{ + Placement: &placementAPIValidationInvalidPlacement, + } + err := apiClient.Update(ctx, foundSsp, client.DryRunAll) + return errors.ReasonForError(err) + }, 20*time.Second, time.Second).Should(Equal(metav1.StatusReasonInvalid), "SSP CR updated with invalid template-validator placement fields") + }) }) It("[test_id:TODO] should fail when DataImportCronTemplate does not have a name", func() { Eventually(func() error { - foundSsp = getSsp() + foundSsp := getSsp() foundSsp.Spec.CommonTemplates.DataImportCronTemplates = []sspv1beta2.DataImportCronTemplate{{ ObjectMeta: metav1.ObjectMeta{Name: ""}, }} return apiClient.Update(ctx, foundSsp, client.DryRunAll) }, 20*time.Second, time.Second).Should(MatchError(ContainSubstring("missing name in DataImportCronTemplate"))) }) + + It("[test_id:TODO] [v1beta3] should fail when DataImportCronTemplate does not have a name", func() { + Eventually(func() error { + foundSsp := getSspV1Beta3() + foundSsp.Spec.CommonTemplates.DataImportCronTemplates = []sspv1beta3.DataImportCronTemplate{{ + ObjectMeta: metav1.ObjectMeta{Name: ""}, + }} + return apiClient.Update(ctx, foundSsp, client.DryRunAll) + }, 20*time.Second, time.Second).Should(MatchError(ContainSubstring("missing name in DataImportCronTemplate"))) + }) }) }) diff --git a/vendor/kubevirt.io/ssp-operator/api/v1beta3/groupversion_info.go b/vendor/kubevirt.io/ssp-operator/api/v1beta3/groupversion_info.go new file mode 100644 index 000000000..131ba91cd --- /dev/null +++ b/vendor/kubevirt.io/ssp-operator/api/v1beta3/groupversion_info.go @@ -0,0 +1,36 @@ +/* + + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Package v1beta3 contains API Schema definitions for the ssp v1beta3 API group +// +kubebuilder:object:generate=true +// +groupName=ssp.kubevirt.io +package v1beta3 + +import ( + "k8s.io/apimachinery/pkg/runtime/schema" + "sigs.k8s.io/controller-runtime/pkg/scheme" +) + +var ( + // GroupVersion is group version used to register these objects + GroupVersion = schema.GroupVersion{Group: "ssp.kubevirt.io", Version: "v1beta3"} + + // SchemeBuilder is used to add go types to the GroupVersionKind scheme + SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion} + + // AddToScheme adds the types in this group-version to the given scheme. + AddToScheme = SchemeBuilder.AddToScheme +) diff --git a/vendor/kubevirt.io/ssp-operator/api/v1beta3/ssp_types.go b/vendor/kubevirt.io/ssp-operator/api/v1beta3/ssp_types.go new file mode 100644 index 000000000..c2af6b9bb --- /dev/null +++ b/vendor/kubevirt.io/ssp-operator/api/v1beta3/ssp_types.go @@ -0,0 +1,121 @@ +/* + + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1beta3 + +import ( + ocpv1 "github.com/openshift/api/config/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + cdiv1beta1 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1" + lifecycleapi "kubevirt.io/controller-lifecycle-operator-sdk/api" +) + +const ( + OperatorPausedAnnotation = "kubevirt.io/operator.paused" +) + +type TemplateValidator struct { + // Replicas is the number of replicas of the template validator pod + //+kubebuilder:validation:Minimum=0 + //+kubebuilder:default=2 + Replicas *int32 `json:"replicas,omitempty"` + + // Placement describes the node scheduling configuration + Placement *lifecycleapi.NodePlacement `json:"placement,omitempty"` +} + +type CommonTemplates struct { + // Namespace is the k8s namespace where CommonTemplates should be installed + //+kubebuilder:validation:MaxLength=63 + //+kubebuilder:validation:Pattern=^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + Namespace string `json:"namespace"` + + // DataImportCronTemplates defines a list of DataImportCrons managed by the SSP Operator. + DataImportCronTemplates []DataImportCronTemplate `json:"dataImportCronTemplates,omitempty"` +} + +// SSPSpec defines the desired state of SSP +type SSPSpec struct { + // TemplateValidator is configuration of the template validator operand + TemplateValidator *TemplateValidator `json:"templateValidator,omitempty"` + + // CommonTemplates is the configuration of the common templates operand + CommonTemplates CommonTemplates `json:"commonTemplates"` + + // TLSSecurityProfile is a configuration for the TLS. + TLSSecurityProfile *ocpv1.TLSSecurityProfile `json:"tlsSecurityProfile,omitempty"` + + // TokenGenerationService configures the service for generating tokens to access VNC for a VM. + TokenGenerationService *TokenGenerationService `json:"tokenGenerationService,omitempty"` +} + +// DataImportCronTemplate defines the template type for DataImportCrons. +// It requires metadata.name to be specified while leaving namespace as optional. +type DataImportCronTemplate struct { + metav1.ObjectMeta `json:"metadata,omitempty"` + + Spec cdiv1beta1.DataImportCronSpec `json:"spec"` +} + +// AsDataImportCron converts the DataImportCronTemplate to a cdiv1beta1.DataImportCron +func (t *DataImportCronTemplate) AsDataImportCron() cdiv1beta1.DataImportCron { + return cdiv1beta1.DataImportCron{ + ObjectMeta: t.ObjectMeta, + Spec: t.Spec, + } +} + +// TokenGenerationService configures the service for generating tokens to access VNC for a VM. +type TokenGenerationService struct { + Enabled bool `json:"enabled,omitempty"` +} + +// SSPStatus defines the observed state of SSP +type SSPStatus struct { + lifecycleapi.Status `json:",inline"` + + // Paused is true when the operator notices paused annotation. + Paused bool `json:"paused,omitempty"` + + // ObservedGeneration is the latest generation observed by the operator. + ObservedGeneration int64 `json:"observedGeneration,omitempty"` +} + +// +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:printcolumn:name="Phase",type="string",JSONPath=".status.phase" + +// SSP is the Schema for the ssps API +type SSP struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + Spec SSPSpec `json:"spec,omitempty"` + Status SSPStatus `json:"status,omitempty"` +} + +// +kubebuilder:object:root=true + +// SSPList contains a list of SSP +type SSPList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []SSP `json:"items"` +} + +func init() { + SchemeBuilder.Register(&SSP{}, &SSPList{}) +} diff --git a/vendor/kubevirt.io/ssp-operator/api/v1beta3/zz_generated.deepcopy.go b/vendor/kubevirt.io/ssp-operator/api/v1beta3/zz_generated.deepcopy.go new file mode 100644 index 000000000..b572d7c1f --- /dev/null +++ b/vendor/kubevirt.io/ssp-operator/api/v1beta3/zz_generated.deepcopy.go @@ -0,0 +1,210 @@ +//go:build !ignore_autogenerated + +/* + + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by controller-gen. DO NOT EDIT. + +package v1beta3 + +import ( + "github.com/openshift/api/config/v1" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CommonTemplates) DeepCopyInto(out *CommonTemplates) { + *out = *in + if in.DataImportCronTemplates != nil { + in, out := &in.DataImportCronTemplates, &out.DataImportCronTemplates + *out = make([]DataImportCronTemplate, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CommonTemplates. +func (in *CommonTemplates) DeepCopy() *CommonTemplates { + if in == nil { + return nil + } + out := new(CommonTemplates) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *DataImportCronTemplate) DeepCopyInto(out *DataImportCronTemplate) { + *out = *in + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DataImportCronTemplate. +func (in *DataImportCronTemplate) DeepCopy() *DataImportCronTemplate { + if in == nil { + return nil + } + out := new(DataImportCronTemplate) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SSP) DeepCopyInto(out *SSP) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SSP. +func (in *SSP) DeepCopy() *SSP { + if in == nil { + return nil + } + out := new(SSP) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *SSP) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SSPList) DeepCopyInto(out *SSPList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]SSP, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SSPList. +func (in *SSPList) DeepCopy() *SSPList { + if in == nil { + return nil + } + out := new(SSPList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *SSPList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SSPSpec) DeepCopyInto(out *SSPSpec) { + *out = *in + if in.TemplateValidator != nil { + in, out := &in.TemplateValidator, &out.TemplateValidator + *out = new(TemplateValidator) + (*in).DeepCopyInto(*out) + } + in.CommonTemplates.DeepCopyInto(&out.CommonTemplates) + if in.TLSSecurityProfile != nil { + in, out := &in.TLSSecurityProfile, &out.TLSSecurityProfile + *out = new(v1.TLSSecurityProfile) + (*in).DeepCopyInto(*out) + } + if in.TokenGenerationService != nil { + in, out := &in.TokenGenerationService, &out.TokenGenerationService + *out = new(TokenGenerationService) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SSPSpec. +func (in *SSPSpec) DeepCopy() *SSPSpec { + if in == nil { + return nil + } + out := new(SSPSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SSPStatus) DeepCopyInto(out *SSPStatus) { + *out = *in + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SSPStatus. +func (in *SSPStatus) DeepCopy() *SSPStatus { + if in == nil { + return nil + } + out := new(SSPStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TemplateValidator) DeepCopyInto(out *TemplateValidator) { + *out = *in + if in.Replicas != nil { + in, out := &in.Replicas, &out.Replicas + *out = new(int32) + **out = **in + } + if in.Placement != nil { + in, out := &in.Placement, &out.Placement + *out = (*in).DeepCopy() + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TemplateValidator. +func (in *TemplateValidator) DeepCopy() *TemplateValidator { + if in == nil { + return nil + } + out := new(TemplateValidator) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TokenGenerationService) DeepCopyInto(out *TokenGenerationService) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenGenerationService. +func (in *TokenGenerationService) DeepCopy() *TokenGenerationService { + if in == nil { + return nil + } + out := new(TokenGenerationService) + in.DeepCopyInto(out) + return out +} diff --git a/vendor/modules.txt b/vendor/modules.txt index 957be9162..5c610f8cf 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -886,6 +886,7 @@ kubevirt.io/qe-tools/pkg/polarion-xml # kubevirt.io/ssp-operator/api v0.0.0 => ./api ## explicit; go 1.22.4 kubevirt.io/ssp-operator/api/v1beta2 +kubevirt.io/ssp-operator/api/v1beta3 # sigs.k8s.io/controller-runtime v0.18.5 ## explicit; go 1.22.0 sigs.k8s.io/controller-runtime diff --git a/webhooks/convert/convert.go b/webhooks/convert/convert.go new file mode 100644 index 000000000..393e7ea77 --- /dev/null +++ b/webhooks/convert/convert.go @@ -0,0 +1,70 @@ +package convert + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + sspv1beta2 "kubevirt.io/ssp-operator/api/v1beta2" + sspv1beta3 "kubevirt.io/ssp-operator/api/v1beta3" +) + +func ConvertSSP(src *sspv1beta3.SSP) *sspv1beta2.SSP { + return &sspv1beta2.SSP{ + TypeMeta: metav1.TypeMeta{ + Kind: src.Kind, + APIVersion: sspv1beta2.GroupVersion.String(), + }, + ObjectMeta: src.ObjectMeta, + Spec: sspv1beta2.SSPSpec{ + TemplateValidator: convertTemplateValidator(src.Spec.TemplateValidator), + CommonTemplates: sspv1beta2.CommonTemplates{ + Namespace: src.Spec.CommonTemplates.Namespace, + DataImportCronTemplates: convertDataImportCronTemplates(src.Spec.CommonTemplates.DataImportCronTemplates), + }, + TLSSecurityProfile: src.Spec.TLSSecurityProfile, + TokenGenerationService: convertTokenGenerationService(src.Spec.TokenGenerationService), + }, + Status: sspv1beta2.SSPStatus{ + Status: src.Status.Status, + Paused: src.Status.Paused, + ObservedGeneration: src.Status.ObservedGeneration, + }, + } +} + +func convertTemplateValidator(src *sspv1beta3.TemplateValidator) *sspv1beta2.TemplateValidator { + if src == nil { + return nil + } + + return &sspv1beta2.TemplateValidator{ + Replicas: src.Replicas, + Placement: src.Placement, + } +} + +func convertDataImportCronTemplates(src []sspv1beta3.DataImportCronTemplate) []sspv1beta2.DataImportCronTemplate { + if len(src) == 0 { + return nil + } + + result := make([]sspv1beta2.DataImportCronTemplate, 0, len(src)) + for i := range src { + oldTemplate := &src[i] + result = append(result, sspv1beta2.DataImportCronTemplate{ + ObjectMeta: oldTemplate.ObjectMeta, + Spec: oldTemplate.Spec, + }) + } + + return result +} + +func convertTokenGenerationService(src *sspv1beta3.TokenGenerationService) *sspv1beta2.TokenGenerationService { + if src == nil { + return nil + } + + return &sspv1beta2.TokenGenerationService{ + Enabled: src.Enabled, + } +} diff --git a/webhooks/ssp_webhook.go b/webhooks/ssp_webhook.go index fbeecb3fa..347775656 100644 --- a/webhooks/ssp_webhook.go +++ b/webhooks/ssp_webhook.go @@ -32,17 +32,33 @@ import ( "sigs.k8s.io/controller-runtime/pkg/webhook/admission" sspv1beta2 "kubevirt.io/ssp-operator/api/v1beta2" + sspv1beta3 "kubevirt.io/ssp-operator/api/v1beta3" + "kubevirt.io/ssp-operator/webhooks/convert" ) -// +kubebuilder:webhook:verbs=create;update,path=/validate-ssp-kubevirt-io-v1beta2-ssp,mutating=false,failurePolicy=fail,groups=ssp.kubevirt.io,resources=ssps,versions=v1beta2,name=validation.ssp.kubevirt.io,admissionReviewVersions=v1,sideEffects=None +// +kubebuilder:webhook:verbs=create;update,path=/validate-ssp-kubevirt-io-v1beta2-ssp,mutating=false,failurePolicy=fail,groups=ssp.kubevirt.io,resources=ssps,versions=v1beta2,name=validation.v1beta2.ssp.kubevirt.io,admissionReviewVersions=v1,sideEffects=None +// +kubebuilder:webhook:verbs=create;update,path=/validate-ssp-kubevirt-io-v1beta3-ssp,mutating=false,failurePolicy=fail,groups=ssp.kubevirt.io,resources=ssps,versions=v1beta3,name=validation.v1beta3.ssp.kubevirt.io,admissionReviewVersions=v1,sideEffects=None var ssplog = logf.Log.WithName("ssp-resource") func Setup(mgr ctrl.Manager) error { - return ctrl.NewWebhookManagedBy(mgr). + err := ctrl.NewWebhookManagedBy(mgr). For(&sspv1beta2.SSP{}). WithValidator(newSspValidator(mgr.GetClient())). Complete() + if err != nil { + return fmt.Errorf("failed to create webhook for v1beta2.SSP") + } + + err = ctrl.NewWebhookManagedBy(mgr). + For(&sspv1beta3.SSP{}). + WithValidator(newSspValidatorV1Beta3(mgr.GetClient())). + Complete() + if err != nil { + return fmt.Errorf("failed to create webhook for v1beta3.SSP") + } + + return nil } type sspValidator struct { @@ -170,3 +186,31 @@ func validateDataImportCronTemplates(ssp *sspv1beta2.SSP) error { func newSspValidator(clt client.Client) *sspValidator { return &sspValidator{apiClient: clt} } + +type sspValidatorV1Beta3 struct { + innerValidator sspValidator +} + +var _ admission.CustomValidator = &sspValidatorV1Beta3{} + +func (s *sspValidatorV1Beta3) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) { + ssp := obj.(*sspv1beta3.SSP) + return s.innerValidator.ValidateCreate(ctx, convert.ConvertSSP(ssp)) +} + +func (s *sspValidatorV1Beta3) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) (admission.Warnings, error) { + oldSsp := oldObj.(*sspv1beta3.SSP) + newSsp := newObj.(*sspv1beta3.SSP) + return s.innerValidator.ValidateUpdate(ctx, convert.ConvertSSP(oldSsp), convert.ConvertSSP(newSsp)) +} + +func (s *sspValidatorV1Beta3) ValidateDelete(ctx context.Context, obj runtime.Object) (admission.Warnings, error) { + ssp := obj.(*sspv1beta3.SSP) + return s.innerValidator.ValidateDelete(ctx, convert.ConvertSSP(ssp)) +} + +func newSspValidatorV1Beta3(clt client.Client) *sspValidatorV1Beta3 { + return &sspValidatorV1Beta3{ + innerValidator: *newSspValidator(clt), + } +} diff --git a/webhooks/ssp_webhook_test.go b/webhooks/ssp_webhook_test.go index 5481b90b0..10f619cef 100644 --- a/webhooks/ssp_webhook_test.go +++ b/webhooks/ssp_webhook_test.go @@ -34,6 +34,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/webhook/admission" sspv1beta2 "kubevirt.io/ssp-operator/api/v1beta2" + sspv1beta3 "kubevirt.io/ssp-operator/api/v1beta3" "kubevirt.io/ssp-operator/internal" "kubevirt.io/ssp-operator/internal/common" ) @@ -44,8 +45,9 @@ var _ = Describe("SSP Validation", func() { apiClient client.Client createIntercept func(ctx context.Context, client client.WithWatch, obj client.Object, opts ...client.CreateOption) error - validator admission.CustomValidator - ctx context.Context + validatorV1Beta2 admission.CustomValidator + validatorV1Beta3 admission.CustomValidator + ctx context.Context ) BeforeEach(func() { @@ -62,7 +64,8 @@ var _ = Describe("SSP Validation", func() { }). Build() - validator = newSspValidator(apiClient) + validatorV1Beta2 = newSspValidator(apiClient) + validatorV1Beta3 = newSspValidatorV1Beta3(apiClient) }) Context("creating SSP CR", func() { @@ -77,7 +80,7 @@ var _ = Describe("SSP Validation", func() { Expect(err).ToNot(HaveOccurred()) }) - It("should reject SSP when one is already present", func() { + It("should reject v1beta2.SSP when one is already present", func() { ssp := &sspv1beta2.SSP{ ObjectMeta: metav1.ObjectMeta{ Name: "test-ssp2", @@ -86,147 +89,303 @@ var _ = Describe("SSP Validation", func() { Spec: sspv1beta2.SSPSpec{}, } - _, err := validator.ValidateCreate(ctx, ssp) + _, err := validatorV1Beta2.ValidateCreate(ctx, ssp) Expect(err).To(MatchError(ContainSubstring("creation failed, an SSP CR already exists in namespace test-ns: test-ssp"))) }) - }) - - Context("DataImportCronTemplates", func() { - var ( - oldSSP *sspv1beta2.SSP - newSSP *sspv1beta2.SSP - ) - BeforeEach(func() { - oldSSP = &sspv1beta2.SSP{ + It("should reject v1beta3.SSP when v1beta2.SSP is already present", func() { + ssp := &sspv1beta3.SSP{ ObjectMeta: metav1.ObjectMeta{ - Name: "test-ssp", - Namespace: "test-ns", + Name: "test-ssp2", + Namespace: "test-ns2", }, - Spec: sspv1beta2.SSPSpec{ - CommonTemplates: sspv1beta2.CommonTemplates{ - Namespace: "test-templates-ns", - DataImportCronTemplates: []sspv1beta2.DataImportCronTemplate{ - { - ObjectMeta: metav1.ObjectMeta{ - Namespace: internal.GoldenImagesNamespace, + Spec: sspv1beta3.SSPSpec{}, + } + + _, err := validatorV1Beta3.ValidateCreate(ctx, ssp) + Expect(err).To(MatchError(ContainSubstring("creation failed, an SSP CR already exists in namespace test-ns: test-ssp"))) + }) + }) + + Context("v1beta2", func() { + Context("DataImportCronTemplates", func() { + var ( + oldSSP *sspv1beta2.SSP + newSSP *sspv1beta2.SSP + ) + + BeforeEach(func() { + oldSSP = &sspv1beta2.SSP{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-ssp", + Namespace: "test-ns", + }, + Spec: sspv1beta2.SSPSpec{ + CommonTemplates: sspv1beta2.CommonTemplates{ + Namespace: "test-templates-ns", + DataImportCronTemplates: []sspv1beta2.DataImportCronTemplate{ + { + ObjectMeta: metav1.ObjectMeta{ + Namespace: internal.GoldenImagesNamespace, + }, }, }, }, }, - }, - } + } - newSSP = oldSSP.DeepCopy() - }) + newSSP = oldSSP.DeepCopy() + }) - It("should validate dataImportCronTemplates on create", func() { - _, err := validator.ValidateCreate(ctx, newSSP) - Expect(err).To(MatchError(ContainSubstring("missing name in DataImportCronTemplate"))) + It("should validate dataImportCronTemplates on create", func() { + _, err := validatorV1Beta2.ValidateCreate(ctx, newSSP) + Expect(err).To(MatchError(ContainSubstring("missing name in DataImportCronTemplate"))) - newSSP.Spec.CommonTemplates.DataImportCronTemplates[0].Name = "test-name" + newSSP.Spec.CommonTemplates.DataImportCronTemplates[0].Name = "test-name" - _, err = validator.ValidateCreate(ctx, newSSP) - Expect(err).ToNot(HaveOccurred()) - }) + _, err = validatorV1Beta2.ValidateCreate(ctx, newSSP) + Expect(err).ToNot(HaveOccurred()) + }) - It("should validate dataImportCronTemplates on update", func() { - _, err := validator.ValidateUpdate(ctx, oldSSP, newSSP) - Expect(err).To(MatchError(ContainSubstring("missing name in DataImportCronTemplate"))) + It("should validate dataImportCronTemplates on update", func() { + _, err := validatorV1Beta2.ValidateUpdate(ctx, oldSSP, newSSP) + Expect(err).To(MatchError(ContainSubstring("missing name in DataImportCronTemplate"))) - newSSP.Spec.CommonTemplates.DataImportCronTemplates[0].Name = "test-name" + newSSP.Spec.CommonTemplates.DataImportCronTemplates[0].Name = "test-name" - _, err = validator.ValidateUpdate(ctx, oldSSP, newSSP) - Expect(err).ToNot(HaveOccurred()) + _, err = validatorV1Beta2.ValidateUpdate(ctx, oldSSP, newSSP) + Expect(err).ToNot(HaveOccurred()) + }) }) - }) - Context("validate placement", func() { - It("should not call create API, if placement is nil", func() { - createIntercept = func(_ context.Context, _ client.WithWatch, _ client.Object, _ ...client.CreateOption) error { - Fail("Called create API") - return nil - } + Context("validate placement", func() { + It("should not call create API, if placement is nil", func() { + createIntercept = func(_ context.Context, _ client.WithWatch, _ client.Object, _ ...client.CreateOption) error { + Fail("Called create API") + return nil + } - ssp := &sspv1beta2.SSP{ - ObjectMeta: metav1.ObjectMeta{ - Name: "test-ssp", - Namespace: "test-ns", - }, - Spec: sspv1beta2.SSPSpec{ - TemplateValidator: &sspv1beta2.TemplateValidator{ - Replicas: ptr.To(int32(2)), - Placement: nil, + ssp := &sspv1beta2.SSP{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-ssp", + Namespace: "test-ns", }, - }, - } + Spec: sspv1beta2.SSPSpec{ + TemplateValidator: &sspv1beta2.TemplateValidator{ + Replicas: ptr.To(int32(2)), + Placement: nil, + }, + }, + } - _, err := validator.ValidateCreate(ctx, ssp) - Expect(err).ToNot(HaveOccurred()) + _, err := validatorV1Beta2.ValidateCreate(ctx, ssp) + Expect(err).ToNot(HaveOccurred()) + }) + + It("should call create API dry run", func() { + placement := &api.NodePlacement{ + NodeSelector: map[string]string{ + "test-label": "test-value", + }, + Affinity: &v1.Affinity{ + PodAffinity: &v1.PodAffinity{ + RequiredDuringSchedulingIgnoredDuringExecution: []v1.PodAffinityTerm{{ + LabelSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "foo": "bar", + }, + }, + }}, + }, + }, + Tolerations: []v1.Toleration{{ + Key: "key", + Value: "value", + }}, + } + + var createWasCalled bool + createIntercept = func(ctx context.Context, cli client.WithWatch, obj client.Object, opts ...client.CreateOption) error { + deployment, ok := obj.(*apps.Deployment) + if !ok { + Fail("Expected created object to be Deployment.") + } + + createOptions := &client.CreateOptions{} + for _, opt := range opts { + opt.ApplyToCreate(createOptions) + } + + if len(createOptions.DryRun) != 1 || createOptions.DryRun[0] != metav1.DryRunAll { + Fail("Create call should be dry run.") + } + + Expect(deployment.Spec.Template.Spec.NodeSelector).To(Equal(placement.NodeSelector)) + Expect(deployment.Spec.Template.Spec.Affinity).To(Equal(placement.Affinity)) + Expect(deployment.Spec.Template.Spec.Tolerations).To(Equal(placement.Tolerations)) + createWasCalled = true + return nil + } + + ssp := &sspv1beta2.SSP{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-ssp", + Namespace: "test-ns", + }, + Spec: sspv1beta2.SSPSpec{ + TemplateValidator: &sspv1beta2.TemplateValidator{ + Replicas: ptr.To(int32(2)), + Placement: placement, + }, + }, + } + + _, err := validatorV1Beta2.ValidateCreate(ctx, ssp) + Expect(err).ToNot(HaveOccurred()) + + Expect(createWasCalled).To(BeTrue()) + }) }) + }) - It("should call create API dry run", func() { - placement := &api.NodePlacement{ - NodeSelector: map[string]string{ - "test-label": "test-value", - }, - Affinity: &v1.Affinity{ - PodAffinity: &v1.PodAffinity{ - RequiredDuringSchedulingIgnoredDuringExecution: []v1.PodAffinityTerm{{ - LabelSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{ - "foo": "bar", + Context("v1beta3", func() { + Context("DataImportCronTemplates", func() { + var ( + oldSSP *sspv1beta3.SSP + newSSP *sspv1beta3.SSP + ) + + BeforeEach(func() { + oldSSP = &sspv1beta3.SSP{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-ssp", + Namespace: "test-ns", + }, + Spec: sspv1beta3.SSPSpec{ + CommonTemplates: sspv1beta3.CommonTemplates{ + Namespace: "test-templates-ns", + DataImportCronTemplates: []sspv1beta3.DataImportCronTemplate{ + { + ObjectMeta: metav1.ObjectMeta{ + Namespace: internal.GoldenImagesNamespace, + }, }, }, - }}, + }, }, - }, - Tolerations: []v1.Toleration{{ - Key: "key", - Value: "value", - }}, - } + } + + newSSP = oldSSP.DeepCopy() + }) + + It("should validate dataImportCronTemplates on create", func() { + _, err := validatorV1Beta3.ValidateCreate(ctx, newSSP) + Expect(err).To(MatchError(ContainSubstring("missing name in DataImportCronTemplate"))) + + newSSP.Spec.CommonTemplates.DataImportCronTemplates[0].Name = "test-name" + + _, err = validatorV1Beta3.ValidateCreate(ctx, newSSP) + Expect(err).ToNot(HaveOccurred()) + }) + + It("should validate dataImportCronTemplates on update", func() { + _, err := validatorV1Beta3.ValidateUpdate(ctx, oldSSP, newSSP) + Expect(err).To(MatchError(ContainSubstring("missing name in DataImportCronTemplate"))) + + newSSP.Spec.CommonTemplates.DataImportCronTemplates[0].Name = "test-name" + + _, err = validatorV1Beta3.ValidateUpdate(ctx, oldSSP, newSSP) + Expect(err).ToNot(HaveOccurred()) + }) + }) - var createWasCalled bool - createIntercept = func(ctx context.Context, cli client.WithWatch, obj client.Object, opts ...client.CreateOption) error { - deployment, ok := obj.(*apps.Deployment) - if !ok { - Fail("Expected created object to be Deployment.") + Context("validate placement", func() { + It("should not call create API, if placement is nil", func() { + createIntercept = func(_ context.Context, _ client.WithWatch, _ client.Object, _ ...client.CreateOption) error { + Fail("Called create API") + return nil } - createOptions := &client.CreateOptions{} - for _, opt := range opts { - opt.ApplyToCreate(createOptions) + ssp := &sspv1beta3.SSP{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-ssp", + Namespace: "test-ns", + }, + Spec: sspv1beta3.SSPSpec{ + TemplateValidator: &sspv1beta3.TemplateValidator{ + Replicas: ptr.To(int32(2)), + Placement: nil, + }, + }, } - if len(createOptions.DryRun) != 1 || createOptions.DryRun[0] != metav1.DryRunAll { - Fail("Create call should be dry run.") + _, err := validatorV1Beta3.ValidateCreate(ctx, ssp) + Expect(err).ToNot(HaveOccurred()) + }) + + It("should call create API dry run", func() { + placement := &api.NodePlacement{ + NodeSelector: map[string]string{ + "test-label": "test-value", + }, + Affinity: &v1.Affinity{ + PodAffinity: &v1.PodAffinity{ + RequiredDuringSchedulingIgnoredDuringExecution: []v1.PodAffinityTerm{{ + LabelSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "foo": "bar", + }, + }, + }}, + }, + }, + Tolerations: []v1.Toleration{{ + Key: "key", + Value: "value", + }}, } - Expect(deployment.Spec.Template.Spec.NodeSelector).To(Equal(placement.NodeSelector)) - Expect(deployment.Spec.Template.Spec.Affinity).To(Equal(placement.Affinity)) - Expect(deployment.Spec.Template.Spec.Tolerations).To(Equal(placement.Tolerations)) - createWasCalled = true - return nil - } + var createWasCalled bool + createIntercept = func(ctx context.Context, cli client.WithWatch, obj client.Object, opts ...client.CreateOption) error { + deployment, ok := obj.(*apps.Deployment) + if !ok { + Fail("Expected created object to be Deployment.") + } + + createOptions := &client.CreateOptions{} + for _, opt := range opts { + opt.ApplyToCreate(createOptions) + } + + if len(createOptions.DryRun) != 1 || createOptions.DryRun[0] != metav1.DryRunAll { + Fail("Create call should be dry run.") + } + + Expect(deployment.Spec.Template.Spec.NodeSelector).To(Equal(placement.NodeSelector)) + Expect(deployment.Spec.Template.Spec.Affinity).To(Equal(placement.Affinity)) + Expect(deployment.Spec.Template.Spec.Tolerations).To(Equal(placement.Tolerations)) + createWasCalled = true + return nil + } - ssp := &sspv1beta2.SSP{ - ObjectMeta: metav1.ObjectMeta{ - Name: "test-ssp", - Namespace: "test-ns", - }, - Spec: sspv1beta2.SSPSpec{ - TemplateValidator: &sspv1beta2.TemplateValidator{ - Replicas: ptr.To(int32(2)), - Placement: placement, + ssp := &sspv1beta3.SSP{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-ssp", + Namespace: "test-ns", }, - }, - } + Spec: sspv1beta3.SSPSpec{ + TemplateValidator: &sspv1beta3.TemplateValidator{ + Replicas: ptr.To(int32(2)), + Placement: placement, + }, + }, + } - _, err := validator.ValidateCreate(ctx, ssp) - Expect(err).ToNot(HaveOccurred()) + _, err := validatorV1Beta3.ValidateCreate(ctx, ssp) + Expect(err).ToNot(HaveOccurred()) - Expect(createWasCalled).To(BeTrue()) + Expect(createWasCalled).To(BeTrue()) + }) }) }) })